Get All SharePoint Online Users and Groups with “Full Control” (Owner) Permissions using PowerShell

Requirement: Find all Users and groups with “Full Control” permissions in SharePoint Online sites.

How to Get Users and Groups with Full Control in SharePoint Online?

There may be times when you need to get a list of users who have full control permissions in SharePoint Online sites. The process is relatively simple and can be helpful if you are looking to audit user permissions.

  • Log in to your SharePoint Online site >> Click on the Settings gear >> Click on the “Site Permissions” link.
  • In the “Permissions” panel, click on the “Advanced permissions settings” link. This takes you to the site permissions page, where you’ll get all users and groups granted permissions to the site.

Get All Groups with “Full Control” from a Site Collection using PowerShell

Let’s get all groups with full control permissions and then members from those groups from a given site collection.

#Set Parameters
$AdminCenterURL="https://crescent-admin.sharepoint.com"
$SiteUrl = "https://crescent.sharepoint.com/sites/oncology"

#Connect to SharePoint Online
Connect-SPOService -Url $AdminCenterURL -credential (Get-Credential)

#Get all Groups from the site
$SiteGroups = Get-SPOSiteGroup -Site $SiteUrl

#Get Group info that have "Full Control" Permissions
ForEach ($Group in $SiteGroups)
{
    If($Group.Roles.Contains("Full Control"))
    {
        Write-Host -f Yellow $Group.Title
        #Get each member of the group
        ForEach($User in $Group.Users | Where{$_.contains("@")}) #Exclude system Users
        {
            write-host -f Green $User
        }
    }
} 

PowerShell to Get All Users from groups with “Full Control” Access Rights from All Sites:

How about retrieving all SharePoint Online groups with full control permissions from all site collections?

#Variables
$AdminCenterURL = "https://crescent-admin.sharepoint.com/"
 
#Connect to SharePoint Online
Connect-SPOService -url $AdminCenterURL -Credential (Get-Credential)
 
#Get all Site collections
$Sites = Get-SPOSite -Limit All

#Loop through site collections
ForEach($Site in $Sites)
{
    Write-host -f Cyan "Searching site: $($Site.URL)"
    #Get all Groups from the site permissions
    $SiteGroups = Get-SPOSiteGroup -Site $Site | Where { $_.Roles -ne $NULL -and $_.Users -ne $NULL}

    #Get Group info and members that have site owners permissions
    ForEach ($Group in $SiteGroups)
    {
        If($Group.Roles.Contains("Full Control"))
        {
            Write-Host -f Yellow $Group.Title
            #Get each member of the group
            ForEach($User in $Group.Users | Where{$_.contains("@")}) #Exclude system Users
            {
                write-host -f Green $User
            }
        }
    }
}

SharePoint Online: PowerShell to get users with full control

The above script just gets all users from groups with full control. What if there are users with full control permissions assigned through direct permissions?

#Parameters
$SiteURL = "https://crescent.sharepoint.com"
$ReportOutput = "C:\Temp\FullControlPermissionRpt.csv"

#Connect to Site
Connect-PnPonline -Url $SiteURL -Interactive
 
#Get the Root web
$Web = Get-PnPWeb -Includes RoleAssignments

#Loop through each permission assigned to the site and extract details
$PermissionData = @()
ForEach ($RoleAssignment in $Web.RoleAssignments)
{
    #Get the Permission Levels assigned and Member
    Get-PnPProperty -ClientObject $RoleAssignment -Property RoleDefinitionBindings, Member
     
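    #Check if "Full Control" Permission Level is assigned to the Assignment
    #-contains matches the whole name, so a custom level such as "Full Control - No Delete" is not a false hit
    If( ($RoleAssignment.RoleDefinitionBindings | Select -ExpandProperty Name) -contains "Full Control")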
    {
        $PermissionType = $RoleAssignment.Member.PrincipalType
        #Get SharePoint group members
        If($PermissionType -eq "SharePointGroup")
        {
            #Get Group Members
            $GroupMembers = Get-PnPGroupMember -Identity $RoleAssignment.Member.LoginName

            $GroupUsers = ($GroupMembers | Where {$_.LoginName -ne "SHAREPOINT\system"} | Select -ExpandProperty Email) -join "; "
            #Leave Empty Groups - Without users
            If([String]::IsNullOrEmpty($GroupUsers)){ Continue }
   
            #Add the Data to Object
            $Permissions = New-Object PSObject
            $Permissions | Add-Member NoteProperty Name($RoleAssignment.Member.Title)
            $Permissions | Add-Member NoteProperty Accounts($GroupUsers)
            $Permissions | Add-Member NoteProperty Type($PermissionType)
            $PermissionData += $Permissions
        }
        Else
        {
            #Get the User
            $User = Get-PnPUser -Identity $RoleAssignment.Member.LoginName
            #Add the Data to Object
            $Permissions = New-Object PSObject
            $Permissions | Add-Member NoteProperty Name($RoleAssignment.Member.Title)
            $Permissions | Add-Member NoteProperty Accounts($User.Email)
            $Permissions | Add-Member NoteProperty Type($PermissionType)
            $PermissionData += $Permissions
        }
    }
}
#Export Permissions data to CSV file
$PermissionData | Export-csv -path $ReportOutput -NoTypeInformation
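
For the audit use case, the exported report can be checked against a list of expected owners. The following is an added example, not part of the original script: `Get-FullControlFinding`, `$ApprovedOwners` and `$TenantDomains` are hypothetical names, and the sample rows are constructed to match the Name/Accounts/Type columns written above.

```powershell
#Constructed sample rows with the Name/Accounts/Type columns the report script exports
$ReportCsv = @'
"Name","Accounts","Type"
"Oncology Owners","alice@crescent.com; bob@crescent.com","SharePointGroup"
"Carol Vendor","carol@partner.example","User"
"Clinical Admins","","SecurityGroup"
'@

#Hypothetical baseline: accounts expected to hold Full Control, and the tenant's own mail domains
$ApprovedOwners = @("alice@crescent.com")
$TenantDomains  = @("crescent.com")

Function Get-FullControlFinding
{
    Param(
        [Parameter(Mandatory)] [Object[]]$Rows,
        [String[]]$Approved = @(),
        [String[]]$Domains = @()
    )
    ForEach ($Row in $Rows)
    {
        #The report holds no member list for directory security groups, so flag them for manual expansion
        If ($Row.Type -eq "SecurityGroup")
        {
            [PSCustomObject]@{ Principal = $Row.Name; GrantedVia = "Direct"; Finding = "GroupNotExpanded" }
            Continue
        }
        #Group members were joined with "; " in the report, so split them back into accounts
        $Accounts = $Row.Accounts -split ";" | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        $Via = If ($Row.Type -eq "SharePointGroup") { $Row.Name } Else { "Direct" }
        If (-not $Accounts)
        {
            #A principal with no e-mail on record cannot be matched against the baseline
            [PSCustomObject]@{ Principal = $Row.Name; GrantedVia = $Via; Finding = "NoEmailOnRecord" }
            Continue
        }
        ForEach ($Account in $Accounts)
        {
            If ($Approved -contains $Account) { Continue }
            $Domain = ($Account -split "@")[-1]
            $Finding = If ($Domains -contains $Domain) { "UnapprovedOwner" } Else { "ExternalDomain" }
            [PSCustomObject]@{ Principal = $Account; GrantedVia = $Via; Finding = $Finding }
        }
    }
}

$Findings = Get-FullControlFinding -Rows ($ReportCsv | ConvertFrom-Csv) -Approved $ApprovedOwners -Domains $TenantDomains
$Findings | Format-Table -AutoSize
```

To run it against a real report, replace `$ReportCsv | ConvertFrom-Csv` with `Import-Csv $ReportOutput`.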

Salaudeen Rajack


2 thoughts on “Get All SharePoint Online Users and Groups with “Full Control” (Owner) Permissions using PowerShell”

  • Nice article. The script doesn’t work if I have DG (domain security group) in the full control group. Can you please update the script?

    • After Line#38, Add:

      ElseIf($PermissionType -eq "SecurityGroup")
      {
      #AD Security Group
      }
