SharePoint Online: Remove User Permission from All List Items using PowerShell
Requirement: Remove a user from all items in a list.
SharePoint Online: Remove User Permissions from All Items using PowerShell
A SharePoint Online list contains many items with unique permissions, and a specific user has been granted access on a number of them. The requirement is to remove that user from every list item where they have access. Here is the CSOM PowerShell script for SharePoint Online that removes the item-level permissions:
#Load SharePoint Online CSOM assemblies (SharePoint Online Client Components SDK)
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

#Variables for processing
$SiteUrl = "https://crescent.sharepoint.com/sites/marketing"
$ListName = "Migration Documents"
$UserAccount = "i:0#.f|membership|[email protected]"

#Helper to call the generic ClientContext.Load<T>() for a single property from PowerShell
Function Invoke-LoadMethod() {
    param(
        [Microsoft.SharePoint.Client.ClientObject]$Object = $(throw "Please provide a Client Object"),
        [string]$PropertyName
    )
    $ctx = $Object.Context
    $load = [Microsoft.SharePoint.Client.ClientContext].GetMethod("Load")
    $type = $Object.GetType()
    $clientLoad = $load.MakeGenericMethod($type)
    $Parameter = [System.Linq.Expressions.Expression]::Parameter(($type), $type.Name)
    $Expression = [System.Linq.Expressions.Expression]::Lambda([System.Linq.Expressions.Expression]::Convert([System.Linq.Expressions.Expression]::PropertyOrField($Parameter,$PropertyName),[System.Object] ), $($Parameter))
    $ExpressionArray = [System.Array]::CreateInstance($Expression.GetType(), 1)
    $ExpressionArray.SetValue($Expression, 0)
    $clientLoad.Invoke($ctx,@($Object,$ExpressionArray))
}

#Get credentials to connect
$Cred = Get-Credential

#Set up the context
#Note: SharePointOnlineCredentials uses legacy authentication; it does not work for accounts with MFA or when legacy auth is disabled on the tenant
$Context = New-Object Microsoft.SharePoint.Client.ClientContext($SiteUrl)
$Context.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.UserName, $Cred.Password)

#Get the list
$List = $Context.Web.Lists.GetByTitle($ListName)

#Get the user
$User = $Context.Web.EnsureUser($UserAccount)
$Context.Load($User)
$Context.ExecuteQuery()

#Page through files and folders 2000 at a time, below the 5000-item list view threshold
$Query = New-Object Microsoft.SharePoint.Client.CamlQuery
$Query.ViewXml = "<View Scope='RecursiveAll'><RowLimit>2000</RowLimit></View>"

Do {
    #Get the next page of items
    $ListItems = $List.GetItems($Query)
    $Context.Load($ListItems)
    $Context.ExecuteQuery()
    $Query.ListItemCollectionPosition = $ListItems.ListItemCollectionPosition

    #Loop through each list item
    ForEach ($ListItem in $ListItems)
    {
        #Only items that break inheritance can carry their own role assignments
        Invoke-LoadMethod -Object $ListItem -PropertyName "HasUniqueRoleAssignments"
        $Context.ExecuteQuery()
        If ($ListItem.HasUniqueRoleAssignments -ne $true) { Continue }

        #Get the item's permissions
        $Context.Load($ListItem.RoleAssignments)
        $Context.ExecuteQuery()

        #Look for a role assignment granted directly to this user (access via group membership is not inspected)
        $UserFound = $false
        ForEach ($RoleAssignment in $ListItem.RoleAssignments)
        {
            $Context.Load($RoleAssignment.Member)
            $Context.ExecuteQuery()
            If ($RoleAssignment.Member.LoginName -eq $User.LoginName) { $UserFound = $true; Break }
        }

        #Delete after the enumeration has finished, so the collection is not modified while it is being iterated
        If ($UserFound)
        {
            $ListItem.RoleAssignments.GetByPrincipal($User).DeleteObject()
            $Context.ExecuteQuery()
            Write-Host -ForegroundColor Green ("User removed from list item permissions, ID {0} at {1}" -f $ListItem.Id, $ListItem["FileRef"])
        }
    }
} While ($Query.ListItemCollectionPosition -ne $null)
This PowerShell script removes the user from every item with unique permissions where the user holds a direct role assignment. Items that inherit permissions from the list are skipped, and access the user gets through a SharePoint group is left in place.
PnP PowerShell to Remove User from All Files and Folders in a Document Library
This time, let's remove a user from all files and folders wherever they have permission, with the help of PnP PowerShell. A document library is itself a SharePoint list, so the library title goes into the -List parameter.
#Config variables
$SiteURL = "https://Crescent.sharepoint.com/sites/Marketing"
$ListName = "Branding"   #Title of the document library
$UserAccount = "i:0#.f|membership|[email protected]"

Try {
    #Connect to PnP Online (recent PnP.PowerShell releases also require -ClientId of your own Entra app registration)
    Connect-PnPOnline -Url $SiteURL -Interactive

    #Get the user
    $User = Get-PnPUser -Identity $UserAccount -ErrorAction Stop

    #Get all files and folders in the library; FileRef must be requested explicitly because -Fields limits what is loaded
    $ListItems = Get-PnPListItem -List $ListName -PageSize 500 -Fields "ID","FileRef"
    $ItemCount = $ListItems.Count

    #Iterate through each list item
    $Counter = 1
    ForEach ($ListItem in $ListItems)
    {
        #Display a progress bar
        Write-Progress -PercentComplete ($Counter / $ItemCount * 100) -Activity "Processing Items from List:" -Status "Checking Item '$($ListItem.FieldValues.FileRef)' ($Counter of $ItemCount)"

        #Check if the item has unique permissions
        $HasUniquePermissions = Get-PnPProperty -ClientObject $ListItem -Property "HasUniqueRoleAssignments"
        If ($HasUniquePermissions)
        {
            #Get the permissions assigned to the item
            $RoleAssignments = Get-PnPProperty -ClientObject $ListItem -Property RoleAssignments

            #Look for a role assignment granted directly to this user (access via group membership is not inspected)
            [Bool]$UserFound = $false
            ForEach ($RoleAssignment in $RoleAssignments)
            {
                $Member = Get-PnPProperty -ClientObject $RoleAssignment -Property Member
                If ($Member.LoginName -eq $User.LoginName) { $UserFound = $true; Break }
            }

            #Remove the user after the enumeration has finished, so the collection is not modified while it is being iterated
            If ($UserFound)
            {
                $ListItem.RoleAssignments.GetByPrincipal($User).DeleteObject()
                Invoke-PnPQuery
                Write-Host -f Green "Removed user from $($ListItem.FileSystemObjectType) at '$($ListItem.FieldValues.FileRef)' permissions!"
            }
        }
        $Counter++
    }
}
Catch {
    Write-Host -f Red "Error removing user from list items:" $_.Exception.Message
}
This PowerShell script removes the given user from all files and folders that have unique permissions and a role assignment granted directly to that user. Access inherited from the library, or granted through a SharePoint group, is not changed.
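Both scripts above match only role assignments whose member is the user; if the user reaches an item through a SharePoint group, that access remains after the script runs. The following PnP PowerShell script is an added example, not code from the original post. It audits every uniquely permissioned item in the library, writes both direct and group-based access for the user to a CSV, and deletes the direct role assignments only when run with -Remove. The site URL, library title, login name and report path are placeholder assumptions; Get-PnPGroupMember is used to expand SharePoint site groups, and Entra ID security groups nested inside a site group are not expanded.

```powershell
# Added example (not part of the original post): audit the user's item-level access first,
# then remove only the direct role assignments, and only when -Remove is specified.
# Site URL, library title, login name and report path below are placeholder assumptions.
param(
    [string]$SiteURL     = "https://crescent.sharepoint.com/sites/Marketing",
    [string]$ListName    = "Branding",
    [string]$UserAccount = "i:0#.f|membership|user@example.com",
    [string]$ReportPath  = "$env:TEMP\ItemPermissionAudit.csv",
    [switch]$Remove
)

# Recent PnP.PowerShell releases also require -ClientId of your own Entra app registration
Connect-PnPOnline -Url $SiteURL -Interactive
$User = Get-PnPUser -Identity $UserAccount -ErrorAction Stop

# Expand each SharePoint site group once and cache the member login names by group Id.
# Entra ID security groups nested inside a site group are not expanded here.
$GroupMemberCache = @{}
Function Test-UserInSiteGroup([int]$GroupId) {
    If (-not $GroupMemberCache.ContainsKey($GroupId)) {
        $Members = Get-PnPGroupMember -Group $GroupId -ErrorAction SilentlyContinue
        $GroupMemberCache[$GroupId] = @($Members | ForEach-Object { $_.LoginName })
    }
    Return ($GroupMemberCache[$GroupId] -contains $User.LoginName)
}

$Report = New-Object System.Collections.Generic.List[object]
$ListItems = Get-PnPListItem -List $ListName -PageSize 500 -Fields "ID","FileRef"

ForEach ($ListItem in $ListItems) {
    # Items that inherit permissions cannot carry their own role assignments
    If (-not (Get-PnPProperty -ClientObject $ListItem -Property HasUniqueRoleAssignments)) { Continue }

    $RoleAssignments = Get-PnPProperty -ClientObject $ListItem -Property RoleAssignments
    ForEach ($RoleAssignment in $RoleAssignments) {
        $Member   = Get-PnPProperty -ClientObject $RoleAssignment -Property Member
        $Bindings = Get-PnPProperty -ClientObject $RoleAssignment -Property RoleDefinitionBindings
        $Levels   = ($Bindings | ForEach-Object { $_.Name }) -join ";"

        # Direct assignment to the user, or a site group the user belongs to
        $Via = $null
        If ($Member.LoginName -eq $User.LoginName) {
            $Via = "Direct"
        }
        ElseIf ($Member.PrincipalType -eq "SharePointGroup" -and (Test-UserInSiteGroup $Member.Id)) {
            $Via = "Group"
        }
        If ($Via) {
            $Report.Add([pscustomobject]@{
                ID        = $ListItem.Id
                Path      = $ListItem.FieldValues.FileRef
                Type      = $ListItem.FileSystemObjectType
                Via       = $Via
                Principal = $Member.Title
                Levels    = $Levels
            })
        }
    }
}

$Report | Export-Csv -Path $ReportPath -NoTypeInformation
$DirectRows = @($Report | Where-Object { $_.Via -eq "Direct" })
$GroupRows  = @($Report | Where-Object { $_.Via -eq "Group" })
Write-Host ("{0} item(s) with direct access, {1} with group-based access; report written to {2}" -f $DirectRows.Count, $GroupRows.Count, $ReportPath)

If ($Remove) {
    # Remove direct assignments only; group-based access has to be handled by changing group membership
    ForEach ($Row in $DirectRows) {
        $Item = Get-PnPListItem -List $ListName -Id $Row.ID
        $Item.RoleAssignments.GetByPrincipal($User).DeleteObject()
        Invoke-PnPQuery
        Write-Host -f Green "Removed direct access at '$($Row.Path)'"
    }
}
```

Run it once without -Remove to review the CSV, then again with -Remove. Rows marked "Group" tell you which site groups still grant the user access on those items, so removing the direct assignment alone would not fully revoke it.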
Hello,
the second script entry still asks for a list entry even though it’s supposed to be for files and folders, not lists. I may be misunderstanding, though. Thank you.