SharePoint Online: Remove User Permission from All List Items using PowerShell
Requirement: Remove a user from all item permissions in a list.
How to remove user permissions from a document or item in SharePoint Online?
When a user no longer requires access to the documents in a document library, it may be necessary to remove their permissions. To remove a user’s permissions from a document in SharePoint Online, you can follow these steps:
- Go to your SharePoint Online site and navigate to the document library where the document is stored.
- Right-click the document and select “Manage Access” from the context menu.
- In the “Manage Access” popup, click on the little dropdown next to the user name and choose “Stop sharing”. This will remove the user from the particular document.
- You can also click on the “Advanced” link in the “Manage Access” popup >> click “Stop Inheriting Permissions” >> From the list of users, select the user whose permissions you want to remove.
- Click the “Remove User Permissions” button to delete the user.
- Confirm the action by clicking “OK”.
- Save the changes by clicking the “Save” button.
By following these steps, you can remove a user’s permissions from a specific document in SharePoint Online. Doing this manually for each document can be time-consuming, especially if there are many documents. Let’s discuss the steps to remove a user’s permissions from all documents in a document library in SharePoint Online using PowerShell.
SharePoint Online: Remove User Permissions from All Items using PowerShell
Suppose a SharePoint Online list contains multiple items with unique permissions, and a specific user has been granted access to some of them. The requirement is to remove that user from every list item to which they have access. Here is the PowerShell for SharePoint Online to remove item-level permissions:
#Load SharePoint Online Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
#Variables for Processing
$SiteUrl = "https://crescent.sharepoint.com/sites/marketing"
$ListName = "Migration Documents"
$UserAccount = "i:0#.f|membership|salaudeen@crescent.com"
#Get Credentials to connect
#Note: SharePointOnlineCredentials uses legacy authentication and does not work for accounts that require MFA
$Cred = Get-Credential
#Set up the context
$Context = New-Object Microsoft.SharePoint.Client.ClientContext($SiteUrl)
$Context.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)
#Get the List
$List = $Context.Web.Lists.GetByTitle($ListName)
#Get the User
$User = $Context.Web.EnsureUser($UserAccount)
$Context.Load($User)
$Context.ExecuteQuery()
#Query all items, including those in sub-folders, 2000 at a time
$Query = New-Object Microsoft.SharePoint.Client.CamlQuery
$Query.ViewXml = "<View Scope='RecursiveAll'><RowLimit>2000</RowLimit></View>"
#Batch process list items - to mitigate list threshold issue on larger lists
Do {
    #Get items from the list in batches
    $ListItems = $List.GetItems($Query)
    $Context.Load($ListItems)
    $Context.ExecuteQuery()
    $Query.ListItemCollectionPosition = $ListItems.ListItemCollectionPosition
    #Loop through each List item
    ForEach($ListItem in $ListItems)
    {
        $ListItem.Retrieve("HasUniqueRoleAssignments")
        $Context.ExecuteQuery()
        If($ListItem.HasUniqueRoleAssignments -eq $true)
        {
            #Get List Item Permissions
            $Context.Load($ListItem.RoleAssignments)
            $Context.ExecuteQuery()
            ForEach($RoleAssignment in $ListItem.RoleAssignments)
            {
                $Context.Load($RoleAssignment.Member)
                $Context.ExecuteQuery()
                #Is this entry for the user we are searching for?
                If($RoleAssignment.Member.LoginName -eq $User.LoginName)
                {
                    #Remove User from List Item Permissions
                    $ListItem.RoleAssignments.GetByPrincipal($User).DeleteObject()
                    $Context.ExecuteQuery()
                    Write-Host -ForegroundColor Green ("User Removed from List Item Permissions ID {0} at {1}" -f $ListItem.ID,$ListItem["FileRef"])
                }
            }
        }
    }
    $Context.ExecuteQuery()
} While ($Query.ListItemCollectionPosition -ne $null)
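This PowerShell script removes the user's direct permission entry from every item with unique permissions on which the user is listed. It matches each entry's login name against the user's, so access the user holds through a SharePoint group, or through permissions inherited from the list, is not changed.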
PnP PowerShell to Remove User from All Files and Folders in a Document Library
This time, let’s remove a user from all files and folders wherever he has permission with the help of PnP PowerShell.
#Config Variables
$SiteURL = "https://Crescent.sharepoint.com/sites/Marketing"
$ListName = "Branding"
$UserAccount = "i:0#.f|membership|steve@Crescent.com"
Try {
    #Connect to PnP Online
    Connect-PnPOnline -Url $SiteURL -Interactive
    #Get the User
    $User = Get-PnPUser -Identity $UserAccount -ErrorAction Stop
    #Get all list items (FileRef is requested because the progress and result messages print it)
    $ListItems = Get-PnPListItem -List $ListName -PageSize 500 -Fields ID, FileRef
    $ItemCount = $ListItems.Count
    #Iterate through each list item
    $Counter = 1
    ForEach($ListItem in $ListItems)
    {
        #Display a progress bar
        Write-Progress -PercentComplete ($Counter / $ItemCount * 100) -Activity "Processing Items from List:" -Status "Checking Item '$($ListItem.FieldValues.FileRef)' ($Counter of $ItemCount)"
        #Check if the Item has unique permissions
        $HasUniquePermissions = Get-PnPProperty -ClientObject $ListItem -Property "HasUniqueRoleAssignments"
        If($HasUniquePermissions)
        {
            #Get Permissions Assigned to the Item
            $RoleAssignments = Get-PnPProperty -ClientObject $ListItem -Property RoleAssignments
            #Remove user from Item permissions - If Found!
            [Bool]$UserFound = $false
            ForEach($RoleAssignment in $RoleAssignments)
            {
                $Member = Get-PnPProperty -ClientObject $RoleAssignment -Property Member
                If($Member.LoginName -eq $User.LoginName)
                {
                    $UserFound = $True
                    $ListItem.RoleAssignments.GetByPrincipal($User).DeleteObject()
                    Invoke-PnPQuery
                }
            }
            If($UserFound) { Write-Host -f Green "Removed user from $($ListItem.FileSystemObjectType) at '$($ListItem.FieldValues.FileRef)' Permissions!" }
        }
        $Counter++
    }
}
Catch {
    Write-Host -f Red "Error Removing user from List Items:" $_.Exception.Message
}
This script connects to the SharePoint Online site. Then, it retrieves the specified list or document library and all its items. For each item with unique permissions, the script checks if the user has permission. If yes, the script removes the user’s permission from the item. By using the PowerShell script from this guide, you can remove a user’s permissions from all documents in a SharePoint Online document library. This can be a useful tool for revoking access for a user who no longer requires it, or when you want to make changes to the permissions for multiple documents at once.
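A read-only audit to run before either removal script, as an added example that is not part of the original article: it records the user's direct entries with their permission levels, and flags group entries, which the removal scripts leave in place. It reuses the page's sample site, library and account; the $ReportPath value and the Finding labels are assumptions made for this example.

```powershell
# Added example (read-only): reports permission entries, changes nothing.
# Site, library and account are the page's sample values; $ReportPath is a placeholder.
$SiteURL     = "https://Crescent.sharepoint.com/sites/Marketing"
$ListName    = "Branding"
$UserAccount = "i:0#.f|membership|steve@Crescent.com"
$ReportPath  = ".\ItemPermissionAudit.csv"

Connect-PnPOnline -Url $SiteURL -Interactive
$User      = Get-PnPUser -Identity $UserAccount -ErrorAction Stop
$ListItems = Get-PnPListItem -List $ListName -PageSize 500 -Fields ID, FileRef
$Findings  = New-Object System.Collections.Generic.List[object]

ForEach ($ListItem in $ListItems)
{
    # Items that inherit permissions have no entries of their own to report
    $HasUnique = Get-PnPProperty -ClientObject $ListItem -Property "HasUniqueRoleAssignments"
    If (-not $HasUnique) { Continue }

    $RoleAssignments = Get-PnPProperty -ClientObject $ListItem -Property RoleAssignments
    ForEach ($RoleAssignment in $RoleAssignments)
    {
        $Member = Get-PnPProperty -ClientObject $RoleAssignment -Property Member

        # Direct entry for the user: this is what the removal scripts delete.
        # Group entry: left in place by those scripts, so membership needs a manual check.
        If ($Member.LoginName -eq $User.LoginName) { $Finding = "DirectAssignment" }
        ElseIf ($Member.PrincipalType -ne "User")  { $Finding = "GroupReviewMembership" }
        Else { Continue }

        # Permission levels bound to this entry (for example Read or Contribute)
        $Bindings = Get-PnPProperty -ClientObject $RoleAssignment -Property RoleDefinitionBindings
        $Findings.Add([PSCustomObject]@{
            ItemId           = $ListItem.Id
            Path             = $ListItem.FieldValues.FileRef
            Principal        = $Member.LoginName
            PrincipalType    = $Member.PrincipalType
            PermissionLevels = ($Bindings | ForEach-Object { $_.Name }) -join "; "
            Finding          = $Finding
        })
    }
}

# Keep the CSV as the change record; it shows what each removed entry granted
$Findings | Export-Csv -Path $ReportPath -NoTypeInformation
$Direct = @($Findings | Where-Object { $_.Finding -eq "DirectAssignment" })
Write-Host "Direct entries for $($User.LoginName): $($Direct.Count). Report: $ReportPath"
```

Running it again after the removal should report zero direct entries; the remaining group rows are the ones to check for the user's membership.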
Hello,
the second script entry still asks for a list entry even though it’s supposed to be for files and folders, not lists. I may be misunderstanding, though. Thank you.