Client Side Object Model (CSOM) Permission PowerShell SharePoint SharePoint Online 

SharePoint Online: Remove User Permission from All List Items using PowerShell

Salaudeen Rajack 0 Comments

Requirement: Remove user from all items in a list.

powershell to remove user from all list items in sharepoint online

SharePoint Online: Remove User Permissions from All Items using PowerShell

There are multiple items with unique permissions in a SharePoint Online list where a specific user is granted access. There is a requirement to remove the particular user from all list items where he has access. Here is the PowerShell for SharePoint Online to remove item-level permissions: 

#Load SharePoint Online Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

##Variables for Processing
$SiteUrl = "https://crescent.sharepoint.com/sites/marketing"
$ListName= "Migration Documents"
$UserAccount = "i:0#.f|membership|[email protected]"

#To call a non-generic method Load
Function Invoke-LoadMethod() {
    param(
            [Microsoft.SharePoint.Client.ClientObject]$Object = $(throw "Please provide a Client Object"),
            [string]$PropertyName
        ) 
   $ctx = $Object.Context
   $load = [Microsoft.SharePoint.Client.ClientContext].GetMethod("Load") 
   $type = $Object.GetType()
   $clientLoad = $load.MakeGenericMethod($type)
   
   $Parameter = [System.Linq.Expressions.Expression]::Parameter(($type), $type.Name)
   $Expression = [System.Linq.Expressions.Expression]::Lambda([System.Linq.Expressions.Expression]::Convert([System.Linq.Expressions.Expression]::PropertyOrField($Parameter,$PropertyName),[System.Object] ), $($Parameter))
   $ExpressionArray = [System.Array]::CreateInstance($Expression.GetType(), 1)
   $ExpressionArray.SetValue($Expression, 0)
   $clientLoad.Invoke($ctx,@($Object,$ExpressionArray))
}

#Get Credentials to connect
$Cred= Get-Credential
  
#Set up the context
$Context = New-Object Microsoft.SharePoint.Client.ClientContext($SiteUrl) 
$Context.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)
    
#Get the List
$List = $Context.web.Lists.GetByTitle($ListName)

#Get the User
$User = $Context.Web.EnsureUser($UserAccount) 
$Context.Load($User)
$Context.ExecuteQuery()
 
$Query = New-Object Microsoft.SharePoint.Client.CamlQuery
$Query.ViewXml = "<View Scope='RecursiveAll'><RowLimit>2000</RowLimit></View>"
 
#Batch process list items - to mitigate list threshold issue on larger lists
Do {  
    #Get items from the list in batches
    $ListItems = $List.GetItems($Query)
    $Context.Load($ListItems)
    $Context.ExecuteQuery()
           
    $Query.ListItemCollectionPosition = $ListItems.ListItemCollectionPosition
  
    #Loop through each List item
    ForEach($ListItem in $ListItems)
    {
        Invoke-LoadMethod -Object $ListItem -PropertyName "HasUniqueRoleAssignments"
        $Context.ExecuteQuery()

        If($ListItem.HasUniqueRoleAssignments -eq $true)
        {
            #Get List Item Permissions
            $Context.Load($ListItem.RoleAssignments)
            $Context.ExecuteQuery()

            Foreach($RoleAssignment in $ListItem.RoleAssignments)
            {
                $Context.Load($RoleAssignment.Member)
                $Context.executeQuery()
                #Is the current user is the user we search for?
                If($RoleAssignment.Member.LoginName -eq $User.LoginName)
                {
                    #Remove User from List Item Permissions
                    $ListItem.RoleAssignments.GetByPrincipal($User).DeleteObject()
                    $Context.ExecuteQuery()

                    Write-host -ForegroundColor Green ("User Removed from List Item Permissions ID {0} at {1}" -f $ListItem.ID,$ListItem["FileRef"])
                }
            }
        }
    }
    $Context.ExecuteQuery()
} While ($Query.ListItemCollectionPosition -ne $null)

This PowerShell script removes the user from all items where the user has access.

Salaudeen Rajack

Salaudeen Rajack is a SharePoint Architect with Two decades of SharePoint Experience. He loves sharing his knowledge and experiences with the SharePoint community, through his real-world articles!

Leave a Reply