SharePoint Online: Remove User Permission from All List Items using PowerShell

Requirement: Remove a user from all item permissions in a list.

How to remove user permissions from a document or item in SharePoint Online?

When a user no longer requires access to the documents in a document library, it may be necessary to remove their permissions. To remove a user’s permissions from a document in SharePoint Online, you can follow these steps:

  1. Go to your SharePoint Online site and navigate to the document library where the document is stored.
  2. Right-click the document and select “Manage Access” from the context menu.
  3. In the “Manage Access” popup, click on the little dropdown next to the user name and choose “Stop sharing”. This will remove the user from the particular document.
  4. You can also click on the “Advanced” link in the “Manage Access” popup >> click “Stop Inheriting Permissions” >> From the list of users, select the user whose permissions you want to remove.
  5. Click the “Remove User Permissions” button to delete the user.
  6. Confirm the action by clicking “OK”.
  7. Save the changes by clicking the “Save” button.

By following these steps, you can remove a user’s permissions from a specific document in SharePoint Online. Doing this manually for each document can be time-consuming, especially if there are many documents. Let’s discuss the steps to remove a user’s permissions from all documents in a document library in SharePoint Online using PowerShell.

SharePoint Online: Remove User Permissions from All Items using PowerShell

A SharePoint Online list contains multiple items with unique permissions to which a specific user has access, and the requirement is to remove that user from every one of them. Here is the PowerShell for SharePoint Online to remove item-level permissions:

#Load SharePoint Online Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

##Variables for Processing
$SiteUrl = "https://crescent.sharepoint.com/sites/marketing"
$ListName= "Migration Documents"
$UserAccount = "i:0#.f|membership|[email protected]"

#Get Credentials to connect
$Cred= Get-Credential
  
#Set up the context
$Context = New-Object Microsoft.SharePoint.Client.ClientContext($SiteUrl) 
$Context.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)
    
#Get the List
$List = $Context.web.Lists.GetByTitle($ListName)

#Get the User
$User = $Context.Web.EnsureUser($UserAccount) 
$Context.Load($User)
$Context.ExecuteQuery()
 
$Query = New-Object Microsoft.SharePoint.Client.CamlQuery
$Query.ViewXml = "<View Scope='RecursiveAll'><RowLimit>2000</RowLimit></View>"
 
#Batch process list items - to mitigate list threshold issue on larger lists
Do {  
    #Get items from the list in batches
    $ListItems = $List.GetItems($Query)
    $Context.Load($ListItems)
    $Context.ExecuteQuery()
           
    $Query.ListItemCollectionPosition = $ListItems.ListItemCollectionPosition
  
    #Loop through each List item
    ForEach($ListItem in $ListItems)
    {
        $ListItem.Retrieve("HasUniqueRoleAssignments")
        $Context.ExecuteQuery()

        If($ListItem.HasUniqueRoleAssignments -eq $true)
        {
            #Get List Item Permissions
            $Context.Load($ListItem.RoleAssignments)
            $Context.ExecuteQuery()

            Foreach($RoleAssignment in $ListItem.RoleAssignments)
            {
                $Context.Load($RoleAssignment.Member)
                $Context.executeQuery()
                #Is the current member the user we are searching for?
                If($RoleAssignment.Member.LoginName -eq $User.LoginName)
                {
                    #Remove User from List Item Permissions
                    $ListItem.RoleAssignments.GetByPrincipal($User).DeleteObject()
                    $Context.ExecuteQuery()

                    Write-host -ForegroundColor Green ("User Removed from List Item Permissions ID {0} at {1}" -f $ListItem.ID,$ListItem["FileRef"])
                    #A principal has only one role assignment per item: stop iterating the collection that was just changed
                    Break
                }
            }
        }
    }
    $Context.ExecuteQuery()
} While ($Query.ListItemCollectionPosition -ne $null) 

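This PowerShell script removes the user's direct role assignment from every item with unique permissions on which the user appears. Items that inherit their permissions are skipped, and access the user holds through a group is not touched, because the script only matches role assignments whose member is the user account itself.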

PnP PowerShell to Remove User from All Files and Folders in a Document Library

This time, let’s use PnP PowerShell to remove a user from every file and folder on which the user has been granted permissions.

#Config Variables
$SiteURL = "https://Crescent.sharepoint.com/sites/Marketing"
$ListName="Branding"
$UserAccount = "i:0#.f|membership|[email protected]"

Try {
    #Connect to PnP Online
    Connect-PnPOnline -Url $SiteURL -Interactive
    
    #Get the User
    $User = Get-PnPUser -Identity $UserAccount -ErrorAction Stop

    #Get all list items
    $ListItems =  Get-PnPListItem -List $ListName -PageSize 500 -Fields ID
    $ItemCount = $ListItems.Count

    #Iterate through each list item
    $Counter=1
    ForEach($ListItem in $ListItems)
    {
        #Display a progress bar
        Write-Progress -PercentComplete ($Counter / $ItemCount * 100) -Activity "Processing Items from List:" -Status "Checking Item '$($ListItem.FieldValues.FileRef)' ($Counter of $ItemCount)"

        #Check if the Item has unique permissions
        $HasUniquePermissions = Get-PnPProperty -ClientObject $ListItem -Property "HasUniqueRoleAssignments"
        If($HasUniquePermissions)
        { 
            #Get Permissions Assigned to the Item
            $RoleAssignments = Get-PnPProperty -ClientObject $ListItem -Property RoleAssignments
 
            #Remove user from Item permissions - If Found!
            [Bool]$UserFound = $false
            ForEach($RoleAssignment in $RoleAssignments)
            {
                $Member =  Get-PnPProperty -ClientObject $RoleAssignment -Property Member
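                If($Member.LoginName -eq $User.LoginName)
                {
                    $UserFound = $True
                    $ListItem.RoleAssignments.GetByPrincipal($User).DeleteObject()
                    Invoke-PnPQuery
                    #A principal has only one role assignment per item: stop iterating the collection that was just changed
                    Break
                }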
            }
            If($UserFound) { Write-host -f Green "Removed user from $($Listitem.FileSystemObjectType) at '$($ListItem.FieldValues.FileRef)' Permissions!" }
        }
        $Counter++
    }
}
Catch {
    write-host -f Red "Error Removing user from List Items:" $_.Exception.Message
}

This script connects to the SharePoint Online site. Then, it retrieves the specified list or document library and all its items. For each item with unique permissions, the script checks if the user has permission. If yes, the script removes the user’s permission from the item. By using the PowerShell script from this guide, you can remove a user’s permissions from all documents in a SharePoint Online document library. This can be a useful tool for revoking access for a user who no longer requires it, or when you want to make changes to the permissions for multiple documents at once.
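A read-only pass over the same library records where the account holds a direct assignment and with which permission levels. Run it before the removal to keep a record, and again afterwards to confirm that nothing is left. This is an added example, not part of the original article: the function name Get-DirectItemAccess, the report path and the account value are assumptions, and it makes no changes to permissions.

```powershell
#Config Variables
$SiteURL = "https://Crescent.sharepoint.com/sites/Marketing"
$ListName = "Branding"
$UserAccount = "i:0#.f|membership|user@example.com"   #Placeholder account
$ReportPath = ".\DirectItemAccess.csv"                 #Hypothetical output path

#Hypothetical helper: returns one record per item where the user is assigned directly
Function Get-DirectItemAccess($ListName, $User)
{
    $ListItems = Get-PnPListItem -List $ListName -PageSize 500
    ForEach($ListItem in $ListItems)
    {
        #Items that inherit permissions carry no role assignments of their own
        $HasUnique = Get-PnPProperty -ClientObject $ListItem -Property "HasUniqueRoleAssignments"
        If(-not $HasUnique) { Continue }

        $RoleAssignments = Get-PnPProperty -ClientObject $ListItem -Property RoleAssignments
        ForEach($RoleAssignment in $RoleAssignments)
        {
            #Populate the member and the permission levels bound to this assignment
            Get-PnPProperty -ClientObject $RoleAssignment -Property Member, RoleDefinitionBindings | Out-Null
            If($RoleAssignment.Member.LoginName -eq $User.LoginName)
            {
                [PSCustomObject]@{
                    ItemID           = $ListItem.Id
                    Path             = $ListItem.FieldValues.FileRef
                    PermissionLevels = ($RoleAssignment.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join "; "
                }
            }
        }
    }
}

Try {
    Connect-PnPOnline -Url $SiteURL -Interactive
    $User = Get-PnPUser -Identity $UserAccount -ErrorAction Stop

    #Collect the findings and write them to CSV as a record of the access
    $Report = @(Get-DirectItemAccess -ListName $ListName -User $User)
    $Report | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Host -f Yellow "$($Report.Count) item(s) carry a direct assignment for $($User.LoginName)"
}
Catch {
    Write-Host -f Red "Error auditing item permissions:" $_.Exception.Message
}
```

A count of zero after the removal script has run confirms that no direct item-level assignment remains; access granted through a group does not appear in this report.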

Salaudeen Rajack

Salaudeen Rajack - SharePoint Expert with Two decades of SharePoint Experience. Love to Share my knowledge and experience with the SharePoint community, through real-time articles!

One thought on “SharePoint Online: Remove User Permission from All List Items using PowerShell”

  • Hello,
    the second script entry still asks for a list entry even though it’s supposed to be for files and folders, not lists. I may be misunderstanding, though. Thank you.
