SharePoint Online: How to Stop Inheriting Permission and Setup Unique Access to a Subsite?

Requirement: Break permission inheritance of a Subsite in SharePoint Online.

How to Break Subsite Permission Inheritance in SharePoint Online?

When we create a new subsite in SharePoint Online, we can choose whether it inherits permissions from its parent site or has unique permissions. If you need to change a subsite's permission inheritance after the site has been created, you can do so from its permission settings:

  • Navigate to the subsite in which you need to change permission inheritance.
  • Click on the Settings gear and then select “Site Settings” from the settings menu.
  • On the Site Settings page, click on the “Site Permissions” link under the “Users and Permissions” section.
  • On the site permissions page, you’ll see the message “This web site inherits permissions from its parent. (Parent Site Title)” if the site inherits permissions from its parent.
  • To configure unique permissions for the subsite, click on the “Stop inheriting permissions” button from the ribbon and confirm the prompt.
  • This takes us to the “Set Up Groups for this Site” page, where you set up the default owners, members, and visitors groups for this subsite. For each, you can either select an existing SharePoint group or create a new group.
  • Click the OK button to save.

Now go to the Site permissions page (Settings gear >> Site settings >> Site permissions), and you’ll find the site is using unique permissions. You can add new users to the site by clicking the “Grant Permissions” button, or remove the existing users and groups that you don’t want to have access to the subsite by selecting them and clicking the “Remove User Permissions” button in the ribbon.

SharePoint Online: PowerShell to break permission inheritance of a Subsite

Here is how to set up unique permissions on a subsite by breaking its permission inheritance.

#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
 
#Variables
$SiteURL = "https://crescent.sharepoint.com/sites/marketing/2018"
 
Try {
    #Get Credentials to connect
    $Cred= Get-Credential
 
    #Setup the context
    $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
    $Ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)
   
    #Get the web from URL
    $Web = $Ctx.web
    $Ctx.Load($Web)
    $Ctx.executeQuery()
 
    #Break Permission inheritance of the Web - copy the parent's role assignments ($True), keep unique permissions on child objects ($False)
    $Web.BreakRoleInheritance($True, $False)
    $Ctx.executeQuery()
    Write-host -f Green "Permission Inheritance Broken for the Subsite!"
}
Catch {
    write-host -f Red "Error Breaking Subsite Permissions!" $_.Exception.Message
}

What if you want to create new groups and associate them with the subsite as its default Owner/Member/Visitor groups?

#Load SharePoint Online Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
 
#Function to Ensure a SharePoint Online Group
Function Ensure-SPOGroup([Microsoft.SharePoint.Client.Web]$Web, $GroupName, $PermissionLevel)
{
    Try {
        $Ctx = $Web.Context
        #Get Existing Groups
        $Groups = $Web.SiteGroups
        $Ctx.Load($Groups)
        $Ctx.ExecuteQuery()
 
        #Check if the Group Exists already
        $Group = $Groups | Where { $_.Title -eq $GroupName}
        If(-Not $Group)
        {
            #Create the group
            $GroupInfo = New-Object Microsoft.SharePoint.Client.GroupCreationInformation
            $GroupInfo.Title = $GroupName
            $Group = $Web.SiteGroups.Add($GroupInfo)
            $Ctx.ExecuteQuery()
            Write-host -f Green "`tCreated Group $GroupName"
        }

        #Assign permission to the group on this web. This also covers a group that already
        #existed: it has no access here when inheritance is broken without copying role assignments
        $RoleDefinition = $Web.RoleDefinitions.GetByName($PermissionLevel)
        $RoleDefBinding = New-Object Microsoft.SharePoint.Client.RoleDefinitionBindingCollection($Ctx)
        $RoleDefBinding.Add($RoleDefinition)
        $Ctx.Load($Web.RoleAssignments.Add($Group,$RoleDefBinding))
        $Ctx.ExecuteQuery()
        Write-host -f Green "`tAssigned Permissions $PermissionLevel to Group $GroupName"
        Return $Group
    }
    catch {
        write-host -f Red "Error:" $_.Exception.Message
    }
}
 
#Setup Credentials to connect
$SiteURL = "https://crescent.sharepoint.com/sites/marketing/2018"
$Cred = Get-Credential
 
Try {
    #Setup the context
    $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
    $Ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.UserName,$Cred.Password)
 
    #Get the Web
    $Web=$Ctx.Web
    $Ctx.Load($Web)
    $Ctx.ExecuteQuery()
 
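    #Break Permission inheritance of the Web - do not copy the parent's role assignments ($False), keep unique permissions on child objects ($False)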
    $Web.BreakRoleInheritance($False, $False)
    $Ctx.executeQuery()
    Write-host -f Green "Permission Inheritance Broken for the Subsite!"

    #Set Group Names
    $OwnersGroupName = $Web.Title + " Owners"
    $MembersGroupName = $Web.Title + " Members"
    $VisitorsGroupName = $Web.Title + " Visitors"
 
    #Get Default Groups
    $OwnersGroup = Ensure-SPOGroup -Web $Web -GroupName $OwnersGroupName -PermissionLevel "Full Control"
    $MembersGroup = Ensure-SPOGroup -Web $Web -GroupName $MembersGroupName -PermissionLevel "Edit"
    $VisitorsGroup = Ensure-SPOGroup -Web $Web -GroupName $VisitorsGroupName -PermissionLevel "Read"
 
    #Associate Default Groups
    $web.AssociatedOwnerGroup  = $OwnersGroup
    $web.AssociatedOwnerGroup.Update()
    $web.AssociatedMemberGroup = $MembersGroup
    $web.AssociatedMemberGroup.Update()
    $web.AssociatedVisitorGroup = $VisitorsGroup
    $web.AssociatedVisitorGroup.Update()
    $web.Update()
    $Ctx.ExecuteQuery()
    Write-host -f Green "Default Groups Set for the Subsite!"
}
catch {
    write-host -f Red "Error:" $_.Exception.Message
}

Set Unique Permissions in a subsite using PnP PowerShell

#Parameter
$SiteURL= "https://crescent.sharepoint.com/sites/marketing/2018/"

#Connect to PnP Online
Connect-PnPOnline -Url $SiteURL -UseWebLogin  #-Credentials (Get-Credential)

#Get the Web
$Web = Get-PnPWeb

#Stop Inheriting Permissions of the subsite
$Web.BreakRoleInheritance($True, $False)
Invoke-PnPQuery

This script stops the permission inheritance of a subsite. Here is another post on setting up unique permissions on a subsite using PnP PowerShell: SharePoint Online: Create Subsite with Unique Permissions using PowerShell
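
An added example, not part of the original post: after BreakRoleInheritance($True, $False) the subsite starts with a copy of the parent's role assignments, so everyone who had access through the parent still has it. The script below lists every principal and permission level on the subsite so you can decide what to remove. It assumes the PnP PowerShell module and reuses this page's sample URL and connection method; the report column names are chosen here for illustration.

```powershell
#Parameter: the sample subsite URL used in the scripts above
$SiteURL = "https://crescent.sharepoint.com/sites/marketing/2018/"

#Connect to PnP Online, the same way as the script above
Connect-PnPOnline -Url $SiteURL -UseWebLogin

#Get the web and load the properties the audit needs
$Web = Get-PnPWeb
Get-PnPProperty -ClientObject $Web -Property HasUniqueRoleAssignments, RoleAssignments | Out-Null

If ($Web.HasUniqueRoleAssignments) {
    $Report = ForEach ($RoleAssignment in $Web.RoleAssignments) {
        #Load who the assignment is for and which permission levels it grants
        Get-PnPProperty -ClientObject $RoleAssignment -Property Member, RoleDefinitionBindings | Out-Null
        $Levels = $RoleAssignment.RoleDefinitionBindings | Select-Object -ExpandProperty Name

        #Users granted access directly (not through a group) are the entries to review first
        $IsDirectUser = ($RoleAssignment.Member.PrincipalType -eq "User")

        [PSCustomObject]@{
            Principal     = $RoleAssignment.Member.Title
            PrincipalType = $RoleAssignment.Member.PrincipalType
            LoginName     = $RoleAssignment.Member.LoginName
            Permissions   = $Levels -join "; "
            DirectUser    = $IsDirectUser
        }
    }

    #Show the effective role assignments of the subsite
    Write-Host -f Green "Subsite has unique permissions. Role assignments found:" @($Report).Count
    $Report | Sort-Object PrincipalType, Principal | Format-Table -AutoSize
}
Else {
    Write-Host -f Yellow "Subsite still inherits permissions from its parent. Break inheritance first."
}
```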

Salaudeen Rajack

Salaudeen Rajack is a SharePoint Architect with two decades of SharePoint experience. He loves sharing his knowledge and experiences with the SharePoint community through his real-world articles!

One thought on “SharePoint Online: How to Stop Inheriting Permission and Setup Unique Access to a Subsite?”

  • January 15, 2021 at 2:43 AM

    How to create a group, add user, assign edit permissions, and add the newly created group to the broken inheritance sub web only.
