SharePoint Online: How to Stop Inheriting Permission and Setup Unique Access to a Subsite?

Requirement: Break permission inheritance of a Subsite in SharePoint Online.

How to Break Subsite Permission Inheritance in SharePoint Online?
When we create a new subsite in SharePoint Online, we have an option to set its permissions: the subsite can either inherit permissions from its parent site or have unique permissions. If you need to change a subsite's permission inheritance after the site has been created, you can do so from its permission settings:
  • Navigate to the subsite in which you need to change permission inheritance.
  • Click the Settings gear and then select "Site Settings" from the settings menu.
  • On the Site Settings page, click on the "Site Permissions" link under the "Users and Permissions" section.
  • On the site permissions page, if the site inherits permissions from its parent, you'll get a message saying: "This web site inherits permissions from its parent. (Parent Site Title)".
  • To configure unique permissions for the subsite, click the "Stop inheriting permissions" button in the ribbon and confirm the prompt.
  • This takes you to the "Set Up Groups for this Site" page, where you set up the default owners, members and visitors groups of the subsite. You can either select an existing SharePoint group or create a new group.
  • Click the OK button to save.
Now go to the Site permissions page (Settings gear >> Site settings >> Site permissions), and you'll find the site is using unique permissions. You can add new users to the site by clicking the Grant Permissions button, or remove existing users and groups that should not have access to the subsite by selecting them and clicking the "Remove User Permissions" button in the ribbon.

SharePoint Online: PowerShell to break permission inheritance of a Subsite
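Here is how to set up unique permissions on a subsite by breaking permission inheritance. The first argument of BreakRoleInheritance (copyRoleAssignments) decides whether the parent's existing permissions are copied to the subsite; the second (clearSubscopes) decides whether unique permissions on child objects are reset to inherit from the subsite. With $True as the first argument, every user and group that had access through the parent keeps that access until you remove it.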
#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
 
#Variables
$SiteURL = "https://crescent.sharepoint.com/sites/marketing/2018"
 
Try {
    #Get Credentials to connect
    $Cred= Get-Credential
 
    #Setup the context
    $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
    $Ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)
   
    #Get the web from URL
    $Web = $Ctx.web
    $Ctx.Load($Web)
    $Ctx.executeQuery()
 
    #Break Permission inheritance of the Web - use existing groups from parent
    $Web.BreakRoleInheritance($True, $False)
    $Ctx.executeQuery()
    Write-host -f Green "Permission Inheritance Broken for the Subsite!"
}
Catch {
    write-host -f Red "Error Breaking Subsite Permissions!" $_.Exception.Message
}

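What if you want to create new groups and associate them as the default Owner/Member/Visitor groups of the subsite? This script breaks inheritance without copying the parent's permissions, then creates and associates the groups: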
#Load SharePoint Online Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
 
#Function to Ensure a SharePoint Online Group
Function Ensure-SPOGroup([Microsoft.SharePoint.Client.Web]$Web, $GroupName, $PermissionLevel)
{
    Try {
        $Ctx = $Web.Context
        #Get Existing Groups
        $Groups = $Web.SiteGroups
        $Ctx.Load($Groups)
        $Ctx.ExecuteQuery()
 
        #Check if the Group Exists already
        $Group = $Groups | Where { $_.Title -eq $GroupName}
        If(-Not $Group)
        {
            $GroupInfo = New-Object Microsoft.SharePoint.Client.GroupCreationInformation
            $GroupInfo.Title = $GroupName
            $Group = $Web.SiteGroups.Add($GroupInfo)
            $Ctx.ExecuteQuery()
 
            #Assign permission to the group
            $RoleDefinition = $web.RoleDefinitions.GetByName($PermissionLevel)
            $RoleDefBinding = New-Object Microsoft.SharePoint.Client.RoleDefinitionBindingCollection($Ctx)
            $RoleDefBinding.Add($RoleDefinition)
            $Ctx.Load($Web.RoleAssignments.Add($Group,$RoleDefBinding))
            $Ctx.ExecuteQuery()
            Write-host -f Green "`tCreated Group $GroupName and Assigned Permissions $PermissionLevel"
        }
        Return $Group
    }
    catch {
        write-host -f Red "Error:" $_.Exception.Message
    }
}
 
#Setup Credentials to connect
$SiteURL = "https://crescent.sharepoint.com/sites/marketing/2018"
$Cred = Get-Credential
 
Try {
    #Setup the context
    $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
    $Ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.UserName,$Cred.Password)
 
    #Get the Web
    $Web=$Ctx.Web
    $Ctx.Load($Web)
    $Ctx.ExecuteQuery()
 
    #Break Permission inheritance of the Web
    $Web.BreakRoleInheritance($False, $False)
    $Ctx.executeQuery()
    Write-host -f Green "Permission Inheritance Broken for the Subsite!"

    #Set Group Names
    $OwnersGroupName = $Web.Title + " Owners"
    $MembersGroupName = $Web.Title + " Members"
    $VisitorsGroupName = $Web.Title + " Visitors"
 
    #Get Default Groups
    $OwnersGroup = Ensure-SPOGroup -Web $Web -GroupName $OwnersGroupName -PermissionLevel "Full Control"
    $MembersGroup = Ensure-SPOGroup -Web $Web -GroupName $MembersGroupName -PermissionLevel "Edit"
    $VisitorsGroup = Ensure-SPOGroup -Web $Web -GroupName $VisitorsGroupName -PermissionLevel "Read"
 
    #Associate Default Groups
    $web.AssociatedOwnerGroup  = $OwnersGroup
    $web.AssociatedOwnerGroup.Update()
    $web.AssociatedMemberGroup = $MembersGroup
    $web.AssociatedMemberGroup.Update()
    $web.AssociatedVisitorGroup = $VisitorsGroup
    $web.AssociatedVisitorGroup.Update()
    $web.Update()
    $Ctx.ExecuteQuery()
    Write-host -f Green "Default Groups Set for the Subsite!"
}
catch {
    write-host -f Red "Error:" $_.Exception.Message
}

Set Unique Permissions in a subsite using PnP PowerShell
#Parameter
$SiteURL= "https://crescent.sharepoint.com/sites/marketing/2018/"

#Connect to PnP Online
Connect-PnPOnline -Url $SiteURL -UseWebLogin  #-Credentials (Get-Credential)

#Get the Web
$Web = Get-PnPWeb

#Stop Inheriting Permissions of the subsite
$Web.BreakRoleInheritance($True, $False)
Invoke-PnPQuery
This script stops permission inheritance of a subsite. Here is another post of mine on setting up unique permissions on a subsite using PnP PowerShell: SharePoint Online: Create Subsite with Unique Permissions using PowerShell
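Because BreakRoleInheritance($True, $False) copies the parent's role assignments, the subsite starts out with the same access list as its parent. The following added example (not part of the original post) lists who holds which permission level on the subsite so the copied entries can be reviewed and trimmed. It assumes the PnP PowerShell module and the same subsite URL as above; the report layout and the review filter are illustrative choices.

```powershell
# Added example: audit role assignments on a subsite after breaking inheritance.
# Assumes the PnP PowerShell module; URL is the one used in the post.
$SiteURL = "https://crescent.sharepoint.com/sites/marketing/2018/"
Connect-PnPOnline -Url $SiteURL -UseWebLogin

$Web = Get-PnPWeb

# HasUniqueRoleAssignments is not loaded by default, so request it explicitly
$Unique = Get-PnPProperty -ClientObject $Web -Property HasUniqueRoleAssignments
If (-Not $Unique) {
    Write-Host -f Yellow "Subsite still inherits permissions from its parent."
    Return
}

# Load the role assignments that now belong to the subsite itself
$RoleAssignments = Get-PnPProperty -ClientObject $Web -Property RoleAssignments

$Report = ForEach ($RA in $RoleAssignments) {
    # Member (user or group) and its permission levels must be loaded per assignment
    Get-PnPProperty -ClientObject $RA -Property Member, RoleDefinitionBindings | Out-Null
    [PSCustomObject]@{
        Principal     = $RA.Member.Title
        LoginName     = $RA.Member.LoginName
        PrincipalType = $RA.Member.PrincipalType
        Permissions   = ($RA.RoleDefinitionBindings | Select-Object -ExpandProperty Name) -join "; "
    }
}

# Full access list of the subsite
$Report | Sort-Object PrincipalType, Principal | Format-Table -AutoSize

# Entries worth a second look: direct user grants and anything with Full Control
$Report |
    Where-Object { $_.PrincipalType -eq "User" -or $_.Permissions -match "Full Control" } |
    Format-Table Principal, PrincipalType, Permissions -AutoSize
```

Run it once right after breaking inheritance and again after removing unwanted users and groups, and compare the two listings.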
Reviewed by Salaudeen Rajack on February 20, 2019
