SharePoint Online: Get Document Library Permissions and Export to CSV using PnP PowerShell
Requirement: SharePoint Online PowerShell to Get Document Library Permissions.
PnP PowerShell to Export Document Library Permissions in SharePoint Online:
This PowerShell script exports all permissions of a SharePoint Online document library. It can also be used to get list permissions in SharePoint Online. Note that it only extracts the permissions applied on the list itself; the second script further down extends this to the underlying objects of the list, such as folders and list items.
```powershell
#Parameters
$SiteUrl = "https://crescent.sharepoint.com/sites/ICDocuments"
$ReportOutput = "C:\Temp\LibraryPermissions.csv"
$LibraryName = "IC Documents"

#Connect to PnP Online
Connect-PnPOnline -Url $SiteUrl -UseWebLogin # -Credentials (Get-Credential)

#Get the document library
$Library = Get-PnPList -Identity $LibraryName -Includes RoleAssignments

#Get all users and groups who have access
$RoleAssignments = $Library.RoleAssignments
$PermissionCollection = @()
ForEach ($RoleAssignment in $RoleAssignments)
{
    #Get the Permission Levels assigned and Member
    Get-PnPProperty -ClientObject $RoleAssignment -Property RoleDefinitionBindings, Member

    #Get the Principal Type: User, SP Group, AD Group
    $PermissionType = $RoleAssignment.Member.PrincipalType
    $PermissionLevels = $RoleAssignment.RoleDefinitionBindings | Select -ExpandProperty Name

    #Get all permission levels assigned (Excluding: Limited Access)
    #Note: the operator must be a plain ASCII hyphen (-ne); a typographic dash breaks parsing
    $PermissionLevels = ($PermissionLevels | Where { $_ -ne "Limited Access"}) -join ","
    If($PermissionLevels.Length -eq 0) {Continue}

    #Get SharePoint group members
    If($PermissionType -eq "SharePointGroup")
    {
        #Get Group Members
        $GroupMembers = Get-PnPGroupMembers -Identity $RoleAssignment.Member.LoginName

        #Leave Empty Groups
        If($GroupMembers.count -eq 0){Continue}

        ForEach($User in $GroupMembers)
        {
            #Add the Data to Object
            $Permissions = New-Object PSObject
            $Permissions | Add-Member NoteProperty User($User.Title)
            $Permissions | Add-Member NoteProperty Type($PermissionType)
            $Permissions | Add-Member NoteProperty Permissions($PermissionLevels)
            $Permissions | Add-Member NoteProperty GrantedThrough("SharePoint Group: $($RoleAssignment.Member.LoginName)")
            $PermissionCollection += $Permissions
        }
    }
    Else
    {
        #Add the Data to Object
        $Permissions = New-Object PSObject
        $Permissions | Add-Member NoteProperty User($RoleAssignment.Member.Title)
        $Permissions | Add-Member NoteProperty Type($PermissionType)
        $Permissions | Add-Member NoteProperty Permissions($PermissionLevels)
        $Permissions | Add-Member NoteProperty GrantedThrough("Direct Permissions")
        $PermissionCollection += $Permissions
    }
}

#Export Permissions to CSV File
$PermissionCollection
$PermissionCollection | Export-CSV $ReportOutput -NoTypeInformation
Write-host -f Green "Permission Report Generated Successfully!"
```
SharePoint Online PowerShell to Get List Permissions:
This script reports the permissions on the list or library itself and, with the -ScanItemLevel switch, on every folder, file and list item in it (by default only items with unique permissions; add -IncludeInheritedPermissions to report inherited ones as well):
```powershell
#Function to Get Permissions on a particular List, Folder or List Item
Function Get-PnPPermissions([Microsoft.SharePoint.Client.SecurableObject]$Object)
{
    #Determine the type of the object
    Switch($Object.TypedObject.ToString())
    {
        "Microsoft.SharePoint.Client.ListItem"
        {
            If($Object.FileSystemObjectType -eq "Folder")
            {
                $ObjectType = "Folder"
                #Get the URL of the Folder
                $Folder = Get-PnPProperty -ClientObject $Object -Property Folder
                $ObjectTitle = $Object.Folder.Name
                $ObjectURL = $("{0}{1}" -f $Web.Url.Replace($Web.ServerRelativeUrl,''),$Object.Folder.ServerRelativeUrl)
            }
            Else #File or List Item
            {
                #Get the URL of the Object
                Get-PnPProperty -ClientObject $Object -Property File, ParentList
                If($Object.File.Name -ne $Null)
                {
                    $ObjectType = "File"
                    $ObjectTitle = $Object.File.Name
                    $ObjectURL = $("{0}{1}" -f $Web.Url.Replace($Web.ServerRelativeUrl,''),$Object.File.ServerRelativeUrl)
                }
                Else
                {
                    $ObjectType = "List Item"
                    $ObjectTitle = $Object["Title"]
                    #Get the URL of the List Item
                    $DefaultDisplayFormUrl = Get-PnPProperty -ClientObject $Object.ParentList -Property DefaultDisplayFormUrl
                    $ObjectURL = $("{0}{1}?ID={2}" -f $Web.Url.Replace($Web.ServerRelativeUrl,''), $DefaultDisplayFormUrl,$Object.ID)
                }
            }
        }
        Default
        {
            $ObjectType = "List or Library"
            $ObjectTitle = $Object.Title
            #Get the URL of the List or Library
            $RootFolder = Get-PnPProperty -ClientObject $Object -Property RootFolder
            $ObjectURL = $("{0}{1}" -f $Web.Url.Replace($Web.ServerRelativeUrl,''), $RootFolder.ServerRelativeUrl)
        }
    }

    #Get permissions assigned to the object
    Get-PnPProperty -ClientObject $Object -Property HasUniqueRoleAssignments, RoleAssignments

    #Check if Object has unique permissions
    $HasUniquePermissions = $Object.HasUniqueRoleAssignments

    #Loop through each permission assigned and extract details
    $PermissionCollection = @()
    ForEach($RoleAssignment in $Object.RoleAssignments)
    {
        #Get the Permission Levels assigned and Member
        Get-PnPProperty -ClientObject $RoleAssignment -Property RoleDefinitionBindings, Member

        #Get the Principal Type: User, SP Group, AD Group
        $PermissionType = $RoleAssignment.Member.PrincipalType

        #Get the Permission Levels assigned
        $PermissionLevels = $RoleAssignment.RoleDefinitionBindings | Select -ExpandProperty Name

        #Remove Limited Access
        $PermissionLevels = ($PermissionLevels | Where { $_ -ne "Limited Access"}) -join ","

        #Leave Principals with no Permissions
        If($PermissionLevels.Length -eq 0) {Continue}

        #Get SharePoint group members
        If($PermissionType -eq "SharePointGroup")
        {
            #Get Group Members
            $GroupMembers = Get-PnPGroupMembers -Identity $RoleAssignment.Member.LoginName

            #Leave Empty Groups
            If($GroupMembers.count -eq 0){Continue}
            $GroupUsers = ($GroupMembers | Select -ExpandProperty Title) -join "; "

            #Add the Data to Object
            $Permissions = New-Object PSObject
            $Permissions | Add-Member NoteProperty Object($ObjectType)
            $Permissions | Add-Member NoteProperty Title($ObjectTitle)
            $Permissions | Add-Member NoteProperty URL($ObjectURL)
            $Permissions | Add-Member NoteProperty HasUniquePermissions($HasUniquePermissions)
            $Permissions | Add-Member NoteProperty Users($GroupUsers)
            $Permissions | Add-Member NoteProperty Type($PermissionType)
            $Permissions | Add-Member NoteProperty Permissions($PermissionLevels)
            $Permissions | Add-Member NoteProperty GrantedThrough("SharePoint Group: $($RoleAssignment.Member.LoginName)")
            $PermissionCollection += $Permissions
        }
        Else
        {
            #Add the Data to Object
            $Permissions = New-Object PSObject
            $Permissions | Add-Member NoteProperty Object($ObjectType)
            $Permissions | Add-Member NoteProperty Title($ObjectTitle)
            $Permissions | Add-Member NoteProperty URL($ObjectURL)
            $Permissions | Add-Member NoteProperty HasUniquePermissions($HasUniquePermissions)
            $Permissions | Add-Member NoteProperty Users($RoleAssignment.Member.Title)
            $Permissions | Add-Member NoteProperty Type($PermissionType)
            $Permissions | Add-Member NoteProperty Permissions($PermissionLevels)
            $Permissions | Add-Member NoteProperty GrantedThrough("Direct Permissions")
            $PermissionCollection += $Permissions
        }
    }

    #Export Permissions to CSV File (appended, one call per object)
    $PermissionCollection | Export-CSV $ReportFile -NoTypeInformation -Append
}

#Function to get SharePoint Online list permissions report
Function Generate-PnPListPermissionRpt
{
    [cmdletbinding()]
    Param
    (
        [Parameter(Mandatory=$false)] [String] $SiteURL,
        [Parameter(Mandatory=$false)] [String] $ListName,
        [Parameter(Mandatory=$false)] [String] $ReportFile,
        [Parameter(Mandatory=$false)] [switch] $ScanItemLevel,
        [Parameter(Mandatory=$false)] [switch] $IncludeInheritedPermissions
    )
    Try
    {
        #Function to Get Permissions of All List Items of a given List
        Function Get-PnPListItemsPermission([Microsoft.SharePoint.Client.List]$List)
        {
            Write-host -f Yellow "`t `t Getting Permissions of List Items in the List:"$List.Title

            #Get All Items from List in batches
            $ListItems = Get-PnPListItem -List $List -PageSize 500

            $ItemCounter = 0
            #Loop through each List item
            ForEach($ListItem in $ListItems)
            {
                #Get Objects with Unique Permissions or Inherited Permissions based on 'IncludeInheritedPermissions' switch
                If($IncludeInheritedPermissions)
                {
                    Get-PnPPermissions -Object $ListItem
                }
                Else
                {
                    #Check if List Item has unique permissions
                    $HasUniquePermissions = Get-PnPProperty -ClientObject $ListItem -Property HasUniqueRoleAssignments
                    If($HasUniquePermissions -eq $True)
                    {
                        #Call the function to generate Permission report
                        Get-PnPPermissions -Object $ListItem
                    }
                }
                $ItemCounter++
                Write-Progress -PercentComplete ($ItemCounter / ($List.ItemCount) * 100) -Activity "Processing Items $ItemCounter of $($List.ItemCount)" -Status "Searching Unique Permissions in List Items of '$($List.Title)'"
            }
        }

        #Get the List
        $List = Get-PnPList -Identity $ListName -Includes RoleAssignments

        Write-host -f Yellow "Getting Permissions of the List '$ListName'..."
        #Get List Permissions
        Get-PnPPermissions -Object $List

        #Get Item Level Permissions if 'ScanItemLevel' switch present
        If($ScanItemLevel)
        {
            #Get List Items Permissions
            Get-PnPListItemsPermission -List $List
        }
        Write-host -f Green "`t List Permission Report Generated Successfully!"
    }
    Catch
    {
        Write-host -f Red "Error Generating List Permission Report!" $_.Exception.Message
    }
}

#region ***Parameters***
$SiteURL="https://crescent.sharepoint.com/sites/marketing"
$ListName = "Branding"
$ReportFile="C:\Temp\ListPermissionRpt.csv"
#endregion

#Remove the Output report if exists
If (Test-Path $ReportFile) { Remove-Item $ReportFile }

#Connect to the Site
Connect-PnPOnline -URL $SiteURL -Credentials (Get-Credential)

#Get the Web
$Web = Get-PnPWeb

#Call the function to generate list permission report
Generate-PnPListPermissionRpt -SiteURL $SiteURL -ListName $ListName -ReportFile $ReportFile
#Generate-PnPListPermissionRpt -SiteURL $SiteURL -ListName $ListName -ReportFile $ReportFile -ScanItemLevel
#Generate-PnPListPermissionRpt -SiteURL $SiteURL -ListName $ListName -ReportFile $ReportFile -ScanItemLevel -IncludeInheritedPermissions
```
Here is the SharePoint Online document library permission report generated by the PowerShell:
How about generating a permissions report for all document libraries in a site? Just call the function Generate-PnPListPermissionRpt for all libraries! The function (and the Get-PnPPermissions function it depends on) must be defined in the same .ps1 file, or dot-sourced, before this code runs. Here is how:
```powershell
#region ***Parameters***
$SiteURL="https://crescent.sharepoint.com/sites/marketing"
$ReportsPath="C:\Temp\"
#endregion

#Connect to PnP Online
Connect-PnPOnline -Url $SiteURL -Credentials (Get-Credential)

#Get the Web
$Web = Get-PnPWeb

#Get all document libraries - Exclude Hidden Libraries
$DocumentLibraries = Get-PnPList | Where-Object {$_.BaseType -eq "DocumentLibrary" -and $_.Hidden -eq $false}

ForEach($Library in $DocumentLibraries)
{
    #One CSV report per library
    $ReportFile = [string]::Concat($ReportsPath, $Library.Title, ".csv")

    #Remove the Output report if exists
    If (Test-Path $ReportFile) { Remove-Item $ReportFile }

    #Call the function to generate list permission report
    Generate-PnPListPermissionRpt -SiteURL $SiteURL -ListName $Library.Title -ReportFile $ReportFile
}
```
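As an added example, not from the original post, the following PowerShell reads the per-library CSV reports written by the script above and flags the grants a reviewer would look at first: Full Control or Edit given as a direct permission rather than through a group, grants that involve the tenant-wide "Everyone" principals, and files or folders whose permission inheritance has been broken. The column names are those produced by Get-PnPPermissions; it assumes the reports are saved with a .csv extension, and the "Everyone" name match is an assumption about how the principals are displayed in your tenant.

```powershell
#region Parameters (constructed for this example)
$ReportsPath = "C:\Temp\"
$SummaryFile = "C:\Temp\PermissionFindings.csv"
#endregion

#Load every per-library report and tag each row with the library it came from
$Rows = Get-ChildItem -Path $ReportsPath -Filter "*.csv" |
            Where-Object { $_.Name -ne (Split-Path $SummaryFile -Leaf) } |
            ForEach-Object {
                $Library = $_.BaseName
                Import-Csv -Path $_.FullName | Select-Object *, @{n="Library";e={$Library}}
            }

$Findings = @()
ForEach ($Row in $Rows)
{
    $Levels = $Row.Permissions -split ","
    $Reasons = @()

    #1. Direct grants of high-privilege levels bypass group-based governance
    If ($Row.GrantedThrough -eq "Direct Permissions" -and ($Levels -contains "Full Control" -or $Levels -contains "Edit"))
    { $Reasons += "Direct $($Row.Permissions) grant" }

    #2. Tenant-wide principals ('Everyone', 'Everyone except external users'); assumed display names
    If ($Row.Users -match '\bEveryone\b')
    { $Reasons += "Broad access via an Everyone principal" }

    #3. Items with broken inheritance are where stale grants accumulate (CSV stores the flag as text)
    If ($Row.Object -in @("File","Folder","List Item") -and $Row.HasUniquePermissions -eq "True")
    { $Reasons += "Unique permissions on $($Row.Object)" }

    If ($Reasons.Count -gt 0)
    {
        $Findings += [PSCustomObject]@{
            Library = $Row.Library; Object = $Row.Object; Title = $Row.Title
            URL = $Row.URL; Users = $Row.Users; Permissions = $Row.Permissions
            GrantedThrough = $Row.GrantedThrough; Finding = ($Reasons -join "; ")
        }
    }
}

#Summary per library on screen, full list to CSV for review
$Findings | Group-Object Library | Select-Object Name, Count | Format-Table -AutoSize
$Findings | Export-Csv -Path $SummaryFile -NoTypeInformation
Write-Host -f Green "$($Findings.Count) findings written to $SummaryFile"
```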
With your second script I am only retrieving the permissions of the docLib and not of any subfolders/files. I am not sure what's wrong with the script, I have changed the parameters. Anyone else having the same problem?
If you're not getting any errors, you may want to try uncommenting one of the other two function calls at the bottom.
Thanks to the author for an awesome script! Very useful!
Is there a script that applies these csv permissions?
Hi, thank you for the script, but I am getting this error: Error Generating List Permission Report! Cannot process argument transformation on parameter 'Object'. Cannot convert the "Microsoft.SharePoint.Client.List" value of type "Microsoft.SharePoint.Client.List" to type "Microsoft.SharePoint.Client.SecurableObject".
Any help?
Did you ever figure this out?
Hello, I might be on the right page here since I'm looking for ways to export the list of users that have access to document libraries in one of our SharePoint Online sites. May I know, please (and I would really appreciate it), if you can guide me to achieve these:
1. How to connect to SharePoint Online with MFA-enabled security
2. How to export to Excel all the permissions of every document library in our site?
Thanks upfront for your time ;)
1. Use this article: How to Connect to SharePoint Online from PowerShell using MFA Enabled Account?
2. Just call the function Generate-PnPListPermissionRpt for all libraries! The article has been appended!
Thanks for your time looking at it. I saved your recently added section "Generate-PnPListPermissionRpt" as a .ps1 and ran it, but I am prompted for a username and password. Normally we log in with MFA.
Instead of "Connect-PnPOnline -URL $SiteURL -Credentials (Get-Credential)", use: Connect-PnPOnline -URL $SiteURL -UseWebLogin to log in with MFA-enabled accounts.
@Salaudeen, thank you for a lot of patience with me. When I run the script after using "-UseWebLogin", I get the error message below:
PS C:\Users\myname\Documents\PowerShell\VN> .\DocLibrary.ps1 Generate-PnPListPermissionRpt : The term 'Generate-PnPListPermissionRpt' is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the
path is correct and try again.
At C:\Users\myname\Documents\PowerShell\VN\DocLibrary.ps1:22 char:5
+ Generate-PnPListPermissionRpt -SiteURL $SiteURL -ListName $Librar ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Generate-PnPListPermissionRpt:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Hi, this failed for me with:
Unexpected token '–ne "Limited' in expression or statement.
because it didn't like the line trying to filter limited access (this one)
$PermissionLevels = ($PermissionLevels | Where { $_ -ne "Limited Access"}) -join ","
I got around this by changing this line
$PermissionLevels = $RoleAssignment.RoleDefinitionBindings | Select -ExpandProperty Name
to filter out the Limited Access level
$PermissionLevels = $RoleAssignment.RoleDefinitionBindings |?{$_.Name -ne "Limited Access"}| Select -ExpandProperty Name
and then removing the offending line completely. I hope that helps someone else 8-)