SharePoint Online: Get Document Library Permissions and Export to CSV using PnP PowerShell
Requirement: SharePoint Online PowerShell to Get Document Library Permissions.
PnP PowerShell to Export Document Library Permissions in SharePoint Online:
This PowerShell script exports all permissions of a SharePoint Online document library.
While this script extracts permissions applied on the List, what if you want to get permissions on all underlying objects of the list, such as : Folder, List item?
Here is the sample report generated:
PnP PowerShell to Export Document Library Permissions in SharePoint Online:
This PowerShell script exports all permissions of a SharePoint Online document library.
# Parameters
$SiteUrl = "https://crescent.sharepoint.com/sites/ICDocuments"
$ReportOutput = "C:\Temp\LibraryPermissions.csv"
$LibraryName = "IC Documents"
#Connect to to PnP Online
Connect-PnPOnline -Url $SiteUrl -UseWebLogin # -Credentials (Get-Credential)
# Get the document library
$Library = Get-PnpList -Identity $LibraryName -Includes RoleAssignments
# Get all users and groups who has access
$RoleAssignments = $Library.RoleAssignments
$PermissionCollection = @()
Foreach ($RoleAssignment in $RoleAssignments)
{
#Get the Permission Levels assigned and Member
Get-PnPProperty -ClientObject $roleAssignment -Property RoleDefinitionBindings, Member
#Get the Principal Type: User, SP Group, AD Group
$PermissionType = $RoleAssignment.Member.PrincipalType
$PermissionLevels = $RoleAssignment.RoleDefinitionBindings | Select -ExpandProperty Name
#Get all permission levels assigned (Excluding:Limited Access)
$PermissionLevels = ($PermissionLevels | Where { $_ –ne "Limited Access"}) -join ","
If($PermissionLevels.Length -eq 0) {Continue}
#Get SharePoint group members
If($PermissionType -eq "SharePointGroup")
{
#Get Group Members
$GroupMembers = Get-PnPGroupMembers -Identity $RoleAssignment.Member.LoginName
#Leave Empty Groups
If($GroupMembers.count -eq 0){Continue}
ForEach($User in $GroupMembers)
{
#Add the Data to Object
$Permissions = New-Object PSObject
$Permissions | Add-Member NoteProperty User($User.Title)
$Permissions | Add-Member NoteProperty Type($PermissionType)
$Permissions | Add-Member NoteProperty Permissions($PermissionLevels)
$Permissions | Add-Member NoteProperty GrantedThrough("SharePoint Group: $($RoleAssignment.Member.LoginName)")
$PermissionCollection += $Permissions
}
}
Else
{
#Add the Data to Object
$Permissions = New-Object PSObject
$Permissions | Add-Member NoteProperty User($RoleAssignment.Member.Title)
$Permissions | Add-Member NoteProperty Type($PermissionType)
$Permissions | Add-Member NoteProperty Permissions($PermissionLevels)
$Permissions | Add-Member NoteProperty GrantedThrough("Direct Permissions")
$PermissionCollection += $Permissions
}
}
#Export Permissions to CSV File
$PermissionCollection
$PermissionCollection | Export-CSV $ReportOutput -NoTypeInformation
Write-host -f Green "Permission Report Generated Successfully!"
| SharePoint Online PowerShell to Get List Permissions |
#Function to Get Permissions on a particular on List, Folder or List Item
Function Get-PnPPermissions([Microsoft.SharePoint.Client.SecurableObject]$Object)
{
#Determine the type of the object
Switch($Object.TypedObject.ToString())
{
"Microsoft.SharePoint.Client.ListItem"
{
If($Object.FileSystemObjectType -eq "Folder")
{
$ObjectType = "Folder"
#Get the URL of the Folder
$Folder = Get-PnPProperty -ClientObject $Object -Property Folder
$ObjectTitle = $Object.Folder.Name
$ObjectURL = $("{0}{1}" -f $Web.Url.Replace($Web.ServerRelativeUrl,''),$Object.Folder.ServerRelativeUrl)
}
Else #File or List Item
{
#Get the URL of the Object
Get-PnPProperty -ClientObject $Object -Property File, ParentList
If($Object.File.Name -ne $Null)
{
$ObjectType = "File"
$ObjectTitle = $Object.File.Name
$ObjectURL = $("{0}{1}" -f $Web.Url.Replace($Web.ServerRelativeUrl,''),$Object.File.ServerRelativeUrl)
}
else
{
$ObjectType = "List Item"
$ObjectTitle = $Object["Title"]
#Get the URL of the List Item
$DefaultDisplayFormUrl = Get-PnPProperty -ClientObject $Object.ParentList -Property DefaultDisplayFormUrl
$ObjectURL = $("{0}{1}?ID={2}" -f $Web.Url.Replace($Web.ServerRelativeUrl,''), $DefaultDisplayFormUrl,$Object.ID)
}
}
}
Default
{
$ObjectType = "List or Library"
$ObjectTitle = $Object.Title
#Get the URL of the List or Library
$RootFolder = Get-PnPProperty -ClientObject $Object -Property RootFolder
$ObjectURL = $("{0}{1}" -f $Web.Url.Replace($Web.ServerRelativeUrl,''), $RootFolder.ServerRelativeUrl)
}
}
#Get permissions assigned to the object
Get-PnPProperty -ClientObject $Object -Property HasUniqueRoleAssignments, RoleAssignments
#Check if Object has unique permissions
$HasUniquePermissions = $Object.HasUniqueRoleAssignments
#Loop through each permission assigned and extract details
$PermissionCollection = @()
Foreach($RoleAssignment in $Object.RoleAssignments)
{
#Get the Permission Levels assigned and Member
Get-PnPProperty -ClientObject $RoleAssignment -Property RoleDefinitionBindings, Member
#Get the Principal Type: User, SP Group, AD Group
$PermissionType = $RoleAssignment.Member.PrincipalType
#Get the Permission Levels assigned
$PermissionLevels = $RoleAssignment.RoleDefinitionBindings | Select -ExpandProperty Name
#Remove Limited Access
$PermissionLevels = ($PermissionLevels | Where { $_ -ne "Limited Access"}) -join ","
#Leave Principals with no Permissions
If($PermissionLevels.Length -eq 0) {Continue}
#Get SharePoint group members
If($PermissionType -eq "SharePointGroup")
{
#Get Group Members
$GroupMembers = Get-PnPGroupMembers -Identity $RoleAssignment.Member.LoginName
#Leave Empty Groups
If($GroupMembers.count -eq 0){Continue}
$GroupUsers = ($GroupMembers | Select -ExpandProperty Title) -join "; "
#Add the Data to Object
$Permissions = New-Object PSObject
$Permissions | Add-Member NoteProperty Object($ObjectType)
$Permissions | Add-Member NoteProperty Title($ObjectTitle)
$Permissions | Add-Member NoteProperty URL($ObjectURL)
$Permissions | Add-Member NoteProperty HasUniquePermissions($HasUniquePermissions)
$Permissions | Add-Member NoteProperty Users($GroupUsers)
$Permissions | Add-Member NoteProperty Type($PermissionType)
$Permissions | Add-Member NoteProperty Permissions($PermissionLevels)
$Permissions | Add-Member NoteProperty GrantedThrough("SharePoint Group: $($RoleAssignment.Member.LoginName)")
$PermissionCollection += $Permissions
}
Else
{
#Add the Data to Object
$Permissions = New-Object PSObject
$Permissions | Add-Member NoteProperty Object($ObjectType)
$Permissions | Add-Member NoteProperty Title($ObjectTitle)
$Permissions | Add-Member NoteProperty URL($ObjectURL)
$Permissions | Add-Member NoteProperty HasUniquePermissions($HasUniquePermissions)
$Permissions | Add-Member NoteProperty Users($RoleAssignment.Member.Title)
$Permissions | Add-Member NoteProperty Type($PermissionType)
$Permissions | Add-Member NoteProperty Permissions($PermissionLevels)
$Permissions | Add-Member NoteProperty GrantedThrough("Direct Permissions")
$PermissionCollection += $Permissions
}
}
#Export Permissions to CSV File
$PermissionCollection | Export-CSV $ReportFile -NoTypeInformation -Append
}
#Function to get sharepoint online list permissions report
Function Generate-PnPListPermissionRpt()
{
[cmdletbinding()]
Param
(
[Parameter(Mandatory=$false)] [String] $SiteURL,
[Parameter(Mandatory=$false)] [String] $ListName,
[Parameter(Mandatory=$false)] [String] $ReportFile,
[Parameter(Mandatory=$false)] [switch] $ScanItemLevel,
[Parameter(Mandatory=$false)] [switch] $IncludeInheritedPermissions
)
Try {
#Connect to the Site
Connect-PnPOnline -URL $SiteURL -UseWebLogin
#Get the Web
$Web = Get-PnPWeb
#Function to Get Permissions of All List Items of a given List
Function Get-PnPListItemsPermission([Microsoft.SharePoint.Client.List]$List)
{
Write-host -f Yellow "`t `t Getting Permissions of List Items in the List:"$List.Title
#Get All Items from List in batches
$ListItems = Get-PnPListItem -List $List -PageSize 500
$ItemCounter = 0
#Loop through each List item
ForEach($ListItem in $ListItems)
{
#Get Objects with Unique Permissions or Inherited Permissions based on 'IncludeInheritedPermissions' switch
If($IncludeInheritedPermissions)
{
Get-PnPPermissions -Object $ListItem
}
Else
{
#Check if List Item has unique permissions
$HasUniquePermissions = Get-PnPProperty -ClientObject $ListItem -Property HasUniqueRoleAssignments
If($HasUniquePermissions -eq $True)
{
#Call the function to generate Permission report
Get-PnPPermissions -Object $ListItem
}
}
$ItemCounter++
Write-Progress -PercentComplete ($ItemCounter / ($List.ItemCount) * 100) -Activity "Processing Items $ItemCounter of $($List.ItemCount)" -Status "Searching Unique Permissions in List Items of '$($List.Title)'"
}
}
#Get the List
$List = Get-PnpList -Identity $ListName -Includes RoleAssignments
Write-host -f Yellow "`t Getting Permissions of the List..."
#Get List Permissions
Get-PnPPermissions -Object $List
#Get Item Level Permissions if 'ScanItemLevel' switch present
If($ScanItemLevel)
{
#Get List Items Permissions
Get-PnPListItemsPermission -List $List
}
Write-host -f Green "`n*** List Permission Report Generated Successfully!***"
}
Catch {
write-host -f Red "Error Generating List Permission Report!" $_.Exception.Message
}
}
#region ***Parameters***
$SiteURL="https://crescent.sharepoint.com/sites/ICDocs"
$ListName = "Documents"
$ReportFile="C:\Temp\ListPermissionRpt.csv"
#endregion
#Remove the Output report if exists
If (Test-Path $ReportFile) { Remove-Item $ReportFile }
#Call the function to generate list permission report
Generate-PnPListPermissionRpt -SiteURL $SiteURL -ListName $ListName -ReportFile $ReportFile
#Generate-PnPListPermissionRpt -SiteURL $SiteURL -ListName $ListName -ReportFile $ReportFile -ScanItemLevel
#Generate-PnPListPermissionRpt -SiteURL $SiteURL -ListName $ListName -ReportFile $ReportFile -ScanItemLevel -IncludeInheritedPermissions
Here is the sample report generated:
SharePoint Online: Get Document Library Permissions and Export to CSV using PnP PowerShell
Reviewed by Salaudeen Rajack
on
February 15, 2019
Rating:
Reviewed by Salaudeen Rajack
on
February 15, 2019
Rating:
With your second script I am only retrieving the permissions of the docLib and not of any subfolders/files. I am not sure what's wrong with the script, I have changed the parameters. Anyone else having the same problem?
ReplyDeleteIf you're not getting any errors, you may want to try uncommenting one of the other two function calls at the bottom.
Delete(Sorry, below comment was meant to be a reply).
If you're not getting any errors, you may want to try uncommenting one of the other two function calls at the bottom.
ReplyDeleteThanks to the author for an awesome script! Very useful!
Is there a script that applies these csv permissions?
ReplyDelete