SharePoint Online: PowerShell to Break Folder Permission Inheritance
Requirement: Break Permission Inheritance of a Folder in SharePoint Online using PowerShell.
How to break the inheritance of a folder in SharePoint Online?
By default, folders in SharePoint Online inherit permission from their parent objects, such as document library or list. In some cases, you might want to give users different permissions for a particular folder than they have for the library or site. For example, you might want to give a group of users read-only access to a document folder, while allowing other users to add, edit, and delete items in that folder. To provide unique permissions to folders, you need to break the permission inheritance of the folder first.
Here is how to break permission inheritance in SharePoint Online:
- Navigate to your SharePoint Online library, where the folder is stored.
- Select the Folder >> Click on “Manage Access” from the folder’s context menu >> Click on the “Advanced” link in the Manage Access popup.
- On the permissions page, if the folder inherits permissions from its parent, we have to break the permission inheritance by clicking the “Stop inheriting Permissions” button. Confirm the prompt once.
Now, you can add or remove users to the folder by clicking the “Grant Permissions” button from the Grant group. Once you stop inheriting permissions – All users and groups are copied from the list or library to the folder’s permission. From this point, Any future permission changes made to the parent object no longer affect the folder!
SharePoint Online: PowerShell to Break Permission Inheritance Folder
Breaking permission inheritance is a common task performed on SharePoint Online resources such as sites, lists, and list items. Let’s break the folder’s permission Inheritance using PowerShell to give unique permissions to a folder in SharePoint Online:
#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
#Variables
$SiteURL = "https://crescent.sharepoint.com/sites/marketing/"
$FolderServerRelativeURL = "/sites/marketing/Shared Documents/2018"
Try {
#Get Credentials to connect
$Cred= Get-Credential
#Setup the context
$Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
$Ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)
#Get the Folder
$Folder = $Ctx.Web.GetFolderByServerRelativeUrl($FolderServerRelativeURL)
$Ctx.Load($Folder)
$Ctx.ExecuteQuery()
#Break Permission inheritence of the folder - Keep all existing folder permissions & keep Item level permissions
$Folder.ListItemAllFields.BreakRoleInheritance($True,$True)
$Ctx.ExecuteQuery()
Write-host "Folder's Permission Inheritance Broken Successfully!" -ForegroundColor Green
}
Catch {
write-host -f Red "Error breaking Folder Permission Inheritance!" $_.Exception.Message
}
This can be useful in situations where specific users or groups need to be granted access to a folder, but not to the entire site, list, or library.
Break Inheritance of Folder in SharePoint Online using PnP PowerShell
Wouldn’t it be good to check if the folder has unique permissions already before breaking the folder’s permissions? Well, let’s do that first and then break the folder’s permission using PnP PowerShell:
#Variables
$SiteURL = "https://crescent.sharepoint.com/sites/marketing/"
$FolderServerRelativeURL = "/sites/marketing/Shared Documents/2018"
#Connect to PnP Online
Connect-PnPOnline -Url $SiteURL -Credentials (Get-Credential) #-Interactive
#Get the Folder
$Folder = Get-PnPFolder -Url $FolderServerRelativeURL -Includes ListItemAllFields.HasUniqueRoleAssignments
If($Folder.ListItemAllFields.HasUniqueRoleAssignments)
{
Write-host "Folder is already with broken permissions!" -f Yellow
}
Else
{
#Break Folder permissions - keep all existing permissions & keep Item level permissions
$Folder.ListItemAllFields.BreakRoleInheritance($True,$True)
Invoke-PnPQuery
Write-host "Folder's Permission Inheritance is broken!!" -f Green
}
In summary, breaking a folder permission inheritance in SharePoint Online is a relatively simple process that can be accomplished through the user interface or PowerShell. By breaking the inheritance, it is possible to assign unique permissions to a folder, allowing specific users or groups to access the folder.
Once the folder’s permission inheritance is broken, you can add or remove users to the folder:
The IF loop is reversed, it needs to be “If(!$Folder.ListItemAllFields.HasUniqueRoleAssignments)” with the “!”
For the rest is works great, thanks!
Thanks for your code! Works great in most cases…
The comments below are for SharePoint Online with SharePointPnPPowerShellOnline version 3.22.2006.2.
I learned the hard way that the PnP solution has a couple of quirks. Not sure if it is PowerShell, SharePoint or sunspots…
Quirk 1 – If you set permissions for a group BEFORE breaking inheritance, the code detects broken inheritance even when it is not broken.
Quirk 2 – If you break permissions for a lower level folder and then later break the permissions for the parent folder of your lower level folder, then inheritance is TURNED BACK ON for the lower level folder.
This took several hours to figure out. I hope this saves others from chasing these same issues.
Amazing – I was looking for exactly this confirmation. I was breaking inheritance in reverse order subfolders to parent, and the subfolder break (and subsequent rights reassignment) was working perfectly. Until I broke the inheritance on the parent – then the subfolders had inheritance re-enabled and were assigned the rights from the parent. Guess I’m going to have to re-order folder processing.
Thanks,
jbw