SharePoint Online: Get Subsite Permission Report using PowerShell
Requirement: PowerShell script to get subsite permissions in SharePoint Online.
How to Get Subsite Permissions in SharePoint Online?
Do you need to review SharePoint Online site permissions but don’t know how? If so, this blog post is for you! With a few steps, you will be able to view all of the site permissions on any given SharePoint Online site. I have been working on a project to improve the security of our SharePoint Online site. One problem is that too many people have access to the site, and I need to figure out who can be removed from it.
To get permissions for a SharePoint Online subsite:
- Click on the Settings gear >> Click on the “Site Permissions” link.
- Click on “Advanced Permission Settings” on the site permissions page.
This gives you all users and groups that have permission to the subsite. How about creating a permission report for the site? Sure, I have created a report that lists all users with permissions on the specific SharePoint Online site. This helped me determine which users do not need access anymore.
SharePoint Online: PowerShell to Get Subsite Permissions
This PowerShell script extracts and exports all direct permissions of the given subsite (not those of any underlying objects such as lists, folders, or files). The report can be used to better understand who can access and use your site, and to determine whether any changes are needed to meet organizational security requirements.
```powershell
#Parameters
$SiteURL = "https://crescent.sharepoint.com/sites/Marketing/2020"
$ReportOutput = "C:\Temp\SitePermissionRpt.csv"

#Connect to Site
Connect-PnPOnline -Url $SiteURL -Interactive

#Get the web
$Web = Get-PnPWeb -Includes RoleAssignments

#Loop through each permission assigned and extract details
$PermissionData = @()
ForEach ($RoleAssignment in $Web.RoleAssignments)
{
    #Get the Permission Levels assigned and Member
    Get-PnPProperty -ClientObject $RoleAssignment -Property RoleDefinitionBindings, Member

    #Get the Permission Levels assigned
    $PermissionLevels = ($RoleAssignment.RoleDefinitionBindings | Select -ExpandProperty Name | Where {$_ -ne "Limited Access"}) -join ","
    $PermissionType = $RoleAssignment.Member.PrincipalType

    #Leave Principals with no Permissions
    If($PermissionLevels.Length -eq 0) {Continue}

    #Collect Permission Data
    $Permissions = New-Object PSObject
    $Permissions | Add-Member NoteProperty Name($RoleAssignment.Member.Title)
    $Permissions | Add-Member NoteProperty Type($PermissionType)
    $Permissions | Add-Member NoteProperty PermissionLevels($PermissionLevels)
    $PermissionData += $Permissions
}
$PermissionData
$PermissionData | Export-Csv -Path $ReportOutput -NoTypeInformation
```
This script gets all permissions from the subsite and generates a CSV report.
SharePoint Online: PowerShell to Get Site Permissions
While the above script extracts permissions applied on the subsite, what if you want to get each group member and the direct permissions to the site?
```powershell
#Parameters
$SiteURL = "https://crescent.sharepoint.com/sites/Marketing/2020"
$ReportOutput = "C:\Temp\SitePermissionRpt.csv"

#Connect to Site
Connect-PnPOnline -Url $SiteURL -Interactive

#Get the web
$Web = Get-PnPWeb -Includes RoleAssignments

#Loop through each permission assigned and extract details
$PermissionData = @()
ForEach ($RoleAssignment in $Web.RoleAssignments)
{
    #Get the Permission Levels assigned and Member
    Get-PnPProperty -ClientObject $RoleAssignment -Property RoleDefinitionBindings, Member

    #Get the Permission Levels assigned
    $PermissionLevels = ($RoleAssignment.RoleDefinitionBindings | Select -ExpandProperty Name | Where { $_ -ne "Limited Access"} ) -join ","

    #Leave Principals with no Permissions
    If($PermissionLevels.Length -eq 0) {Continue}
    $PermissionType = $RoleAssignment.Member.PrincipalType

    #Get SharePoint group members
    If($PermissionType -eq "SharePointGroup")
    {
        #Get Group Members
        $GroupMembers = Get-PnPGroupMember -Identity $RoleAssignment.Member.LoginName

        #Leave Empty Groups
        If($GroupMembers.count -eq 0){ Continue }
        $GroupUsers = ($GroupMembers | Select -ExpandProperty LoginName | Where { $_ -ne "SHAREPOINT\system"}) -join "; "

        #Add the Data to Object
        $Permissions = New-Object PSObject
        $Permissions | Add-Member NoteProperty Name($RoleAssignment.Member.Title)
        $Permissions | Add-Member NoteProperty Accounts($GroupUsers)
        $Permissions | Add-Member NoteProperty Type($PermissionType)
        $Permissions | Add-Member NoteProperty PermissionLevels($PermissionLevels)
        $PermissionData += $Permissions
    }
    Else
    {
        #Add the Data to Object
        $Permissions = New-Object PSObject
        $Permissions | Add-Member NoteProperty Name($RoleAssignment.Member.Title)
        $Permissions | Add-Member NoteProperty Accounts($RoleAssignment.Member.LoginName)
        $Permissions | Add-Member NoteProperty Type($PermissionType)
        $Permissions | Add-Member NoteProperty PermissionLevels($PermissionLevels)
        $PermissionData += $Permissions
    }
}

#Export Permissions data to CSV file
$PermissionData | Export-Csv -Path $ReportOutput -NoTypeInformation
```
This script gets all the users, SharePoint groups, and group members of the SharePoint Online site or subsite, along with their permissions. Please note that this script generates a permission report for the given site or subsite only, not for any underlying objects such as subsites, lists, libraries, folders, or list items. To generate the complete permissions report for the SharePoint Online site and subsites, use: SharePoint Online: Generate Permissions Report for a Site Collection using PnP PowerShell
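To turn the second script's CSV into a review list, the following added example (not part of the original post) flags rows where a tenant-wide claim, a guest account, or a directly assigned Full Control appears. The function name `Get-PermissionFinding` and the sample rows are assumptions made for illustration; the column names match the report above.

```powershell
# Constructed sample rows in the report's column layout; all values are made up.
$SampleCsv = @'
"Name","Accounts","Type","PermissionLevels"
"2020 Owners","i:0#.f|membership|admin@crescent.example","SharePointGroup","Full Control"
"2020 Visitors","c:0-.f|rolemanager|spo-grid-all-users/00000000-0000-0000-0000-000000000000","SharePointGroup","Read"
"2020 Members","i:0#.f|membership|user1@crescent.example; i:0#.f|membership|partner_vendor.example#ext#@crescent.example","SharePointGroup","Edit"
"Sample User","i:0#.f|membership|user2@crescent.example","User","Full Control,Contribute"
'@

# Hypothetical helper (not a PnP cmdlet): returns one row per principal worth reviewing.
function Get-PermissionFinding {
    param([Parameter(Mandatory)] [object[]] $Rows)

    foreach ($Row in $Rows) {
        # The report joins accounts with "; " and permission levels with ","
        $Accounts = @($Row.Accounts -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $Levels   = @($Row.PermissionLevels -split ',' | ForEach-Object { $_.Trim() })
        $Reasons  = @()

        # Login-name patterns of "Everyone" and "Everyone except external users"
        if ($Accounts | Where-Object { $_ -eq 'c:0(.s|true' -or $_ -like '*spo-grid-all-users*' }) {
            $Reasons += 'Tenant-wide claim has access'
        }
        # Guest accounts carry "#ext#" in their login name
        if ($Accounts | Where-Object { $_ -like '*#ext#*' }) {
            $Reasons += 'External (guest) account has access'
        }
        # Full Control given to an individual instead of through a group
        if ($Row.Type -eq 'User' -and $Levels -contains 'Full Control') {
            $Reasons += 'Full Control granted directly to a user'
        }

        if ($Reasons.Count -gt 0) {
            [PSCustomObject]@{
                Name             = $Row.Name
                PermissionLevels = $Row.PermissionLevels
                Findings         = $Reasons -join '; '
            }
        }
    }
}

# Run against the sample; for a real report use: Get-PermissionFinding -Rows (Import-Csv $ReportOutput)
Get-PermissionFinding -Rows ($SampleCsv | ConvertFrom-Csv) | Format-Table -AutoSize -Wrap
```

With the sample rows, the Visitors group, the Members group, and the directly assigned user are reported, while the Owners group is not.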
Request you to please share this kind of script for SharePoint 2010/2013, to export the user list of all site collections with their respective permission levels.
Use this script: SharePoint 2013/2016 Site Collection Permission Report using PowerShell
Getting following error: Get-PnPProperty : The Push Notifications feature is not activated on the site ‘https://i