SharePoint Online: Get Subsite Permission Report using PowerShell

Requirement: PowerShell script to get subsite permissions in SharePoint Online.

How to Get Subsite Permissions in SharePoint Online?

To get permissions of a SharePoint Online subsite,

Click on Setting gear >> Click on "Site Permissions" link
Click on "Advanced Permission Settings" in the site permissions page

sharepoint online powershell subsite permissions

This gives you a all users and groups that has permissions to the subsite.

SharePoint Online: PowerShell to Get Subsite Permissions

This PowerShell script extracts and exports all direct permissions of the given subsite (not any underlying objects such as list, folder, file) .

#Parameters
$SiteURL = "https://crescent.sharepoint.com/sites/Marketing/2020"
$ReportOutput = "C:\Temp\SitePermissionRpt.csv"

#Connect to Site
Connect-PnPonline -Url $SiteURL -UseWebLogin

#Get the web
$Web = Get-PnPWeb -Includes RoleAssignments

#Loop through each permission assigned and extract details
$PermissionData = @()
ForEach ($RoleAssignment in $Web.RoleAssignments)
{
    #Get the Permission Levels assigned and Member
    Get-PnPProperty -ClientObject $RoleAssignment -Property RoleDefinitionBindings, Member
    
    #Get the Permission Levels assigned
    $PermissionLevels = ($RoleAssignment.RoleDefinitionBindings | Select -ExpandProperty Name | Where {$_ -ne "Limited Access"}) -join ","
    $PermissionType = $RoleAssignment.Member.PrincipalType

    #Leave Principals with no Permissions
    If($PermissionLevels.Length -eq 0) {Continue}
    
    #Collect Permission Data
    $Permissions = New-Object PSObject
    $Permissions | Add-Member NoteProperty Name($RoleAssignment.Member.Title)
    $Permissions | Add-Member NoteProperty Type($PermissionType)
    $Permissions | Add-Member NoteProperty PermissionLevels($PermissionLevels)
    $PermissionData += $Permissions
}

$PermissionData
$PermissionData | Export-csv -path $ReportOutput -NoTypeInformation

This script gets all permissions from the subsite and generates a CSV as:

sharepoint online subsite permission report using powershell

While this script extracts permissions applied on the subsite, what if you want to get members of each group along with the direct permissions to the site?

#Parameters
$SiteURL = "https://crescent.sharepoint.com/sites/Marketing/2020"
$ReportOutput = "C:\Temp\SitePermissionRpt.csv"

#Connect to Site
Connect-PnPonline -Url $SiteURL -UseWebLogin

#Get the web
$Web = Get-PnPWeb -Includes RoleAssignments

#Loop through each permission assigned and extract details
$PermissionData = @()
ForEach ($RoleAssignment in $Web.RoleAssignments)
{
    #Get the Permission Levels assigned and Member
    Get-PnPProperty -ClientObject $RoleAssignment -Property RoleDefinitionBindings, Member
    
    #Get the Permission Levels assigned
    $PermissionLevels = ($RoleAssignment.RoleDefinitionBindings | Select -ExpandProperty Name | Where { $_ -ne "Limited Access"} ) -join ","
    
    #Leave Principals with no Permissions
    If($PermissionLevels.Length -eq 0) {Continue}

    $PermissionType = $RoleAssignment.Member.PrincipalType
    #Get SharePoint group members
    If($PermissionType -eq "SharePointGroup")
    {
        #Get Group Members
        $GroupMembers = Get-PnPGroupMembers -Identity $RoleAssignment.Member.LoginName
                  
        #Leave Empty Groups
        If($GroupMembers.count -eq 0){ Continue }
        $GroupUsers = ($GroupMembers | Select -ExpandProperty LoginName | Where { $_ -ne "SHAREPOINT\system"}) -join "; "
  
        #Add the Data to Object
        $Permissions = New-Object PSObject
        $Permissions | Add-Member NoteProperty Name($RoleAssignment.Member.Title)
        $Permissions | Add-Member NoteProperty Accounts($GroupUsers)
        $Permissions | Add-Member NoteProperty Type($PermissionType)
        $Permissions | Add-Member NoteProperty PermissionLevels($PermissionLevels)
        $PermissionData += $Permissions
    }
    Else
    {
        #Add the Data to Object
        $Permissions = New-Object PSObject
        $Permissions | Add-Member NoteProperty Name($RoleAssignment.Member.Title)
        $Permissions | Add-Member NoteProperty Accounts($RoleAssignment.Member.LoginName)
        $Permissions | Add-Member NoteProperty Type($PermissionType)
        $Permissions | Add-Member NoteProperty PermissionLevels($PermissionLevels)
        $PermissionData += $Permissions
    }
}

#Export Permissions data to CSV file
$PermissionData | Export-csv -path $ReportOutput -NoTypeInformation

This script gets all the users, SharePoint groups and members of the SharePoint Online site or subsite along with the permissions assigned to them. Please note, this script generates permission report of the given site or subsite and not the permissions of any underlying objects such as subsite, list, library, folder or list item. To generate the complete permissions report for SharePoint Online site, use: SharePoint Online: Generate Permissions Report for a Site Collection using PnP PowerShell

Disclaimer

This is my personal blog. Articles written on this blog are from my experience for my own reference and to help others.

Do not reproduce my content anywhere, in any form without my permission. If any article written on this blog violates copyright, please contact me! If you have a more elegant solution on any of the topics discussed - please post a comment, I'll be happy to hear!

This site uses cookies to personalize content, advertisements, and to analyze traffic. More here: Privacy Policy

SharePoint Diary

SharePoint Online: Get Subsite Permission Report using PowerShell

1 comment:

Social Profiles

About Me

Archive

Popular

Labels

Total Views

Disclaimer

SharePoint Video Tutors

Follow by Email

Blog Awards