Get User Effective Permissions in SharePoint Online using PowerShell

Requirement: Get effective permissions granted to a user on a SharePoint Online site using PowerShell.

PowerShell to Get User’s Effective Permissions in SharePoint Online

Here is how to use the “GetUserEffectivePermissions” method to retrieve all effective permissions a specific user has on a given SharePoint site.

#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

#Parameters
$SiteUrl = "https://salaudeen.sharepoint.com/sites/Retail"
$AdminAccount = "Admin@salaudeen.com"
$UserName = "Steve@salaudeen.com"

Try {
    # Connect to SharePoint Online
    $password = Read-Host -Prompt "Enter password" -AsSecureString
    $credential = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($AdminAccount, $password)

    $ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteUrl)
    $ctx.Credentials = $credential

    #Get the site
    $web = $ctx.Web
    $ctx.Load($web)
    $ctx.ExecuteQuery()

    #Get the user
    $User=$web.EnsureUser($UserName)
    $ctx.Load($User)
    $ctx.ExecuteQuery()

    # Retrieve the user permissions on the site
    $Permissions = $web.GetUserEffectivePermissions($user.LoginName)
    $ctx.ExecuteQuery()

    #Get all base permissions granted to the user
    $PermissionKindObj = New-Object Microsoft.SharePoint.Client.PermissionKind
    $PermissionKindType = $PermissionKindObj.GetType()

    #Test each PermissionKind value against the returned permission mask
    ForEach ($PermissionKind in [System.Enum]::GetValues($PermissionKindType))
    {
        $HasPermission = $Permissions.Value.Has($PermissionKind)
        if ($HasPermission)
        {
            Write-Host $PermissionKind.ToString()
        }
    }
}
Catch {
    write-host -f Red "Error:" $_.Exception.Message
}

This script gets all permissions, such as “AddListItems”, “EditListItems”, “DeleteListItems”, etc., for the given user on the given site.

We can use this method to check the user’s permissions on any SharePoint object, such as a site, list or library, folder, list item, or file.
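As an added example (not part of the original script), the same call can be made on a list and compared with the site-level result, which is useful when reviewing access for rights a user holds in one scope but not the other. The list title "Documents" and the $HighRisk set of rights to flag are assumptions for illustration; the helper function name is hypothetical.

```powershell
#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

#Parameters
$SiteUrl = "https://salaudeen.sharepoint.com/sites/Retail"
$AdminAccount = "Admin@salaudeen.com"
$UserName = "Steve@salaudeen.com"
$ListTitle = "Documents"   #Assumed list title
$HighRisk = "FullMask", "ManagePermissions", "ManageWeb", "ManageLists", "ManageSubwebs"   #Assumed review set

#Hypothetical helper: names of the PermissionKind values a user holds on a web or list
Function Get-EffectivePermissionNames($Context, $SecurableObject, $LoginName)
{
    $Result = $SecurableObject.GetUserEffectivePermissions($LoginName)
    $Context.ExecuteQuery()
    $Empty = [Microsoft.SharePoint.Client.PermissionKind]::EmptyMask
    #EmptyMask is the zero value of the enum, not a right, so it is skipped
    [System.Enum]::GetValues([Microsoft.SharePoint.Client.PermissionKind]) |
        Where-Object { $_ -ne $Empty -and $Result.Value.Has($_) } |
        ForEach-Object { $_.ToString() }
}

Try {
    $Password = Read-Host -Prompt "Enter password" -AsSecureString
    $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteUrl)
    $Ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($AdminAccount, $Password)

    $Web = $Ctx.Web
    $List = $Web.Lists.GetByTitle($ListTitle)
    $User = $Web.EnsureUser($UserName)
    $Ctx.Load($User)
    $Ctx.ExecuteQuery()

    $SitePerms = @(Get-EffectivePermissionNames $Ctx $Web $User.LoginName)
    $ListPerms = @(Get-EffectivePermissionNames $Ctx $List $User.LoginName)

    #Rights present in only one scope indicate permissions that differ from the site
    $ListOnly = @($ListPerms | Where-Object { $_ -notin $SitePerms })
    $SiteOnly = @($SitePerms | Where-Object { $_ -notin $ListPerms })
    $Flagged = @($SitePerms + $ListPerms | Where-Object { $_ -in $HighRisk } | Select-Object -Unique)

    Write-Host "Only on list '$ListTitle':" ($ListOnly -join ", ")
    Write-Host "Only on site:" ($SiteOnly -join ", ")
    Write-Host -f Yellow "High-privilege rights held:" ($Flagged -join ", ")
}
Catch {
    Write-Host -f Red "Error:" $_.Exception.Message
}
```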

Salaudeen Rajack
