SharePoint Online Folder permission report export

Pavithra Perera 21 Reputation points
2022-10-20T07:06:52.453+00:00

Hi Team,

How to generate folder permission reports from SharePoint online.

license - M365 BS


1 answer

  1. Yi Lu_MSFT 17,361 Reputation points
    2022-10-21T02:24:05.35+00:00

    Hi @Pavithra Perera
    You could export the permission report using PowerShell:

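    #Load SharePoint CSOM assemblies (assumes the SharePoint Online Client Components SDK is installed at its default path)  
    Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"  
    Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"  
      
    Function Get-SPOFolderPermission([String]$SiteURL, [String]$FolderRelativeURL)  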
    {  
        Try{  
            #Setup the context  
            $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)  
            $Ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)  
            
            #Get the Folder  
            $Folder = $Ctx.Web.GetFolderByServerRelativeUrl($FolderRelativeURL)  
            $Ctx.Load($Folder)  
            $Ctx.ExecuteQuery()  
       
            #Get permissions assigned to the Folder  
            $RoleAssignments = $Folder.ListItemAllFields.RoleAssignments  
            $Ctx.Load($RoleAssignments)  
            $Ctx.ExecuteQuery()  
       
            #Loop through each permission assigned and extract details  
            $PermissionCollection = @()  
            Foreach($RoleAssignment in $RoleAssignments)  
            {  
                $Ctx.Load($RoleAssignment.Member)  
                $Ctx.executeQuery()  
       
                #Get the User Type  
                $PermissionType = $RoleAssignment.Member.PrincipalType  
       
                #Get the Permission Levels assigned  
                $Ctx.Load($RoleAssignment.RoleDefinitionBindings)  
                $Ctx.ExecuteQuery()  
                $PermissionLevels = ($RoleAssignment.RoleDefinitionBindings | Select -ExpandProperty Name) -join ","  
                   
                #Get the User/Group Name  
                $Name = $RoleAssignment.Member.Title # $RoleAssignment.Member.LoginName  
       
                #Add the Data to Object  
                $Permissions = New-Object PSObject  
                $Permissions | Add-Member NoteProperty Name($Name)  
                $Permissions | Add-Member NoteProperty Type($PermissionType)  
                $Permissions | Add-Member NoteProperty PermissionLevels($PermissionLevels)  
                $PermissionCollection += $Permissions  
            }  
            Return $PermissionCollection  
        }  
        Catch {  
        write-host -f Red "Error Getting Folder Permissions!" $_.Exception.Message  
        }  
    }  
        
    #Set Config Parameters  
    $SiteURL="https://domain.sharepoint.com/sites/siteB"  
    $FolderRelativeURL="/sites/siteB/Shared Documents/test2"  
        
    #Get Credentials to connect  
    $Cred= Get-Credential  
      
      
    #Call the function to get folder permissions and export to CSV file  
    Get-SPOFolderPermission $SiteURL $FolderRelativeURL | Export-CSV "C:\FolderPermissions.csv" -NoTypeInformation  
    

    This will generate a CSV file which contains the permission information for a specific folder.


    If you want to generate a permission report for a given folder and all its subfolders in SharePoint Online, you could use:

    #Function to Get Permissions Applied on a particular Folder  
    Function Get-PnPFolderPermission([Microsoft.SharePoint.Client.Folder]$Folder)  
    {  
        Try {  
            #Get permissions assigned to the Folder  
            Get-PnPProperty -ClientObject $Folder.ListItemAllFields -Property HasUniqueRoleAssignments, RoleAssignments  
        
            #Check if Folder has unique permissions  
            $HasUniquePermissions = $Folder.ListItemAllFields.HasUniqueRoleAssignments  
           
            #Loop through each permission assigned and extract details  
            $PermissionCollection = @()  
            Foreach($RoleAssignment in $Folder.ListItemAllFields.RoleAssignments)  
            {  
                #Get the Permission Levels assigned and Member  
                Get-PnPProperty -ClientObject $RoleAssignment -Property RoleDefinitionBindings, Member  
       
                #Leave the Hidden Permissions  
                If($RoleAssignment.Member.IsHiddenInUI -eq $False)  
                {     
                    #Get the Principal Type: User, SP Group, AD Group  
                    $PermissionType = $RoleAssignment.Member.PrincipalType  
                    $PermissionLevels = $RoleAssignment.RoleDefinitionBindings | Select -ExpandProperty Name  
        
                    #Remove Limited Access  
                    $PermissionLevels = ($PermissionLevels | Where { $_ -ne "Limited Access"}) -join ","  
                    If($PermissionLevels.Length -eq 0) {Continue}  
        
                    #Get SharePoint group members  
                    If($PermissionType -eq "SharePointGroup")  
                    {  
                        #Get Group Members  
                        $GroupName = $RoleAssignment.Member.LoginName  
                        $GroupMembers = Get-PnPGroupMember -Identity $GroupName  
                        
                        #Leave Empty Groups  
                        If($GroupMembers.count -eq 0){Continue}  
                        If($GroupName -notlike "*System Account*" -and $GroupName -notlike "*SharingLinks*" -and $GroupName -notlike "*tenant*" -and
                            $GroupName -notlike "Excel Services Viewers" -and $GroupName -notlike "Restricted Readers" -and $GroupName -notlike "Records Center Web Service Submitters for records")
                        {  
                            ForEach($User in $GroupMembers)  
                            {  
                                #Add the Data to Folder  
                                $Permissions = New-Object PSObject  
                                $Permissions | Add-Member NoteProperty FolderName($Folder.Name)  
                                $Permissions | Add-Member NoteProperty FolderURL($Folder.ServerRelativeUrl)  
                                $Permissions | Add-Member NoteProperty User($User.Title)  
                                $Permissions | Add-Member NoteProperty Type($PermissionType)  
                                $Permissions | Add-Member NoteProperty Permissions($PermissionLevels)  
                                $Permissions | Add-Member NoteProperty GrantedThrough("SharePoint Group: $($RoleAssignment.Member.LoginName)")  
                                $PermissionCollection += $Permissions  
                            }  
                        }  
                    }  
                    Else  
                    {  
       
                        #Add the Data to Folder  
                        $Permissions = New-Object PSObject  
                        $Permissions | Add-Member NoteProperty FolderName($Folder.Name)  
                        $Permissions | Add-Member NoteProperty FolderURL($Folder.ServerRelativeUrl)  
                        $Permissions | Add-Member NoteProperty User($RoleAssignment.Member.Title)  
                        $Permissions | Add-Member NoteProperty Type($PermissionType)  
                        $Permissions | Add-Member NoteProperty Permissions($PermissionLevels)  
                        $Permissions | Add-Member NoteProperty GrantedThrough("Direct Permissions")  
                        $PermissionCollection += $Permissions  
                    }  
                }  
            }  
            #Export Permissions to CSV File  
            $PermissionCollection | Export-CSV $ReportFile -NoTypeInformation -Append  
            Write-host -f Green "`n*** Permissions of Folder '$($Folder.Name)' at '$($Folder.ServerRelativeUrl)' Exported Successfully!***"  
        }  
        Catch {  
        write-host -f Red "Error Generating Folder Permission Report!" $_.Exception.Message  
        }  
    }  
          
    # Parameters  
    $SiteURL="https://crescent.sharepoint.com/sites/Marketing"  
    $ReportFile="C:\FolderPermissionRpt2.csv"  
    $FolderSiteRelativeURL = "/Branding/2020"  
        
    #Connect to the Site collection  
    Connect-PnPOnline -URL $SiteURL -Interactive  
       
    #Delete the file, If already exist!  
    If (Test-Path $ReportFile) { Remove-Item $ReportFile }  
       
    #Get the Folder and all Subfolders from URL  
    $Folder = Get-PnPFolder -Url $FolderSiteRelativeURL  
    $SubFolders = Get-PnPFolderItem -FolderSiteRelativeUrl $FolderSiteRelativeURL -ItemType Folder -Recursive  
       
    #Call the function to generate folder permission report  
    Get-PnPFolderPermission $Folder  
    $SubFolders | ForEach-Object { Get-PnPFolderPermission $_ }  
    


    1 person found this answer helpful.
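
Once the subfolder report from the answer above has been written, the CSV can be screened for grants that deserve a closer look. The following is an added example, not part of the original answer; the function name `Find-FolderGrantFinding`, the sample rows, and the lists of broad principals and high permission levels are assumptions to adjust for your tenant.

```powershell
# Added example: review the CSV written by the subfolder report script above.
# Sample rows are constructed; for real data use: $Rows = Import-Csv $ReportFile
$Rows = @'
"FolderName","FolderURL","User","Type","Permissions","GrantedThrough"
"2020","/sites/Marketing/Branding/2020","Everyone except external users","SecurityGroup","Read","Direct Permissions"
"2020","/sites/Marketing/Branding/2020","Alex Example","User","Full Control","Direct Permissions"
"Drafts","/sites/Marketing/Branding/2020/Drafts","Sam Sample","SharePointGroup","Edit","SharePoint Group: Marketing Members"
"Drafts","/sites/Marketing/Branding/2020/Drafts","Sam Sample","User","Read","Direct Permissions"
'@ | ConvertFrom-Csv

Function Find-FolderGrantFinding {
    Param(
        [Parameter(Mandatory)] [object[]] $Rows,
        # Assumed review policy, not taken from the original answer
        [string[]] $BroadPrincipals = @('Everyone', 'Everyone except external users'),
        [string[]] $HighLevels = @('Full Control', 'Design', 'Edit')
    )
    ForEach ($Row in $Rows) {
        # The report joins permission levels with commas; split them back out
        $Levels  = @($Row.Permissions -split ',' | ForEach-Object { $_.Trim() })
        $Reasons = @()
        If ($BroadPrincipals -contains $Row.User) { $Reasons += 'Broad principal' }
        $High = @($Levels | Where-Object { $HighLevels -contains $_ })
        If ($High.Count -gt 0 -and $Row.GrantedThrough -eq 'Direct Permissions') {
            $Reasons += "Direct high-privilege grant ($($High -join '/'))"
        }
        If ($Reasons.Count -gt 0) {
            [PSCustomObject]@{
                FolderURL = $Row.FolderURL
                Principal = $Row.User
                Type      = $Row.Type
                Levels    = $Levels -join ','
                Reason    = $Reasons -join '; '
            }
        }
    }
}

# Flagged grants, ordered by folder
Find-FolderGrantFinding -Rows $Rows | Sort-Object FolderURL, Principal | Format-Table -AutoSize

# Distinct principals per folder, to spot folders with unusually wide access
$Rows | Group-Object FolderURL | ForEach-Object {
    [PSCustomObject]@{
        FolderURL  = $_.Name
        Principals = @($_.Group.User | Sort-Object -Unique).Count
    }
} | Format-Table -AutoSize
```

Because the report script skips hidden principals and groups matching `*SharingLinks*`, access granted through sharing links does not appear in this data.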