PS script to check what sites the user has access to

Question

PS script to check what sites the user has access to

SR VSP 1,251

Hi Guys,

I'm looking for a PS script to check what sites the user has access to across the teanant in SharePoint Online. Any help ?

Ex: If we input a user email id that should give all the sites the user has access to

@Jerry Xu-MSFT

2 answers

Your answer

Answer 1

Tasadduq Burney 8,956 MVP Volunteer Moderator

Here's a PowerShell script that should give you the list of all sites the user has access to in SharePoint Online:

# Connect to SharePoint
Connect-SPOService -Url https://contoso-admin.sharepoint.com

# Set the user's email address
$userEmail = "user@example.com"

# Get all site collections in the tenant
$sites = Get-SPOSite -Limit All

# Loop through each collection and check if the user has access
foreach ($site in $sites) {

    # Get the user's permissions for the site collection

    $permissions = Get-SPOUser -Site $site.Url -LoginName $userEmail -ErrorAction SilentlyContinue
    if ($permissions) {

        # If the user has permissions, output the site collection URL

        Write-Host "User $($userEmail) has access to $($site.Url)"
    }
}

SR VSP 1,251 Reputation points

2023-05-04T13:22:11.4666667+00:00

Thank you so much for your response. Can you export those sites which user has access to in to a CSV file ?
SR VSP 1,251 Reputation points

2023-05-04T13:29:10.9033333+00:00

and this is printing in the output for all the sites as a default message even if the user dont have access to those sites "User has access to $($site.Url)"

Get-SpoUser: Access is denied.(Exception from HResult....)

Kevin Pinel 0

@SR VSP Access denied would come from when your account is trying to query the site permissions. This would be the case in our tenant where our accounts do not have any overarching permissions on the sites like the server farm admins would have back in the day.

Outputting to CSV would be a matter of adding 2 lines

$SiteList = @()	## Declare an array to hold the site names and URLs
# Loop through each collection and check if the user has access
foreach ($site in $sites) {

    # Get the user's permissions for the site collection

    $permissions = Get-SPOUser -Site $site.Url -LoginName $userEmail -ErrorAction SilentlyContinue
    if ($permissions) {

        # If the user has permissions, output the site collection URL

        Write-Host "User $($userEmail) has access to $($site.Url)"
		$SiteList += $Site | select-object Name,Url		## Add site name and URL to the list
    }
}
$SiteList | Export-Csv ".\PathToCsv\$($UserEmail -replace '@','_AT_')-sites.csv" -NoTypeInformation	## Creates the CSV with the user's email replacing the @ with _AT_

Yannick Levesque 0 Reputation points

2023-12-14T16:49:30.8+00:00

There is a flaw in the script that cause false positive, the permission variable does not get reinitialize on every loop.

Add Clear-Variable -Name permissions after the Write-host to fix it.

Mark Johnston 10

You can use Try/Catch to list out the sites that the user has and doesn't have access to. Replace the last part of the script with:

# Loop through each collection and check if the user has access
foreach ($site in $sites) {      
	# Get the user's permissions for the site collection  	
	Try { 	    
		$permissions = Get-SPOUser -Site $site.Url -LoginName $userEmail -ErrorAction SilentlyContinue         
		Write-Host "User $($userEmail) has access to $($site.Url)"
	} Catch { 		
		Write-Host "User $($userEmail) does not have access to $($site.Url)" 	} 
}

Mark Johnston 10

Using the scripts above and adding in an iteration over a set of user emails, this script will, slowly, go through your site and list out permissions both to the output and a CSV file.

# Connect to SharePoint
Connect-SPOService -Url https://YOURSITE-admin.sharepoint.com/  

#list of users' emails 
$userList = @("******@YOURSITE.com","******@YOURSITE.com","******@YOURSITE.com")  
$SiteList = @()	## Declare an array to hold the site names and URLs  

# Loop through the user's email addresses
ForEach ($userEmail in $userList) {   

	# Get all site collections in the tenant 
	$sites = Get-SPOSite -Limit All  
	
	# Loop through each collection and check if the user has access 
	foreach ($site in $sites) {     
		# Get the user's permissions for the site collection 	 	
		$siteInfo = $Site | select-object Url  	
		Try { 	    
			$permissions = Get-SPOUser -Site $site.Url -LoginName $userEmail -ErrorAction SilentlyContinue         
			Write-Host "User $($userEmail) has access to $($site.Url)" 		
			$SiteList += [PSCustomObject]@{ URL = $site.Url; User = $userEmail; Access = "True"}
		 } 	Catch { 		
			Write-Host "User $($userEmail) does not have access to $($site.Url)" 		
			$SiteList += [PSCustomObject]@{ URL = $site.Url; User = $userEmail; Access = "False"}	 	
		}
	}
} 
$SiteList | Export-Csv ".\downloads\user-access-sites.csv" -NoTypeInformation

Brandon Capes 0 Reputation points

2024-08-28T18:54:45.2266667+00:00

Thanks Mark!

Answer 2

Xyza Xue_MSFT 30,176 Microsoft External Staff

Hi @Srini VSP ,

As far as I know this shouldn't be possible using Powershell. It’s very easy to export “who has access to this particular resource” but much more difficult to export “what resources does specific have access to?”

I tested the code provided by Tasadduq Burney , and the output of this PS code seems to show that I have access to all site urls in the teanant (as shown in the figure below, it shows that I have access to the site "test1232", but actually I cannot access ). Even I can help you to modify the PS code to make it output to csv file.

User's image

I found a discussion with the same requirement as yours ( Possibly achievable via MS Graph or other methods), you can check it out:

https://www.reddit.com/r/sharepoint/comments/10eob9v/list_all_sites_a_user_has_access_to/

Maybe you can take a look at this, this approach also meets your needs.: Use Search to List All the Sites You Have Access
Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

SR VSP 1,251 Reputation points

2023-05-05T13:46:34.2533333+00:00

Haoyan - thanks a lot for sharing the article the user has access to . It seems this was displaying only the sites which i've access to. Do you know how to check for the other users ? If i have Global admin role/SharePoint admin role can we check ?
Xyza Xue_MSFT 30,176 Reputation points Microsoft External Staff

2023-05-08T06:40:11.7866667+00:00

Unfortunately, this method can only view the list of sites that you yourself have permission to access.

Even if you have a Global admin role/SharePoint admin role, you cannot view other people's accessible lists. This involves permission issues and has nothing to do with roles.
SR VSP 1,251 Reputation points

2023-05-08T16:22:33.55+00:00

@Echo Du_MSFT any advice here ?
Yanli Jiang - MSFT 31,596 Reputation points Microsoft External Staff

2023-05-09T06:44:18.4233333+00:00

Hi @Srini VSP ,

According to our research and consultation with Graph engineers, unfortunately, there is currently no way to obtain other user's access lists. As @Xyza Xue_MSFT said, even if you are a Global Admin, it is impossible to have the authority of all sites, and the basis for obtaining the authority list in SharePoint is that the account has sufficient authority for the site.

Of course, if you have new ideas on this issue, you can also tell us, and we will verify whether it can be realized.
Carlos Lino 6 Reputation points

2023-06-24T16:57:09.3033333+00:00

Any update or advice?

I found another way https://www.sharepointdiary.com/2021/06/sharepoint-online-show-all-sites-you-have-access-to.html but it resolves for the time being , although it is not productive.

Share via

PS script to check what sites the user has access to

2 answers

Your answer