Only allow read permissions to a SharePoint Online folder

Jonathan Zahler 0 Reputation points

Hey everyone!

I have a complex SharePoint online structure with very detailed permissions.

We recently came across a possible need to lock down around 800 folders (throughout the structure) to only allow read permissions.

There are currently around 20-30 groups of unique permissions in each folder.

As such I am looking for a way to script this.



1 answer

  1. RaytheonXie_MSFT 24,531 Reputation points Microsoft Vendor

    Hi @Jonathan Zahler,

    Per my test, you can use the following code to remove a user from folder permissions via a CSV file with PowerShell:

    #Config Variables  
    $SiteURL = ""  
    $CSVFile = "C:\Temp\Folders.csv"  
    $UserAccount = "i:0#.f|membership|"  
    Try {  
        #Connect to PnP Online  
        Connect-PnPOnline -Url $SiteURL -Interactive  
        #Get content from CSV file (expects a "URL" column with site-relative folder URLs)  
        Import-Csv $CSVFile | ForEach-Object {  
            Write-host "Processing Folder:"$_.URL  
            #Get the Folder from URL  
            $Folder = Get-PnPFolder -Url $_.URL  
            #Get Folder Item  
            $FolderItem = Get-PnPProperty -ClientObject $Folder -Property ListItemAllFields  
            $HasUniquePerm =  Get-PnPProperty -ClientObject $FolderItem -Property HasUniqueRoleAssignments  
            #Break Permission Inheritance only if the folder still inherits (copies the parent's permissions)  
            If(-Not $HasUniquePerm) {  
                $FolderItem.BreakRoleInheritance($True, $True)  
                Invoke-PnPQuery  
                Write-host "`tFolder's Permission Inheritance Broken!"  
            }  
            #Get the User  
            $User = Get-PnPUser -Identity $UserAccount -ErrorAction Stop  
            #Get Permissions from the Folder  
            $RoleAssignments = Get-PnPProperty -ClientObject $FolderItem -Property RoleAssignments  
            #Remove user from folder permissions  
            #(iterate over a copy with @() so deleting an assignment does not modify the collection being enumerated)  
            [Bool]$UserFound = $false  
            ForEach($RoleAssignment in @($RoleAssignments)) {  
                $Member =  Get-PnPProperty -ClientObject $RoleAssignment -Property Member  
                If($Member.LoginName -eq $User.LoginName) {  
                    $UserFound = $True  
                    #Queue deletion of this role assignment  
                    $RoleAssignment.DeleteObject()  
                }  
            }  
            If($UserFound) {  
                #Commit the queued deletion to SharePoint  
                Invoke-PnPQuery  
                Write-host "`tRemoved user from Folder Permission!"  
            }  
        }  
    }  
    Catch {  
        write-host -f Red "Error Removing user from Folder:" $_.Exception.Message  
    }  

    After deleting the permissions, you can grant access with the following code

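The answer above removes one user from each folder, but the question asks for something different: every existing principal on roughly 800 folders should keep access but be reduced to read-only. The script below is an added example, not code from the original answer or from Microsoft. It assumes the PnP.PowerShell module, a CSV with a "URL" column of site-relative folder URLs, and placeholder values for the site URL and for a group whose permissions should be left alone; it runs as a dry run until $WhatIf is set to $false. For each folder it breaks inheritance if needed (copying the parent's assignments so nobody loses access), then replaces the role bindings of every other role assignment with the built-in "Read" role, skipping system-managed "Limited Access" entries.

```powershell
# Added example (not from the original answer). Downgrades every role assignment on the
# folders listed in a CSV to the built-in "Read" role while keeping the principals themselves.
# Assumptions: PnP.PowerShell is installed; Folders.csv has a "URL" column with site-relative
# folder URLs (e.g. "Shared Documents/Projects/Alpha"); the values below are placeholders.
$SiteURL  = "https://contoso.sharepoint.com/sites/marketing"   # placeholder, replace
$CSVFile  = "C:\Temp\Folders.csv"                              # placeholder, replace
$KeepAsIs = @("Marketing Owners")   # principals (by display Title) to leave untouched; placeholder
$WhatIf   = $true                   # report only; set to $false to write the changes

Connect-PnPOnline -Url $SiteURL -Interactive

# Resolve the "Read" role definition once and reuse it for every folder
$ReadRole = Get-PnPRoleDefinition -Identity "Read"

Import-Csv $CSVFile | ForEach-Object {
    $FolderUrl = $_.URL
    Write-Host "Processing folder: $FolderUrl"
    Try {
        $Folder     = Get-PnPFolder -Url $FolderUrl -ErrorAction Stop
        $FolderItem = Get-PnPProperty -ClientObject $Folder -Property ListItemAllFields
        $HasUnique  = Get-PnPProperty -ClientObject $FolderItem -Property HasUniqueRoleAssignments

        # A folder that still inherits must get its own assignments first; copying the parent's
        # assignments (first argument $true) means we only ever downgrade, never remove, access.
        If (-not $HasUnique) {
            Write-Host "`tInheritance would be broken (parent permissions copied)"
            If (-not $WhatIf) {
                $FolderItem.BreakRoleInheritance($true, $false)
                Invoke-PnPQuery
            }
        }

        $RoleAssignments = Get-PnPProperty -ClientObject $FolderItem -Property RoleAssignments
        ForEach ($RA in @($RoleAssignments)) {
            $Member   = Get-PnPProperty -ClientObject $RA -Property Member
            $Bindings = Get-PnPProperty -ClientObject $RA -Property RoleDefinitionBindings
            $Names    = @($Bindings | ForEach-Object { $_.Name })
            $Current  = $Names -join ", "

            # "Limited Access" is assigned by SharePoint itself (e.g. for parent-level traversal)
            # and cannot be granted by hand, so such entries are left alone.
            If ($Names.Count -eq 1 -and $Names[0] -eq "Limited Access") { continue }
            If ($KeepAsIs -contains $Member.Title) {
                Write-Host "`tKept    $($Member.Title) [$Current]"
                continue
            }
            If ($Names.Count -eq 1 -and $Names[0] -eq "Read") { continue }   # already read-only

            Write-Host "`tChange  $($Member.Title) [$Current] -> Read"
            If (-not $WhatIf) {
                # Replace whatever roles the principal had with "Read" and commit
                $RA.RoleDefinitionBindings.RemoveAll()
                $RA.RoleDefinitionBindings.Add($ReadRole)
                $RA.Update()
                Invoke-PnPQuery
            }
        }
    }
    Catch {
        Write-Host -ForegroundColor Red "Error on ${FolderUrl}: $($_.Exception.Message)"
    }
}
```

Run it first with $WhatIf left at $true and read the report: with 20-30 unique principals per folder the dry run is the only practical way to catch groups that should stay writable before 800 folders are changed. Two caveats worth checking in that report: groups whose Title begins with "SharingLinks." are the groups behind "Anyone"/"People in your organization" sharing links, and downgrading them changes what those links grant, so decide deliberately whether to keep or remove them; and site collection administrators retain full control regardless of folder-level assignments, so a read-only lockdown never applies to them.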