Only allow read permissions to a Sharepoint online folder

Jonathan Zahler 0 Reputation points
2023-09-14T18:25:45.2066667+00:00

Hey everyone!

I have a complex SharePoint online structure with very detailed permissions.

We recently came across a possible need to lock down around 800 folders (throughout the structure) to only allow read permissions.

There are currently around 20-30 groups of unique permissions in each folder.

As such I am looking for a way to script this.

Thanks

SharePoint
PowerShell

1 answer

  1. RaytheonXie_MSFT 24,531 Reputation points Microsoft Vendor
    2023-09-15T06:51:47.98+00:00

    Hi @Jonathan Zahler,

    Per my test, you can use the following code to remove a user from folder permissions via a CSV file with PowerShell:

    #Config Variables
    $SiteURL = "https://crescent.sharepoint.com/sites/legal"
    $CSVFile = "C:\Temp\Folders.csv"   #CSV with a "URL" column holding the site- or server-relative folder URL
    $UserAccount = "i:0#.f|membership|steve@crescent.com"

    Try {
        #Connect to PnP Online (recent PnP.PowerShell versions also require -ClientId of your own Entra app registration)
        Connect-PnPOnline -Url $SiteURL -Interactive

        #Resolve the user once, outside the loop
        $User = Get-PnPUser -Identity $UserAccount -ErrorAction Stop

        #Get content from CSV file
        Import-Csv $CSVFile | ForEach-Object {
            Write-Host "Processing Folder:" $_.URL
            #Get the Folder from URL
            $Folder = Get-PnPFolder -Url $_.URL

            #Get Folder Item
            $FolderItem = Get-PnPProperty -ClientObject $Folder -Property ListItemAllFields
            $HasUniquePerm = Get-PnPProperty -ClientObject $FolderItem -Property HasUniqueRoleAssignments

            #Break Permission Inheritance (copy the inherited assignments, reset unique permissions below this folder)
            If(!$HasUniquePerm)
            {
                $FolderItem.BreakRoleInheritance($True, $True)
                Invoke-PnPQuery
                Write-Host "`tFolder's Permission Inheritance Broken!"
            }

            #Get Permissions from the Folder
            $RoleAssignments = Get-PnPProperty -ClientObject $FolderItem -Property RoleAssignments

            #Find the user's role assignment; queue the delete and run it after the loop so the collection is not modified while it is being enumerated
            [Bool]$UserFound = $false
            ForEach($RoleAssignment in $RoleAssignments)
            {
                $Member = Get-PnPProperty -ClientObject $RoleAssignment -Property Member
                If($Member.LoginName -eq $User.LoginName)
                {
                    $UserFound = $True
                    $RoleAssignment.DeleteObject()
                }
            }
            If($UserFound)
            {
                Invoke-PnPQuery
                Write-Host "`tRemoved user from Folder Permission!"
            }
            Else
            {
                Write-Host "`tUser has no direct permission on this folder (may still have access through a group)"
            }
        }
    }
    Catch {
        Write-Host -f Red "Error Removing user from Folder:" $_.Exception.Message
    }


    After deleting the permissions, you can grant access by following the code at

    https://sharepoint.stackexchange.com/questions/109840/add-group-to-folder-in-a-document-library-using-powershell


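The answer above removes one named user from each folder; the question asked for every listed folder to end up read-only for all of its 20-30 unique principals. The script below is an added example written for this page, not code from the thread or from Microsoft. It uses PnP.PowerShell to downgrade every role assignment on each folder from the CSV to Read, supports a dry run through -WhatIf, and exports the before-state of every principal to a CSV so the change can be reviewed or reversed. The site URL, client ID, CSV and audit file paths, and the script name Set-FoldersReadOnly.ps1 are placeholders; like the answer's code it assumes a CSV with a URL column of site- or server-relative folder URLs.

```powershell
#Requires -Modules PnP.PowerShell
<#
  Set-FoldersReadOnly.ps1 (added example, not from the original thread)
  Downgrades every unique role assignment on the listed folders to "Read".
  Assumptions: PnP.PowerShell is installed; $SiteURL/$ClientId are placeholders for
  your tenant and your own Entra app registration; Folders.csv has a "URL" column.
  Run with -WhatIf first to see what would change without touching anything.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SiteURL   = "https://contoso.sharepoint.com/sites/legal",   # placeholder
    [string]$ClientId  = "00000000-0000-0000-0000-000000000000",          # placeholder
    [string]$CSVFile   = "C:\Temp\Folders.csv",                           # placeholder
    [string]$AuditFile = "C:\Temp\FolderPermissions-Before.csv"           # placeholder
)

# Roles that are already read-only, and system-managed roles that must be left alone.
$ReadOnlyRoles = @("Read", "Restricted View", "View Only")
$SystemRoles   = @("Limited Access", "Web-Only Limited Access")

Connect-PnPOnline -Url $SiteURL -ClientId $ClientId -Interactive
$ReadRole = Get-PnPRoleDefinition -Identity "Read"
$Audit    = New-Object System.Collections.Generic.List[object]

Import-Csv $CSVFile | ForEach-Object {
    $FolderUrl = $_.URL
    Write-Host "Processing folder: $FolderUrl"
    try {
        $Folder     = Get-PnPFolder -Url $FolderUrl
        $FolderItem = Get-PnPProperty -ClientObject $Folder -Property ListItemAllFields
        $HasUnique  = Get-PnPProperty -ClientObject $FolderItem -Property HasUniqueRoleAssignments

        if (-not $HasUnique) {
            # copyRoleAssignments=$true keeps the inherited principals so they can be downgraded below;
            # clearSubscopes=$true resets unique permissions under this folder so children inherit the read-only set.
            if ($PSCmdlet.ShouldProcess($FolderUrl, "Break permission inheritance")) {
                $FolderItem.BreakRoleInheritance($true, $true)
                Invoke-PnPQuery
            }
        }

        $RoleAssignments = Get-PnPProperty -ClientObject $FolderItem -Property RoleAssignments
        foreach ($RA in $RoleAssignments) {
            $Member    = Get-PnPProperty -ClientObject $RA -Property Member
            $Bindings  = Get-PnPProperty -ClientObject $RA -Property RoleDefinitionBindings
            $RoleNames = @($Bindings | ForEach-Object { $_.Name })

            # Record the before-state for every principal, changed or not.
            $Audit.Add([pscustomobject]@{
                Folder    = $FolderUrl
                Principal = $Member.LoginName
                Title     = $Member.Title
                Roles     = ($RoleNames -join ";")
            })

            # Skip assignments that consist only of SharePoint-managed Limited Access bindings.
            if (@($RoleNames | Where-Object { $_ -notin $SystemRoles }).Count -eq 0) { continue }
            # Skip assignments that are already read-only.
            if (@($RoleNames | Where-Object { $_ -notin ($ReadOnlyRoles + $SystemRoles) }).Count -eq 0) { continue }

            if ($PSCmdlet.ShouldProcess("$FolderUrl :: $($Member.Title)", "Replace [$($RoleNames -join ',')] with Read")) {
                $RA.RoleDefinitionBindings.RemoveAll()
                $RA.RoleDefinitionBindings.Add($ReadRole)
                $RA.Update()
                Invoke-PnPQuery
                Write-Host "`t$($Member.Title): downgraded to Read"
            }
        }
    }
    catch {
        Write-Host -ForegroundColor Red "Error on folder $FolderUrl : $($_.Exception.Message)"
    }
}

$Audit | Export-Csv -Path $AuditFile -NoTypeInformation
Write-Host "Before-state exported to $AuditFile"
```

Run it once as `.\Set-FoldersReadOnly.ps1 -WhatIf` to get the audit CSV and the list of proposed changes, review it, then run without -WhatIf. Run it as a site collection administrator: administrators are not subject to item-level role assignments, so the script cannot lock its own account out when it downgrades a Full Control group it happens to be a member of. Every other Full Control, Edit and Contribute holder on those folders, including owners groups, is downgraded; if some of them must keep write access, filter them out before the ShouldProcess call. Because BreakRoleInheritance is called with clearSubscopes set to true, any unique permissions on items below a folder that still inherited are reset, which is what a lock-down wants but is irreversible without the exported before-state.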