Only allow read permissions to a Sharepoint online folder

Jonathan Zahler 0 Reputation points
2023-09-14T18:25:45.2066667+00:00

Hey everyone!

I have a complex SharePoint online structure with very detailed permissions.

We recently came across a possible need to lock down around 800 folders (throughout the structure) to only allow read permissions.

There are currently around 20-30 groups of unique permissions in each folder.

As such I am looking for a way to script this.

Thanks


1 answer

  1. RaytheonXie_MSFT 34,986 Reputation points Microsoft Vendor
    2023-09-15T06:51:47.98+00:00

    Hi @Jonathan Zahler,

    Per my test, you can use the following code to remove a user from folder permissions via a CSV file with PowerShell:

    #Config Variables
    $SiteURL = "https://crescent.sharepoint.com/sites/legal"
    $ListName = "Work"   # not used below; kept from the original
    $CSVFile = "C:\Temp\Folders.csv"
    $UserAccount = "i:0#.f|membership|steve@crescent.com"

    Try {
        #Connect to PnP Online
        Connect-PnPOnline -Url $SiteURL -Interactive

        #Get content from CSV file (expects a column named "URL" holding each folder's server-relative URL)
        Import-Csv $CSVFile | ForEach-Object {
            Write-Host "Processing Folder:" $_.URL
            #Get the Folder from URL
            $Folder = Get-PnPFolder -Url $_.URL

            #Get Folder Item
            $FolderItem = Get-PnPProperty -ClientObject $Folder -Property ListItemAllFields
            $HasUniquePerm = Get-PnPProperty -ClientObject $FolderItem -Property HasUniqueRoleAssignments

            #Break Permission Inheritance (copy the inherited assignments, clear unique permissions on children)
            If (!$HasUniquePerm)
            {
                $FolderItem.BreakRoleInheritance($True, $True)
                Invoke-PnPQuery   # send the pending CSOM change before reading the role assignments back
                Write-Host "`tFolder's Permission Inheritance Broken!"
            }
            #Get the User
            $User = Get-PnPUser -Identity $UserAccount -ErrorAction Stop

            #Get Permissions from the Folder
            $RoleAssignments = Get-PnPProperty -ClientObject $FolderItem -Property RoleAssignments

            #Remove user from folder permissions
            [Bool]$UserFound = $false
            ForEach ($RoleAssignment in $RoleAssignments)
            {
                $Member = Get-PnPProperty -ClientObject $RoleAssignment -Property Member
                If ($Member.LoginName -eq $User.LoginName)
                {
                    $UserFound = $True
                    $FolderItem.RoleAssignments.GetByPrincipal($User).DeleteObject()
                    Invoke-PnPQuery
                }
            }

            If ($UserFound) { Write-Host "`tRemoved user from Folder Permission!" }
        }
    }
    Catch {
        Write-Host -f Red "Error Removing user from Folder:" $_.Exception.Message
    }


    After deleting the permissions, you can grant access using the following code:

    https://sharepoint.stackexchange.com/questions/109840/add-group-to-folder-in-a-document-library-using-powershell


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
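    As an added example (not part of the original answer or of PnP PowerShell's documentation), the script below takes the same CSV of folder URLs and reduces every unique role assignment on each folder to Read instead of removing one user, which is closer to the "lock down 800 folders to read-only" requirement in the question. It starts in dry-run mode so the planned changes can be reviewed first; the site URL, CSV path and the "URL" column name are assumed placeholders.

    ```powershell
    # Added example: make every role assignment on the listed folders read-only.
    # Assumes PnP.PowerShell and a CSV with a "URL" column (server-relative folder URL).
    $SiteURL = "https://contoso.sharepoint.com/sites/legal"   # placeholder
    $CSVFile = "C:\Temp\Folders.csv"                          # placeholder
    $DryRun  = $true   # report only; set to $false to apply the changes

    Connect-PnPOnline -Url $SiteURL -Interactive
    $ReadRole = Get-PnPRoleDefinition -Identity "Read"

    Import-Csv $CSVFile | ForEach-Object {
        $FolderUrl = $_.URL
        Write-Host "Processing folder: $FolderUrl"
        $Folder     = Get-PnPFolder -Url $FolderUrl
        $FolderItem = Get-PnPProperty -ClientObject $Folder -Property ListItemAllFields
        $HasUnique  = Get-PnPProperty -ClientObject $FolderItem -Property HasUniqueRoleAssignments

        if (-not $HasUnique) {
            # Copy the inherited assignments onto the folder so they can be edited here
            Write-Host "`tBreaking inheritance (copying current assignments)"
            if (-not $DryRun) {
                $FolderItem.BreakRoleInheritance($true, $true)
                Invoke-PnPQuery
            }
        }

        $RoleAssignments = Get-PnPProperty -ClientObject $FolderItem -Property RoleAssignments
        foreach ($RA in $RoleAssignments) {
            $Member   = Get-PnPProperty -ClientObject $RA -Property Member
            $Bindings = Get-PnPProperty -ClientObject $RA -Property RoleDefinitionBindings
            $Names    = @($Bindings | ForEach-Object { $_.Name })

            # "Limited Access" only marks a path to a child item; raising it to Read would grant more
            if ($Names.Count -eq 1 -and $Names[0] -eq "Limited Access") { continue }
            if ($Names.Count -eq 1 -and $Names[0] -eq "Read") { continue }   # already read-only

            Write-Host "`t$($Member.LoginName): $($Names -join ', ') -> Read"
            if (-not $DryRun) {
                $RA.RoleDefinitionBindings.RemoveAll()
                $RA.RoleDefinitionBindings.Add($ReadRole)
                $RA.Update()
            }
        }
        if (-not $DryRun) { Invoke-PnPQuery }
    }
    ```

    Site collection administrators keep access regardless of these assignments, but the site Owners group is reduced to Read like any other principal, so skip it by login name if that is not intended.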

