Hi @GoodResource, thank you for posting in this community.
Unfortunately, we don't have an out-of-the-box way to break permissions on all file repositories in each site in a tenant. Because each site set has a different administrator and owner, we can't manage the file libraries of all sites in the tenant for security reasons.
However, we can use PnP PowerShell to break access to all file libraries in a site.
Please install the PnP module first, and then try to execute the following commands.
#Config Variables
$SiteURL = "https://crescent.sharepoint.com/sites/yourSiteName"
Try {
    #Connect to PnP Online
    Connect-PnPOnline -Url $SiteURL -Interactive
    #Get all visible document libraries
    $DocLibs = Get-PnPList | Where-Object { $_.BaseType -eq "DocumentLibrary" -and $_.Hidden -eq $false }
    Foreach ($Doc in $DocLibs)
    {
        #Use $(...) so the Title property is expanded inside the string
        Write-Host -f White "Document Library: '$($Doc.Title)'"
        If ($Doc)
        {
            #Break Permission Inheritance of the List, keeping a copy of the parent's role assignments
            Set-PnPList -Identity $Doc.Title -BreakRoleInheritance -CopyRoleAssignments
            Write-Host -f Green "Permission Inheritance Broken for Document Library!"
        }
        Else
        {
            Write-Host -f Yellow "Could not Find Document Library '$($Doc.Title)'"
        }
    }
}
Catch {
    Write-Host "Error: $($_.Exception.Message)" -ForegroundColor Red
}
Next, we use this command to change the permissions of a member group.
#Connect to the Site
Connect-PnPOnline -Url "https://Crescent.sharepoint.com/sites/Purchase" -Interactive
#Get the Associated - Default Members Group
$MembersGroup = Get-PnPGroup -AssociatedMemberGroup
#Change Group Permissions - Replace Edit with Read
Set-PnPGroupPermissions -Identity $MembersGroup -RemoveRole "Edit" -AddRole "Read"
Next, we use this command to add an AD security group.
#Load the SharePoint Server (on-premises) snap-in
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
#Parameters
$SiteURL = "https://intranet.crescent.com"
$ADGroupName = "Crescent\Marketing Managers"
$PermissionLevel = "Edit"
Try {
    #Get Objects
    $Web = Get-SPWeb $SiteURL
    $ADGroup = $Web.EnsureUser($ADGroupName)
    #Grant Permission to the AD Group
    $RoleAssignment = New-Object Microsoft.SharePoint.SPRoleAssignment($ADGroup)
    $RoleDefinition = $Web.RoleDefinitions[$PermissionLevel]
    $RoleAssignment.RoleDefinitionBindings.Add($RoleDefinition)
    $Web.RoleAssignments.Add($RoleAssignment)
    Write-Host "Granted Edit Access to AD Group!" -f Green
}
Catch {
    Write-Host -f Red "Error:" $_.Exception.Message
}
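A read-only audit to run after the commands above, added here as an example and not part of the original answer. `-CopyRoleAssignments` copies the parent's assignments into each library, and a library with unique permissions no longer receives later site-level changes, so the report lists what every library actually grants. The site URL is the answer's placeholder and the list of roles to flag is an assumption to adjust.

```powershell
# Added example: reads permissions only, changes nothing on the site.
$SiteURL   = "https://crescent.sharepoint.com/sites/yourSiteName"   # placeholder from the answer
$FlagRoles = @("Edit", "Contribute", "Full Control")                 # assumption: roles worth reviewing

Connect-PnPOnline -Url $SiteURL -Interactive

# Load each visible document library with its inheritance flag and role assignments
$Libraries = Get-PnPList -Includes HasUniqueRoleAssignments, RoleAssignments |
    Where-Object { $_.BaseType -eq "DocumentLibrary" -and -not $_.Hidden }

$Report = foreach ($Lib in $Libraries) {
    foreach ($Assignment in $Lib.RoleAssignments) {
        # Principal and permission levels are not loaded by default
        Get-PnPProperty -ClientObject $Assignment -Property Member, RoleDefinitionBindings | Out-Null

        # "Limited Access" is assigned automatically and grants nothing on its own
        $Roles = @($Assignment.RoleDefinitionBindings |
            Select-Object -ExpandProperty Name |
            Where-Object { $_ -ne "Limited Access" })
        if ($Roles.Count -eq 0) { continue }

        [PSCustomObject]@{
            Library           = $Lib.Title
            UniquePermissions = $Lib.HasUniqueRoleAssignments
            Principal         = $Assignment.Member.Title
            PrincipalType     = $Assignment.Member.PrincipalType
            Roles             = $Roles -join "; "
            NeedsReview       = [bool]($Roles | Where-Object { $FlagRoles -contains $_ })
        }
    }
}

# Libraries that still inherit from the site (inheritance was not broken)
$Report | Where-Object { -not $_.UniquePermissions } |
    Select-Object -ExpandProperty Library -Unique

# Principals that still hold a write-capable role on a library
$Report | Where-Object NeedsReview |
    Sort-Object Library, Principal |
    Format-Table Library, Principal, PrincipalType, Roles -AutoSize
```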