What PowerShell command can give a list of users who have access to a certain SharePoint folder or file? It would be great if it could also give the type of permission the user has, like Contribute or Edit, etc.

frob 4,216 Reputation points
2022-08-23T19:55:37.64+00:00

Hi there

What PowerShell command can give a list of users who have access to a certain SharePoint folder or file? It would be great if it could also give the type of permission the user has, like Contribute or Edit, etc.

Thanks.


Accepted answer
  1. Yanli Jiang - MSFT 24,356 Reputation points Microsoft Vendor
    2022-08-25T02:47:50.307+00:00

    Hi @frob ,
    According to my research and testing, you can use the following PowerShell code to achieve your requirement.
    Note: Make sure you have at least Edit permission on the object you are operating on.
    For folder:

    #Function to Get Permissions Applied on a particular Object such as: Web, List, Library, Folder or List Item  
    Function Get-PnPPermissions([Microsoft.SharePoint.Client.SecurableObject]$Object)  
    {  
        Try {  
            #Get permissions assigned to the Folder  
            Get-PnPProperty -ClientObject $Object -Property HasUniqueRoleAssignments, RoleAssignments  
       
            #Check if Object has unique permissions  
            $HasUniquePermissions = $Object.HasUniqueRoleAssignments  
          
            #Loop through each permission assigned and extract details  
            $PermissionCollection = @()  
            Foreach($RoleAssignment in $Object.RoleAssignments)  
            {  
                #Get the Permission Levels assigned and Member  
                Get-PnPProperty -ClientObject $RoleAssignment -Property RoleDefinitionBindings, Member  
          
                #Get the Principal Type: User, SP Group, AD Group  
                $PermissionType = $RoleAssignment.Member.PrincipalType  
                $PermissionLevels = $RoleAssignment.RoleDefinitionBindings | Select -ExpandProperty Name  
       
                #Remove Limited Access  
                $PermissionLevels = ($PermissionLevels | Where { $_ -ne "Limited Access"}) -join ","  
                If($PermissionLevels.Length -eq 0) {Continue}  
       
                #Get SharePoint group members  
                If($PermissionType -eq "SharePointGroup")  
                {  
                    #Get Group Members  
                    $GroupMembers = Get-PnPGroupMember -Identity $RoleAssignment.Member.LoginName  
                       
                    #Leave Empty Groups  
                    If($GroupMembers.count -eq 0){Continue}  
       
                    ForEach($User in $GroupMembers)  
                    {  
                        #Add the Data to Object  
                        $Permissions = New-Object PSObject  
                        $Permissions | Add-Member NoteProperty User($User.Title)  
                        $Permissions | Add-Member NoteProperty Type($PermissionType)  
                        $Permissions | Add-Member NoteProperty Permissions($PermissionLevels)  
                        $Permissions | Add-Member NoteProperty GrantedThrough("SharePoint Group: $($RoleAssignment.Member.LoginName)")  
                        $PermissionCollection += $Permissions  
                    }  
                }  
                Else  
                {  
                    #Add the Data to Object  
                    $Permissions = New-Object PSObject  
                    $Permissions | Add-Member NoteProperty User($RoleAssignment.Member.Title)  
                    $Permissions | Add-Member NoteProperty Type($PermissionType)  
                    $Permissions | Add-Member NoteProperty Permissions($PermissionLevels)  
                    $Permissions | Add-Member NoteProperty GrantedThrough("Direct Permissions")  
                    $PermissionCollection += $Permissions  
                }  
            }  
            #Export Permissions to CSV File  
            $PermissionCollection | Export-CSV $ReportFile -NoTypeInformation  
            Write-host -f Green "`n*** Folder Permission Report Generated Successfully!***"  
        }  
        Catch {  
        write-host -f Red "Error Generating Folder Permission Report!" $_.Exception.Message  
        }  
    }  
         
    #region ***Parameters***  
    $SiteURL="https://domain.sharepoint.com/sites/Amy12345"  
    $ReportFile="C:\Users\spadmin\Desktop\Permissions.csv"  
    $FolderRelativeURL = "/sites/Amy12345/0715/0805"  
    #endregion  
       
    #Connect to the Site collection  
    Connect-PnPOnline -URL $SiteURL -Interactive  
       
    #Get the Folder from URL  
    $Folder = Get-PnPFolder -Url $FolderRelativeURL  
       
    #Call the function to generate permission report  
    Get-PnPPermissions $Folder.ListItemAllFields  
    

    The result:
    [Screenshot: 234684-08251.png]

    For file:
    Just get the file and call the function.

    #$filePath must hold the server-relative or site-relative URL of the file
    $File = Get-PnPFile -Url $filePath -AsListItem
    Get-PnPPermissions $File
    

    Thanks,
    Yanli Jiang
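
Added example, not part of the answer above or of PnP PowerShell: a triage pass over the CSV that `Get-PnPPermissions` writes, flagging Full Control grants, direct grants to individuals, directory groups the report does not expand, and tenant-wide principals. The function name `Get-PermissionFinding` and the sample rows are assumptions made for illustration; the column names come from the script in the answer.

```powershell
# Added example (not from the thread): flag rows in the Get-PnPPermissions CSV that merit review.
# Constructed sample rows in the report's column layout; all names are made up.
$SampleReport = @'
"User","Type","Permissions","GrantedThrough"
"Alice Example","SharePointGroup","Full Control","SharePoint Group: Example Owners"
"Bob Example","SharePointGroup","Read","SharePoint Group: Example Visitors"
"Carol Example","User","Contribute","Direct Permissions"
"Example-Finance-Team","SecurityGroup","Edit","Direct Permissions"
"Everyone except external users","SharePointGroup","Edit","SharePoint Group: Example Members"
'@

Function Get-PermissionFinding {
    Param([Parameter(Mandatory = $true, ValueFromPipeline = $true)] [PSObject]$Row)
    Process {
        $Reasons = @()
        # The answer's script joins permission levels with "," in one column
        $Levels = $Row.Permissions -split ","

        If ($Levels -contains "Full Control") {
            $Reasons += "Full Control on this object"
        }
        # Direct grants to individuals bypass group-based access reviews
        If ($Row.Type -eq "User" -and $Row.GrantedThrough -eq "Direct Permissions") {
            $Reasons += "Granted directly to an individual"
        }
        # The script expands SharePoint groups only; directory groups stay one row
        If ($Row.Type -eq "SecurityGroup") {
            $Reasons += "Directory group, members not listed in the report"
        }
        # Tenant-wide principals appear by title, directly or as a group member
        If ($Row.User -like "Everyone*") {
            $Reasons += "Tenant-wide principal"
        }
        If ($Reasons.Count -gt 0) {
            [PSCustomObject]@{
                User           = $Row.User
                Permissions    = $Row.Permissions
                GrantedThrough = $Row.GrantedThrough
                Finding        = $Reasons -join "; "
            }
        }
    }
}

# For a real report: Import-Csv $ReportFile | Get-PermissionFinding
$Findings = $SampleReport | ConvertFrom-Csv | Get-PermissionFinding
$Findings | Format-Table -AutoSize -Wrap
```

The Type column holds the principal type of the role assignment, so a directory group nested inside a SharePoint group is reported as SharePointGroup and is not caught by the SecurityGroup check.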



1 additional answer

  1. Limitless Technology 39,511 Reputation points
    2022-08-24T13:46:08.153+00:00

    Hello there,

    This script returns all permission level names, including out-of-the-box permission levels such as “Full Control” and any custom permission levels created in the given SharePoint Online site collection.

    Get the permission level

    $PermissionLevelName ="Read"
    $PermissionLevel = $web.RoleDefinitions.GetByName($PermissionLevelName)
    $Ctx.Load($PermissionLevel)
    $Ctx.ExecuteQuery()

