SharePoint Online User Permission Reports

How to build SharePoint Permissions Reports

Blog written by: 
Dhaval Shah
SharePoint & .Net Consultant

Intro

In this article, I have developed a PowerShell script to build a SharePoint Permissions Report I call ‘Users with Direct Access Permissions Report’. This SharePoint Permissions report works with SharePoint Online and writes its output in CSV format.

If you need a permission report for SharePoint on-premise, check out the product by Cognillo, which manages and reports on SharePoint Permissions for SharePoint on-premise and SharePoint Online (Office 365) and includes Azure AD support.

This script will:
  • Check a specific User or Group’s DIRECT access to SharePoint
  • Check the SharePoint Lists and Items for uniquely defined permissions (broken inheritance), then check whether the user is granted access directly to them
This script will NOT:
  • Check inside of SharePoint or Domain Groups
  • Check Site or Site Collection Administrator level or Farm/Web Application level access

The script will iterate through the list and list items to check if the user has the permission and also determine what kind of permission the account has. Below is the screenshot of the permission report generated in CSV format.

You can download the entire PowerShell script from here.

Step 1: Install the SharePoint Online SDK file from Microsoft

Make sure you have Microsoft.SharePoint.Client.dll and Microsoft.SharePoint.Client.Runtime.dll (the SharePoint Online Client Components) installed. Download the file using the link below and install it.

https://www.microsoft.com/en-us/download/details.aspx?id=42038

The SharePoint Online Client Components SDK is used to help you manage SharePoint Online using ‘commands’ (don’t worry if you are new to this, it is not too hard once you do it a few times).

Step 2: Load SharePoint Windows PowerShell Snap-in

Once you have installed the SDK above, go to the Start Menu and open “Windows PowerShell”.

(NOTE: Unlike on-premise SharePoint Management Shell, you need to load this snap-in manually to use the cmdlets for SharePoint Online.)

Copy the line below and paste it into the command window:

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.PowerShell")

What are these commands?

If you are new to PowerShell, these commands can look daunting. If you are already comfortable with them, great: please continue below!

You can read more about Windows PowerShell here

Step 3: Add ‘DLL Libraries’ needed

Copy and paste the lines below into the command window (same as we did above):

Add-Type -Path "C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"

Add-Type -Path "C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

NOTE: Add-Type

The Add-Type ‘cmdlet’ lets you define a Microsoft .NET Framework class in your Windows PowerShell session. This lets you use commands from Microsoft (DLL libraries) to “do stuff”!

Step 4: Connect to SharePoint Online

Now we need to connect to the SharePoint Online site.

To connect to SharePoint online we need to create the ‘client context’ (to define the SharePoint tenant, site and user who we will connect as).

Use the Script I built (download link at top of blog) and modify the text needed as specified below:

Below is the code to connect to SharePoint online and some variables we need to enter.

Update the $siteUrl, $username and $password parameters with your SharePoint site URL, SharePoint Online username and SharePoint Online password.

TIP: Be sure to put double quotes " around the site URL, username and password

Example:

$siteUrl = "https://company.sharepoint.com/sites/accounting"
$username = "myemail@company.com"
$password = "mySecretPassword123"

You do not need to change any other variables in the script.

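# Initialize client context
$siteUrl = 'Site url'
$username = 'admin username'
$password = 'admin password'
# $SearchUser (the login of the user to report on) must already be set; it is not defined in this excerpt
$checkpermusername = "i:0#.f|membership|" + $SearchUser
# SharePointOnlineCredentials expects the password as a SecureString
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($username, $securePassword)
# Create the client context for the site and attach the credentials
$clientContext = New-Object Microsoft.SharePoint.Client.ClientContext($siteUrl)
$clientContext.Credentials = $credentials
# Load the web at $siteUrl; ExecuteQuery sends the request and confirms the connection works
$Web = $clientContext.Web
$clientContext.Load($Web)
$clientContext.ExecuteQuery()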

Check If the list permission has been broken

We will check if the permission inheritance has been broken on the list or not by using the HasUniqueRoleAssignments property of the list.

This PowerShell script will generate a report for the site and display what the user has access to.

Checking Item Level Permission

The code (in download link below) will check if the SharePoint List has ‘broken’ permission inheritance or not.

If the SharePoint List does not have inherited permissions set (hence ‘broken’ permissions), then it will check if the given user has direct permission to the list or not.

The script will iterate over all lists and items that the user may have access to and output them in the report.
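
The check described above, written out as an added example (it is not the downloadable script and not the author's code). It prompts for the account with Get-Credential instead of keeping the password in the file, pages through items, and also checks items in lists that still inherit, which goes a little beyond the text. The site URL, user, CSV path and the helper name Get-DirectAccess are assumptions; the two DLLs must already be loaded with Add-Type.

```powershell
# Added example. Constructed sample values; replace with your own.
$siteUrl    = 'https://company.sharepoint.com/sites/accounting'
$searchUser = 'someone@company.com'
$loginName  = 'i:0#.f|membership|' + $searchUser
$cred = Get-Credential -Message 'SharePoint Online account'   # prompt, nothing stored on disk
$ctx  = New-Object Microsoft.SharePoint.Client.ClientContext($siteUrl)
$ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($cred.UserName, $cred.Password)

# Hypothetical helper: role names granted directly to $login on a list or item.
function Get-DirectAccess($securable, $login) {
    $securable.Retrieve('HasUniqueRoleAssignments')   # not loaded by default
    $ctx.ExecuteQuery()
    if (-not $securable.HasUniqueRoleAssignments) { return }   # inherits from parent
    $ctx.Load($securable.RoleAssignments)
    $ctx.ExecuteQuery()
    foreach ($ra in $securable.RoleAssignments) {
        $ctx.Load($ra.Member)
        $ctx.Load($ra.RoleDefinitionBindings)
    }
    $ctx.ExecuteQuery()
    foreach ($ra in $securable.RoleAssignments) {
        # Match the principal itself; group membership is not expanded.
        if ($ra.Member.LoginName -eq $login) {
            ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join '; '
        }
    }
}

$lists = $ctx.Web.Lists
$ctx.Load($lists)
$ctx.ExecuteQuery()
$report = @(foreach ($list in $lists) {
    $perm = Get-DirectAccess $list $loginName
    if ($perm) { [pscustomobject]@{ Scope = 'List'; List = $list.Title; ItemId = ''; Permissions = $perm } }
    $query = New-Object Microsoft.SharePoint.Client.CamlQuery
    $query.ViewXml = "<View Scope='RecursiveAll'><RowLimit>2000</RowLimit></View>"
    do {   # read items in pages so large lists are not fetched in one request
        $items = $list.GetItems($query)
        $ctx.Load($items)
        $ctx.ExecuteQuery()
        foreach ($item in $items) {
            $perm = Get-DirectAccess $item $loginName
            if ($perm) { [pscustomobject]@{ Scope = 'Item'; List = $list.Title; ItemId = $item.Id; Permissions = $perm } }
        }
        $query.ListItemCollectionPosition = $items.ListItemCollectionPosition
    } while ($query.ListItemCollectionPosition)
})
$report | Export-Csv -Path '.\DirectAccessReport.csv' -NoTypeInformation
```

SharePointOnlineCredentials uses legacy authentication, so this connection fails for accounts that require multi-factor authentication. Each list and item costs several round trips, so large sites take a while to scan.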

For a more comprehensive SharePoint Permissions report, be sure to check out the SharePoint Essentials Toolkit! (There is also a direct Download link below this blog)

Script Limitations to be aware of

This utility does not check within Domain Groups for user access; however, you can enter the groups that the user is a member of in a separate report.

Download Link for SharePoint Permissions Report

You can download the entire PowerShell script from here.

Please let me know any issues or comments in the comment box below!

Dhaval Shah - MCD, MCSD

SharePoint and Dot Net Consultant at QiPoint
Dhaval Shah (Houston, TX USA) has more than 9 years of professional experience working as a SharePoint and Dot Net Consultant. He has worked on 30+ projects for 15+ clients. He has a special focus on developing and implementing enterprise-level business solutions built on SharePoint, Dot Net and the Microsoft technology stack, involving MVC apps, Web API and REST services.

View his professional profile on LinkedIn
https://www.linkedin.com/in/dhavalshah27/