How to build SharePoint Permissions Reports
Blog written by:
SharePoint & .Net Consultant
In this article, I have developed a PowerShell script to build a SharePoint Permissions Report I call ‘Users with Direct Access Permissions Report’. This SharePoint Permissions report works with SharePoint Online and the report is outputted in CSV format.
If you need a permission report for SharePoint on-premise (it also supports SharePoint Online (Office 365) as well, and includes Azure AD support), check out the product by Cognillo which manages and reports on SharePoint Permissions for SharePoint on-premise and online.
This script will:
- Check a specific User or Group’s DIRECT access to SharePoint
- Checks the SharePoint Lists and Items for uniquely defined (broken Inheritance) permissions, then checks if user is granted access directly to it
This script will NOT:
- Check inside of SharePoint or Domain Groups
- Check Site or Site Collection Administrator level or Farm/Web Application level access
The script will iterate through the list and list items to check if the user has the permission and also determine what kind of permission the account has. Below is the screenshot of the permission report generated in CSV format.
You can download the entire PowerShell script from here.
Try the SharePoint Essentials Toolkit (SharePoint Permissions Tool) by Cognillo
See why Microsoft, NASA, Intel, NASA, the Australian Government, and many more have switched over to use us!
In addition, you can also schedule security reports for those repetitive jobs. Check out our SharePoint Permissions Management Tool by Cognillo and learn more about the SharePoint Essentials Toolkit Suite
and DOWNLOAD a Trial Now.
Step 1: Install the SharePoint Online SDK file from Microsoft
Make sure you have client.dll and runtime.client.dll (SharePoint Online Client Component) installed. Download the the file using this link below and install it.
The SharePoint Online Client Components SDK are used to help you manage SharePoint Online using ‘commands’ (don’t worry if you are new to this, it is not too hard once you do it a few times).
Step 2: Load SharePoint Windows PowerShell Snap-in
Once you install above, go to the Start Menu, and open “Windows PowerShell”
(NOTE: Unlike on-premise SharePoint Management Shell, you need to load this snap-in manually to use the cmdlets for SharePoint Online.)
Copy below and paste it into the command window:
What are these commands?
If you are new to PowerShell, these commands can look daunting. If comfortable with these, then that is great and please continue below!
You can read more about Windows PowerShell here
Step 3: Add ‘DLL Libraries’ needed
Copy and paste below into the command window (same as we did above):
Add-Type -path “C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll”
Add-Type -path “C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll”
The Add-Type ‘cmdlet’ lets you define a Microsoft .NET Framework class in your Windows PowerShell session. This let’s you use commands from Microsoft (DLL LIbraries) to “do stuff” !
Step 3: Connect to SharePoint Online:
Now, we need to connect to SharePoint online site.
To connect to SharePoint online we need to create the ‘client context’ (to define the SharePoint tenant, site and user who we will connect as).
Use the Script I built (download link at top of blog) and modify the text needed as specified below:
Below is the code to connect to SharePoint online and some variables we need to enter.
Update the $siteUrl, $username and $password parameters with your sharepoint site url, sharepoint online username and sharepoint online password.
TIP: Be sure to put double quotes ” around the site URL, username and password
$siteUrl = “https://company.sharepoint.com/sites/accounting”
$username = “firstname.lastname@example.org”
$password = “mySecretPassword123”
You do not need to change any other variables in the script.
|# Initialize client context$siteUrl = ‘Site url’
$username = ‘admin username’
$password = ‘admin password’
$checkpermusername = “i:0#.f|membership|”+$SearchUser
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($username,$securePassword)
$clientContext = New-Object Microsoft.SharePoint.Client.ClientContext($siteUrl)
$clientContext.Credentials = $credentials
$Web = $clientContext.Web;
Check If the list permission has been broken
We will check if the permission inheritance has been broken on the list or not by using the HasUniqueRoleAssignments property of the list.
This PowerShell script will generate a report for the site and display what the user has access to.
Checking Item Level Permission
The code (in download link below) will check if the SharePoint List has ‘broken’ permission inheritance or not.
If the SharePoint List does not have inherited permissions set (hence ‘broken’ permissions), then it will check if the given user has direct permission to the list or not.
The script will iterate all lists and items that the user may have access to and outputs them in the report.
For a more comprehensive SharePoint Permissions report, be sure to check out the SharePoint Essentials Toolkit! (There is also a direct Download link below this blog)
Script Limitations to be aware of
This utility does not check within Domain Groups for user access, however, you can enter groups that the user is a member of in a separate report.
Download Link for SharePoint Permissions Report
You can download the entire PowerShell script from here.
Please let me know any issues or comments in the comment box below!
- SharePoint Metadata - October 8, 2018
- SharePoint Permission Levels - August 29, 2018
- SharePoint Online User Permission Reports - March 8, 2018
2 thoughts on “SharePoint Online User Permission Reports”
I tried running this code. I changed the path and file name as per the code.
it’s is running but returning a blank csv file.
How can i solve this issue?
Are you getting any errors when it is run? Try using Windows PowerShell ISE debugger to execute script.
Then check for errors, let me know your email and we can try to help