Replacing Everyone/Everyone except external users account with a different User/Group
Technorati Tags: Migrate User in SPO,Replace Everyone in SPO,Replace Everyone except external users in SPO,SPO,O365,SharePoint Online
Recently I had a couple of customers ask me for a script that replaces the Everyone / Everyone except external users account in SPO with a different account or group.
The following script copies the permissions of one account to a new account.
It will check for SharePoint Group membership
It will check for SPWeb unique membership
It will check for SPList unique membership
It will check for SPFolder unique membership
It will check for SPItem unique membership
After running this script you can remove Everyone, or even hide it from the people picker.
Let me know your suggestions in the comments; I will try to add them to the script.
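# Load the CSOM assemblies that ship with the SharePoint Online Management Shell.
[System.Reflection.Assembly]::LoadFile("C:\Program Files\SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell\Microsoft.SharePoint.Client.dll") | Out-Null
[System.Reflection.Assembly]::LoadFile("C:\Program Files\SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell\Microsoft.SharePoint.Client.Runtime.dll") | Out-Null
$username = "admin@MOD841120.onmicrosoft.com" #Replace this with SPO Admin
# The password is prompted for rather than stored in the script, so it never sits in
# source control or a shell history; Read-Host returns it directly as a SecureString.
$password = Read-Host -Prompt "Password for $username" -AsSecureString
$spoCred = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($username, $password)
$url = "https://mod841120.sharepoint.com/sites/DemoPerm" #URL of the SPO Site Collection
$FindUser = "c:0-.f|rolemanager|spo-grid-all-users/c1051fd0-af79-4b55-8710-a34798fbe37b" #User Id for External Users
$New = "industrytrends@MOD841120.onmicrosoft.com" #Group/User that you want to add
#No changes required from this point
# Every web URL discovered by Get-SPOWebs is collected here and processed in a second pass.
$global:AllWebs = @()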
# Requests a single property of a client object that is not part of the default
# payload (e.g. HasUniqueRoleAssignments).  It builds the lambda
# "obj => (object)obj.<PropertyName>" at runtime and hands it to
# ClientContext.Load<T>(T, params Expression<Func<T,object>>[]) through reflection,
# because PowerShell cannot write that generic expression-tree call directly.
# The caller still has to run ExecuteQuery on the object's context afterwards.
Function Invoke-LoadMethod() {
param(
[Microsoft.SharePoint.Client.ClientObject]$Object = $(throw "Please provide a Client Object"),
[string]$PropertyName
)
$objectType = $Object.GetType()
$loadGeneric = [Microsoft.SharePoint.Client.ClientContext].GetMethod("Load").MakeGenericMethod($objectType)
$expr = [System.Linq.Expressions.Expression]
$lambdaParam = $expr::Parameter($objectType, $objectType.Name)
$body = $expr::Convert($expr::PropertyOrField($lambdaParam, $PropertyName), [System.Object])
$lambda = $expr::Lambda($body, $lambdaParam)
# Load wants a strongly typed expression array; a plain PowerShell array would not bind.
$lambdaArray = [System.Array]::CreateInstance($lambda.GetType(), 1)
$lambdaArray.SetValue($lambda, 0)
$loadGeneric.Invoke($Object.Context, @($Object, $lambdaArray))
}
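# Adds $New to every SharePoint group of $SPOWeb in which the principal $UserID is
# already a member.  $context and $New are read from the calling scope (PowerShell
# dynamic scoping).  Note that this copies membership of every group $UserID is in,
# including groups that carry Full Control, if the source principal was in them.
function CheckGroup($SPOWeb , $UserID)
{
$User = $SPOWeb.EnsureUser($New)
$Context.Load($User)
$Context.ExecuteQuery()
$Groups = $SPOWeb.SiteGroups
$context.Load($Groups)
$context.ExecuteQuery()
foreach($Group in $Groups)
{
$context.Load($Group)
$context.ExecuteQuery()
# Users.GetById only fails at ExecuteQuery time when the principal is not in the
# group, so that probe is the only thing inside this try: the failure is the expected
# "not a member" signal, not an error.
$GroupUser = $Group.Users.GetById($UserID)
$context.Load($GroupUser)
$isMember = $true
try
{
$context.ExecuteQuery()
}
catch
{
$isMember = $false
}
if (-not $isMember)
{
continue
}
# Adding the new principal is not expected to fail; report it instead of swallowing it.
try
{
$Context.Load($Group)
$Context.Load($Group.Users.AddUser($User))
$Context.ExecuteQuery()
}
catch
{
Write-Warning "Could not add '$New' to group '$($Group.Title)': $($_.Exception.Message)"
}
}
}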
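# Pass 1: walks the web at $Url and all of its subwebs depth-first, records every
# subweb URL in $global:AllWebs and copies $FindUser's group memberships to $New on
# each web via CheckGroup.  $FindUser and $global:AllWebs come from the script scope.
# The original ignored $Credential and used $spoCred, and swallowed every error
# (including auth/network failures) in an empty catch; both are fixed here.
function Get-SPOWebs(){
param(
$Url = $(throw "Please provide a Site Collection Url"),
$Credential = $(throw "Please provide a Credentials")
)
$context = New-Object Microsoft.SharePoint.Client.ClientContext($Url)
try
{
$context.Credentials = $Credential
$web = $context.Web
$context.Load($web)
$context.ExecuteQuery()
# GetByLoginName only fails at ExecuteQuery time when the login is unknown in the
# site collection; that is the one expected failure, so only the probe is in the try.
$User = $web.SiteUsers.GetByLoginName($FindUser)
$context.Load($User)
$userFound = $true
try
{
$context.ExecuteQuery()
}
catch
{
$userFound = $false
}
if (-not $userFound)
{
# Nothing to copy for this branch of the tree; same early exit as before, but visible.
Write-Warning "User '$FindUser' was not found in the site users of $Url; skipping this web and its subwebs."
return
}
# CheckGroup picks up $context from this scope, so it must run before Dispose.
CheckGroup $web $User.Id
$subWebs = $web.Webs
$context.Load($subWebs)
$context.ExecuteQuery()
foreach($subWeb in $subWebs)
{
Get-SPOWebs -Url $subWeb.Url -Credential $Credential
$global:AllWebs += $subWeb.Url
}
}
finally
{
$context.Dispose()
}
}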
# Seed the web list with the site collection root, then let Get-SPOWebs append every
# subweb it discovers while copying group memberships along the way.
$global:AllWebs = $global:AllWebs + @($url)
Get-SPOWebs -Url $url -Credential $spoCred
# Grants $New the role definition named $SPOWBinding directly on the web $SPOW.
# $Context and $New are read from the calling scope.  Nothing is removed from the
# original principal here.
function ReplaceUserInWeb($SPOW , $SPOWBinding)
{
$target = $SPOW.EnsureUser($New)
$Context.Load($target)
$Context.ExecuteQuery()
$roleDef = $SPOW.RoleDefinitions.GetByName($SPOWBinding)
$Context.Load($roleDef)
$Context.ExecuteQuery()
$bindings = New-Object Microsoft.SharePoint.Client.RoleDefinitionBindingCollection($Context)
$bindings.Add($roleDef)
$Context.Load($SPOW.RoleAssignments.Add($target, $bindings))
$SPOW.Update()
$Context.ExecuteQuery()
}
# Grants $New the role definition named $SPOLBinding on the list $SPOListID of web $SPOW.
# $Context and $New are read from the calling scope.
function ReplaceUserInList($SPOW , $SPOLBinding , $SPOListID)
{
$target = $SPOW.EnsureUser($New)
$Context.Load($target)
$Context.ExecuteQuery()
$targetList = $SPOW.Lists.GetById($SPOListID)
$Context.Load($targetList)
$Context.ExecuteQuery()
$roleDef = $SPOW.RoleDefinitions.GetByName($SPOLBinding)
$Context.Load($roleDef)
$Context.ExecuteQuery()
$bindings = New-Object Microsoft.SharePoint.Client.RoleDefinitionBindingCollection($Context)
$bindings.Add($roleDef)
$Context.Load($targetList.RoleAssignments.Add($target, $bindings))
$targetList.Update()
$Context.ExecuteQuery()
}
# Grants $New the role definition named $SPOLBinding on item $ItemID of list $ListID
# in web $SPOW.  $Context and $New are read from the calling scope.
function ReplaceUserInListItem($SPOW , $SPOLBinding, $ListID,$ItemID)
{
$target = $SPOW.EnsureUser($New)
$Context.Load($target)
$Context.ExecuteQuery()
$targetList = $SPOW.Lists.GetById($ListID)
$Context.Load($targetList)
$Context.ExecuteQuery()
$targetItem = $targetList.GetItemById($ItemID)
$Context.Load($targetItem)
$Context.ExecuteQuery()
$roleDef = $SPOW.RoleDefinitions.GetByName($SPOLBinding)
$Context.Load($roleDef)
$Context.ExecuteQuery()
$bindings = New-Object Microsoft.SharePoint.Client.RoleDefinitionBindingCollection($Context)
$bindings.Add($roleDef)
$Context.Load($targetItem.RoleAssignments.Add($target, $bindings))
$targetItem.Update()
$Context.ExecuteQuery()
}
# Returns the names of the role definitions that principal $UserID holds directly on
# item $ItemID of list $ListID in web $SPOW, leaving out "Limited Access" (which
# SharePoint grants implicitly and which cannot be assigned by hand).  Fails on
# ExecuteQuery if the principal has no assignment on the item; callers probe first.
# $context is read from the calling scope.
function GetListItemsRoleBinding($SPOW , $UserID , $ListID,$ItemID)
{
$names = @()
$List = $SPOW.Lists.GetById($ListID)
$context.Load($List)
$context.ExecuteQuery()
$item = $List.GetItemById($ItemID)
$context.Load($item)
$context.ExecuteQuery()
$assignment = $item.RoleAssignments.GetByPrincipalId($UserID)
$context.Load($assignment)
$context.ExecuteQuery()
$roleDefs = $assignment.RoleDefinitionBindings
$context.Load($roleDefs)
$context.ExecuteQuery()
foreach($roleDef in $roleDefs)
{
$context.Load($roleDef)
$context.ExecuteQuery()
if ($roleDef.Name -ne "Limited Access")
{
$names += $roleDef.Name
}
}
return $names
}
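# Returns the names of the role definitions that principal $UserID holds directly on
# list $ListID in web $SPOW, leaving out "Limited Access" (granted implicitly by
# SharePoint, not assignable by hand).  Fails on ExecuteQuery if the principal has no
# assignment on the list; callers probe first.  $context is read from the calling scope.
# The original also emitted "$LBindings.count" to the pipeline, so callers received an
# integer in front of the names and had to filter by type; that stray output is gone.
function GetListRoleBinding($SPOW , $UserID , $ListID)
{
$LBindings = @()
$List = $SPOW.Lists.GetById($ListID)
$context.Load($List)
$context.ExecuteQuery()
$SPOLRole = $List.RoleAssignments.GetByPrincipalId($UserID)
$context.Load($SPOLRole)
$context.ExecuteQuery()
$LRoleBindings = $SPOLRole.RoleDefinitionBindings
$context.Load($LRoleBindings)
$context.ExecuteQuery()
foreach($LRoleBinding in $LRoleBindings)
{
$context.Load($LRoleBinding)
$context.ExecuteQuery()
if ($LRoleBinding.Name -ne "Limited Access")
{
$LBindings += $LRoleBinding.Name
}
}
return $LBindings
}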
# Returns the names of the role definitions that principal $UserID holds directly on
# web $SPOW, leaving out "Limited Access".  Fails on ExecuteQuery if the principal has
# no assignment on the web; callers probe first.  $context is read from the calling scope.
function GetWebRoleBinding($SPOW , $UserID )
{
$names = @()
$assignment = $SPOW.RoleAssignments.GetByPrincipalId($UserID)
$context.Load($assignment)
$context.ExecuteQuery()
$roleDefs = $assignment.RoleDefinitionBindings
$context.Load($roleDefs)
$context.ExecuteQuery()
foreach($roleDef in $roleDefs)
{
$context.Load($roleDef)
$context.ExecuteQuery()
if ($roleDef.Name -ne "Limited Access")
{
$names += $roleDef.Name
}
}
return $names
}
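# Pass 2: visit every web collected by Get-SPOWebs and copy each unique role
# assignment that $FindUser holds at web, list and item scope to $New.
# Only grants are made here; $FindUser keeps its access until it is removed separately.
# Fixes over the original: a web where $FindUser is unknown is skipped instead of
# dereferencing an unloaded user object, each per-web context is disposed (not just
# the last one), and failures inside the copy steps are reported rather than swallowed.

# Returns $true when $PrincipalId has a direct role assignment in $RoleAssignments.
# GetByPrincipalId only fails at ExecuteQuery time, so the probe is the only thing
# inside the try: that failure is the expected "no assignment" signal, not an error.
# $context is read from the calling scope.
function Test-PrincipalHasAssignment($RoleAssignments, $PrincipalId)
{
$assignment = $RoleAssignments.GetByPrincipalId($PrincipalId)
$context.Load($assignment)
try
{
$context.ExecuteQuery()
return $true
}
catch
{
return $false
}
}

foreach($Web in $AllWebs)
{
# One client context per web.  The helper functions read $context from this
# scope, so the variable name must stay "context".
$context = New-Object Microsoft.SharePoint.Client.ClientContext($web)
try
{
$context.Credentials = $spoCred
$SPOWeb = $context.Web
$context.Load($SPOWeb)
$context.ExecuteQuery()
Invoke-LoadMethod -Object $SPOWeb -PropertyName "HasUniqueRoleAssignments"
$context.ExecuteQuery()
$SPOWebUser = $spoweb.SiteUsers.GetByLoginName($FindUser)
$context.Load($SPOWebUser)
try
{
$context.ExecuteQuery()
}
catch
{
# Nothing to copy without a source principal; skip the web instead of
# reading .Id from an object that was never loaded.
Write-Warning "User '$FindUser' does not exist in the site collection ($web); skipping this web."
continue
}
$sourceId = $SPOWebUser.Id

# --- web scope ---
if (($SPOWeb.HasUniqueRoleAssignments -eq $true) -and (Test-PrincipalHasAssignment $SPOWeb.RoleAssignments $sourceId))
{
try
{
$GetWBindings = GetWebRoleBinding $SPOWeb $sourceId
foreach ($GetWBinding in $GetWBindings)
{
$null = ReplaceUserInWeb $SPOWeb $GetWBinding
}
}
catch
{
Write-Warning "Failed to copy web permissions on $($web): $($_.Exception.Message)"
}
}

# --- list and item scope ---
$Lists = $spoWeb.Lists
$Context.Load($Lists)
$context.ExecuteQuery()
foreach($List in $Lists)
{
$Context.Load($List)
Invoke-LoadMethod -Object $List -PropertyName "HasUniqueRoleAssignments"
$context.ExecuteQuery()
if (($List.HasUniqueRoleAssignments -eq $true) -and ($List.Hidden -eq $false) -and (Test-PrincipalHasAssignment $List.RoleAssignments $sourceId))
{
try
{
$GetLBindings = GetListRoleBinding $SPOWeb $sourceId $List.Id
foreach ($GetLBinding in $GetLBindings)
{
# Only role definition names are bindings; anything else in the output stream is ignored.
if ($GetLBinding -is [string])
{
$null = ReplaceUserInList $SPOWeb $GetLBinding $List.Id
}
}
}
catch
{
Write-Warning "Failed to copy list permissions on '$($List.Title)': $($_.Exception.Message)"
}
}
# NOTE(review): items are enumerated for hidden lists too (only the list-level grant is
# gated on Hidden), and CreateAllItemsQuery is unpaged — a very large list may exceed the
# list view threshold; paging with a RowLimit and ListItemCollectionPosition would be the
# fix if that happens.  Behaviour kept as in the original.
$qry = [Microsoft.SharePoint.Client.CamlQuery]::CreateAllItemsQuery()
$ListItems = $List.GetItems($qry)
$context.Load($ListItems)
$Context.ExecuteQuery()
foreach($ListItem in $ListItems)
{
$Context.Load($ListItem)
Invoke-LoadMethod -Object $ListItem -PropertyName "HasUniqueRoleAssignments"
$context.ExecuteQuery()
if (($ListItem.HasUniqueRoleAssignments -eq $true) -and (Test-PrincipalHasAssignment $ListItem.RoleAssignments $sourceId))
{
try
{
$GetLIBindings = GetListItemsRoleBinding $SPOWeb $sourceId $List.Id $ListItem.Id
foreach ($GetLIBinding in $GetLIBindings)
{
if ($GetLIBinding -is [string])
{
$null = ReplaceUserInListItem $SPOWeb $GetLIBinding $List.Id $ListItem.Id
}
}
}
catch
{
Write-Warning "Failed to copy item permissions on item $($ListItem.Id) of '$($List.Title)': $($_.Exception.Message)"
}
}
}
}
}
finally
{
# Every iteration opened its own context; release each one, not only the last.
$context.Dispose()
}
}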