Share via

Get folder(s) a user has access to in SharePoint Online

Cloud_Geek_82 881 Reputation points
2023-12-04T21:37:51.1866667+00:00

Hi All,

I need to remove access for a specific user from ALL SharePoint Online folders.

I have already removed that user from SharePoint Online groups but it seems there is a folder or folders the user was granted access directly (not based on group membership)

Screenshot 2023-12-05 083243

How to find out which folder or folders the user has access to?

SharePoint
SharePoint
A group of Microsoft Products and technologies used for sharing and managing content, knowledge, and applications.
11,069 questions
0 comments
Accepted answer
  1. AllenXu-MSFT 22,686 Reputation points Microsoft Vendor
    2023-12-05T02:54:55.01+00:00

    Hi @Cloud_Geek_82,

    You can use the PowerShell below to check user permissions and export the findings into a CSV file. Change the Parameters $SiteURL and $User according to your environment.

    #Set parameter values
$SiteURL="https://xxx.sharepoint.com/sites/xxx"
$UserAccount="i:0#.f|membership|xxx@xxx.com"
$ReportFile="C:\Temp\PermissionRpt.csv"
$BatchSize = 500
 
#sharepoint online powershell to get user permissions Applied on a particular Object, such as: Web, List, Folder or Item
Function Get-Permissions([Microsoft.SharePoint.Client.SecurableObject]$Object)
{
    #Determine the type of the object
    Switch($Object.TypedObject.ToString())
    {
        "Microsoft.SharePoint.Client.Web"  { $ObjectType = "Site" ; $ObjectURL = $Object.URL }
        "Microsoft.SharePoint.Client.ListItem"
        {
            $ObjectType = "List Item/Folder"
  
            #Get the URL of the List Item
            $Object.ParentList.Retrieve("DefaultDisplayFormUrl")
            $Ctx.ExecuteQuery()
            $DefaultDisplayFormUrl = $Object.ParentList.DefaultDisplayFormUrl
            $ObjectURL = $("{0}{1}?ID={2}" -f $Ctx.Web.Url.Replace($Ctx.Web.ServerRelativeUrl,''), $DefaultDisplayFormUrl,$Object.ID)
        }
        Default
        {
            $ObjectType = "List/Library"
            #Get the URL of the List or Library
            $Ctx.Load($Object.RootFolder)
            $Ctx.ExecuteQuery()           
            $ObjectURL = $("{0}{1}" -f $Ctx.Web.Url.Replace($Ctx.Web.ServerRelativeUrl,''), $Object.RootFolder.ServerRelativeUrl)
        }
    }
  
    #Get permissions assigned to the object
    $Ctx.Load($Object.RoleAssignments)
    $Ctx.ExecuteQuery()
  
    Foreach($RoleAssignment in $Object.RoleAssignments)
    {
                $Ctx.Load($RoleAssignment.Member)
                $Ctx.executeQuery()
  
                #Check direct permissions
                if($RoleAssignment.Member.PrincipalType -eq "User")
                {
                    #Is the current user is the user we search for?
                    if($RoleAssignment.Member.LoginName -eq $SearchUser.LoginName)
                    {
                        Write-Host  -f Cyan "Found the User under direct permissions of the $($ObjectType) at $($ObjectURL)"
                          
                        #Get the Permissions assigned to user
                        $UserPermissions=@()
                        $Ctx.Load($RoleAssignment.RoleDefinitionBindings)
                        $Ctx.ExecuteQuery()
                        foreach ($RoleDefinition in $RoleAssignment.RoleDefinitionBindings)
                        {
                            $UserPermissions += $RoleDefinition.Name +";"
                        }
                        #Send the Data to Report file
                        "$($ObjectURL) `t $($ObjectType) `t $($Object.Title)`t Direct Permission `t $($UserPermissions)" | Out-File $ReportFile -Append
                    }
                }
                  
                Elseif($RoleAssignment.Member.PrincipalType -eq "SharePointGroup")
                {
                        #Search inside SharePoint Groups and check if the user is member of that group
                        $Group= $Web.SiteGroups.GetByName($RoleAssignment.Member.LoginName)
                        $GroupUsers=$Group.Users
                        $Ctx.Load($GroupUsers)
                        $Ctx.ExecuteQuery()
  
                        #Check if user is member of the group
                        Foreach($User in $GroupUsers)
                        {
                            #Check if the search users is member of the group
                            if($user.LoginName -eq $SearchUser.LoginName)
                            {
                                Write-Host -f Cyan "Found the User under Member of the Group '$($RoleAssignment.Member.LoginName)' on $($ObjectType) at $($ObjectURL)"
  
                                #Get the Group's Permissions on site
                                $GroupPermissions=@()
                                $Ctx.Load($RoleAssignment.RoleDefinitionBindings)
                                $Ctx.ExecuteQuery()
                                Foreach ($RoleDefinition  in $RoleAssignment.RoleDefinitionBindings)
                                {
                                    $GroupPermissions += $RoleDefinition.Name +";"
                                }         
                                #Send the Data to Report file
                                "$($ObjectURL) `t $($ObjectType) `t $($Object.Title)`t Member of '$($RoleAssignment.Member.LoginName)' Group `t $($GroupPermissions)" | Out-File $ReportFile -Append
                            }
                        }
                }
            }
}
 
Try {
    #Get Credentials to connect
    $Cred= Get-Credential
    $Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)
   
    #Setup the context
    $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
    $Ctx.Credentials = $Credentials
  
    #Get the Web
    $Web = $Ctx.Web
    $Ctx.Load($Web)
    $Ctx.ExecuteQuery()
  
    #Get the User object
    $SearchUser = $Web.EnsureUser($UserAccount)
    $Ctx.Load($SearchUser)
    $Ctx.ExecuteQuery()
  
    #Write CSV- TAB Separated File) Header
    "URL `t Object `t Title `t PermissionType `t Permissions" | out-file $ReportFile
  
    Write-host -f Yellow "Searching in the Site Collection Administrators Group..."
    #Check if Site Collection Admin
    If($SearchUser.IsSiteAdmin -eq $True)
    {
        Write-host -f Cyan "Found the User under Site Collection Administrators Group!"
        #Send the Data to report file
        "$($Web.URL) `t Site Collection `t $($Web.Title)`t Site Collection Administrator `t Site Collection Administrator" | Out-File $ReportFile -Append
    }
  
  
    #Function to Check Permissions of All List Items of a given List
    Function Check-SPOListItemsPermission([Microsoft.SharePoint.Client.List]$List)
    {
        Write-host -f Yellow "Searching in List Items of the List '$($List.Title)..."
  
        $Query = New-Object Microsoft.SharePoint.Client.CamlQuery
        $Query.ViewXml = "<View Scope='RecursiveAll'><Query><OrderBy><FieldRef Name='ID' Ascending='TRUE'/></OrderBy></Query><RowLimit Paged='TRUE'>$BatchSize</RowLimit></View>"
 
        $Counter = 0
        #Batch process list items - to mitigate list threshold issue on larger lists
        Do { 
            #Get items from the list in Batch
            $ListItems = $List.GetItems($Query)
            $Ctx.Load($ListItems)
            $Ctx.ExecuteQuery()
           
            $Query.ListItemCollectionPosition = $ListItems.ListItemCollectionPosition
            #Loop through each List item
            ForEach($ListItem in $ListItems)
            {
                $ListItem.Retrieve("HasUniqueRoleAssignments")
                $Ctx.ExecuteQuery()
                if ($ListItem.HasUniqueRoleAssignments -eq $true)
                {
                    #Call the function to generate Permission report
                    Get-Permissions -Object $ListItem
                }
                $Counter++
                Write-Progress -PercentComplete ($Counter / ($List.ItemCount) * 100) -Activity "Processing Items $Counter of $($List.ItemCount)" -Status "Searching Unique Permissions in List Items of '$($List.Title)'"
            }
        } While ($Query.ListItemCollectionPosition -ne $null)
    }
  
    #Function to Check Permissions of all lists from the web
    Function Check-SPOListPermission([Microsoft.SharePoint.Client.Web]$Web)
    {
        #Get All Lists from the web
        $Lists = $Web.Lists
        $Ctx.Load($Lists)
        $Ctx.ExecuteQuery()
  
        #Get all lists from the web  
        ForEach($List in $Lists)
        {
            #Exclude System Lists
            If($List.Hidden -eq $False)
            {
                #Get List Items Permissions
                Check-SPOListItemsPermission $List
  
                #Get the Lists with Unique permission
                $List.Retrieve("HasUniqueRoleAssignments")
                $Ctx.ExecuteQuery()
  
                If( $List.HasUniqueRoleAssignments -eq $True)
                {
                    #Call the function to check permissions
                    Get-Permissions -Object $List
                }
            }
        }
    }
  
    #Function to Check Webs's Permissions from given URL
    Function Check-SPOWebPermission([Microsoft.SharePoint.Client.Web]$Web)
    {
        #Get all immediate subsites of the site
        $Ctx.Load($web.Webs) 
        $Ctx.executeQuery()
   
        #Call the function to Get Lists of the web
        Write-host -f Yellow "Searching in the Web "$Web.URL"..."
  
        #Check if the Web has unique permissions
        $Web.Retrieve("HasUniqueRoleAssignments")
        $Ctx.ExecuteQuery()
  
        #Get the Web's Permissions
        If($web.HasUniqueRoleAssignments -eq $true)
        {
            Get-Permissions -Object $Web
        }
  
        #Scan Lists with Unique Permissions
        Write-host -f Yellow "Searching in the Lists and Libraries of "$Web.URL"..."
        Check-SPOListPermission($Web)
   
        #Iterate through each subsite in the current web
        Foreach ($Subweb in $web.Webs)
        {
                #Call the function recursively                           
                Check-SPOWebPermission($SubWeb)
        }
    }
  
    #Call the function with RootWeb to get site collection permissions
    Check-SPOWebPermission $Web
  
    Write-host -f Green "User Permission Report Generated Successfully!"
    }
Catch {
    write-host -f Red "Error Generating User Permission Report!" $_.Exception.Message
}

    And the result of the SharePoint Online user permissions reports using PowerShell: Script generates a CSV file in the below format. Obviously, all the folders, files, and items the user has access to will be listed.

    User's image

    If the answer is helpful, please click "Accept as Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.