SharePoint online: Get permission from each document folder by PowerShell via CSV file

Sato,Rene 21 Reputation points
2021-12-10T05:58:24.157+00:00

Hi,

I'm looking for a solution to the following.

I want to get the permissions of the folders and subfolders in a document library, with their permission settings, as CSV file output.

During searching, I found this script, but it doesn't include the folder name.
https://learn.microsoft.com/en-us/answers/questions/508193/sharepoint-online-powershell-get-document-library.html

How can I add the folder name in the script? Or is there another way?

Thank you in advance.


Accepted answer
  1. Limitless Technology 39,741 Reputation points
    2021-12-10T16:00:12.95+00:00

    Hi there,

    Folder-level permissions in SharePoint Online help to obtain fine-grained permissions, and they are an important part of SharePoint Online security. This Microsoft article explains the process in detail.

    How to Export Folder Permissions to Excel or CSV File
    https://social.technet.microsoft.com/wiki/contents/articles/51422.how-to-export-folder-permissions-to-excel-or-csv-file.aspx

    Here is an article as well to help you out here
    https://learn.microsoft.com/en-us/answers/questions/511907/on-a-sharepoint-online-site-what-powershell-code-c.html

    -------------------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept it as an answer--


1 additional answer

  1. JoyZ 18,076 Reputation points
    2021-12-10T08:45:53.933+00:00

    @Sato,Rene ,

    Here is a PowerShell script that generates a SharePoint Online document library permission report (you can get permissions on all underlying objects of the library, such as folders, subfolders and list items):

    #Function to Get Permissions on a particular List, Folder or List Item  
    Function Get-PnPPermissions([Microsoft.SharePoint.Client.SecurableObject]$Object)  
    {  
        #Determine the type of the object  
        Switch($Object.TypedObject.ToString())  
        {  
            "Microsoft.SharePoint.Client.ListItem"  
            {  
                If($Object.FileSystemObjectType -eq "Folder")  
                {  
                    $ObjectType = "Folder"  
                    #Get the URL of the Folder  
                    $Folder = Get-PnPProperty -ClientObject $Object -Property Folder  
                    $ObjectTitle = $Object.Folder.Name  
                    $ObjectURL = $("{0}{1}" -f $Web.Url.Replace($Web.ServerRelativeUrl,''),$Object.Folder.ServerRelativeUrl)  
                }  
                Else #File or List Item  
                {  
                    #Get the URL of the Object  
                    Get-PnPProperty -ClientObject $Object -Property File, ParentList  
                    If($Object.File.Name -ne $Null)  
                    {  
                        $ObjectType = "File"  
                        $ObjectTitle = $Object.File.Name  
                        $ObjectURL = $("{0}{1}" -f $Web.Url.Replace($Web.ServerRelativeUrl,''),$Object.File.ServerRelativeUrl)  
                    }  
                    else  
                    {  
                        $ObjectType = "List Item"  
                        $ObjectTitle = $Object["Title"]  
                        #Get the URL of the List Item  
                        $DefaultDisplayFormUrl = Get-PnPProperty -ClientObject $Object.ParentList -Property DefaultDisplayFormUrl                      
                        $ObjectURL = $("{0}{1}?ID={2}" -f $Web.Url.Replace($Web.ServerRelativeUrl,''), $DefaultDisplayFormUrl,$Object.ID)  
                    }  
                }  
            }  
            Default  
            {  
                $ObjectType = "List or Library"  
                $ObjectTitle = $Object.Title  
                #Get the URL of the List or Library  
                $RootFolder = Get-PnPProperty -ClientObject $Object -Property RootFolder      
                $ObjectURL = $("{0}{1}" -f $Web.Url.Replace($Web.ServerRelativeUrl,''), $RootFolder.ServerRelativeUrl)  
            }  
        }  
          
        #Get permissions assigned to the object  
        Get-PnPProperty -ClientObject $Object -Property HasUniqueRoleAssignments, RoleAssignments  
        
        #Check if Object has unique permissions  
        $HasUniquePermissions = $Object.HasUniqueRoleAssignments  
            
        #Loop through each permission assigned and extract details  
        $PermissionCollection = @()  
        Foreach($RoleAssignment in $Object.RoleAssignments)  
        {  
            #Get the Permission Levels assigned and Member  
            Get-PnPProperty -ClientObject $RoleAssignment -Property RoleDefinitionBindings, Member  
        
            #Get the Principal Type: User, SP Group, AD Group  
            $PermissionType = $RoleAssignment.Member.PrincipalType  
           
            #Get the Permission Levels assigned  
            $PermissionLevels = $RoleAssignment.RoleDefinitionBindings | Select -ExpandProperty Name  
        
            #Remove Limited Access  
            $PermissionLevels = ($PermissionLevels | Where { $_ -ne "Limited Access"}) -join ","  
        
            #Leave Principals with no Permissions  
            If($PermissionLevels.Length -eq 0) {Continue}  
        
            #Get SharePoint group members  
            If($PermissionType -eq "SharePointGroup")  
            {  
                #Get Group Members  
                $GroupMembers = Get-PnPGroupMember -Identity $RoleAssignment.Member.LoginName  
                        
                #Leave Empty Groups  
                If($GroupMembers.count -eq 0){Continue}  
                $GroupUsers = ($GroupMembers | Select -ExpandProperty Title) -join "; "  
        
                #Add the Data to Object  
                $Permissions = New-Object PSObject  
                $Permissions | Add-Member NoteProperty Object($ObjectType)  
                $Permissions | Add-Member NoteProperty Title($ObjectTitle)  
                $Permissions | Add-Member NoteProperty URL($ObjectURL)  
                $Permissions | Add-Member NoteProperty HasUniquePermissions($HasUniquePermissions)  
                $Permissions | Add-Member NoteProperty Users($GroupUsers)  
                $Permissions | Add-Member NoteProperty Type($PermissionType)  
                $Permissions | Add-Member NoteProperty Permissions($PermissionLevels)  
                $Permissions | Add-Member NoteProperty GrantedThrough("SharePoint Group: $($RoleAssignment.Member.LoginName)")  
                $PermissionCollection += $Permissions  
            }  
            Else  
            {  
                #Add the Data to Object  
                $Permissions = New-Object PSObject  
                $Permissions | Add-Member NoteProperty Object($ObjectType)  
                $Permissions | Add-Member NoteProperty Title($ObjectTitle)  
                $Permissions | Add-Member NoteProperty URL($ObjectURL)  
                $Permissions | Add-Member NoteProperty HasUniquePermissions($HasUniquePermissions)  
                $Permissions | Add-Member NoteProperty Users($RoleAssignment.Member.Title)  
                $Permissions | Add-Member NoteProperty Type($PermissionType)  
                $Permissions | Add-Member NoteProperty Permissions($PermissionLevels)  
                $Permissions | Add-Member NoteProperty GrantedThrough("Direct Permissions")  
                $PermissionCollection += $Permissions  
            }  
        }  
        #Export Permissions to CSV File  
        $PermissionCollection | Export-CSV $ReportFile -NoTypeInformation -Append  
    }  
          
    #Function to get sharepoint online list permissions report  
    Function Generate-PnPListPermissionRpt()  
    {  
    [cmdletbinding()]  
        Param   
        (     
            [Parameter(Mandatory=$false)] [String] $SiteURL,  
            [Parameter(Mandatory=$false)] [String] $ListName,          
            [Parameter(Mandatory=$false)] [String] $ReportFile,  
            [Parameter(Mandatory=$false)] [switch] $ScanItemLevel,  
            [Parameter(Mandatory=$false)] [switch] $IncludeInheritedPermissions  
        )  
        Try {  
            #Function to Get Permissions of All List Items of a given List  
            Function Get-PnPListItemsPermission([Microsoft.SharePoint.Client.List]$List)  
            {  
                Write-host -f Yellow "`t `t Getting Permissions of List Items in the List:"$List.Title  
         
                #Get All Items from List in batches  
                $ListItems = Get-PnPListItem -List $List -PageSize 500  
         
                $ItemCounter = 0  
                #Loop through each List item  
                ForEach($ListItem in $ListItems)  
                {  
                    #Get Objects with Unique Permissions or Inherited Permissions based on 'IncludeInheritedPermissions' switch  
                    If($IncludeInheritedPermissions)  
                    {  
                        Get-PnPPermissions -Object $ListItem  
                    }  
                    Else  
                    {  
                        #Check if List Item has unique permissions  
                        $HasUniquePermissions = Get-PnPProperty -ClientObject $ListItem -Property HasUniqueRoleAssignments  
                        If($HasUniquePermissions -eq $True)  
                        {  
                            #Call the function to generate Permission report  
                            Get-PnPPermissions -Object $ListItem  
                        }  
                    }  
                    $ItemCounter++  
                    Write-Progress -PercentComplete ($ItemCounter / ($List.ItemCount) * 100) -Activity "Processing Items $ItemCounter of $($List.ItemCount)" -Status "Searching Unique Permissions in List Items of '$($List.Title)'"  
                }  
            }  
       
                #Get the List  
                $List = Get-PnpList -Identity $ListName -Includes RoleAssignments  
                   
                Write-host -f Yellow "Getting Permissions of the List '$ListName'..."  
                #Get List Permissions  
                Get-PnPPermissions -Object $List  
       
                #Get Item Level Permissions if 'ScanItemLevel' switch present  
                If($ScanItemLevel)  
                {  
                    #Get List Items Permissions  
                    Get-PnPListItemsPermission -List $List  
                }  
            Write-host -f Green "`t List Permission Report Generated Successfully!"   
         }  
        Catch {  
            write-host -f Red "Error Generating List Permission Report!" $_.Exception.Message  
       }  
    }  
       
    #region ***Parameters***  
    $SiteURL="https://tenant.sharepoint.com/sites/Team1"  
    $ListName = "Shared Documents"  
    $ReportFile="C:\Temp\ListPermissionRpt.csv"  
    #endregion  
       
    #Remove the Output report if exists  
    If (Test-Path $ReportFile) { Remove-Item $ReportFile }  
       
    #Connect to the Site  
    Connect-PnPOnline -URL $SiteURL -Credentials (Get-Credential)  
       
    #Get the Web  
    $Web = Get-PnPWeb  
      
    Generate-PnPListPermissionRpt -SiteURL $SiteURL -ListName $ListName -ReportFile $ReportFile -ScanItemLevel -IncludeInheritedPermissions   
    

    After generating the report, you can filter the Object column to folders only.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
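
The folder-only filter mentioned in JoyZ's answer, as an added example that is not part of the original thread: it reads the report columns written by `Get-PnPPermissions`, keeps the `Folder` rows, and collapses them to one line per folder with its name, whether inheritance is broken, and how many grants are direct. The function name `Get-FolderPermissionSummary` and the sample rows are constructed for illustration.

```powershell
# Constructed sample rows in the column layout written by Get-PnPPermissions above.
# For a real report, replace this here-string with: $Report = Import-Csv $ReportFile
$Report = @'
"Object","Title","URL","HasUniquePermissions","Users","Type","Permissions","GrantedThrough"
"List or Library","Documents","https://tenant.sharepoint.com/sites/Team1/Shared Documents","False","Alice Example; Bob Example","SharePointGroup","Full Control","SharePoint Group: Team1 Owners"
"Folder","Finance","https://tenant.sharepoint.com/sites/Team1/Shared Documents/Finance","True","Alice Example","SharePointGroup","Full Control","SharePoint Group: Team1 Owners"
"Folder","Finance","https://tenant.sharepoint.com/sites/Team1/Shared Documents/Finance","True","Carol Example","User","Edit","Direct Permissions"
"Folder","Public","https://tenant.sharepoint.com/sites/Team1/Shared Documents/Public","False","Alice Example; Bob Example","SharePointGroup","Full Control","SharePoint Group: Team1 Owners"
"File","Budget.xlsx","https://tenant.sharepoint.com/sites/Team1/Shared Documents/Finance/Budget.xlsx","False","Alice Example","SharePointGroup","Full Control","SharePoint Group: Team1 Owners"
'@ | ConvertFrom-Csv

# Hypothetical helper: one summary row per folder URL
Function Get-FolderPermissionSummary
{
    Param
    (
        [Parameter(Mandatory=$true)] [Object[]] $Rows,
        [switch] $UniqueOnly   # keep only folders with broken inheritance
    )

    $Rows |
        Where-Object { $_.Object -eq 'Folder' } |
        # Import-Csv / ConvertFrom-Csv return every value as a string, so compare with 'True'
        Where-Object { -not $UniqueOnly -or $_.HasUniquePermissions -eq 'True' } |
        Group-Object -Property URL |
        ForEach-Object {
            $First = $_.Group[0]
            [PSCustomObject]@{
                FolderName           = $First.Title
                URL                  = $_.Name
                HasUniquePermissions = $First.HasUniquePermissions
                # Grants made to a principal directly rather than through a SharePoint group
                DirectGrants         = @($_.Group | Where-Object { $_.GrantedThrough -eq 'Direct Permissions' }).Count
                Assignments          = ($_.Group | ForEach-Object { "{0} [{1}]" -f $_.Users, $_.Permissions }) -join ' | '
            }
        } |
        Sort-Object -Property HasUniquePermissions, DirectGrants -Descending
}

# All folders, with the ones that broke inheritance listed first
Get-FolderPermissionSummary -Rows $Report | Format-Table -AutoSize -Wrap

# Folders with unique permissions only, written to a separate CSV for review
$OutFile = Join-Path ([IO.Path]::GetTempPath()) 'FolderPermissionSummary.csv'
Get-FolderPermissionSummary -Rows $Report -UniqueOnly | Export-Csv $OutFile -NoTypeInformation
```

Because the report script skips "Limited Access" bindings and empty SharePoint groups, a folder that has only those assignments will not appear in the summary.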


