How to Get the SharePoint Site Permissions Report (Powershell) (2024)

Last Updated on June 22, 2024

Need a permissions report?

In this guide, I will walk you through the steps of generating a SharePoint site permissions report using PowerShell.

Let’s get started.

Table of Contents:

  • What is a permissions report?
  • Generating Site Permissions Report
  • Advanced Reporting Options
    • Recursive permissions reporting
    • Item-level permissions
    • Including group members
    • Filtering and customizing reports
  • Common Issues and Troubleshooting
    • Issue 1: List not found error
    • Issue 2: Collection not initialized
    • Issue 3: RoleDefinitionBindings property not found
    • Issue 4: Method invocation failure

What is a permissions report?

A permissions report in SharePoint provides a detailed view of who has access to what within a site.

It helps site collection administrators manage and audit permissions efficiently:

  • Identifies all users and groups with access to the site
  • Shows the level of access each user or group has
  • Highlights permissions at different levels, such as site, list, and item levels

SharePoint Online permissions reports are essential for maintaining security and compliance.

They ensure that only authorized users have access to sensitive information.

Administrators can quickly identify and address any discrepancies or unwanted access.

This helps in preventing data breaches and ensuring that the SharePoint environment is secure and well-managed.

Generating Site Permissions Report

Using PowerShell scripts, you can efficiently extract detailed permissions data and export it into a CSV file for analysis.

Here are the steps:

  1. Define the site URL and the path where you want to save the report.
  2. Use the PnP PowerShell module to connect to your SharePoint Online site.
  3. Loop through each role assignment to collect permission details.
  4. Save the collected data into a CSV file for further analysis.

Here’s an example of a PowerShell script for this process:

    # Parameters
    $SiteURL = "https://yourtenant.sharepoint.com/sites/yoursite"
    $ReportOutput = "C:\Temp\SitePermissionRpt.csv"

    # Connect to Site
    Connect-PnPOnline -Url $SiteURL -Interactive

    # Get the web
    $Web = Get-PnPWeb -Includes RoleAssignments

    # Initialize an array to hold permission data
    $PermissionData = @()

    # Loop through each permission assigned
    ForEach ($RoleAssignment in $Web.RoleAssignments) {
        # Get the Permission Levels assigned and Member
        Get-PnPProperty -ClientObject $RoleAssignment -Property RoleDefinitionBindings, Member

        # Collect Permission Data
        $Permissions = New-Object PSObject
        $Permissions | Add-Member NoteProperty Name($RoleAssignment.Member.Title)
        $Permissions | Add-Member NoteProperty Type($RoleAssignment.Member.PrincipalType)
        $Permissions | Add-Member NoteProperty PermissionLevels(($RoleAssignment.RoleDefinitionBindings | Select -ExpandProperty Name) -join ",")
        $PermissionData += $Permissions
    }

    # Export to CSV
    $PermissionData | Export-Csv -Path $ReportOutput -NoTypeInformation
    Write-Host "Site Permission Report Generated Successfully!"

Let me explain what happened:

  • The $SiteURL variable holds the URL of your SharePoint Online site, and $ReportOutput specifies the file path where the CSV report will be saved.
  • Connect-PnPOnline is used to authenticate and connect to the specified SharePoint Online site.
  • Get-PnPWeb -Includes RoleAssignments retrieves the web object along with its role assignments.
  • A loop goes through each role assignment, retrieves its properties, and stores the data in the $PermissionData array.
  • The collected permission data is exported to a CSV file using Export-Csv.

This is the CSV that was generated:

[Screenshot: the generated CSV report]

Nice! 👏

Advanced Reporting Options

You can also implement advanced options to provide deeper insights and get more detailed data.

Some advanced techniques include:

Recursive permissions reporting

For a thorough audit, you may want to include permissions for all subsites and nested objects within your SharePoint Online site.

This involves recursively scanning each subsite and its contents:

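    # Function to Get Web Permissions Recursively
    # Note: Get-Permissions and Get-PnPListPermissions are helper functions that
    # must be defined earlier in your script; they are not shown on this page.
    Function Get-PnPWebPermissions([Microsoft.SharePoint.Client.Web]$Web) {
        # Get Web Permissions
        Get-Permissions -Object $Web

        # Get Permissions for Lists and Libraries
        Get-PnPListPermissions -Web $Web

        # Load the subsites collection explicitly (it is not loaded by default),
        # then recursively process each subsite
        $SubWebs = Get-PnPProperty -ClientObject $Web -Property Webs
        $SubWebs | ForEach-Object { Get-PnPWebPermissions -Web $_ }
    }

    # Start the recursive permission retrieval
    $RootWeb = Get-PnPWeb
    Get-PnPWebPermissions -Web $RootWeb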

Item-level permissions

To capture permissions at the item level, modify the script to loop through all items within a list and check for unique permissions.

Example script:

    # Function to Get List Item Permissions
    # Note: Get-Permissions is a helper function that must be defined earlier
    # in your script; it is not shown on this page.
    Function Get-PnPListItemPermissions([Microsoft.SharePoint.Client.List]$List) {
        $ListItems = Get-PnPListItem -List $List -PageSize 500
        ForEach ($Item in $ListItems) {
            # Only items that break inheritance carry their own role assignments
            $HasUniquePermissions = Get-PnPProperty -ClientObject $Item -Property HasUniqueRoleAssignments
            If ($HasUniquePermissions) {
                Get-Permissions -Object $Item
            }
        }
    }

    # Call the function for each list
    $Lists = Get-PnPList
    ForEach ($List in $Lists) {
        Get-PnPListItemPermissions -List $List
    }

Including group members

Often, you need to see not only the group names but also the members within each group.

Extend the script to expand groups and include individual user permissions:

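    # Function to Expand Groups and Get Members
    # $PermissionLevels carries the levels from the role assignment, because the
    # group object itself has no RoleDefinitionBindings property.
    Function Get-GroupMembers([Microsoft.SharePoint.Client.Group]$Group, [string]$PermissionLevels) {
        $GroupUsers = Get-PnPProperty -ClientObject $Group -Property Users
        ForEach ($User in $GroupUsers) {
            $Permissions = New-Object PSObject
            $Permissions | Add-Member NoteProperty Name($User.Title)
            $Permissions | Add-Member NoteProperty Type("User")
            $Permissions | Add-Member NoteProperty PermissionLevels($PermissionLevels)
            # Emit the row; the caller collects it into $PermissionData
            $Permissions
        }
    }

    # Integrate with main script
    ForEach ($RoleAssignment in $Web.RoleAssignments) {
        Get-PnPProperty -ClientObject $RoleAssignment -Property RoleDefinitionBindings, Member
        If ($RoleAssignment.Member.PrincipalType -eq "SharePointGroup") {
            $Levels = ($RoleAssignment.RoleDefinitionBindings | Select -ExpandProperty Name) -join ","
            $PermissionData += @(Get-GroupMembers -Group $RoleAssignment.Member -PermissionLevels $Levels)
        }
    }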

Filtering and customizing reports

You might want to filter permissions by specific criteria such as user roles, permission levels, or specific SharePoint sites.

Adjust the script to include these filters:

    # Filter by Specific Role
    ForEach ($RoleAssignment in $Web.RoleAssignments) {
        # Make sure the permission levels and member are loaded before reading them
        Get-PnPProperty -ClientObject $RoleAssignment -Property RoleDefinitionBindings, Member

        $RoleBindings = $RoleAssignment.RoleDefinitionBindings | Where-Object { $_.Name -ne "Limited Access" }
        If ($RoleBindings) {
            # Collect data for filtered roles
            $Permissions = New-Object PSObject
            $Permissions | Add-Member NoteProperty Name($RoleAssignment.Member.Title)
            $Permissions | Add-Member NoteProperty Type($RoleAssignment.Member.PrincipalType)
            $Permissions | Add-Member NoteProperty PermissionLevels(($RoleBindings | Select -ExpandProperty Name) -join ",")
            $PermissionData += $Permissions
        }
    }
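Once the CSV exists, the same filtering can be done offline to triage the report for entries worth a closer look. The following is an added example, not part of the original article: the function name Get-PermissionFindings, the review rules, and the sample rows are assumptions constructed for illustration, using the report's Name, Type, and PermissionLevels columns.

```powershell
# Constructed sample rows in the report's column layout (Name, Type, PermissionLevels).
$SampleCsv = @'
"Name","Type","PermissionLevels"
"Project Site Owners","SharePointGroup","Full Control"
"Project Site Members","SharePointGroup","Edit"
"Project Site Visitors","SharePointGroup","Read"
"Everyone except external users","SecurityGroup","Read"
"Alex Example","User","Full Control,Limited Access"
"Sam Sample","User","Limited Access"
"Finance Team","SecurityGroup","Contribute"
'@

# Hypothetical helper: returns one row per report entry that deserves review.
Function Get-PermissionFindings {
    param([Parameter(Mandatory)][object[]]$Rows)

    # Principals that cover every account in the tenant (assumed display names).
    $BroadPrincipals = @('Everyone', 'Everyone except external users')

    ForEach ($Row in $Rows) {
        # PermissionLevels is a comma-joined string in the report; split it back out
        # and ignore "Limited Access", as the filter example above does.
        $Levels = @($Row.PermissionLevels -split ',' | ForEach-Object { $_.Trim() } |
            Where-Object { $_ -and $_ -ne 'Limited Access' })
        If ($Levels.Count -eq 0) { Continue }

        $Reasons = @()
        If ($BroadPrincipals -contains $Row.Name) { $Reasons += 'Tenant-wide principal' }
        If ($Row.Type -eq 'User') { $Reasons += 'Direct user grant (not via a group)' }
        If ($Levels -contains 'Full Control' -and $Row.Name -notlike '*Owners') {
            $Reasons += 'Full Control outside the Owners group'
        }

        If ($Reasons.Count -gt 0) {
            [PSCustomObject]@{
                Name             = $Row.Name
                Type             = $Row.Type
                PermissionLevels = $Levels -join ','
                Reasons          = $Reasons -join '; '
            }
        }
    }
}

$Findings = Get-PermissionFindings -Rows ($SampleCsv | ConvertFrom-Csv)
$Findings | Format-Table -AutoSize -Wrap
```

To run it against a real report, replace the sample rows with Import-Csv -Path $ReportOutput.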

Common Issues and Troubleshooting

Unfortunately, you may encounter several issues. 😰

Well, that’s not unlikely when using PowerShell, but these issues may produce incomplete reports.

Here are common issues you may encounter and what you can do:

Issue 1: List not found error

This error occurs when the script cannot find a specified list.

Ensure that the list name is correct and exists on the site.

Use the Get-PnPList cmdlet to verify the list’s presence:

    $Lists = Get-PnPList
    ForEach ($List in $Lists) {
        Write-Host $List.Title
    }

Issue 2: Collection not initialized

This error means the script is trying to access a collection that has not been loaded or initialized.

Explicitly request the collection using the Get-PnPProperty cmdlet before accessing it.

Like this:

    $Webs = Get-PnPProperty -ClientObject $Web -Property Webs

Issue 3: RoleDefinitionBindings property not found

This error occurs when the script cannot find the RoleDefinitionBindings property in a group.

For this, ensure the RoleAssignments property is correctly loaded and accessed.

You can do it like this:

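    $RoleAssignments = Get-PnPProperty -ClientObject $Object -Property RoleAssignments
    ForEach ($RoleAssignment in $RoleAssignments) {
        # Load the permission levels on the role assignment before reading them
        Get-PnPProperty -ClientObject $RoleAssignment -Property RoleDefinitionBindings, Member
        $RoleAssignment.RoleDefinitionBindings | ForEach-Object {
            # Process permissions
        }
    }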

Issue 4: Method invocation failure

This error happens when using methods or properties that don’t exist for an object.

You can check that the objects’ properties are correctly retrieved and used.

    $Permissions = @()
    $RoleAssignments = Get-PnPProperty -ClientObject $Object -Property RoleAssignments
    ForEach ($RoleAssignment in $RoleAssignments) {
        # Load the properties read below so they exist on the object
        Get-PnPProperty -ClientObject $RoleAssignment -Property RoleDefinitionBindings, Member
        $Permissions += New-Object PSObject -Property @{
            Name             = $RoleAssignment.Member.Title
            Type             = $RoleAssignment.Member.PrincipalType
            PermissionLevels = ($RoleAssignment.RoleDefinitionBindings | Select-Object -ExpandProperty Name) -join ","
        }
    }

Additional information:

  • Always test scripts in a non-production SharePoint Online environment first to avoid disrupting live sites.
  • Use verbose logging (Write-Host) to track the script’s progress and identify where issues occur.
  • Regularly update your PowerShell modules (Update-Module -Name PowerShellGet) to ensure compatibility with SharePoint Online updates.

Anyway, got any questions on generating a site collection permissions report? Let me know.

For any business-related queries or concerns, contact me through the contact form. I always reply. 🙂

Author: Ouida Strosin DO
