Query unique permissions and sharing links in SharePoint Online (PnP PowerShell)
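Clear-Host
# Column template for every row written to the CSV; PermissionObject fills one in per assignment.
$properties=@{SiteUrl='';SiteTitle='';ListTitle='';Type='';RelativeUrl='';ParentGroup='';MemberType='';MemberName='';MemberLoginName='';Roles='';};
# Timestamp embedded in the export file name. 24-hour clock with minutes AND seconds so two
# runs on the same day get distinct names: the previous "dd-MM-yyyy-hh-ss" pattern dropped the
# minutes and used a 12-hour clock, so an AM and a PM run could silently overwrite each other.
$dateTime = (Get-Date).toString("dd-MM-yyyy-HH-mm-ss")
$invocation = (Get-Variable MyInvocation).Value
# Output folder is <script folder>\Logs\. $PSScriptRoot is empty when the script is pasted into a
# console instead of run from a file; fall back to the invocation path in that case.
$scriptFolder = $PSScriptRoot
if ([string]::IsNullOrEmpty($scriptFolder) -and $invocation.MyCommand.Path) {
    $scriptFolder = Split-Path $invocation.MyCommand.Path
}
$directorypath = $scriptFolder + "\Logs\"
$excludeLimitedAccess = $true;   # drop the implicit "Limited Access" level from the report
$includeListsItems = $true;      # also walk every list item / file (slow on large sites)
$SiteCollectionUrl = Read-Host -Prompt "Enter site collection URL ";
$global:siteTitle= "";
#Exclude certain libraries
$ExcludedLibraries = @("Form Templates", "Preservation Hold Library", "Site Assets", "Images", "Pages", "Settings", "Videos","Timesheet"
"Site Collection Documents", "Site Collection Images", "Style Library", "AppPages", "Apps for SharePoint", "Apps for Office")
$global:permissions =@();    # every report row; exported at the end of the script
$global:sharingLinks = @();  # declared but never written anywhere in this script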
Function PermissionObject($_object,$_type,$_relativeUrl,$_siteUrl,$_siteTitle,$_listTitle,$_memberType,$_parentGroup,$_memberName,$_memberLoginName,$_roleDefinitionBindings)
{
    # Appends one report row to $global:permissions.
    # $_object is accepted for call-site symmetry but is not read.
    # $_roleDefinitionBindings may be a single string or a list of level names; it is
    # flattened to a comma-separated string either way.
    $row = [PSCustomObject]@{
        SiteUrl         = $_siteUrl
        SiteTitle       = $_siteTitle
        ListTitle       = $_listTitle
        Type            = $_type
        RelativeUrl     = $_relativeUrl
        ParentGroup     = $_parentGroup
        MemberType      = $_memberType
        MemberName      = $_memberName
        MemberLoginName = $_memberLoginName
        Roles           = ($_roleDefinitionBindings -join ",")
    }
    $global:permissions += $row
}
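Function Extract-Guid ($inputString) {
    # Pulls the directory-object GUID out of a federated-directory claim such as
    #   c:0o.c|federateddirectoryclaimprovider|<guid>      (group members)
    #   c:0o.c|federateddirectoryclaimprovider|<guid>_o    (group owners)
    # Returns $null instead of throwing when the value is empty or has fewer than three
    # '|'-separated parts (the original dereferenced $parts[2] unconditionally).
    if ([string]::IsNullOrEmpty($inputString)) { return $null }
    $parts = $inputString -split '\|'
    if ($parts.Count -lt 3) { return $null }
    # Strip the owners marker as a literal suffix. TrimEnd('_o') was a character SET (any
    # trailing '_' or 'o'), which only worked because a GUID contains neither character.
    return $parts[2] -replace '_o$', ''
}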
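Function QueryUniquePermissionsByObject($_web,$_object,$_Type,$_RelativeUrl,$_siteUrl,$_siteTitle,$_listTitle)
{
    # Records every role assignment on $_object (a web, list or list item) as report rows:
    #  - "SharingLinks.*" groups: one row per user in the link group, or one row for the
    #    link group itself when it has no users yet, so an active link is never dropped
    #    from the audit just because nobody has redeemed it.
    #  - Users and groups: one row for the principal itself.
    #  - On webs only, SharePoint groups are expanded one level: each member gets a row and
    #    Microsoft 365 group claims are further expanded to their owners / members.
    # Reads the script-level $excludeLimitedAccess switch.
    $roleAssignments = Get-PnPProperty -ClientObject $_object -Property RoleAssignments
    foreach($roleAssign in $roleAssignments){
        Get-PnPProperty -ClientObject $roleAssign -Property RoleDefinitionBindings,Member;
        $PermissionLevels = $roleAssign.RoleDefinitionBindings | Select -ExpandProperty Name;
        #Get all permission levels assigned (Excluding:Limited Access)
        if($excludeLimitedAccess -eq $true){
            $PermissionLevels = ($PermissionLevels | Where { $_ -ne "Limited Access"}) -join ","
        }
        # Users only exists on group principals; for a user principal this load fails and
        # $Users stays empty, which is why the error is suppressed here.
        $Users = Get-PnPProperty -ClientObject ($roleAssign.Member) -Property Users -ErrorAction SilentlyContinue
        # Raw level names (Limited Access NOT filtered) used for sharing-link rows
        $AccessType = $roleAssign.RoleDefinitionBindings.Name
        $MemberType = $roleAssign.Member.GetType().Name;
        #Get the Principal Type: User, SP Group, AD Group
        $PermissionType = $roleAssign.Member.PrincipalType
        If($PermissionLevels.Length -gt 0) {
            #Sharing link is in the format SharingLinks.03012675-2057-4d1d-91e0-8e3b176edd94.OrganizationView.20d346d3-d359-453b-900c-633c1551ccaa
            If ($roleAssign.Member.Title -like "SharingLinks*")
            {
                If ($Users)
                {
                    ForEach ($User in $Users)
                    {
                        PermissionObject $_object $_Type $_RelativeUrl $_siteUrl $_siteTitle $_listTitle "Sharing Links" $roleAssign.Member.LoginName $user.Title $User.LoginName $AccessType;
                    }
                }
                else
                {
                    # Link group with no users: still report the link itself (the original
                    # produced no row at all here, hiding the link from the audit).
                    PermissionObject $_object $_Type $_RelativeUrl $_siteUrl $_siteTitle $_listTitle "Sharing Links" $roleAssign.Member.LoginName $roleAssign.Member.Title $roleAssign.Member.LoginName $AccessType;
                }
            }
            ElseIf($MemberType -eq "Group" -or $MemberType -eq "User")
            {
                $MemberName = $roleAssign.Member.Title;
                $MemberLoginName = $roleAssign.Member.LoginName;
                if($MemberType -eq "User")
                {
                    $ParentGroup = "NA";
                }
                else
                {
                    $ParentGroup = $MemberName;
                }
                PermissionObject $_object $_Type $_RelativeUrl $_siteUrl $_siteTitle $_listTitle $MemberType $ParentGroup $MemberName $MemberLoginName $PermissionLevels;
            }
            if($_Type -eq "Site" -and $MemberType -eq "Group")
            {
                If($PermissionType -eq "SharePointGroup") {
                    #Get Group Members
                    $groupUsers = Get-PnPGroupMember -Identity $roleAssign.Member.LoginName
                    $groupUsers|foreach-object{
                        # Owners claim carries an "_o" suffix (letter o - the suffix Extract-Guid
                        # strips). The original compared against "_0" (digit zero), which can never
                        # equal that suffix, so owners were expanded as if they were plain members.
                        if ($_.LoginName.StartsWith("c:0o.c|federateddirectoryclaimprovider|") -and $_.LoginName.EndsWith("_o")) {
                            $guid = Extract-Guid $_.LoginName
                            Get-PnPMicrosoft365GroupOwners -Identity $guid | ForEach-Object {
                                $user = $_
                                PermissionObject $_object "Site" $_RelativeUrl $_siteUrl $_siteTitle "" "GroupMember" $roleAssign.Member.LoginName $user.DisplayName $user.UserPrincipalName $PermissionLevels;
                            }
                        }
                        elseif ($_.LoginName.StartsWith("c:0o.c|federateddirectoryclaimprovider|")) {
                            $guid = Extract-Guid $_.LoginName
                            Get-PnPMicrosoft365GroupMembers -Identity $guid | ForEach-Object {
                                $user = $_
                                PermissionObject $_object "Site" $_RelativeUrl $_siteUrl $_siteTitle "" "GroupMember" $roleAssign.Member.LoginName $user.DisplayName $user.UserPrincipalName $PermissionLevels;
                            }
                        }
                        # The group member itself (user, security group or M365 group claim) is
                        # always recorded, whether or not it was expanded above.
                        PermissionObject $_object "Site" $_RelativeUrl $_siteUrl $_siteTitle "" "GroupMember" $roleAssign.Member.LoginName $_.Title $_.LoginName $PermissionLevels;
                    }
                }
            }
        }
    }
}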
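Function QueryUniquePermissions($_web)
{
    ##query list, files and items unique permissions
    # Walks one web: records its own role assignments, then every visible list not named in
    # $ExcludedLibraries (a list-level row set when the list breaks inheritance) and, when
    # $includeListsItems is set, every item / file in those lists that breaks inheritance.
    # This function does not recurse into sub-webs; the caller passes the root web only.
    Write-Host "Querying web $($_web.Title)";
    $siteUrl = $_web.Url;
    Write-Host $siteUrl -Foregroundcolor "Red";
    $global:siteTitle = $_web.Title;
    # Uses the current PnP connection. The original passed "-Connection $siteconn", a variable
    # this script never sets, so it only worked because $null falls back to the default.
    $ll = Get-PnPList -Includes BaseType, Hidden, Title,HasUniqueRoleAssignments,RootFolder | Where-Object {$_.Hidden -eq $False -and $_.Title -notin $ExcludedLibraries } #$_.BaseType -eq "DocumentLibrary"
    Write-Host "Number of lists $($ll.Count)";
    QueryUniquePermissionsByObject $_web $_web "Site" "" $siteUrl $siteTitle "";
    foreach($list in $ll)
    {
        $listUrl = $list.RootFolder.ServerRelativeUrl;
        #Exclude internal system lists and check if it has unique permissions
        if($list.Hidden -ne $True)
        {
            Write-Host $list.Title -Foregroundcolor "Yellow";
            $listTitle = $list.Title;
            #Check List Permissions
            if($list.HasUniqueRoleAssignments -eq $True)
            {
                $Type = $list.BaseType.ToString();
                QueryUniquePermissionsByObject $_web $list $Type $listUrl $siteUrl $siteTitle $listTitle;
            }
            if($includeListsItems){
                $collListItem = Get-PnPListItem -PageSize 2000 -List $list
                $count = $collListItem.Count
                Write-Host "Number of items : $count within list $listTitle"
                foreach($item in $collListItem)
                {
                    # Only HasUniqueRoleAssignments is needed; FileRef is read from FieldValues
                    # below, so the extra "File" load the original requested was unused.
                    Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments;
                    if($item.HasUniqueRoleAssignments -eq $True)
                    {
                        if($list.BaseType -eq "DocumentLibrary")
                        {
                            $Type = $item.FileSystemObjectType;
                            $fileUrl = $item.FieldValues.FileRef;
                        }
                        else
                        {
                            $Type = "item"
                            # Built from the list's real server-relative path rather than
                            # "$siteurl/lists/<Title>": a title with spaces, or a list that was
                            # renamed, does not match its URL segment. This also keeps the column
                            # server-relative, like FileRef for library items.
                            $fileUrl = "$listUrl/AllItems.aspx?FilterField1=ID&FilterValue1=$($item.Id)"
                        }
                        QueryUniquePermissionsByObject $_web $item $Type $fileUrl $siteUrl $siteTitle $listTitle;
                    }
                }
            }
        }
    }
}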
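if(Test-Path $directorypath){
    # Interactive (browser) sign-in. The report covers only what this account can read; it is
    # not a tenant-wide view unless the account has rights on every object of the site.
    Connect-PnPOnline -Url $SiteCollectionUrl -Interactive
    #array storing permissions
    $web = Get-PnPWeb
    #root web , i.e. site collection level
    QueryUniquePermissions($web);
    Write-Host "Permission count: $($global:permissions.Count)";
    # A site title may contain characters that are illegal in a file name ('/', ':', '?', ...),
    # which made Export-CSV fail only after the whole crawl had finished. Replace them with '_'.
    # [string] cast keeps this safe when the web has no title.
    $safeTitle = [string]$siteTitle
    foreach ($bad in [System.IO.Path]::GetInvalidFileNameChars()) {
        $safeTitle = $safeTitle.Replace($bad, [char]'_')
    }
    $exportFilePath = Join-Path -Path $directorypath -ChildPath $([string]::Concat($safeTitle,"-Permissions_",$dateTime,".csv"));
    Write-Host "Export File Path is:" $exportFilePath
    Write-Host "Number of lines exported is :" $global:permissions.Count
    # The CSV maps login names / UPNs to the access they hold on each object: treat it as
    # sensitive output and restrict who can read the Logs folder.
    $global:permissions | Select-Object SiteUrl,SiteTitle,Type,RelativeUrl,ListTitle,MemberType,MemberName,MemberLoginName,ParentGroup,Roles|Export-CSV -Path $exportFilePath -NoTypeInformation;
}
else{
    # The Logs folder is not created automatically; create it next to the script before running.
    Write-Host "Invalid directory path:" $directorypath -ForegroundColor "Red";
}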