How to Check User Permissions in SharePoint Online (Guide)

Last Updated on November 16, 2023

Need to check permissions for a specific user?

In this short guide, I will walk you through the steps for checking user permissions in SharePoint Online — manually and through PowerShell.

Let’s get started.

What are SharePoint permissions?

First off, let’s discuss the concept of site permissions in SharePoint and what it truly means.

Basically, permissions are a set of access controls that determine what actions users can perform within a SharePoint environment.

These include actions like:

  • Creating content
  • Editing content
  • Deleting content
  • Viewing content
  • Managing site settings
  • Managing security

Permission levels then group individual permissions into a collection that is given to users or groups.


    How to check user permissions in SharePoint

    The good news here is that it’s really quite easy to check user access or permissions within the site collection.

    Navigate to the SharePoint site first, then go to gear icon > site permissions.

    A panel with the site permissions options will then open on the right.

    Click the advanced permissions settings button at the bottom.

    Note: You can also get here from the SharePoint site settings page.

    Don’t be surprised if the page goes back to a classic-looking interface.

    This page contains the groups that have access to the page.

    From here, click the check permissions button in the ribbon.

    This will open another window where you can check SharePoint permissions.

    Enter the name of the user/group you want to check and click check now.

    It will then provide the permission levels available to the user or SharePoint group you entered.


    This is an effective method to check permissions on a user or group — though you will have to do it one at a time.

    You can also view the permissions of the group on sites, lists, and items under the site collection.

    Go back to the classic site permissions page and click on a group.

    You will then be able to see the members of that group.

    Click the settings header > view group permissions.

    A window will show you the permissions this group has on sites, lists, and items.

    Note: Unfortunately, only users in the SharePoint security group can view this collection for protection and security.

    This also only works on the sites (or subsites) under that site collection, so you need to do this once per site collection.

    How to use PowerShell to get user permissions

    Many users are asking if it’s possible to do the checking in bulk — since it’s clearly cumbersome to do it one at a time.

    Well, there is a method using a PowerShell script (credits to this site) that will at least lighten the burden by exporting the findings into a CSV file.

    There are two caveats, though:

    • You need to enter the specific user in each run
    • The script doesn’t scan security groups in Active Directory

    All you need to do is copy the code below and change the following parameter values:

    1. Site URL (the site collection to check)
    2. User account (only change the email part)
    3. Report file (location of the file)

    #Load SharePoint CSOM Assemblies
    Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
    Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
       
    #Set parameter values
    $SiteURL="https://mrsharepoint.sharepoint.com/sites/demo"
    #Claims login name: append the user's email address after the final "|"
    $UserAccount="i:0#.f|membership|"
    $ReportFile="C:\Temp\SitePermissions.csv"
    $BatchSize = 500
      
    #Get the user's permissions applied on a particular object, such as: Web, List, Folder or Item
    Function Get-Permissions([Microsoft.SharePoint.Client.SecurableObject]$Object)
    {
        #Determine the type of the object
        Switch($Object.TypedObject.ToString())
        {
            "Microsoft.SharePoint.Client.Web"  { $ObjectType = "Site" ; $ObjectURL = $Object.URL }
            "Microsoft.SharePoint.Client.ListItem"
            { 
                $ObjectType = "List Item/Folder"
      
                #Get the URL of the List Item
                $Object.ParentList.Retrieve("DefaultDisplayFormUrl")
                $Ctx.ExecuteQuery()
                $DefaultDisplayFormUrl = $Object.ParentList.DefaultDisplayFormUrl
                $ObjectURL = $("{0}{1}?ID={2}" -f $Ctx.Web.Url.Replace($Ctx.Web.ServerRelativeUrl,''), $DefaultDisplayFormUrl,$Object.ID)
            }
            Default
            { 
                $ObjectType = "List/Library"
                #Get the URL of the List or Library
                $Ctx.Load($Object.RootFolder)
                $Ctx.ExecuteQuery()            
                $ObjectURL = $("{0}{1}" -f $Ctx.Web.Url.Replace($Ctx.Web.ServerRelativeUrl,''), $Object.RootFolder.ServerRelativeUrl)
            }
        }
      
        #Get permissions assigned to the object
        $Ctx.Load($Object.RoleAssignments)
        $Ctx.ExecuteQuery()
      
        Foreach($RoleAssignment in $Object.RoleAssignments)
        { 
                    $Ctx.Load($RoleAssignment.Member)
                    $Ctx.executeQuery()
      
                    #Check direct permissions
                    if($RoleAssignment.Member.PrincipalType -eq "User")
                    {
                        #Is the current user the user we are searching for?
                        if($RoleAssignment.Member.LoginName -eq $SearchUser.LoginName)
                        {
                            Write-Host  -f Cyan "Found the User under direct permissions of the $($ObjectType) at $($ObjectURL)"
                              
                            #Get the Permissions assigned to user
                            $UserPermissions=@()
                            $Ctx.Load($RoleAssignment.RoleDefinitionBindings)
                            $Ctx.ExecuteQuery()
                            foreach ($RoleDefinition in $RoleAssignment.RoleDefinitionBindings)
                            {
                                $UserPermissions += $RoleDefinition.Name +";"
                            }
                            #Send the Data to Report file
                            "$($ObjectURL) `t $($ObjectType) `t $($Object.Title)`t Direct Permission `t $($UserPermissions)" | Out-File $ReportFile -Append
                        }
                    }
                      
                    Elseif($RoleAssignment.Member.PrincipalType -eq "SharePointGroup")
                    {
                            #Search inside SharePoint Groups and check if the user is member of that group
                            $Group= $Web.SiteGroups.GetByName($RoleAssignment.Member.LoginName)
                            $GroupUsers=$Group.Users
                            $Ctx.Load($GroupUsers)
                            $Ctx.ExecuteQuery()
      
                            #Check if user is member of the group
                            Foreach($User in $GroupUsers)
                            {
                                #Check if the search users is member of the group
                                if($user.LoginName -eq $SearchUser.LoginName)
                                {
                                    Write-Host -f Cyan "Found the User under Member of the Group '$($RoleAssignment.Member.LoginName)' on $($ObjectType) at $($ObjectURL)"
      
                                    #Get the Group's Permissions on site
                                    $GroupPermissions=@()
                                    $Ctx.Load($RoleAssignment.RoleDefinitionBindings)
                                    $Ctx.ExecuteQuery()
                                    Foreach ($RoleDefinition  in $RoleAssignment.RoleDefinitionBindings)
                                    {
                                        $GroupPermissions += $RoleDefinition.Name +";"
                                    }          
                                    #Send the Data to Report file
                                    "$($ObjectURL) `t $($ObjectType) `t $($Object.Title)`t Member of '$($RoleAssignment.Member.LoginName)' Group `t $($GroupPermissions)" | Out-File $ReportFile -Append
                                }
                            }
                    }
                }
    }
     
    Try {
        #Get Credentials to connect (SharePointOnlineCredentials is username/password only and fails for accounts that require MFA)
        $Cred= Get-Credential
        $Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)
       
        #Setup the context
        $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
        $Ctx.Credentials = $Credentials
      
        #Get the Web
        $Web = $Ctx.Web
        $Ctx.Load($Web)
        $Ctx.ExecuteQuery()
      
        #Get the User object
        $SearchUser = $Web.EnsureUser($UserAccount)
        $Ctx.Load($SearchUser)
        $Ctx.ExecuteQuery()
      
        #Write the CSV (tab-separated file) header
        "URL `t Object `t Title `t PermissionType `t Permissions" | out-file $ReportFile
      
        Write-host -f Yellow "Searching in the Site Collection Administrators Group..."
        #Check if Site Collection Admin
        If($SearchUser.IsSiteAdmin -eq $True)
        {
            Write-host -f Cyan "Found the User under Site Collection Administrators Group!"
            #Send the Data to report file
            "$($Web.URL) `t Site Collection `t $($Web.Title)`t Site Collection Administrator `t Site Collection Administrator" | Out-File $ReportFile -Append
        }
      
      
        #Function to Check Permissions of All List Items of a given List
        Function Check-SPOListItemsPermission([Microsoft.SharePoint.Client.List]$List)
        {
            Write-host -f Yellow "Searching in List Items of the List '$($List.Title)'..."
      
            $Query = New-Object Microsoft.SharePoint.Client.CamlQuery
            $Query.ViewXml = "<View Scope='RecursiveAll'><Query><OrderBy><FieldRef Name='ID' Ascending='TRUE'/></OrderBy></Query><RowLimit Paged='TRUE'>$BatchSize</RowLimit></View>"
     
            $Counter = 0
            #Batch process list items - to mitigate list threshold issue on larger lists
            Do {  
                #Get items from the list in Batch
                $ListItems = $List.GetItems($Query)
                $Ctx.Load($ListItems)
                $Ctx.ExecuteQuery()
               
                $Query.ListItemCollectionPosition = $ListItems.ListItemCollectionPosition
                #Loop through each List item
                ForEach($ListItem in $ListItems)
                {
                    $ListItem.Retrieve("HasUniqueRoleAssignments")
                    $Ctx.ExecuteQuery()
                    if ($ListItem.HasUniqueRoleAssignments -eq $true)
                    {
                        #Call the function to generate Permission report
                        Get-Permissions -Object $ListItem
                    }
                    $Counter++
                    Write-Progress -PercentComplete ($Counter / ($List.ItemCount) * 100) -Activity "Processing Items $Counter of $($List.ItemCount)" -Status "Searching Unique Permissions in List Items of '$($List.Title)'"
                }
            } While ($Query.ListItemCollectionPosition -ne $null)
        }
      
        #Function to Check Permissions of all lists from the web
        Function Check-SPOListPermission([Microsoft.SharePoint.Client.Web]$Web)
        {
            #Get All Lists from the web
            $Lists = $Web.Lists
            $Ctx.Load($Lists)
            $Ctx.ExecuteQuery()
      
            #Get all lists from the web   
            ForEach($List in $Lists)
            {
                #Exclude System Lists
                If($List.Hidden -eq $False)
                {
                    #Get List Items Permissions
                    Check-SPOListItemsPermission $List
      
                    #Get the Lists with Unique permission
                    $List.Retrieve("HasUniqueRoleAssignments")
                    $Ctx.ExecuteQuery()
      
                    If( $List.HasUniqueRoleAssignments -eq $True)
                    {
                        #Call the function to check permissions
                        Get-Permissions -Object $List
                    }
                }
            }
        }
      
        #Function to Check Webs's Permissions from given URL
        Function Check-SPOWebPermission([Microsoft.SharePoint.Client.Web]$Web) 
        {
            #Get all immediate subsites of the site
            $Ctx.Load($web.Webs)  
            $Ctx.executeQuery()
       
            #Call the function to Get Lists of the web
            Write-host -f Yellow "Searching in the Web $($Web.URL)..."
      
            #Check if the Web has unique permissions
            $Web.Retrieve("HasUniqueRoleAssignments")
            $Ctx.ExecuteQuery()
      
            #Get the Web's Permissions
            If($web.HasUniqueRoleAssignments -eq $true) 
            { 
                Get-Permissions -Object $Web
            }
      
            #Scan Lists with Unique Permissions
            Write-host -f Yellow "Searching in the Lists and Libraries of $($Web.URL)..."
            Check-SPOListPermission $Web
       
            #Iterate through each subsite in the current web
            Foreach ($Subweb in $web.Webs)
            {
                    #Call the function recursively                            
                    Check-SPOWebPermission $SubWeb
            }
        }
      
        #Call the function with RootWeb to get site collection permissions
        Check-SPOWebPermission $Web
      
        Write-host -f Green "User Permission Report Generated Successfully!"
    }
    Catch {
        write-host -f Red "Error Generating User Permission Report!" $_.Exception.Message
    }
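
One way to review the report once the script has run, as an added example that is not part of the original script: it parses the tab-separated file and lists direct grants and high-privilege entries first. The helper name `ConvertFrom-PermissionReport`, the sample rows and the choice of which levels count as high-privilege are assumptions.

```powershell
# Added example. Sample rows are constructed to match the layout the script
# above writes: fields padded with spaces around each tab, levels ending in ";".
$SampleReport = @(
    "URL `t Object `t Title `t PermissionType `t Permissions"
    "https://contoso.example/sites/demo `t Site Collection `t Demo`t Site Collection Administrator `t Site Collection Administrator"
    "https://contoso.example/sites/demo `t Site `t Demo`t Member of 'Demo Owners' Group `t Full Control;"
    "https://contoso.example/sites/demo/Docs `t List/Library `t Docs`t Direct Permission `t Edit; Limited Access;"
    "https://contoso.example/sites/demo/Lists/HR/DispForm.aspx?ID=7 `t List Item/Folder `t `t Direct Permission `t Read;"
)

function ConvertFrom-PermissionReport {   # hypothetical helper name
    param(
        [string[]]$Lines,
        # Assumption: which entries deserve a second look; adjust to local policy
        [string[]]$HighPrivilege = @('Full Control', 'Site Collection Administrator')
    )
    foreach ($Line in ($Lines | Select-Object -Skip 1)) {   # skip the header row
        if (-not $Line.Trim()) { continue }
        # Split on the tab only, then trim the padding the script adds around it
        $Fields = @($Line -split "`t" | ForEach-Object { $_.Trim() })
        if ($Fields.Count -ne 5) { Write-Warning "Skipping malformed row: $Line"; continue }
        # "Edit; Limited Access;" -> @('Edit', 'Limited Access')
        $Levels = @($Fields[4] -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        [pscustomobject]@{
            Url             = $Fields[0]
            ObjectType      = $Fields[1]
            Title           = $Fields[2]
            GrantedVia      = $Fields[3]
            Levels          = $Levels
            IsDirect        = ($Fields[3] -eq 'Direct Permission')
            IsHighPrivilege = [bool]($Levels | Where-Object { $HighPrivilege -contains $_ })
        }
    }
}

$Rows = ConvertFrom-PermissionReport -Lines $SampleReport
# For a real report: ConvertFrom-PermissionReport -Lines (Get-Content $ReportFile)

# Direct grants are not removed when the user is taken out of a group, so list
# them together with high-privilege entries, high-privilege rows first.
$Rows | Where-Object { $_.IsHighPrivilege -or $_.IsDirect } |
    Sort-Object IsHighPrivilege -Descending |
    Format-Table Url, GrantedVia, @{ Name = 'Levels'; Expression = { $_.Levels -join ', ' } }, IsHighPrivilege -AutoSize
```

The report only reflects what the script scans, so access granted through Active Directory security groups will not appear in it.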


    Unable to check user permissions?

    Did you have problems in checking the permissions of users and groups in your tenant?

    If yes, there are four things you can do:

    1. Make sure you’re logged in to the correct SharePoint site
    2. Make sure that you have the right permissions to check user permissions
    3. Try refreshing the page in case of technical issues or temporary glitches
    4. Contact your SharePoint administrator if nothing worked

    Do you have any questions regarding SharePoint permissions? If so, feel free to include them in your comment.

    For business inquiries, please use the site’s contact form to reach out and I’ll get back to you asap.

    About Ryan Clark

    As the Modern Workplace Architect at Mr. SharePoint, I help companies of all sizes better leverage Modern Workplace and Digital Process Automation investments. I am also a Microsoft Most Valuable Professional (MVP) for SharePoint and Microsoft 365.

    3 Comments
    Damoncdch
    1 year ago

    Amazing post

    Som Jettana
    1 year ago

    How to grant user name list and export to word or excel file?

    Daniel
    1 year ago

    Nice piece!
