# SharePoint Online User Permissions Report

•
•
•
•
•
•

This week, I had a customer ask about generating a list of all sites a user had access to as part of their security and employee termination process.  SharePointPnPPowerShell seemed like a good place to start. But then, I decided, what if I wanted to find all the places a particular had a particular type of permission?  So, I took my customer’s need, married it with my what if, and away we went!

Sharepoint PnP PowerShell dramatically reduces the complexity of many SharePoint queries. What we would have had to do with CSOM:

$url ="https://contoso-admin.sharepoint.com"$context = New-Object Microsoft.SharePoint.Client.ClientContext($url)$Users = $context.Web.SiteUsers$context.Load($userCollection)$context.ExecuteQuery()

foreach ($user in$Users)
{
$PermissionKindObj=New-Object Microsoft.SharePoint.Client.PermissionKind$PermissionKindType=$PermissionKindObj.getType()$Permissions = $context.Web.GetUserEffectivePermissions($user.LoginName)
$context.ExecuteQuery() foreach ($permissionKind in [system.enum]::GetValues($PermissionKindType)) {$Has = $permissions.Value.Has($permissionKind)
# do some stuff with it
}
}


But, with SharePoint PNP, we get to do it a lot easier. 🙂

$web = Get-PnPWeb$UserEffectivePermission = $web.GetUserEffectivePermissions($user)
Invoke-PnPQuery

Much better. Woot!

So, at any rate, I’ve enumerated all of the permissions in the type library, so you can choose whichever site permissions you want to check for the user across the entire tenant.  Kick ass!

You can then open the corresponding report in Excel or your favorite spreadsheet tool.

As far as parameters go, I give you the normal things:

• Credential – It’s not special–just a standard PSCredential object.
• Identity – Enter the identity of the user to check.  I validate against Net.Mail.MailAddress, so use user@domain.com format.
• PermissionToCheck – This parameter shockingly identifies which permissions you want to look for.  The default is ViewPages (which is, to say, “what pages can the user look at.”  I’ve enumerated all of the permissions stored in SharePoint.Client.PermissionKind, so pick any of them.  You can also use “All” and “AllViewPermissions” to display all effective permissions a user has, or just any of the “View” permissions.
• Tenant – Specify the tenant name as either ‘tenant.onmicrosoft.com’ or ‘tenant.’

You can pick up the script at https://gallery.technet.microsoft.com/SharePoint-User-Access-d8e3f74b.