SharePoint Online User Permissions Report


This week, I had a customer ask about generating a list of all sites a user had access to as part of their security and employee termination process. SharePointPnPPowerShell seemed like a good place to start. But then I wondered: what if I wanted to find all the places a particular user had a particular type of permission? So, I took my customer’s need, married it with my what-if, and away we went!

SharePoint PnP PowerShell dramatically reduces the complexity of many SharePoint queries. Here is what we would have had to do with CSOM:

$url =""
$context = New-Object Microsoft.SharePoint.Client.ClientContext($url)
# Set $context.Credentials before running any query
$Users = $context.Web.SiteUsers
$context.Load($Users)
$context.ExecuteQuery()
$PermissionKindType = [Microsoft.SharePoint.Client.PermissionKind]

foreach ($user in $Users)
{
     # The call is only queued; ExecuteQuery() populates .Value
     $Permissions = $context.Web.GetUserEffectivePermissions($user.LoginName)
     $context.ExecuteQuery()

     foreach ($permissionKind in [System.Enum]::GetValues($PermissionKindType))
     {
          $Has = $Permissions.Value.Has($permissionKind)
          # do some stuff with it
     }
}

But with SharePoint PnP, we get to do it a lot more easily. 🙂

$web = Get-PnPWeb
$UserEffectivePermission = $web.GetUserEffectivePermissions($user)
Invoke-PnPQuery   # run the queued request so $UserEffectivePermission.Value is populated

Much better. Woot!

So, at any rate, I’ve enumerated all of the permissions in the type library, so you can choose whichever site permissions you want to check for the user across the entire tenant.  Kick ass!

You can then open the corresponding report in Excel or your favorite spreadsheet tool.

As far as parameters go, I give you the normal things:

  • Credential – It’s not special–just a standard PSCredential object.
  • Identity – Enter the identity of the user to check.  I validate against Net.Mail.MailAddress, so use format.
  • PermissionToCheck – This parameter shockingly identifies which permissions you want to look for. The default is ViewPages (which is to say, “what pages can the user look at”). I’ve enumerated all of the permissions stored in SharePoint.Client.PermissionKind, so pick any of them. You can also use “All” to display all effective permissions a user has, or “AllViewPermissions” to display just the “View” permissions.
  • Tenant – Specify the tenant name as either ‘’ or ‘tenant.’
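
To show how these parameters fit together, here is a condensed sketch of a tenant-wide check. It is an added example, not the author's script: the function name `Get-UserSitePermission`, the output columns, and the use of legacy credential sign-in are assumptions, and it only inspects the root web of each site collection.

```powershell
# Added example (hypothetical function name); not the script published with this post.
function Get-UserSitePermission {
    param(
        [Parameter(Mandatory)] [System.Management.Automation.PSCredential] $Credential,
        [Parameter(Mandatory)] [Net.Mail.MailAddress] $Identity,   # rejects non-address input
        [Parameter(Mandatory)] [string] $Tenant,                   # short tenant name
        [string[]] $PermissionToCheck = @('ViewPages')
    )

    # Claims-encoded login name SharePoint Online uses for a cloud identity.
    $login = "i:0#.f|membership|$($Identity.Address)"

    # Enumerate site collections from the tenant admin site.
    Connect-PnPOnline -Url "https://${Tenant}-admin.sharepoint.com" -Credentials $Credential -ErrorAction Stop
    $sites = Get-PnPTenantSite

    # The PermissionKind type is available once the PnP module has loaded.
    $kinds = $PermissionToCheck | ForEach-Object { [Microsoft.SharePoint.Client.PermissionKind] $_ }

    foreach ($site in $sites) {
        try {
            Connect-PnPOnline -Url $site.Url -Credentials $Credential -ErrorAction Stop
            $web  = Get-PnPWeb
            $perm = $web.GetUserEffectivePermissions($login)
            Invoke-PnPQuery                      # execute the queued CSOM request
        }
        catch {
            # The reporting account may not be able to read this site. Record the
            # failure so a gap in coverage is never mistaken for "no access".
            [pscustomobject]@{ Site = $site.Url; Permission = $null
                               HasPermission = $null; Error = $_.Exception.Message }
            continue
        }
        foreach ($kind in $kinds) {
            [pscustomobject]@{ Site = $site.Url; Permission = $kind
                               HasPermission = $perm.Value.Has($kind); Error = $null }
        }
    }
}

# Constructed usage with placeholder values:
# Get-UserSitePermission -Credential (Get-Credential) -Identity 'user@example.com' `
#     -Tenant 'contoso' -PermissionToCheck ViewPages, EditListItems |
#     Export-Csv .\UserPermissions.csv -NoTypeInformation
```

For a termination review, treat rows with a populated Error column as sites still to be checked by an account that can read them, not as sites the user cannot reach.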

You can pick up the script at

Published by Aaron Guilmette

Helping companies conquer inferior technology since 1997. I spend my time developing and implementing technology solutions so people can spend less time with technology. Specialties: Active Directory and Exchange consulting and deployment, Virtualization, Disaster Recovery, Office 365, datacenter migration/consolidation, cheese.

Reader Comments

  1. Hi Aaron,

    Thank you.

    Is there any way we can generate a permissions report for the usual permission set (Read, Contribute, Full Control)?

    Also, can we do this for all users on all sites within a tenant?
