SharePoint Online is a powerful platform for collaborating and sharing information throughout the business, including with partners, customers, and other employees.
Because of how easy it is to use, companies often share sensitive data on this platform, which means that you must ensure it is secure.
Unfortunately, SharePoint Online has complex infrastructure that isn’t particularly easy to keep secure. Each SharePoint Online site needs to have its own policies and workflows, including permissions.
Understanding SharePoint Online permissions is critical to ensuring that you are operating on a policy of least privilege where users only have access to the data they need to do their jobs, nothing more.
How to Use PowerShell to Get a SharePoint Online Permissions Report
The best native method for producing a SharePoint Online permissions report is to run a PowerShell script. Scripts can be found online, but implementing them correctly takes a significant amount of time and PowerShell experience. Below are the basic steps required for doing this:
- Download and install the SharePoint Online Client Components SDK.
- Open the PowerShell Integrated Scripting Environment (ISE).
- Run the following script:
# Requires the PnP PowerShell module (provides Connect-PnPOnline, Get-PnPWeb, Get-PnPProperty)

# Parameters
$SiteURL = "https://Adminlep.sharepoint.com/sites/ShashiTeam1_04Apr23"
$ReportOutput = "C:\Tempdir\SitePermissionRpt.csv"

# Connect to the site
Connect-PnPOnline -Url $SiteURL -UseWebLogin

# Get the web, including its role assignments
$Web = Get-PnPWeb -Includes RoleAssignments

# Loop through each permission assigned and extract details
$PermissionData = @()
ForEach ($RoleAssignment in $Web.RoleAssignments)
{
    # Load the permission levels assigned and the member they are assigned to
    Get-PnPProperty -ClientObject $RoleAssignment -Property RoleDefinitionBindings, Member

    # Get the permission levels assigned, ignoring "Limited Access"
    $PermissionLevels = ($RoleAssignment.RoleDefinitionBindings | Select-Object -ExpandProperty Name | Where-Object {$_ -ne "Limited Access"}) -join ","
    $PermissionType = $RoleAssignment.Member.PrincipalType

    # Skip principals with no permissions
    If ($PermissionLevels.Length -eq 0) {Continue}

    # Collect permission data
    $PermissionData += [PSCustomObject]@{
        Name             = $RoleAssignment.Member.Title
        Type             = $PermissionType
        PermissionLevels = $PermissionLevels
    }
}

# Show the results and export them to CSV
$PermissionData
$PermissionData | Export-Csv -Path $ReportOutput -NoTypeInformation
NOTE: In the $SiteURL and $ReportOutput variables, you will need to input your specific SharePoint site address and output path respectively.
- You should now be able to see a report that lists users, group names and permissions.
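Once the CSV exists, it can be triaged for least-privilege review rather than read row by row. The following is an added example, not part of the original script or any vendor tooling: it reads the same Name, Type and PermissionLevels columns and flags direct user assignments, tenant-wide principals, and high-privilege levels held outside a managed group. The sample rows, the `Get-PermissionFinding` function name and the review policy (which levels count as high privilege) are assumptions for illustration.

```powershell
# Added example: triage the Name/Type/PermissionLevels report for least-privilege review.
# Sample rows are constructed; for real data use: $Report = Import-Csv -Path $ReportOutput
$Report = @'
"Name","Type","PermissionLevels"
"Project Owners","SharePointGroup","Full Control"
"Project Members","SharePointGroup","Edit"
"Project Visitors","SharePointGroup","Read"
"Everyone except external users","SecurityGroup","Read"
"Alex Example","User","Full Control,Contribute"
"Sam Example","User","Read"
'@ | ConvertFrom-Csv

# Assumed review policy (adjust to your own): levels treated as high privilege,
# and principals that represent tenant-wide claims.
$HighPrivilegeLevels = @('Full Control', 'Design', 'Edit')
$BroadPrincipals     = @('Everyone', 'Everyone except external users')

function Get-PermissionFinding {
    param([Parameter(Mandatory)] [object[]] $Row)
    foreach ($Entry in $Row) {
        # The report joins multiple levels with commas; split them back out.
        $Levels  = $Entry.PermissionLevels -split ',' | ForEach-Object { $_.Trim() }
        $IsBroad = $BroadPrincipals -contains $Entry.Name
        $Reasons = @()
        if ($Entry.Type -eq 'User') {
            $Reasons += 'Direct user assignment (not granted through a group)'
        }
        if ($IsBroad) {
            $Reasons += 'Tenant-wide principal has access to the site'
        }
        $High = @($Levels | Where-Object { $HighPrivilegeLevels -contains $_ })
        if ($High.Count -gt 0 -and ($Entry.Type -eq 'User' -or $IsBroad)) {
            $Reasons += "High-privilege level outside a managed group: $($High -join ', ')"
        }
        # Emit a finding only when at least one rule matched.
        if ($Reasons.Count -gt 0) {
            [PSCustomObject]@{
                Name             = $Entry.Name
                Type             = $Entry.Type
                PermissionLevels = $Entry.PermissionLevels
                Reasons          = $Reasons -join '; '
            }
        }
    }
}

$Findings = Get-PermissionFinding -Row $Report
$Findings | Format-Table -AutoSize -Wrap
```

Because the script above reports only site-level role assignments, a clean result here says nothing about lists or items with their own permissions.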
Check SharePoint Online Permissions for a Particular User using Site Settings
It’s very easy to see what permissions any user has on a particular site. This functionality is built into SharePoint Online. The process is as follows:
- Go to “Site Settings”.
- Click on “Site Permissions”.
- Click on “Check Permissions”.
- Type in the name of the user or group you want to check permissions for.
- Click Check Now. A list of permissions for that user will be displayed.
Note: Unfortunately, this method is not viable for admins who want a list of access permissions for all users in order to spot users who may have excessive permissions.
Get SharePoint Online Permissions Report Using Lepide Auditor
The native method for producing a SharePoint Online permissions report may seem like a simple one, but the actual time it takes is significant.
Using Lepide SharePoint Online Auditor, you can easily get a report to show current SharePoint permissions:
To run this report:
- Click the Permissions & Privileges icon
- Select Permissions by SharePoint Objects from the tree structure on the left
- Choose a tenant name and click Generate Report
- This report shows the permissions for the selected object. In this example, the selected object is Patient Details and the user permissions are listed in the lower section of the report
- The report can be filtered, saved and exported
Using Lepide Auditor for SharePoint Online, you can also get a report for All Permissions Changes:
To run this report:
- Click the User & Entity Behavior Analytics icon
- Select All Modifications in SharePoint Online from the tree structure on the left
- Choose a date range and click Generate Report
- This report includes information about who made the change, when it was made and what the change was
- The report can be filtered, saved and exported
Note: Whenever permissions change in a way that could lead to over-privileged users, you will receive real-time alerts straight to your mobile device or email.