Forum Discussion

Christophe Humbert's avatar
Christophe Humbert
Iron Contributor
Dec 27, 2017
Solved

Get Site Permissions with PnP PowerShell

How can I retrieve site permissions on a site or subsite using PnP PowerShell?

 

Example: https://$orgName.sharepoint.com/sites/IT/Atlas

 

Via the UI: Site settings > Site Permissions

 

With PnP PowerShell, the following didn't work for me:

 

Connect-PnPOnline -Url "https://$orgName.sharepoint.com/sites/IT/Atlas" -Credentials $userCredential
$web = Get-PnPWeb -Includes RoleAssignments

[Edit] The above code actually seems to work, as $web.RoleAssignments.Count returns 5. My issue is that I don't know how to take it from here, to enumerate the 5 members and their roles.

RoleAssignments.Member returns 5 items but I can't figure out how to get the names and roles.

RoleAssignments.Groups only returns the SharePoint groups.

  • René Modery's avatar
    René Modery
    Jan 04, 2018
    The following worked for me:

    $cred = get-credential
    Connect-PnPOnline -Url "https://$orgname.sharepoint.com" -Credentials $cred
    $web = Get-PnPWeb -Includes RoleAssignments
    foreach($ra in $web.RoleAssignments) {
    $member = $ra.Member
    $loginName = get-pnpproperty -ClientObject $member -Property LoginName
    $rolebindings = get-pnpproperty -ClientObject $ra -Property RoleDefinitionBindings
    write-host "$($loginName) - $($rolebindings.Name)"
    write-host
    }
  • Christophe Humbert's avatar
    Christophe Humbert
    Iron Contributor
    Jan 04, 2018

    Thanks all for the replies.

     

    I am marking René's reply as best response as it uses PnP, but the other CSOM worked as well.

    For the record, below the code I came up with just before René posted his reply (I used join because a member might be assigned multiple roles):

     

    $web= Get-PnPWeb -Includes RoleAssignments
$ctx= Get-PnPContext
foreach ($role in $web.RoleAssignments) {
$ctx.Load($role.RoleDefinitionBindings)
$ctx.Load($role.Member)
$ctx.ExecuteQuery()
$role.Member.Title
$role.RoleDefinitionBindings.Name -join "; "
}

     

  • René Modery's avatar
    René Modery
    MVP
    Jan 04, 2018
    The following worked for me:

    $cred = get-credential
    Connect-PnPOnline -Url "https://$orgname.sharepoint.com" -Credentials $cred
    $web = Get-PnPWeb -Includes RoleAssignments
    foreach($ra in $web.RoleAssignments) {
    $member = $ra.Member
    $loginName = get-pnpproperty -ClientObject $member -Property LoginName
    $rolebindings = get-pnpproperty -ClientObject $ra -Property RoleDefinitionBindings
    write-host "$($loginName) - $($rolebindings.Name)"
    write-host
    }
  • Manidurai Mohanamariappan's avatar
    Manidurai Mohanamariappan
    Iron Contributor
    Jan 03, 2018

    You can try this script

    $roles= Get-PnPWeb -Includes RoleAssignments
    $ctx=Get-PnPContext
foreach ( $role in $roles.RoleAssignments)
{
$ctx.Load($role.Member)
$ctx.ExecuteQuery()
$role.Member.LoginName
}
  • kevmcdonk's avatar
    kevmcdonk
    MVP
    Jan 03, 2018
    There may be a quicker way but something along the lines of adding:

    $context = get-pnpcontext
    $context.load($web.roleassignments)
    $context.executequery()

    • kevmcdonk's avatar
      kevmcdonk
      MVP
      Jan 03, 2018

      Odd. It works directly in CSOM - see below. The issue seems to be with Get-PnPWeb not returning the context. I haven't got the latest version set up on my PC to test but can't see any obvious issue. I also noticed that you can get the count. I'd use CSOM fully for now and raise an issue with details on https://github.com/SharePoint/PnP-PowerShell/issues.

       

      PS C:\SourceCode\Caburn Hope\MigrationScripts> $context = New-Object Microsoft.SharePoint.Client.ClientContext($url)
      PS C:\SourceCode\Caburn Hope\MigrationScripts> $context.Credentials = $creds
      PS C:\SourceCode\Caburn Hope\MigrationScripts> $web = $context.Web
      PS C:\SourceCode\Caburn Hope\MigrationScripts> $context.Load($web)
      PS C:\SourceCode\Caburn Hope\MigrationScripts> $context.ExecuteQuery()
      PS C:\SourceCode\Caburn Hope\MigrationScripts> $groups = $web.SiteGroups
      PS C:\SourceCode\Caburn Hope\MigrationScripts> $context.Load($groups)
      PS C:\SourceCode\Caburn Hope\MigrationScripts> $context.ExecuteQuery()
      PS C:\SourceCode\Caburn Hope\MigrationScripts> $groups

      Id Title LoginName
      -- ----- ---------
      3 Excel Services Viewers Excel Services Viewers
      7 McGraw Hill Members McGraw Hill Members
      5 McGraw Hill Owners McGraw Hill Owners
      6 McGraw Hill Visitors McGraw Hill Visitors


      PS C:\SourceCode\Caburn Hope\MigrationScripts> $roleDefs = $web.RoleDefinitions
      PS C:\SourceCode\Caburn Hope\MigrationScripts> $context.Load($roleDefs)
      PS C:\SourceCode\Caburn Hope\MigrationScripts> $context.ExecuteQuery()
      PS C:\SourceCode\Caburn Hope\MigrationScripts> $roleDefs

      Name RoleTypeKind Hidden Order
      ---- ------------ ------ -----
      Full Control Administrator False 1
      Design WebDesigner False 32
      Edit Editor False 48
      Contribute Contributor False 64
      Read Reader False 128
      Limited Access Guest True 160
      View Only None False 2147483647

Resources