Get SharePoint Groups or Security Groups and Permissions for each Sub Web.





I want to produce a report of the SharePoint Groups and/or Security Groups on each of the Sub Webs (one level only) in a SharePoint Online intranet. Now, before I start creating a custom object and exporting to CSV, I thought I would have a go with the PnPCommandlets. In the code below, I am just testing the owner groups, before looking at the other groups. I am not sure this is the best approach, so I would be interested in hearing about any suggested improvements.



 $subWebs = Get-PnPSubWebs

 Foreach ($subWeb in $subWebs) {
   write-host -ForegroundColor DarkYellow $subWeb.Title

   # Reconnect to the sub web so Get-PnPWeb returns that web
   Connect-PnPOnline $subWeb.Url -Credentials $cred
   $ownerGroup = (Get-pnpweb -Includes AssociatedOwnerGroup).AssociatedOwnerGroup
   $memberGroup = (Get-pnpweb -Includes AssociatedMemberGroup).AssociatedMemberGroup
   $vistorGroup = (Get-pnpweb -Includes AssociatedVisitorGroup).AssociatedVisitorGroup

   # Only the owner group is reported for now
   $groupTitle =  $ownerGroup.Title 
   $groupPermissions = (Get-PnPGroupPermissions -Identity  $groupTitle )
   write-host $groupTitle 
   $groupPermissions | ForEach {Write-Host $ ' '  $_.RoleTypeKind}
 }



7 Replies



Sorry for the delayed response, but I seem to have stumbled upon an issue in both the link you mentioned and in my original code when trying to evaluate groups per web. I will illustrate what I mean:


1) First I get a list of sub webs in my Intranet

Connect-PnPOnline $webUrl -Credentials $cred
$subwebs = Get-PnPSubWebs

2) Now I want to iterate through my list of sub webs and get all groups aka site permissions

  foreach($subweb in $subwebs) {
    Connect-PnPOnline $subWeb.Url -Credentials $cred
    # just doing one more check to see we are actually on the correct sub site
    $thisWeb = Get-PnPWeb
    $groups=Get-PNPGroup -Identity $thisWeb.Title
  }

In theory, it should provide me with only the groups in my current web. Actually it shows me all the Site Groups, regardless of what web I am connected to.


Again, getting the owner/member/visitor groups will bring back only appropriate role groups at the top level site. Also, if you have multiple owner/member/visitor groups assigned to the current web, these are ignored; just the first for each role is returned.

$ownerGroup = (Get-pnpweb  -Includes AssociatedOwnerGroup).AssociatedOwnerGroup
$memberGroup = (Get-pnpweb -Includes AssociatedMemberGroup).AssociatedMemberGroup
$vistorGroup = (Get-pnpweb -Includes AssociatedVisitorGroup).AssociatedVisitorGroup

If I can't resolve this I think I will have to use csom ;-(







Hi Daniel


I have fallen over the same problem: when I use Get-PnPGroup I get all of the groups in the site collection, whereas I just want the groups for a particular web / subweb.


Is this a bug in Get-PnPGroup ?


@ErwinVanHuen @VesaJuvenon


Yep, been there. My advice is to install the excellent audit tool... I can't remember the exact name but it has droid in the name. You run it from localhost on your laptop. I asked them to include support for groups assigned to a Web. They said that was in development. You can export to CSV. Can discuss later but I am on a beach in Wales!


It's AdminDroid. You can check out the interactive demo here.

@Robert Luck wrote:


It's AdminDroid. You can check out the interactive demo here.

Thanks @Robert Luck, the name did escape me momentarily. Ideally this should be something we should get via the PnPCommandlet, esp. when considering there is a -Web parameter.

best response confirmed by Daniel Westerdale (Regular Contributor)


It works --->


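Connect-PnPOnline - <<Give details here>>
$context = Get-PnPContext
# Load only the groups that have role assignments on the connected web
$context.Load($context.Web.RoleAssignments.Groups)
Invoke-PnPQuery -ErrorAction Stop
ForEach($group in $context.Web.RoleAssignments.Groups) {
    $context.Load($group)
    Invoke-PnPQuery -ErrorAction Stop
    $perm = Get-PnPGroupPermissions -Identity $group.Title
    if($perm.Name.Count -gt 0) {
        # Remove every role the group currently holds on this web...
        for($i=0; $i -lt $perm.Count; $i++) {
            Set-PnPGroup -Identity $group.Title -RemoveRole $perm[$i].Name
        }
        # ...then grant Read only
        Set-PnPGroup -Identity $group.Title -AddRole "Read"
    }
}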
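
A read-only sketch of the report the original question asks for, added here as an example and not posted by anyone in this thread. It reads each sub web's own role assignments instead of calling Get-PnPGroup, and assumes the same legacy PnP module as the posts above; `$rootUrl` and the CSV file name are placeholders.

```powershell
# Added example, not from the thread. $rootUrl is a placeholder; replace it.
$rootUrl = 'https://contoso.sharepoint.com/sites/intranet'
$cred    = Get-Credential

Connect-PnPOnline -Url $rootUrl -Credentials $cred
$subWebs = Get-PnPSubWebs      # first-level sub webs only, as in the question

$report = foreach ($subWeb in $subWebs) {
    # Load the role assignments of this specific web object. Get-PnPGroup is
    # avoided because it returns the groups of the whole site collection.
    Get-PnPProperty -ClientObject $subWeb `
        -Property HasUniqueRoleAssignments, RoleAssignments | Out-Null

    foreach ($ra in $subWeb.RoleAssignments) {
        # Member = the principal, RoleDefinitionBindings = its permission levels
        Get-PnPProperty -ClientObject $ra `
            -Property Member, RoleDefinitionBindings | Out-Null

        # Keep SharePoint groups and security groups; skip individual users
        $type = [string]$ra.Member.PrincipalType
        if ($type -notin 'SharePointGroup', 'SecurityGroup') { continue }

        [pscustomobject]@{
            WebTitle      = $subWeb.Title
            WebUrl        = $subWeb.Url
            # False here means the web has broken inheritance from its parent
            Inherited     = -not $subWeb.HasUniqueRoleAssignments
            Principal     = $ra.Member.Title
            PrincipalType = $type
            LoginName     = $ra.Member.LoginName
            Roles         = ($ra.RoleDefinitionBindings |
                                ForEach-Object { $_.Name }) -join '; '
        }
    }
}

# One row per group per web, with all of its permission levels in one column
$report | Export-Csv -Path .\SubWebGroupPermissions.csv -NoTypeInformation
```

Every assigned permission level is listed per principal, so multiple owner or member groups on one web all appear, unlike the Associated*Group properties.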