Identifying all the access a user has across a SharePoint Online tenant - PowerShell
Identifying all the access a user has across a SharePoint Online tenant can be a complex task due to the distributed nature of permissions across sites, site collections, lists, libraries, and individual items. However, you can use PowerShell, specifically the SharePoint Online Management Shell and the PnP PowerShell module, to help identify these permissions.
Here's a PowerShell script that outlines the process of identifying all the access a user has across the tenant in SharePoint Online:
Prerequisites
Install the SharePoint Online Management Shell:
- You can download it from the Microsoft Download Center.
Install the PnP PowerShell Module:
Install-Module SharePointPnPPowerShellOnline -Force
PowerShell Script
# Define the user to check permissions for
$userEmail = "user@example.com"

# Admin credentials to connect to SharePoint Online
$adminUsername = "admin@example.com"
$adminPassword = Read-Host -Prompt "Enter password" -AsSecureString
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $adminUsername, $adminPassword

# Connect to SharePoint Online
$adminUrl = "https://yourtenant-admin.sharepoint.com"
Connect-SPOService -Url $adminUrl -Credential $credential

# CSOM permission kinds to test for, standing in for Full Control, Edit and Read
$permissionKinds = "FullMask", "EditListItems", "ViewListItems"

# Function to check user permissions on a site
function Get-SitePermissions($siteUrl) {
    Write-Host "Checking site: $siteUrl"
    Connect-PnPOnline -Url $siteUrl -Credentials $credential

    # Get-PnPUser returns the accounts in this site's user information list
    $user = Get-PnPUser | Where-Object { $_.Email -eq $userEmail }
    if ($user) {
        # Effective permissions are read through CSOM; Invoke-PnPQuery fills in the result
        $permissions = (Get-PnPWeb).GetUserEffectivePermissions($user.LoginName)
        Invoke-PnPQuery
        $granted = $permissionKinds | Where-Object { $permissions.Value.Has($_) }
        if ($granted) {
            Write-Host "User $userEmail has permissions on site $siteUrl" -ForegroundColor Green
            Write-Host "Permissions: $($granted -join ', ')" -ForegroundColor Green
        }

        # Check permissions on lists and libraries (needs the login name resolved above)
        $lists = Get-PnPList
        foreach ($list in $lists) {
            $listPermissions = $list.GetUserEffectivePermissions($user.LoginName)
            Invoke-PnPQuery
            $listGranted = $permissionKinds | Where-Object { $listPermissions.Value.Has($_) }
            if ($listGranted) {
                Write-Host "User $userEmail has permissions on list $($list.Title) in site $siteUrl" -ForegroundColor Blue
                Write-Host "Permissions: $($listGranted -join ', ')" -ForegroundColor Blue
            }
        }
    }

    # Disconnect from the site
    Disconnect-PnPOnline
}

# Get all site collections
$siteCollections = Get-SPOSite -Limit All

# Check permissions for each site collection
foreach ($site in $siteCollections) {
    Get-SitePermissions -siteUrl $site.Url
}

# Disconnect from SharePoint Online
Disconnect-SPOService
Explanation
Define the User and Admin Credentials:
- $userEmail is the email of the user whose permissions you want to check. $adminUsername and $adminPassword are the admin credentials used to connect to SharePoint Online.
Connect to SharePoint Online Admin Center:
- Use Connect-SPOService to connect to the SharePoint Online Admin Center.
Function to Check Permissions:
- The Get-SitePermissions function checks user permissions on a site, including lists and libraries within the site.
Get All Site Collections:
- Retrieve all site collections using Get-SPOSite.
Check Permissions for Each Site Collection:
- Iterate through each site collection and call Get-SitePermissions to check permissions.
Notes
This script provides a basic structure. Depending on your environment and requirements, you may need to add additional checks and error handling.
Running this script might take a considerable amount of time depending on the number of site collections, sites, lists, and libraries in your tenant.
Ensure you have the necessary permissions to execute these commands and access the site collections.
This script helps identify the permissions of a user across the tenant in SharePoint Online, providing insights into the user's access rights.
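The script above only prints its findings to the console. As an added example (not part of the original post), the function below takes findings stored as records and summarizes them per site, listing the lists where the user holds more than they do at site level. Get-AccessSummary, the record fields (SiteUrl, Scope, Target, Level) and the sample data are assumptions made for illustration.

```powershell
# Added example: Get-AccessSummary and the record fields are hypothetical,
# not part of the original script. Each record holds the highest level found.
$levelRank = @{ Read = 1; Edit = 2; FullControl = 3 }

function Get-AccessSummary {
    param([Parameter(Mandatory)] [object[]] $Findings)

    foreach ($siteGroup in ($Findings | Group-Object -Property SiteUrl)) {
        # The site-level record, if the user has any right on the web itself
        $siteFinding = $siteGroup.Group | Where-Object { $_.Scope -eq 'Site' } | Select-Object -First 1
        $siteLevel = 'None'
        $siteRank = 0
        if ($siteFinding) {
            $siteLevel = $siteFinding.Level
            $siteRank = $levelRank[$siteLevel]
        }

        # Lists that grant more than the site does: review these first
        $above = @($siteGroup.Group | Where-Object {
            $_.Scope -eq 'List' -and $levelRank[$_.Level] -gt $siteRank
        })

        # Highest level held anywhere in this site
        $top = $siteGroup.Group | Sort-Object { $levelRank[$_.Level] } -Descending | Select-Object -First 1

        [pscustomobject]@{
            SiteUrl        = $siteGroup.Name
            SiteLevel      = $siteLevel
            HighestLevel   = $top.Level
            ListsAboveSite = ($above | ForEach-Object { "$($_.Target) ($($_.Level))" }) -join '; '
        }
    }
}

# Constructed sample records (not real tenant data)
$base = 'https://yourtenant.sharepoint.com/sites'
$sample = @(
    [pscustomobject]@{ SiteUrl = "$base/hr"; Scope = 'Site'; Target = 'HR';        Level = 'Read' }
    [pscustomobject]@{ SiteUrl = "$base/hr"; Scope = 'List'; Target = 'Documents'; Level = 'Read' }
    [pscustomobject]@{ SiteUrl = "$base/hr"; Scope = 'List'; Target = 'Salaries';  Level = 'FullControl' }
    [pscustomobject]@{ SiteUrl = "$base/it"; Scope = 'List'; Target = 'Runbooks';  Level = 'Edit' }
)

Get-AccessSummary -Findings $sample |
    Sort-Object { $levelRank[$_.HighestLevel] } -Descending |
    Format-Table -AutoSize
```

Piping the same summary to Export-Csv instead of Format-Table gives a file that can be attached to an access review.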