Small Tricks and Tips : Microsoft 365 – PnP PowerShell – Breaking permission inheritance on subsites, all lists and list items

fig : PowerShell - snap of complete script and output
fig : PowerShell - snap of complete script and output

Hi All,

Greetings for the day!!!

Today new learning using – PnP PowerShell

Background / Use Cases

  • We have scenario where we are migrating SharePoint Online sub sites only and not complete site collection
  • So before migrating we need to make respective sub sites read only so users wont able to update the content
  • But there is no OOB way to lock / make read only sub sites only
  • So we have an approach is break the inheritance on sub sites including on all lists and listitems
  • Next, set all user permissions to read only at each level – sub sites / Lists / ListItems

So here in this article I’ll be sharing first scenario – In SharePoint online – breaking permission inheritance on Sub Sites, Lists and list items using PnP PowerShell

Prerequisites

Details

Connect-PnPOnline -Url <SubSiteURL> -Interactive

Example : 

Connect-PnPOnline -Url  https://knowledgejunction1.sharepoint.com/sites/Demo/PermissionsDemo          -Interactive

In above code we are connecting to sub site – https://knowledgejunction1.sharepoint.com/sites/Demo/PermissionsDemo

  • Permissions before breaking Sub Site level permission inheritance
fig : Microsoft 365 - SharePoint Online subsite - inheriting permissions from parent site
fig : Microsoft 365 – SharePoint Online subsite – inheriting permissions from parent site
  • Permissions before breaking List level permission inheritance
fig : Microsoft 365 - SharePoint Online list in sub site- inheriting permissions from parent site
fig : Microsoft 365 – SharePoint Online list in sub site- inheriting permissions from parent site
  • Permissions before breaking List Item level permission inheritance
fig : Microsoft 365 - SharePoint Online list item in list- inheriting permissions from parent list
fig : Microsoft 365 – SharePoint Online list item in list- inheriting permissions from parent list
  • Now lets break the inheritance at each level – Sub-Site, List and ListItem
  • For every object there is unique property to check if unique permissions are there or not – HasUniqueRoleAssignments
  • And to break permission inheritance, every object has a common function – BreakRoleInheritance()
  • Breaking permission inheritance at sub site level – To perform respective operation we need to connect the SharePoint online sub-site. In previous code segment we already connected
  • Next step is to get the respective sub-site / web – Get-PnPWeb
        #Get the web
        $Web = Get-PnPWeb

  • As we get respective web object for given sub-site, next to check if web has uniqe permissions or not – Web.HasUniqueRoleAssignments
        #Remove unique permissions
        if(!$web.HasUniqueRoleAssignments)
           {
             #if not then break the inheritance
           }
  • If web has not unique permissions then break the permissions
         #Remove unique permissions
        if(!$web.HasUniqueRoleAssignments)
           {
             $Web.BreakRoleInheritance($false,$false)
           }

  • Breaking permission inheritance at List level
  • We will read the List – Get-PnPList
$documentLibrary = Get-PnPList -Identity "Shared Documents"
  • As a next step, we will check in permission inheritance on given list already broken or not –
if(!documentLibrary.HasUniqueRoleAssignments)
  • If permission inheritance for document library is not broken then we will broke the permission inheritance using – BreakRoleInheritance function
                    if(!$documentLibrary HasUniqueRoleAssignments){
                            $documentLibrary .BreakRoleInheritance($false,$false)
                    }#if(!$documentLibrary.HasUniqueRoleAssignments)
  • Breaking permission inheritance at listi items level – we will get all listitems using CMDLET – Get-PnPListItem
    • For list item we will use Get-PnPProperty CMDLET to read the “HasUniqueRoleAssignments” property
                #going through all the list items - if permissions are inherited, breaking them
                $listitems = Get-PnPListItem -List $documentLibrary.Title

                #Iterate through each list item
                ForEach($ListItem in $ListItems)
                {
                    #Check if the Item has unique permissions
 $HasUniquePermissions = Get-PnPProperty -ClientObject $ListItem -Property "HasUniqueRoleAssignments"
                    If(!$HasUniquePermissions)
                    {   
                        $ListItem.BreakRoleInheritance($false,$false)     
                    }#If(!$HasUniquePermissions)
                }#ForEach($ListItem in $ListItems)

  • After executing the complete script
  • Respective Sub-Site level permissions will be
fig : Microsoft 365 - SharePoint Online subsite- breaking permission inheritance
fig : Microsoft 365 – SharePoint Online subsite- breaking permission inheritance
  • Respective List level (document library) permissions will be
fig : Microsoft 365 - SharePoint Online list - breaking permission inheritance
fig : Microsoft 365 – SharePoint Online list – breaking permission inheritance
  • List items permissions will be
fig : Microsoft 365 - SharePoint Online list item in list- breaking permission inheritance
fig : Microsoft 365 – SharePoint Online list item in list- breaking permission inheritance

Complete Script

  • In below script we are reading the URLs of list of sub-sites from CSV file
#Loop through list of subsites  - read from CSV file
#If there is no unique permission - break the inheritance


#Parameters - CSV file path from which we will be reading URLof CSV file
$CSVFilePath = "C:\PS\Making Subsite - readonly\subsites.csv"

Try {
 
    #Read from CSV file and delete
    Import-CSV $CSVFilePath | ForEach-Object {
        Write-Host "Processing subsite" - $_.SubSiteURL

        #Connect PnP Online
        Connect-PnPOnline -Url $_.SubSiteURL -Interactive
  
        #Get the web
        $Web = Get-PnPWeb
 
        #Remove unique permissions
        if(!$web.HasUniqueRoleAssignments)
           {
             #break the permission inheritance on respective sub-site   
             $Web.BreakRoleInheritance($false,$false)
           }
        Invoke-PnPQuery
        
       #get all lists from the current sub-site
       Get-PnPList |ForEach-Object {
            
            #avoid lists which we do not want to process
            if($_.Title -ne "Composed Looks" -and
               $_.Title -ne "Master Page Gallery" -and 
               $_.Title -ne "Site Assets" -and
               $_.Title -ne "Site Pages" -and
               $_.Title -ne "Web Template Extensions" ) {

                    Write-Host "Processing List" $_.Title
                    
                    #check - current list has unique permissions
                    if(!$_.HasUniqueRoleAssignments){
                            #if not - break the permission inheritancd
                            $_.BreakRoleInheritance($false,$false)
                    }#if(!$_.HasUniqueRoleAssignments)
                    
                    #going through all the list items - if permissions are inherited, breaking them
                    $listitems = Get-PnPListItem -List $_.Title
                    
                    #Iterate through each list item
                    ForEach($ListItem in $ListItems)
                    {
                        #Check if the Item has unique permissions
                        $HasUniquePermissions = Get-PnPProperty -ClientObject $ListItem -Property "HasUniqueRoleAssignments"
                        If(!$HasUniquePermissions)
                        {   
                            $ListItem.BreakRoleInheritance($false,$false)     
                        }#If(!$HasUniquePermissions)
                    }#ForEach($ListItem in $ListItems)
            }#if(! $_.Title -eq "Composed Looks"
        }#Get-PnPList |ForEach-Object
         Invoke-PnPQuery
    }#foreach
}
catch {
    write-host "Error: $($_.Exception.Message)" -foregroundcolor Red
    $error1 = New-Object PSObject -Property @{ Exceptions = "Error: $($_.Exception.Message)"}
    $error1 | Export-Csv -Append -Path "C:\Users\u1086350\Desktop\PS\Making Subsite - readonly\ErrorLogs.csv"
}
fig : Sample CSV file - list of subsites
fig : Sample CSV file – list of subsites
fig : PowerShell - snap of complete script and output
fig : PowerShell – snap of complete script and output

If you want to start your Microsoft 365 PowerShell journey – please have a look at my recent book – Microsoft 365 Power Shell hand book for Administrators and Beginners and 100 Power Shell Interview Questions

fig : Microsoft 365 PowerShell handbook - specially for Administrators and Beginners
fig : Microsoft 365 PowerShell handbook – specially for Administrators and Beginners

Thanks for reading !!! HAVE A FANTASTIC LEARNING AHED!!!

Prasham Sabadra

LIFE IS VERY BEAUTIFUL :) ENJOY THE WHOLE JOURNEY :) Founder of Knowledge Junction and live-beautiful-life.com, Author, Learner, Passionate Techie, avid reader. Certified Professional Workshop Facilitator / Public Speaker. Scrum Foundation Professional certificated. Motivational, Behavioral , Technical speaker. Speaks in various events including SharePoint Saturdays, Boot camps, Collages / Schools, local chapter. Can reach me for Microsoft 365, Azure, DevOps, SharePoint, Teams, Power Platform, JavaScript.

You may also like...

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: