Microsoft 365 : SharePoint Online – Change user permissions using PowerShell
“Be stronger than your excuses”
Hello Everyone,
Hope you all are doing well.
In this article we are going to discuss how to change user permissions of a SharePoint Online site using PowerShell.
We have a good list of articles on SharePoint Online using PowerShell; please have a look.
So without further delay, let’s get started.
Background
In our organization, one of our project requirements is to change user permissions on the basis of permission levels using PowerShell. So we started using a PowerShell script to change the permissions of a user, and we show the process here.
Details
- We need SharePoint Site URL, user account, permissions to add and permissions to remove.
- Open PowerShell ISE.
- Now run PowerShell with the following cmdlets to change the user permissions.
Note: Lines starting with “#” are just descriptive headings or comments.
Prerequisites
- Install PowerShell ISE / PowerShell / Visual Studio Code if it is not installed.
- Install SharePoint Online Management Shell if it is not installed.
#Install SharePoint Online Management Shell if it is not installed
Install-Module -Name Microsoft.Online.SharePoint.PowerShell
Detailed Steps – PowerShell script
- Load the SharePoint Online CSOM Assemblies.
#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
- Set variables for Site URL, User account, Permission to remove and Permission to add.
#Variables for Processing
$SiteURL = "https://osinfotech.sharepoint.com/sites/subsite"
$UserAccount="i:0#.f|membership|khasims@osinfotech.onmicrosoft.com"
$PermissionToRemove="Edit"
$PermissionToAdd="Contribute"
- Set up the credentials of the user to connect to SharePoint Online.
#Setup Credentials to connect
$Credentials = Get-Credential
$Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Credentials.UserName,$Credentials.Password)
- Use try to monitor the errors
#Monitor the errors
Try {}
- Setup the context with site URL and credentials.
#Setup the context
$Context = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
$Context.Credentials = $Credentials
- Get the details of all users of the SharePoint Online site.
#Get all Users of the site
$Users = $Context.Web.SiteUsers
$Context.Load($Users)
$Context.ExecuteQuery()
- Get all the users with login name
#Get user accounts
$UserAccounts = $Users | Select -ExpandProperty LoginName
- Check whether the given user already exists in the site.
#Check if the given user exists in the site
If($UserAccounts -Contains $UserAccount)
- Get the user with login name
#Get the User
$User = $Context.Web.SiteUsers.GetByLoginName($UserAccount)
- Set variables for the permission to add and the permission to remove.
#Get Permission Levels to add and remove
$RoleDefToAdd = $Context.web.RoleDefinitions.GetByName($PermissionToAdd)
$RoleDefToRemove = $Context.web.RoleDefinitions.GetByName($PermissionToRemove)
- Set variable for role assignment on the web.
#Get the User's role assignment on the web
$RoleAssignment = $Context.web.RoleAssignments.GetByPrincipal($User)
- Remove the permission and add permission to the user
#Add/remove permission levels to the role assignment
$RoleAssignment.RoleDefinitionBindings.Add($RoleDefToAdd)
$RoleAssignment.RoleDefinitionBindings.Remove($RoleDefToRemove)
$RoleAssignment.Update()
$Context.ExecuteQuery()
- Print the details, if the permissions updated successfully.
#Print if user permissions updated successfully
write-host -f Green "User permissions updated Successfully!"
- Print the details, if the user doesn’t exist on the site.
else
{
#Print if user doesn't exist
Write-host -f Yellow "User Doesn't exist in the site!"
}
- Catch the errors from the main Try block
#Catch the errors
Catch {}
- Print the error details, if the permissions were not updated
#Print error details
write-host -f Red "Error Updating User Permissions!" $_.Exception.Message
Complete PowerShell Script
<#
======================================================================================================================================
Name: Change the permissions of a SharePoint Online site user through PowerShell
Description: This script helps to change the permissions of a SharePoint Online user in an Organization through PowerShell
Version: 1.0
======================================================================================================================================
#>
#Install SharePoint Online Management Shell if it is not installed
#Install-Module -Name Microsoft.Online.SharePoint.PowerShell

#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

#Variables for Processing
$SiteURL = "https://osinfotech.sharepoint.com/sites/subsite"
$UserAccount = "i:0#.f|membership|khasims@osinfotech.onmicrosoft.com"
$PermissionToRemove = "Edit"
$PermissionToAdd = "Contribute"

#Setup Credentials to connect
$Credentials = Get-Credential
$Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Credentials.UserName,$Credentials.Password)

#Monitor the errors
Try {
    #Setup the context
    $Context = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
    $Context.Credentials = $Credentials

    #Get all Users of the site
    $Users = $Context.Web.SiteUsers
    $Context.Load($Users)
    $Context.ExecuteQuery()

    #Get user accounts
    $UserAccounts = $Users | Select -ExpandProperty LoginName

    #Check if the given user exists in the site
    If($UserAccounts -Contains $UserAccount)
    {
        #Get the User
        $User = $Context.Web.SiteUsers.GetByLoginName($UserAccount)

        #Get Permission Levels to add and remove
        $RoleDefToAdd = $Context.web.RoleDefinitions.GetByName($PermissionToAdd)
        $RoleDefToRemove = $Context.web.RoleDefinitions.GetByName($PermissionToRemove)

        #Get the User's role assignment on the web
        $RoleAssignment = $Context.web.RoleAssignments.GetByPrincipal($User)

        #Add/remove permission levels to the role assignment
        $RoleAssignment.RoleDefinitionBindings.Add($RoleDefToAdd)
        $RoleAssignment.RoleDefinitionBindings.Remove($RoleDefToRemove)
        $RoleAssignment.Update()
        $Context.ExecuteQuery()

        #Print if user permissions updated successfully
        write-host -f Green "User permissions updated Successfully!"
    }
    else
    {
        #Print if user doesn't exist
        Write-host -f Yellow "User Doesn't exist in the site!"
    }
}
#Handle the errors
Catch {
    #Print error details
    write-host -f Red "Error Updating User Permissions!" $_.Exception.Message
}
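A variant of the add/remove step that verifies its own result, as an added example that is not part of the original article: it records the user's permission levels before the change, skips operations that are already satisfied, and reads the bindings back from the server to confirm the removed level is really gone. `Set-UserPermissionLevel` is a hypothetical helper name; it assumes the CSOM assemblies are loaded and `$Context` is the authenticated context built in the script above.

```powershell
# Added example, not from the original article. Set-UserPermissionLevel is a
# hypothetical helper; $Context is assumed to be an authenticated ClientContext.
function Set-UserPermissionLevel {
    param(
        [Parameter(Mandatory)] $Context,
        [Parameter(Mandatory)] [string] $LoginName,
        [Parameter(Mandatory)] [string] $Add,
        [Parameter(Mandatory)] [string] $Remove
    )

    # Resolve the user's direct role assignment and load its current bindings.
    $User       = $Context.Web.SiteUsers.GetByLoginName($LoginName)
    $Assignment = $Context.Web.RoleAssignments.GetByPrincipal($User)
    $Bindings   = $Assignment.RoleDefinitionBindings
    $Context.Load($Bindings)
    $Context.ExecuteQuery()
    $Before = @($Bindings | Select-Object -ExpandProperty Name)

    # Only touch levels whose state actually needs to change.
    if ($Before -notcontains $Add) {
        $Bindings.Add($Context.Web.RoleDefinitions.GetByName($Add))
    }
    if ($Before -contains $Remove) {
        $Bindings.Remove($Context.Web.RoleDefinitions.GetByName($Remove))
    }
    $Assignment.Update()
    $Context.ExecuteQuery()

    # Read the bindings back through a fresh object instead of trusting the request.
    $Fresh = $Context.Web.RoleAssignments.GetByPrincipal($User).RoleDefinitionBindings
    $Context.Load($Fresh)
    $Context.ExecuteQuery()
    $After = @($Fresh | Select-Object -ExpandProperty Name)

    # Fail loudly if the broader level is still bound or the new one is missing.
    if ($After -contains $Remove -or $After -notcontains $Add) {
        throw "Permission change not applied for $LoginName. Current levels: $($After -join ', ')"
    }

    # Return a before/after record suitable for a change log.
    [pscustomobject]@{
        Site      = $Context.Url
        User      = $LoginName
        Before    = $Before -join ', '
        After     = $After -join ', '
        ChangedAt = (Get-Date).ToUniversalTime().ToString('o')
    }
}
```

Call it inside the article's Try block with `$UserAccount`, `$PermissionToAdd` and `$PermissionToRemove` so that CSOM errors still reach the existing Catch block.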
Credits : Salaudeen Rajack
Hope this article will help us to change the permissions of a SharePoint Online user through PowerShell.
Also get my article updates on my social media handles.
LinkedIn – https://www.linkedin.com/in/khasim-shaik-8784a1232/
Twitter – https://twitter.com/KhasimShaik2009
Facebook – https://www.facebook.com/profile.php?id=100078255554660
Thank you for your support; will catch up with a new article soon.
Keep learning and keep smiling.
