<#
******-----------------------------------------------------------------------******
Author -> Shiv Mangal Singh
Date -> 29th January - 2021
Description -> This Script will generate the Full Control user's permission report across sub sites along with the SharePoint Online Site collection.
->
Path of csv file -->$FileUrl ="D:\PowerShell\Report\Sitecol_Web_Report25.csv"
--> $currentLogPath ="D:\shiv\Powershell\Onlinelog_16August2017.csv"
Tenant Site URL -->$SiteURL="https://work.sharepoint.com/sites/test"
******-----------------------------------------------------------------------******
#>
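# CSOM assemblies shipped with the SharePoint Online Management Shell.
Add-Type -Path "C:\Program Files\SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell\Microsoft.SharePoint.Client.Runtime.dll"

# Variables for SharePoint Online site collection
$SiteURL = "https://work.sharepoint.com/sites/test"
$FileUrl = "D:\PowerShell\Report\Sitecol_Web_Report.csv"

# Out-File does not create missing folders; make sure the report folder exists
# before the header line is written, otherwise the run fails after sign-in.
$ReportFolder = Split-Path -Parent $FileUrl
if (-not (Test-Path -LiteralPath $ReportFolder))
{
    New-Item -ItemType Directory -Path $ReportFolder | Out-Null
}

## Setup Authentication Manager
# Interactive (browser) sign-in: no credentials are stored in this script.
# NOTE(review): OfficeDevPnP.Core is not loaded by the Add-Type lines above;
# this relies on the PnP assembly already being present in the session - confirm.
$AuthenticationManager = New-Object OfficeDevPnP.Core.AuthenticationManager
$ctx = $AuthenticationManager.GetWebLoginClientContext($SiteURL)
$ctx.Load($ctx.Web)
$ctx.ExecuteQuery()
Write-Host $ctx.Web.Title -ForegroundColor Yellow

# Create header for Report in CSV file. Columns are tab-separated despite the
# .csv extension. The report lists privileged principals per site, so keep the
# output file restricted to the people who need it.
"Site Collection `t Permission Type/ Group Name `t Login Name `t Permission " | out-file $FileUrl

# The root web was loaded above; only its sub-web collection still needs a
# round trip.
$rootWeb = $ctx.Web
$spWebs = $rootWeb.Webs
$ctx.Load($spWebs)
$ctx.ExecuteQuery()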
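#######################################
# Reduces a SharePoint login name to its readable account part.
# Claims-style names carry the account in the third '|' segment
# (constructed sample: "i:0#.f|membership|user@contoso.com"). Names with fewer
# segments (system accounts, other formats) previously produced a blank cell;
# they now fall back to the full login name.
# Arguments: $LoginName - the principal's LoginName string
# Outputs:   the account segment, or the unchanged input
#######################################
function Get-ShortLoginName($LoginName)
{
    $Parts = "$LoginName".Split('|')
    if ($Parts.Count -ge 3)
    {
        return $Parts[2]
    }
    return $LoginName
}

#######################################
# Writes the Full Control principals of one web to the report file.
# Globals:   $ctx (read; SharePoint ClientContext), $FileUrl (read; report path)
# Arguments: $Web - a Microsoft.SharePoint.Client.Web
# Outputs:   appends one tab-separated line per Full Control user or group to
#            $FileUrl; progress is printed with Write-Host
# Returns:   nothing
# Notes:     the filter is name-based ('*Full*'); a custom role definition that
#            grants equivalent rights under another name is not reported.
#            Role assignments are read whether or not the web has unique
#            permissions, so a web that inherits from its parent repeats the
#            parent's entries.
#######################################
function GetSitesOwners($Web)
{
    # Both halves of the report need these collections; batch them into one
    # round trip. Loading a collection also brings back the scalar properties
    # (Name, Title, LoginName) of its items.
    $WebRoleAssignments = $Web.RoleAssignments
    $SiteGroup = $Web.SiteGroups
    $ctx.Load($WebRoleAssignments)
    $ctx.Load($SiteGroup)
    $ctx.ExecuteQuery()

    # --- Direct (explicit) user permissions on this web ---
    foreach ($WebRoleAssignment in $WebRoleAssignments)
    {
        $ctx.Load($WebRoleAssignment.Member)
        $ctx.Load($WebRoleAssignment.RoleDefinitionBindings)
        $ctx.ExecuteQuery()
        if ($WebRoleAssignment.Member.PrincipalType -ne [Microsoft.SharePoint.Client.Utilities.PrincipalType]::User)
        {
            continue
        }
        Write-Host $WebRoleAssignment.Member.LoginName

        # Keep only Full Control (the original comment said "exclude Limited
        # Access", but the match is an include on '*Full*').
        $WebUserPermissions = @()
        foreach ($RoleDefinition in $WebRoleAssignment.RoleDefinitionBindings)
        {
            if ($RoleDefinition.Name -like "*Full*")
            {
                $WebUserPermissions += $RoleDefinition.Name + ";"
            }
        }
        if ($WebUserPermissions)
        {
            $UsersLoginName = Get-ShortLoginName $WebRoleAssignment.Member.LoginName
            "$($Web.Url)`t Direct Permission `t $($UsersLoginName) `t $($WebUserPermissions)" | Out-File $FileUrl -Append
        }
    }

    # --- Permissions granted through SharePoint groups ---
    foreach ($grpUser in $SiteGroup)
    {
        try
        {
            $siteuser = $grpUser.Users
            $ctx.Load($siteuser)
            # NOTE(review): GetByPrincipal presumably fails on ExecuteQuery when
            # the group holds no role assignment on this web; the catch below
            # reports that and moves on to the next group.
            $grpWebRoleAssignment = $Web.RoleAssignments.GetByPrincipal($grpUser)
            $ctx.Load($grpWebRoleAssignment)
            $RoleDefinitions = $grpWebRoleAssignment.RoleDefinitionBindings
            $ctx.Load($RoleDefinitions)
            $ctx.ExecuteQuery()

            $WebUserPermissions = @()
            foreach ($RoleDefinition in $RoleDefinitions)
            {
                if ($RoleDefinition.Name -like "*Full*")
                {
                    $WebUserPermissions += $RoleDefinition.Name + ";"
                }
            }
            # Only groups that actually hold Full Control are reported, so the
            # member list is only built for those.
            if (-not $WebUserPermissions)
            {
                continue
            }

            $FullControlOwner = @()
            foreach ($user in $siteuser)
            {
                Write-Host $user.Title -BackgroundColor yellow
                $FullControlOwner += $user.Title + ";"
            }
            "$($Web.Url) `t $($grpUser.Title) `t $($FullControlOwner) `t $($WebUserPermissions)" | Out-File $FileUrl -Append
        }
        catch [System.Exception]
        {
            $Errormessage = $_.Exception.Message
            Write-Host "Can not find the user in this SharePoint group ID" "[$Errormessage]" -ForegroundColor Cyan
        }
    }
}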
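#######################################
# Routes a traversal error to the script's log helpers, or to Write-Warning
# when those helpers are not defined, so one unreachable site does not abort
# the whole scan. LogMessage and LogError are not defined in this file.
# Arguments: $SiteUrl     - URL of the web that failed
#            $ErrorRecord - the $_ from the calling catch block
# Outputs:   a log entry or a warning on the host
#######################################
function Write-SiteError($SiteUrl, $ErrorRecord)
{
    $Message = $ErrorRecord.Exception.Message
    if ($Message -like '*(401) Unauthorized*' -or $Message -like '*Access denied*')
    {
        $Text = "You need permission to access this site: " + $SiteUrl
        if (Get-Command LogMessage -ErrorAction SilentlyContinue)
        {
            LogMessage($Text)
        }
        else
        {
            Write-Warning $Text
        }
    }
    else
    {
        if (Get-Command LogError -ErrorAction SilentlyContinue)
        {
            LogError $Message $ErrorRecord.Exception.GetType().FullName $ErrorRecord.InvocationInfo.PositionMessage
        }
        else
        {
            Write-Warning ("Error while scanning " + $SiteUrl + ": " + $Message)
        }
    }
}

#######################################
# Reports one web and then recurses into every sub web beneath it.
# Defined before its first use: PowerShell resolves function names at run
# time, so a call that precedes the definition fails with a command-not-found
# error.
# Globals:   $ctx (read)
# Arguments: $subWeb - a Microsoft.SharePoint.Client.Web, possibly not yet loaded
# Outputs:   report lines via GetSitesOwners; problems via Write-SiteError
# Returns:   nothing; an inaccessible web is logged and its subtree skipped
#######################################
function GetInnerSubsite($subWeb)
{
    try
    {
        $ctx.Load($subWeb)
        $ctx.Load($subWeb.Webs)
        $ctx.ExecuteQuery()
        GetSitesOwners $subWeb
    }
    catch
    {
        # If the load failed, $subWeb.Webs is not initialised and enumerating
        # it would throw outside any try block; stop at this web instead.
        Write-SiteError $subWeb.Url $_
        return
    }
    foreach ($childWeb in $subWeb.Webs)
    {
        GetInnerSubsite $childWeb
    }
}

# Root web first, then every sub web recursively. The root's sub-web
# collection was loaded at start-up; deeper levels are loaded by
# GetInnerSubsite itself, so no per-level pre-load is needed here.
GetSitesOwners $rootWeb
foreach ($subsite in $spWebs)
{
    GetInnerSubsite $subsite
}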
#Ended users permission reports