SharePoint Online - Site Permissions Report for all Webs - With Group Users

This script generates a CSV report of all site permissions for a given SharePoint Online site collection URL. It includes the permissions of subsites. Unless its permissions are broken, a subsite will have its parent web's permissions. Prerequisites: SharePoint Client DLLs - would be avail

3/30/2019
  • sign-in issue
    1 Posts | Last post March 04, 2020
    • I get:
      Exception calling "ExecuteQuery" with "0" argument(s): "The sign-in name or password does not match one in the
      Microsoft account system."
      At C:\admin\scripts\SPO-GetAllSCPermissions\SPO-GetAllSCPermissions.ps1:23 char:5
      +     $ctx.ExecuteQuery()
      +     ~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
          + FullyQualifiedErrorId : IdcrlException
      
      I'm 100% sure it is not the credentials.
      I'm using Windows 10 - PowerShell 5.1 (14393 Build).
      
      Any suggestions?
      
  • Exception calling
    5 Posts | Last post August 20, 2019
    • Exception calling "ExecuteQuery" with "0" argument(s): "The remote server returned an error: (403) Forbidden."
      At C:\Scripts\SPO-GetAllSCPermissions.ps1:18 char:5
      +     $ctx.ExecuteQuery()
      +     ~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
          + FullyQualifiedErrorId : WebException
       
      
      The collection has not been initialized. It has not been requested or the request has not been executed. It may need to be explicitly requested.
      
      I had to replace the credentials call 
       $ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($admin, $pass) 
      
      with 
      
      Connect-SPOService, since we use MFA for our admin logins. Will this affect the code anywhere else? And how would I go about fixing this error? The client DLLs were loaded as of today.
    • Thanks for your question.
      I never tested this with MFA. I feel, technically, it should not affect the remaining code.
    • So I figured out a way around MFA: you can use your App password with your admin account and then the script will run correctly. For all that have run into this issue.
    • Glad to hear it's working fine. This is useful for other users who use MFA.
    • @alex - I've been running the code with Connect-SPOService... What do you mean by App Password with your Admin Account? When I'm prompted to sign in I use my Global Admin Account with the correct Password.
  • Exception Calling + Collection not initialized
    1 Posts | Last post August 20, 2019
    • I'm running into the errors below. I've gone through the steps spoken on. Any recommendations/suggestions to fix this?
      
      Exception calling "ExecuteQuery" with "0" argument(s): "The remote server returned an error: (403) Forbidden."
      At C:\Users\vavacare\Documents\HSMATestSitePermissions.ps1:31 char:5
      +     $ctx.ExecuteQuery()
      +     ~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
          + FullyQualifiedErrorId : WebException
       
      
      The collection has not been initialized. It has not been requested or the request has not been executed. It may need to be explicitly requested.
      At C:\Users\vavacare\Documents\HSMATestSitePermissions.ps1:75 char:18
      +         foreach ($web in $web.Webs) {
      +                  ~~~~
          + CategoryInfo          : OperationStopped: (:) [], CollectionNotInitializedException
          + FullyQualifiedErrorId : Microsoft.SharePoint.Client.CollectionNotInitializedException
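
The traces above show two errors in sequence: ExecuteQuery is rejected, the script keeps running, and the loop over $web.Webs then fails because the collection was never populated. The following is an added example, not the gallery script or its author's code, that stops at the first failure and reports the underlying cause; $SiteUrl, $Admin and the DLL folder in $isapi are assumptions.

```powershell
# Added example, not the gallery script. $SiteUrl, $Admin and $isapi are assumptions.
param(
    [Parameter(Mandatory)] [string] $SiteUrl,   # site collection URL to report on
    [Parameter(Mandatory)] [string] $Admin      # sign-in name of a site collection admin
)

# Assumed install location of the client DLLs; adjust to your machine.
$isapi = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\ISAPI'
Add-Type -Path (Join-Path $isapi 'Microsoft.SharePoint.Client.dll')
Add-Type -Path (Join-Path $isapi 'Microsoft.SharePoint.Client.Runtime.dll')

# Prompt for the password so it never sits in the script or shell history.
$pass = Read-Host -Prompt "Password for $Admin" -AsSecureString

$ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteUrl)
try {
    $ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Admin, $pass)

    $web = $ctx.Web
    $ctx.Load($web)
    $ctx.Load($web.Webs)   # child webs are only populated if requested before ExecuteQuery

    try {
        $ctx.ExecuteQuery()
    }
    catch {
        # PowerShell wraps the .NET exception; the inner one carries the real cause.
        $cause = $_.Exception.InnerException
        if ($null -eq $cause) { $cause = $_.Exception }
        $status = ''
        if ($cause -is [System.Net.WebException] -and $cause.Response) {
            $status = " (HTTP $([int]$cause.Response.StatusCode))"
        }
        # Stop here: continuing would only add CollectionNotInitializedException noise.
        throw "Cannot query $SiteUrl$status : $($cause.Message)"
    }

    foreach ($sub in $web.Webs) {
        Write-Output "$($sub.Url)`t$($sub.Title)"
    }
}
finally {
    $ctx.Dispose()
}
```
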
  • thank you for script, but getting this error
    2 Posts | Last post April 29, 2019
    • Exception calling "ExecuteQuery" with "0" argument(s): "The remote server returned an error: (401) Unauthorized."
      +     $ctx.ExecuteQuery()
      +     ~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
          + FullyQualifiedErrorId : WebException
       
      
      The collection has not been initialized. It has not been requested or the request has not been executed. It may need to be explicitly requested.
    • Please verify the credentials and ensure the latest version of Client DLLs are loaded.
  • In the script the command is not getting recognized
    6 Posts | Last post November 28, 2018
    • Get-SPOAllSitePermisions : The term 'Get-SPOAllSitePermisions' is not recognized as the name of a cmdlet, function,
      script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is
      correct and try again.
      At line:1 char:1
      + Get-SPOAllSitePermisions
      + ~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : ObjectNotFound: (Get-SPOAllSitePermisions:String) [], CommandNotFoundException
          + FullyQualifiedErrorId : CommandNotFoundException
    • Try adding the following to the top of the script:
      
      
      # Add the SharePoint PowerShell snap-in if it is not already added
      if ($null -eq (Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue)) {
          Add-PSSnapin "Microsoft.SharePoint.PowerShell"
      }
      Clear-Host
      
      # Load the SharePoint client assemblies
      Add-Type -Path "C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\ISAPI\Microsoft.SharePoint.Client.dll"
      Add-Type -Path "C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
    • Looks like the script doesn't display the permissions on the site that doesn't have unique permission. How do I modify the script to report all sites with and without unique permissions?
    • Yes, that's correct, since the permissions are the same as the root web. You can take the root web permissions into consideration.
      If you still want to replicate the inherited permissions for all sites, just remove the "if" condition: "if($web.HasUniqueRoleAssignments -eq $true)"
    • Instead of a single site collection: Get-SPOAllSitePermissions "<your site collection url here>"
      
      How would I make it to call all site collections in the tenant?
    • You can refer to my other script https://gallery.technet.microsoft.com/scriptcenter/SharePoint-Online-List-all-40d8e3d5 to iterate through all site collections, but you need to be SCA for all these site collections.