
How to Get a SharePoint Online Permissions Report

by Josh Van Cott

SharePoint Online is a powerful platform for collaborating and sharing information throughout the business, including with partners, customers, and other employees.

Because of how easy it is to use, companies often share sensitive data on this platform, which means that you must ensure it is secure.

Unfortunately, SharePoint Online has a complex infrastructure that isn’t particularly easy to keep secure. Each SharePoint Online site needs to have its own policies and workflows, including permissions.

Understanding SharePoint Online permissions is critical to ensuring that you are operating on a policy of least privilege where users only have access to the data they need to do their jobs, nothing more.

How to Check SharePoint Online Permissions for a Particular User

It’s very easy to see what permissions any user has on a particular site. This functionality is built into SharePoint Online. The process is as follows:

  1. Go to “Site Settings”.
  2. Click on “Site Permissions”.
  3. Click on “Check Permissions”.

Unfortunately, this method is not viable for admins who want a list of access permissions for all users in order to spot those who may have excessive permissions.

How to Use PowerShell to Get a SharePoint Online Permissions Report

The best native method for producing a SharePoint Online permissions report is to run a PowerShell script. Scripts can be found online, but implementing them correctly takes a significant amount of time and PowerShell experience. Below are the basic steps required for doing this:

  1. Download and install the SharePoint Online Client Components SDK.
  2. Open the PowerShell Integrated Scripting Environment (ISE).
  3. Run the following script:
    # SPO-specific cmdlets require the SharePoint Online module
    Install-Module -Name Microsoft.Online.SharePoint.PowerShell
    $ServiceURL = "https://enterprise-admin.sharepoint.com"
    $URL = "https://enterprise.sharepoint.com"
    $Path = "C:\Temp\GroupsReport.csv"
    $Cred = Get-Credential
    # Connect to SharePoint Online
    Connect-SPOService -Url $ServiceURL -Credential $Cred
    # Generate the report
    $GroupsData = @()
    # Get the SharePoint Online groups for the site
    $SiteGroups = Get-SPOSiteGroup -Site $URL
    ForEach ($Group in $SiteGroups) {
        # One row per group: its name, permission levels and members
        $GroupsData += New-Object PSObject -Property @{
            'Group Name'  = $Group.Title
            'Permissions' = $Group.Roles -join ","
            'Users'       = $Group.Users -join ","
        }
    }
    # Export the data to CSV
    $GroupsData | Export-Csv $Path -NoTypeInformation

    NOTE: In the $Url and $Path variables, you will need to input your specific SharePoint site address and output path respectively.
  4. You should be able to now see a report that lists users, group names and permissions.
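
The report above is organised by group, while a least-privilege review is done per user. The following added example (not part of the original article and not Lepide code) pivots the CSV produced by the script into one row per user and flags accounts that hold high-privilege permission levels or look like external logins; the function name, the sample rows, the high-privilege list and the `#ext#` guest marker are assumptions.

```powershell
# Added example: pivot the per-group report into one row per user.
# The rows below are constructed sample data; against a real report use:
#   $Report = Import-Csv "C:\Temp\GroupsReport.csv"
$Report = @'
"Group Name","Permissions","Users"
"Site Owners","Full Control","alice@example.com,bob@example.com"
"Site Members","Edit","bob@example.com,carol@example.com,pat_example.org#ext#@example.onmicrosoft.com"
"Site Visitors","Read","dave@example.com"
"Old Project Team","Full Control,Limited Access","carol@example.com"
"Empty Group","Read",""
'@ | ConvertFrom-Csv

function Get-UserPermissionSummary {
    param(
        [Parameter(Mandatory)] [object[]] $GroupReport,
        # Permission levels treated as high privilege (assumption: adjust to policy)
        [string[]] $HighPrivilegeRoles = @('Full Control', 'Design')
    )
    # Expand each group row into one record per (user, group) pair
    $Expanded = foreach ($Row in $GroupReport) {
        $Roles = @($Row.Permissions -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $Users = @($Row.Users -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        foreach ($User in $Users) {
            [pscustomobject]@{ User = $User; GroupName = $Row.'Group Name'; Roles = $Roles }
        }
    }
    # Collapse to one row per user with the union of groups and permission levels
    foreach ($Entry in ($Expanded | Group-Object -Property User)) {
        $AllRoles  = @($Entry.Group | ForEach-Object { $_.Roles } | Sort-Object -Unique)
        $AllGroups = @($Entry.Group | ForEach-Object { $_.GroupName } | Sort-Object -Unique)
        [pscustomobject]@{
            User          = $Entry.Name
            Groups        = $AllGroups -join '; '
            Roles         = $AllRoles -join '; '
            HighPrivilege = [bool]($AllRoles | Where-Object { $_ -in $HighPrivilegeRoles })
            # Assumption: guest accounts carry "#ext#" in their login name
            External      = $Entry.Name -like '*#ext#*'
        }
    }
}

# Show only the accounts worth a manual review
Get-UserPermissionSummary -GroupReport $Report |
    Where-Object { $_.HighPrivilege -or $_.External } |
    Sort-Object User |
    Format-Table -AutoSize
```

Users who reach a high-privilege level through more than one group show every group in the `Groups` column, which is where inherited or forgotten memberships tend to surface.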

How to Get a SharePoint Online Permissions Report Using Lepide

The native method for producing a SharePoint Online permissions report may seem simple, but in practice it takes a significant amount of time. It is also only useful for spotting users with excessive permissions at a single point in time. You will not be able to spot permission changes as they happen using PowerShell.

Using Lepide SharePoint Online Auditor (part of Lepide Data Security Platform), you can easily see who your privileged users are. You can also filter, search and sort your audited platforms to display SharePoint Online permission changes in a matter of clicks.

Whenever permissions change in a way that could lead to over-privileged users, you will receive real-time alerts straight to your mobile device or email.

If you’d like to see the SharePoint Online functionality in your environment, start a free trial of the Lepide SharePoint Online Auditor today.
