Managing Unique Permissions on SharePoint List Items using PnP PowerShell

By default, SharePoint list items inherit permissions from their parent list. However, you may need to:
✔️ Break inheritance for specific list items to set custom permissions
✔️ Grant unique permissions to users or groups
✔️ Restore inheritance to remove custom permissions

Using PnP PowerShell, you can manage item-level permissions in SharePoint from a script instead of clicking through the UI. Keep in mind that every item with unique permissions is an exception to the list's permission model and is easy to lose track of, so break inheritance only where it is really needed and restore it when the need is gone.


Prerequisites

Before proceeding, ensure that:
PnP PowerShell is installed (the current PnP.PowerShell module runs on PowerShell 7, not on Windows PowerShell 5.1)
You have Site Owner or Admin permissions (the account needs the Manage Permissions right on the list; an ordinary site member cannot change role assignments)
You know the SharePoint site URL, list name, and item ID


Step 1: Install and Import PnP PowerShell

If PnP PowerShell is not installed, install it using:

Install-Module -Name PnP.PowerShell -Scope CurrentUser -AllowClobber -Force

Then, import the module:

Import-Module PnP.PowerShell

PnP PowerShell is ready!


Step 2: Connect to SharePoint Online

To connect to a SharePoint Online site, use:

# Connect to SharePoint Online
Connect-PnPOnline -Url "https://yourtenant.sharepoint.com/sites/yoursite" -Interactive

🔹 Replace "yourtenant" with your SharePoint tenant name
🔹 Replace "yoursite" with your actual site name
🔹 Current PnP.PowerShell releases no longer ship a default Entra ID app registration, so if the interactive sign-in is refused, register your own (Register-PnPEntraIDAppForInteractiveLogin) and pass its application id with -ClientId

Connected successfully!


Step 3: Break Permission Inheritance on a List Item

To set unique permissions on a list item, you must first break inheritance:

# Define variables
$listName = "Project Documents"
$itemId = 5 # Replace with the actual item ID

# Break inheritance and remove existing permissions.
# Set-PnPListItemPermission has no -BreakInheritance switch, so call the CSOM
# method on the item: BreakRoleInheritance(copyRoleAssignments, clearSubscopes)
$item = Get-PnPListItem -List $listName -Id $itemId
$item.BreakRoleInheritance($false, $true)
Invoke-PnPQuery

Write-Host "Permissions inheritance broken for item ID '$itemId' in list '$listName'."

🔹 copyRoleAssignments = $false: Does not copy the list's role assignments, so the inherited permissions are removed (SharePoint keeps the calling account's own assignment so you are not locked out)
🔹 clearSubscopes = $true: Also resets any unique permissions defined below this item (relevant when the item is a folder)

The list item now has unique permissions! Until Step 4 grants someone access, only the account that ran the command and site collection administrators can open it, so assign the new permissions straight away.


Step 4: Grant Custom Permissions to a User or Group

Once inheritance is broken, assign new permissions:

# Define variables
$listName = "Project Documents"
$itemId = 5
$userEmail = "user@yourtenant.com"
$role = "Contribute" # Must match a permission level name on the site, e.g. Read, Edit, Full Control (Get-PnPRoleDefinition lists them)

# Assign permissions to the user
Set-PnPListItemPermission -List $listName -Identity $itemId -User $userEmail -AddRole $role

Write-Host "Assigned '$role' permissions to '$userEmail' for item ID '$itemId'."

The user now has custom permissions on the list item!


Step 5: Remove User Permissions from a List Item

To remove a specific user’s access:

# Define variables
$listName = "Project Documents"
$itemId = 5
$userEmail = "user@yourtenant.com"

# Remove permissions for the user
Set-PnPListItemPermission -List $listName -Identity $itemId -User $userEmail -RemoveRole "Contribute"

Write-Host "Removed 'Contribute' permissions from '$userEmail' for item ID '$itemId'."

The user no longer has permissions on this item!


Step 6: Restore Permission Inheritance

To reset permissions and inherit from the parent list:

# Define variables
$listName = "Project Documents"
$itemId = 5

# Reset permissions to inherit from the parent list
# (the switch is -InheritPermissions; Set-PnPListItemPermission has no -ResetInheritance parameter)
Set-PnPListItemPermission -List $listName -Identity $itemId -InheritPermissions

Write-Host "Permissions reset and inherited from the list for item ID '$itemId'."

The item now inherits permissions from the parent list!
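The following script is an added example and not code from the original post: it runs Steps 3 to 6 end to end and reads the item's role assignments back from SharePoint after every change, so you can see exactly what each call did. The site URL, list name, item ID and user address are placeholders, and Show-ItemPermissions is a helper written for this example.

```powershell
# Added example, not code from the original post: Steps 3 to 6 as one script with a
# read-back after every change. Site URL, list name, item ID and user are placeholders.
Import-Module PnP.PowerShell

$siteUrl   = "https://yourtenant.sharepoint.com/sites/yoursite"   # placeholder
$listName  = "Project Documents"                                  # placeholder
$itemId    = 5                                                    # placeholder
$userEmail = "user@yourtenant.com"                                # placeholder
$role      = "Contribute"

# Add -ClientId <your app registration id> if your PnP.PowerShell version requires it.
Connect-PnPOnline -Url $siteUrl -Interactive

function Show-ItemPermissions {
    param([string]$List, [int]$Id)
    # Load the item's role assignments from SharePoint so the report shows what was
    # actually stored, not what the script intended to set.
    $item = Get-PnPListItem -List $List -Id $Id
    $null = Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments, RoleAssignments
    Write-Host ("Item {0}: HasUniqueRoleAssignments = {1}" -f $Id, $item.HasUniqueRoleAssignments)
    foreach ($ra in $item.RoleAssignments) {
        $null = Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings
        $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        Write-Host ("  {0,-40} {1}" -f $ra.Member.Title, $levels)
    }
}

# Guard: the role must be a permission level that exists on this site, otherwise
# -AddRole fails after inheritance has already been broken and the item is left
# with nobody but the caller and site collection admins able to see it.
if (-not (Get-PnPRoleDefinition -Identity $role -ErrorAction SilentlyContinue)) {
    throw "Permission level '$role' does not exist on this site."
}

Write-Host "`n[Before]"; Show-ItemPermissions -List $listName -Id $itemId

# Step 3: break inheritance without copying the list's assignments.
$item = Get-PnPListItem -List $listName -Id $itemId
$item.BreakRoleInheritance($false, $true)   # (copyRoleAssignments, clearSubscopes)
Invoke-PnPQuery
Write-Host "`n[After break]"; Show-ItemPermissions -List $listName -Id $itemId

# Step 4: grant the user the role on this item only.
Set-PnPListItemPermission -List $listName -Identity $itemId -User $userEmail -AddRole $role
Write-Host "`n[After grant]"; Show-ItemPermissions -List $listName -Id $itemId

# Step 5: take the role away again.
Set-PnPListItemPermission -List $listName -Identity $itemId -User $userEmail -RemoveRole $role
Write-Host "`n[After remove]"; Show-ItemPermissions -List $listName -Id $itemId

# Step 6: return the item to inheriting from the list.
Set-PnPListItemPermission -List $listName -Identity $itemId -InheritPermissions
Write-Host "`n[After reset]"; Show-ItemPermissions -List $listName -Id $itemId

Disconnect-PnPOnline
```

The role check runs before inheritance is broken on purpose: a typo in the permission level name is harmless while the item still inherits, but after Step 3 it leaves the item with no effective access for anyone except the caller and site collection administrators.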


Common Errors & Solutions

Error                     Cause                        Solution
List not found            Incorrect list name          Use Get-PnPList to list the available lists
Item not found            Incorrect item ID            Use Get-PnPListItem to list the items
Access Denied             Insufficient permissions     Ensure you have Admin or Site Owner rights
User or group not found   Incorrect email/group name   Use Get-PnPUser or Get-PnPGroup to check the name
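The script below is an added example, not code from the original post. It turns the checks in the table above into a pre-flight function that validates the list, item and user with Get-PnPList, Get-PnPListItem and Get-PnPUser before any permission is changed, and adds an audit that lists every item in the list that currently has unique permissions, which is the check you want to run after a series of Step 3 changes. It assumes an open Connect-PnPOnline session; the list name, item ID and user address are placeholders, and Test-PermissionTarget and Get-ItemsWithUniquePermissions are names chosen for this example.

```powershell
# Added example, not code from the original post. Assumes Connect-PnPOnline has
# already been run. List name, item ID and user address are placeholders.
$listName  = "Project Documents"     # placeholder
$itemId    = 5                       # placeholder
$userEmail = "user@yourtenant.com"   # placeholder

function Test-PermissionTarget {
    param([string]$List, [int]$Id, [string]$Email)
    $ok = $true

    # "List not found": resolve the list first and show the visible lists on failure.
    $list = Get-PnPList -Identity $List -ErrorAction SilentlyContinue
    if (-not $list) {
        Write-Warning "List '$List' not found. Lists on this site:"
        Get-PnPList | Where-Object { -not $_.Hidden } | ForEach-Object { Write-Warning "  $($_.Title)" }
        return $false
    }

    # "Item not found": Get-PnPListItem throws when the ID does not exist.
    try {
        $null = Get-PnPListItem -List $list -Id $Id
    } catch {
        Write-Warning "Item $Id not found in '$List'. First IDs present:"
        Get-PnPListItem -List $list -PageSize 10 -Fields "ID","Title" |
            Select-Object -First 10 |
            ForEach-Object { Write-Warning ("  {0}  {1}" -f $_.Id, $_["Title"]) }
        $ok = $false
    }

    # "User or group not found": warn if the address is not in the site's user list.
    # (Set-PnPListItemPermission resolves the account itself; this catches typos early.)
    $user = Get-PnPUser | Where-Object { $_.Email -eq $Email }
    if (-not $user) {
        Write-Warning "'$Email' is not in this site's user list; check the spelling, or use Get-PnPGroup if it is a group."
        $ok = $false
    }
    return $ok
}

function Get-ItemsWithUniquePermissions {
    param([string]$List)
    # Audit: which items no longer inherit from the list. Page through the list in
    # batches and read the HasUniqueRoleAssignments flag for each item.
    Get-PnPListItem -List $List -PageSize 500 -Fields "ID","Title" | ForEach-Object {
        $unique = Get-PnPProperty -ClientObject $_ -Property HasUniqueRoleAssignments
        if ($unique) {
            [pscustomobject]@{ Id = $_.Id; Title = $_["Title"] }
        }
    }
}

if (Test-PermissionTarget -List $listName -Id $itemId -Email $userEmail) {
    Write-Host "Inputs look valid; safe to run Set-PnPListItemPermission."
}

Write-Host "`nItems in '$listName' with unique permissions:"
Get-ItemsWithUniquePermissions -List $listName | Format-Table -AutoSize
```

Run the audit periodically or after bulk scripting: an item that still shows up here long after its project ended is usually one that should be put back on inheritance with Step 6.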
