Ensuring that users have the correct permissions in SharePoint Online is crucial for security and collaboration. With PnP PowerShell, you can:
✔️ Check if a user or group has access to a site, list, or item
✔️ Retrieve the specific roles assigned to the user
✔️ Identify missing permissions that may cause access issues
Prerequisites
Before you begin, ensure that:
PnP PowerShell is installed
You have SharePoint Admin or Site Owner rights
You have the SharePoint site URL and user details
Step 1: Install and Import PnP PowerShell
If you haven’t installed PnP PowerShell, run:
Install-Module -Name PnP.PowerShell -Scope CurrentUser -AllowClobber -Force
Then, import the module:
Import-Module PnP.PowerShell
PnP PowerShell is ready!
Step 2: Connect to SharePoint Online
Use the following command to connect to your SharePoint Online site:
Connect-PnPOnline -Url "https://yourtenant.sharepoint.com/sites/yoursite" -Interactive
🔹 Replace "yourtenant" with your SharePoint tenant name
🔹 Replace "yoursite" with your actual site name
Connected successfully!
Step 3: Check User Permissions on a SharePoint Site
To check what permissions a user or group has on a site:
# Define variables
$userEmail = "user@yourtenant.com"
# Check user permissions
Get-PnPUserEffectivePermissions -User $userEmail | Format-List
This command returns all permissions the user has on the site.
You now know the user’s site permissions!
Step 4: Check User Permissions on a SharePoint List
To check permissions on a specific list or library:
# Define variables
$listName = "Project Documents"
$userEmail = "user@yourtenant.com"
# Get user permissions on the list
Get-PnPUserEffectivePermissions -User $userEmail -List $listName | Format-List
This command displays all list-level permissions for the user.
You now know the user’s list permissions!
Step 5: Check User Permissions on a List Item
To check permissions on a specific list item or document:
# Define variables
$listName = "Project Documents"
$itemId = 5
$userEmail = "user@yourtenant.com"
# Get user permissions on the list item
Get-PnPUserEffectivePermissions -User $userEmail -List $listName -Identity $itemId | Format-List
This command shows item-level permissions, which may differ from list-level permissions.
You now know the user’s item-level permissions!
Step 6: Get All Users and Their Roles on a SharePoint Site
To list all users and their assigned roles:
# Get all users and roles on the site
Get-PnPSiteGroup | ForEach-Object {
    Write-Host "Group: " $_.Title
    # In the PnP.PowerShell module the cmdlet is Get-PnPGroupMember and takes -Group
    Get-PnPGroupMember -Group $_.Title
}
This command displays all SharePoint groups and their members.
You now have a full list of users and groups!
Step 7: Identify If a User Lacks Necessary Permissions
If a user cannot access a site or item, they might lack required permissions. Run:
# Check if the user has specific permissions
$userEmail = "user@yourtenant.com"
$siteUrl = "https://yourtenant.sharepoint.com/sites/yoursite"
Get-PnPUserEffectivePermissions -User $userEmail -Url $siteUrl | Select-String "Denied"
🔹 If "Denied" appears, the user lacks certain permissions.
Now you know if the user is blocked from accessing the site!
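The following is an added example, not part of the original article. It tests the site, list, and item from Steps 3 to 5 for a set of required permissions and reports which ones the user is missing at each scope. It calls the CSOM `GetUserEffectivePermissions` method on the objects PnP PowerShell returns, so it does not rely on the cmdlet used in the steps above being available in the installed module. The function name `Get-MissingPermission`, the claims login format, and the required permission list are assumptions chosen for illustration.

```powershell
# Added example. Assumes Connect-PnPOnline has already been run against the site.
function Get-MissingPermission {
    param(
        [Parameter(Mandatory)] $Scope,                 # Web, List or ListItem object
        [Parameter(Mandatory)] [string]   $LoginName,
        [Parameter(Mandatory)] [string[]] $Required    # PermissionKind names
    )
    # Queue the server-side effective-permission calculation, then execute it
    $result = $Scope.GetUserEffectivePermissions($LoginName)
    Invoke-PnPQuery
    # Return only the required permission kinds the user does NOT hold
    $Required | Where-Object {
        -not $result.Value.Has([Microsoft.SharePoint.Client.PermissionKind]$_)
    }
}

# Sample values from the steps above
$userEmail = "user@yourtenant.com"
$listName  = "Project Documents"
$itemId    = 5

# Assumption: a cloud (Entra ID) account, whose SharePoint login uses this claims prefix
$loginName = "i:0#.f|membership|$userEmail"

# Assumption: the permissions a contributor needs (constructed sample)
$required = 'ViewListItems', 'OpenItems', 'EditListItems'

# Scopes to test, from broadest to narrowest
$scopes = [ordered]@{
    "Site"             = Get-PnPWeb
    "List '$listName'" = Get-PnPList -Identity $listName -ThrowExceptionIfListNotFound
    "Item $itemId"     = Get-PnPListItem -List $listName -Id $itemId
}

foreach ($name in $scopes.Keys) {
    $missing = Get-MissingPermission -Scope $scopes[$name] -LoginName $loginName -Required $required
    [pscustomobject]@{
        Scope   = $name
        Access  = if ($missing) { 'Incomplete' } else { 'OK' }
        Missing = $missing -join ', '
    }
}
```

A scope that shows `OK` while a narrower scope shows `Incomplete` points to broken permission inheritance on the list or item, which is the usual reason a user can open a site but not a specific document.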
Common Errors & Solutions
Error | Cause | Solution |
---|---|---|
User not found | Incorrect email format or user doesn’t exist | Ensure the email is correct and the user is added to the site |
List not found | Incorrect list name | Run Get-PnPList to check the correct list name |
Access Denied | Insufficient admin rights | Ensure you have Site Owner or SharePoint Admin permissions |
No permissions returned | The user has no access | Assign necessary permissions using Set-PnPListItemPermission |