Exporting OneDrive Permission Reports using PnP PowerShell

Managing OneDrive for Business permissions is crucial to ensure data security and compliance. With PnP PowerShell, admins can:
✔ Retrieve OneDrive site permissions
✔ List users and groups with access
✔ Identify external users
✔ Export permission details to a CSV report

This guide provides step-by-step instructions on exporting OneDrive permission reports using PnP PowerShell.


Step 1: Install & Update PnP PowerShell

Before running the scripts, ensure you have PnP PowerShell installed. Open PowerShell as Administrator and run:

Install-Module -Name PnP.PowerShell -Force -AllowClobber

To update:

Update-Module -Name PnP.PowerShell

Step 2: Connect to SharePoint Online (OneDrive Admin Center)

Since OneDrive for Business is part of SharePoint Online, connect to the SharePoint Admin Center:

$adminUrl = "https://yourtenant-admin.sharepoint.com"
Connect-PnPOnline -Url $adminUrl -Scopes "Sites.FullControl.All" -Interactive

For app-based authentication:

$clientId = "your-client-id"
$tenantId = "your-tenant-id"
$clientSecret = "your-client-secret"

Connect-PnPOnline -Url $adminUrl -ClientId $clientId -ClientSecret $clientSecret -Tenant $tenantId

Step 3: Retrieve OneDrive Sites

To list all OneDrive sites in your tenant:

$oneDriveSites = Get-PnPTenantSite -IncludeOneDriveSites | Where-Object { $_.Url -like "*-my.sharepoint.com/personal/*" }
$oneDriveSites

Step 4: Retrieve OneDrive Permission Details

Get OneDrive Permissions for a Specific User

To list the permissions set on a specific user's OneDrive:

$oneDriveUrl = "https://yourtenant-my.sharepoint.com/personal/user_yourdomain_com"
Connect-PnPOnline -Url $oneDriveUrl -Interactive

$permissions = Get-PnPListItemPermission -List "Documents"
$permissions

Step 5: Export OneDrive Permissions to CSV

To generate a full report of all users and groups with access to OneDrive files, use:

$reportPath = "C:\Reports\OneDrive_Permission_Report.csv"
$permissionReport = @()

foreach ($site in $oneDriveSites) {
    Connect-PnPOnline -Url $site.Url -Interactive
    $listItems = Get-PnPListItem -List "Documents"

    foreach ($item in $listItems) {
        $permissions = Get-PnPListItemPermission -List "Documents" -Identity $item.Id

        foreach ($perm in $permissions) {
            $permissionReport += [PSCustomObject]@{
                OneDriveSite = $site.Url
                FileName     = $item.FieldValues.FileLeafRef
                FileUrl      = $item.FieldValues.FileRef
                UserOrGroup  = $perm.PrincipalName
                Role         = $perm.RoleDefinitionBindings
            }
        }
    }
}

$permissionReport | Export-Csv -Path $reportPath -NoTypeInformation
Write-Host "OneDrive permission report exported to $reportPath"

The report contains the following columns:

OneDriveSite → OneDrive URL
FileName → Name of the file/folder
FileUrl → Full file path
UserOrGroup → Name of the user or group with access
Role → Permission level (Read, Edit, Owner, etc.)


Step 6: Retrieve External Users with Access

To list external users who have access to OneDrive:

$externalUsers = @()

foreach ($site in $oneDriveSites) {
    Connect-PnPOnline -Url $site.Url -Interactive
    $listItems = Get-PnPListItem -List "Documents"

    foreach ($item in $listItems) {
        $permissions = Get-PnPListItemPermission -List "Documents" -Identity $item.Id

        foreach ($perm in $permissions) {
            # Matches any principal name containing "@". Internal accounts whose
            # name is an email address match too, so review the output.
            if ($perm.PrincipalName -match "@") {
                $externalUsers += [PSCustomObject]@{
                    OneDriveSite = $site.Url
                    FileName     = $item.FieldValues.FileLeafRef
                    FileUrl      = $item.FieldValues.FileRef
                    ExternalUser = $perm.PrincipalName
                    Role         = $perm.RoleDefinitionBindings
                }
            }
        }
    }
}

$externalUsers | Export-Csv -Path "C:\Reports\OneDrive_ExternalUsers.csv" -NoTypeInformation
Write-Host "External user access report exported."
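
The "@" test in Step 6 cannot tell internal accounts from external ones, because every user principal name contains "@". The script below is an added example, not part of the original guide: it classifies each principal by its SharePoint login name instead. It assumes the login name has been captured in a LoginName column; Get-PrincipalClass, that column name and the sample rows are constructed for illustration.

```powershell
# Added example. Get-PrincipalClass and the LoginName column are hypothetical names.
function Get-PrincipalClass {
    param([Parameter(Mandatory)][string]$LoginName)

    # Claims-encoded names may be URL-escaped (urn%3aspo%3aguest), so decode first.
    $name = [uri]::UnescapeDataString($LoginName).ToLowerInvariant()

    switch -Regex ($name) {
        '#ext#'              { return 'Guest' }                   # B2B guest account in the tenant
        'urn:spo:guest#'     { return 'AdHocExternal' }           # one-time-passcode recipient
        '^c:0\(\.s\|true$'   { return 'Everyone' }                # every authenticated user, guests included
        'spo-grid-all-users' { return 'EveryoneExceptExternal' }  # internal users only
        default              { return 'Internal' }
    }
}

# Constructed sample rows (contoso and fabrikam are placeholder domains).
$rows = @(
    [PSCustomObject]@{ FileUrl = '/personal/alice_contoso_com/Documents/plan.docx'
                       LoginName = 'i:0#.f|membership|bob@contoso.com'; Role = 'Edit' }
    [PSCustomObject]@{ FileUrl = '/personal/alice_contoso_com/Documents/plan.docx'
                       LoginName = 'i:0#.f|membership|carol_fabrikam.com#ext#@contoso.onmicrosoft.com'; Role = 'Edit' }
    [PSCustomObject]@{ FileUrl = '/personal/alice_contoso_com/Documents/budget.xlsx'
                       LoginName = 'i:0#.f|membership|urn%3aspo%3aguest#dave@fabrikam.com'; Role = 'Read' }
    [PSCustomObject]@{ FileUrl = '/personal/alice_contoso_com/Documents/notes.txt'
                       LoginName = 'c:0(.s|true'; Role = 'Read' }
)

# Add a Class column to every row.
$classified = $rows |
    Select-Object *, @{ Name = 'Class'; Expression = { Get-PrincipalClass $_.LoginName } }

# Keep only grants that reach people outside the organisation.
$external = $classified | Where-Object { $_.Class -in 'Guest', 'AdHocExternal', 'Everyone' }
$external | Format-Table FileUrl, Role, Class, LoginName -AutoSize

# For comparison: the rows the "@" test selects from the same data.
$atMatch = $rows | Where-Object { $_.LoginName -match '@' }
"'@' test selects $(@($atMatch).Count) rows; login-name test selects $(@($external).Count) rows"
```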

Step 7: Automate OneDrive Permission Reporting

1. Open Task Scheduler

  • Click Start, search for Task Scheduler, and open it.
  • Click Create Basic Task.
  • Name it “OneDrive Permission Report”.

2. Set Trigger

  • Choose Weekly or another frequency.
  • Set execution time.

3. Set Action

  • Select Start a Program.
  • In Program/Script, enter: powershell.exe
  • In Arguments, enter: -File "C:\Scripts\OneDrivePermissionReport.ps1"
  • Click Finish.

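This generates the OneDrive permission report automatically on the chosen schedule. Because a scheduled task runs unattended, the script must connect with the app-based authentication from Step 2 rather than -Interactive, which requires a user to sign in.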


Step 8: Review & Monitor Permissions

To manually check permissions for a file/folder, use:

$oneDriveUrl = "https://yourtenant-my.sharepoint.com/personal/user_yourdomain_com"
Connect-PnPOnline -Url $oneDriveUrl -Interactive

$permissions = Get-PnPListItemPermission -List "Documents" -Identity 1
$permissions

✔ Identify users with edit/owner roles
✔ Find external users
✔ Ensure secure data access
