
In SharePoint Online, managing site collection permissions ensures users and groups have the appropriate access to perform their tasks while maintaining security. Using PnP PowerShell, you can automate the process of granting, modifying, and removing permissions for users and groups at the site collection level.
Key Topics Covered:
✔️ Checking site collection permissions
✔️ Granting permissions to users and groups
✔️ Removing user access
✔️ Breaking and resetting permission inheritance
✔️ Assigning unique permissions
Prerequisites
Before starting, ensure you have:
✔️ PnP PowerShell installed
✔️ SharePoint Admin or Site Collection Admin rights
✔️ The URL of the site collection you want to manage
Step 1: Install and Import PnP PowerShell
If you haven’t installed PnP PowerShell, run:
Install-Module -Name PnP.PowerShell -Scope CurrentUser -AllowClobber -Force
Then, import the module:
Import-Module PnP.PowerShell
PnP PowerShell is ready!
Step 2: Connect to SharePoint Online
Use the following command to connect to your SharePoint Online site:
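Connect-PnPOnline -Url "https://yourtenant.sharepoint.com/sites/yoursite" -Interactive -ClientId "<your-app-client-id>"
🔹 Replace "yourtenant" with your SharePoint tenant name
🔹 Replace "yoursite" with your actual site name
🔹 Replace "<your-app-client-id>" with the client ID of your own Entra ID app registration, which current PnP PowerShell releases require for interactive sign-in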
Connected successfully!
Step 3: Check Site Collection Permissions
To list all users and groups with access to the site collection:
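Get-PnPUser -WithRightsAssigned   # users that currently hold rights on the site
Get-PnPGroup                      # SharePoint groups defined on the site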
To check permissions of a specific user:
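Get-PnPUser -Identity "i:0#.f|membership|user@yourdomain.com"
🔹 Replace "user@yourdomain.com" with the actual user’s email. -Identity expects the login name, which for a work account is the claims form shown here.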
Permissions checked!
Step 4: Granting Permissions to a User or Group
To grant permissions to a user at the site collection level:
# Define variables
$userEmail = "user@yourdomain.com"
$permissionLevel = "Contribute"
# Grant permission
Set-PnPWebPermission -User $userEmail -AddRole $permissionLevel
🔹 This assigns the Contribute permission level to the user.
🔹 Other common permission levels: Read, Edit, Full Control
Permission granted successfully!
Step 5: Granting Permissions to a SharePoint Group
To assign permissions to a SharePoint group:
# Define variables
$groupName = "Site Members"
$permissionLevel = "Edit"
# Assign permission
Set-PnPGroupPermissions -Identity $groupName -AddRole $permissionLevel
🔹 Replace "Site Members" with the actual SharePoint group name.
Group permission assigned!
Step 6: Removing a User’s Access
To remove a user’s access from the site collection:
# Define the user's login name (claims form for a work account)
$loginName = "i:0#.f|membership|user@yourdomain.com"
# Remove the user from the site collection
Remove-PnPUser -Identity $loginName
User access removed!
Step 7: Breaking Permission Inheritance
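By default, a site inherits permissions from its parent site; the root site of a site collection has no parent to inherit from. You can break this inheritance to apply unique permissions:
(Get-PnPWeb).BreakRoleInheritance($false, $true)   # CSOM: copyRoleAssignments = $false, clearSubscopes = $true
Invoke-PnPQuery
This breaks inheritance and removes inherited permissions, leaving the account that ran the command as the only principal with access until you grant others.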
Permissions are now unique to this site collection!
Step 8: Resetting Permission Inheritance
To restore inheritance, removing all unique permissions:
(Get-PnPWeb).ResetRoleInheritance()   # CSOM call on the current site
Invoke-PnPQuery
🔹 This restores permissions from the parent site.
Permission inheritance restored!
Step 9: Assigning Unique Permissions to a SharePoint Group
To assign unique permissions to a SharePoint group at the site collection level:
# Define variables
$groupName = "Custom Admins"
$permissionLevel = "Full Control"
# Assign unique permissions
Set-PnPGroupPermissions -Identity $groupName -AddRole $permissionLevel
Group now has unique permissions!
Step 10: Checking User Permissions on a Site
To verify a user’s permissions:
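$perms = (Get-PnPWeb).GetUserEffectivePermissions("i:0#.f|membership|user@yourdomain.com"); Invoke-PnPQuery
[enum]::GetValues([Microsoft.SharePoint.Client.PermissionKind]) | Where-Object { $perms.Value.Has($_) }
This lists all permissions the user effectively holds on the site. The user is identified by login name, which for a work account is the claims form shown.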
User permissions checked!
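After granting, removing, or resetting permissions as in the steps above, it helps to review what is actually assigned on the site. The script below is an added example, not part of the original guide: it assumes an existing Connect-PnPOnline session and English permission level names, and the $report variable and the CSV file name are illustrative.

```powershell
# Added example: audit the direct role assignments on the connected site.
# Assumes Connect-PnPOnline has already been run against the site to review.
$web = Get-PnPWeb -Includes HasUniqueRoleAssignments, RoleAssignments

$report = foreach ($ra in $web.RoleAssignments) {
    # Load the principal and the permission levels bound to this assignment
    Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null

    foreach ($role in $ra.RoleDefinitionBindings) {
        # "Limited Access" is added automatically by SharePoint; skip it
        if ($role.Name -eq 'Limited Access') { continue }

        [pscustomobject]@{
            Principal     = $ra.Member.Title
            LoginName     = $ra.Member.LoginName
            PrincipalType = $ra.Member.PrincipalType   # User, SharePointGroup, SecurityGroup
            Role          = $role.Name
            # Review flags
            DirectUser    = $ra.Member.PrincipalType -eq 'User'    # granted outside any group
            Guest         = $ra.Member.LoginName -like '*#ext#*'   # external (guest) account
            FullControl   = $role.Name -eq 'Full Control'
        }
    }
}

"Unique permissions on this site: $($web.HasUniqueRoleAssignments)"
$report | Sort-Object Role, Principal |
    Format-Table Principal, PrincipalType, Role, Guest -AutoSize

# Entries that usually deserve a second look: Full Control, guests, direct user grants
$report | Where-Object { $_.FullControl -or $_.Guest -or $_.DirectUser } |
    Export-Csv -Path .\site-permission-review.csv -NoTypeInformation
```

Users who receive access only through a SharePoint group appear here under the group's name; list the group's members with Get-PnPGroupMember to see them individually.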
Common Errors & Solutions
| Error | Cause | Solution | 
|---|---|---|
| Access Denied | Insufficient permissions | Ensure you are a Site Collection Admin | 
| User not found | Incorrect email or user not added to the site | Verify user exists in SharePoint | 
| Group not found | Wrong group name | Use Get-PnPGroup to check available groups |
| Cannot modify built-in permissions | System restriction | Only custom permissions can be modified | 
