SharePoint Online: Delete Unique Permissions for All Items in a List using PowerShell

Source: https://www.sharepointdiary.com/2016/02/powershell-to-delete-unique-permissions-for-all-list-items-sharepoint-online.html

Requirement: Reset all customized permissions in all documents of a SharePoint Online document library.

By default, permissions are inherited from the parent at every level of SharePoint. E.g., subsites inherit permissions from their parent site collection (or parent site), lists and libraries inherit permissions from the site, and items in a list inherit permissions from the list. So, if you change permissions at the parent level, every child underneath automatically inherits the change unless the child uses its own unique permissions.

At times, you may have to set up unique permissions at a granular level, and of course, you may have to reset the broken permissions as well.

How to Delete Unique Permissions in SharePoint?

To reset custom permissions on SharePoint list items or documents, follow these steps:

  1. Navigate to the SharePoint library where your documents are stored.
  2. Right-click on the document and choose “Manage Access” from the menu.
  3. Click on the “Advanced” link at the bottom of the “Manage Access” pane, then click on the “Delete Unique Permissions” button from the ribbon. Confirm the prompt once!

Alright, now the permissions are set to Inherited from the parent library of the document. But wait, picking every individual document and repeating these steps to remove unique permissions is tedious, wouldn’t you agree? So, I wrote this PowerShell script to Reset Broken Inheritance on all items in a SharePoint List.

How do I get rid of limited access in SharePoint Online?

Limited Access means the user has access to an underlying object. E.g., if you grant unique permissions on a document, the specific user will have “Limited Access” at the document library level. It gives the user just enough permission to reach the item they have access to. To remove the limited access, you need to remove the unique permissions on the items the user has access to.

PowerShell to Remove Unique Permissions from a SharePoint Online List Item:

You need the SharePoint Online Client SDK installed on your client machine to use this code: https://www.microsoft.com/en-us/download/details.aspx?id=42038. Here is how to remove all unique permissions from a SharePoint Online list item:

#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
 
#Function to remove unique permissions and inherit from the parent
Function Remove-ListItemUniquePermissions
{
param
    (
        [Parameter(Mandatory=$true)] [string] $SiteURL,
        [Parameter(Mandatory=$true)] [string] $ListName,
        [Parameter(Mandatory=$true)] [string] $ItemID       
    )
 
    Try {
        $Cred= Get-Credential
        $Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)
 
        #Setup the context
        $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
        $Ctx.Credentials = $Credentials
 
        #Remove unique permissions and reset inheritance
        $List=$Ctx.Web.Lists.GetByTitle($ListName)
        $ListItem=$List.GetItemByID($ItemID)
        $ListItem.ResetRoleInheritance()
        $Ctx.ExecuteQuery()
 
        Write-Host "Unique Permissions are removed and inherited from the Parent!" -ForegroundColor Green
    }
 
    Catch {
        write-host -f Red "Error Deleting Unique Permissions!" $_.Exception.Message
    } 
}
 
#Parameters
$SiteURL="https://crescent.sharepoint.com"
$ListName="Projects"
$ItemID="25"
 
#Call the function to remove unique permissions from a list
Remove-ListItemUniquePermissions -SiteURL $SiteURL -ListName $ListName -ItemID $ItemID 

PowerShell Script to Delete Unique Permissions for All List Items in SharePoint Online

Here is the SharePoint Online PowerShell to reset unique permissions:

#Load SharePoint Online Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
   
##Variables for Processing
$SiteUrl = "https://crescent.sharepoint.com/sites/Sales/"
$ListName= "Documents"
$UserName= "Salaudeen@crescent.com"
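#Placeholder only: do not save a real password in the script file. Get-Credential, used in the other scripts on this page, prompts for it instead
$Password ="Password goes here"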
  
#Setup Credentials to connect
$Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($UserName,(ConvertTo-SecureString $Password -AsPlainText -Force))
  
#Set up the context
$Context = New-Object Microsoft.SharePoint.Client.ClientContext($SiteUrl) 
$Context.Credentials = $credentials
   
#Get the List
$List = $Context.web.Lists.GetByTitle($ListName)
  
#Get All List Items
$Query = New-Object Microsoft.SharePoint.Client.CamlQuery
$ListItems = $List.GetItems($Query)
$Context.Load($ListItems)
$Context.ExecuteQuery()
 
Write-host "Total Items Found: $($ListItems.Count)"
#Iterate through each list item
 $ListItems |  foreach {
    #Delete Unique Permission
    $_.ResetRoleInheritance()
 }
$Context.ExecuteQuery()
 
Write-host "Broken Permissions are Deleted on All Items!" -ForegroundColor Green

We can make two improvements to the above script:

  1. The above script doesn’t handle large lists with > 5000 items. 
  2. The above script simply resets inheritance without checking if the list item has unique permissions.

So, let us resolve the above issues, and here is the updated script:

Delete Unique Permissions in SharePoint Online using PowerShell

Here is the PowerShell to reset unique permissions in large lists or document libraries (with more than 5000 items!)

#Load SharePoint Online Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
 
##Variables for Processing
$SiteUrl = "https://crescent.sharepoint.com"
$ListName= "Documents"
   
#Get Credentials to connect
$Cred= Get-Credential
$Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)
   
#Set up the context
$Context = New-Object Microsoft.SharePoint.Client.ClientContext($SiteUrl) 
$Context.Credentials = $Credentials
    
#Get the List
$List = $Context.web.Lists.GetByTitle($ListName)
 
$Query = New-Object Microsoft.SharePoint.Client.CamlQuery
$Query.ViewXml = "<View Scope='RecursiveAll'><RowLimit>2000</RowLimit></View>"
 
#Batch process list items - to mitigate list threshold issue on larger lists
Do {  
    #Get items from the list in batches
    $ListItems = $List.GetItems($Query)
    $Context.Load($ListItems)
    $Context.ExecuteQuery()
           
    $Query.ListItemCollectionPosition = $ListItems.ListItemCollectionPosition
  
    #Loop through each List item
    ForEach($ListItem in $ListItems)
    {
        $ListItem.Retrieve("HasUniqueRoleAssignments")
        $Context.ExecuteQuery()
        if ($ListItem.HasUniqueRoleAssignments -eq $true)
        {
            #Reset Permission Inheritance
            $ListItem.ResetRoleInheritance()
            Write-host  -ForegroundColor Yellow "Inheritance Restored on Item:" $ListItem.ID
        }
    }
    $Context.ExecuteQuery()
} While ($Query.ListItemCollectionPosition -ne $null)
  
Write-host "Broken Permissions are Deleted on All Items!" -ForegroundColor Green

PnP PowerShell to Remove Unique Permissions from all Items in a List

To reset permissions on a list item, we can use the Set-PnPListItemPermission cmdlet with the “InheritPermissions” switch.

#Set Variables
$SiteURL = "https://crescent.sharepoint.com/sites/Marketing"
$ListName = "Documents"
  
#Connect to PnP Online
Connect-PnPOnline -Url $SiteURL -Credentials (Get-Credential)
 
#Get all list items in batches
$ListItems = Get-PnPListItem -List $ListName -PageSize 500
 
#Iterate through each list item
ForEach($ListItem in $ListItems)
{
    #Check if the Item has unique permissions
    $HasUniquePermissions = Get-PnPProperty -ClientObject $ListItem -Property "HasUniqueRoleAssignments"
    If($HasUniquePermissions)
    {        
        $Msg = "Deleting Unique Permissions on {0} '{1}' at {2} " -f $ListItem.FileSystemObjectType,$ListItem.FieldValues["FileLeafRef"],$ListItem.FieldValues["FileRef"]
        Write-host $Msg
        #Delete unique permissions on the list item
        Set-PnPListItemPermission -List $ListName -Identity $ListItem.ID -InheritPermissions
    }
}
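
Resetting inheritance discards the item-level grants, so it helps to record them first. The following is an added example, not part of the original post: it writes each item's role assignments to a CSV before resetting and supports -WhatIf for a preview run. The function name Reset-ListItemPermissionsWithBackup and the CSV path are hypothetical, and it assumes Connect-PnPOnline has already been run against the site.

```powershell
#Added example: record item-level role assignments to CSV, then reset inheritance
#Assumes Connect-PnPOnline has already been run against the target site
Function Reset-ListItemPermissionsWithBackup   #hypothetical function name
{
    [CmdletBinding(SupportsShouldProcess = $true)]
    param
    (
        [Parameter(Mandatory=$true)] [string] $ListName,
        [Parameter(Mandatory=$true)] [string] $BackupCsvPath   #hypothetical output path
    )

    $Backup = @()
    $UniqueItems = @()
    $ListItems = Get-PnPListItem -List $ListName -PageSize 500

    #Pass 1: collect every role assignment on items with broken inheritance
    ForEach ($ListItem in $ListItems)
    {
        $HasUniquePermissions = Get-PnPProperty -ClientObject $ListItem -Property "HasUniqueRoleAssignments"
        If (-not $HasUniquePermissions) { Continue }

        $UniqueItems += $ListItem
        Get-PnPProperty -ClientObject $ListItem -Property RoleAssignments | Out-Null
        ForEach ($RoleAssignment in $ListItem.RoleAssignments)
        {
            Get-PnPProperty -ClientObject $RoleAssignment -Property RoleDefinitionBindings, Member | Out-Null
            $Backup += [PSCustomObject]@{
                ItemID      = $ListItem.ID
                FileRef     = $ListItem.FieldValues["FileRef"]
                Principal   = $RoleAssignment.Member.LoginName
                Permissions = ($RoleAssignment.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join "; "
            }
        }
    }

    #Write the record before changing anything, even when previewing with -WhatIf
    $Backup | Export-Csv -Path $BackupCsvPath -NoTypeInformation -WhatIf:$false

    #Pass 2: reset inheritance only on the items recorded above
    ForEach ($ListItem in $UniqueItems)
    {
        If ($PSCmdlet.ShouldProcess($ListItem.FieldValues["FileRef"], "Delete unique permissions"))
        {
            Set-PnPListItemPermission -List $ListName -Identity $ListItem.ID -InheritPermissions
        }
    }
}

#Preview first; run again without -WhatIf to apply
Reset-ListItemPermissionsWithBackup -ListName "Documents" -BackupCsvPath "C:\Temp\UniquePermissions.csv" -WhatIf
```

The CSV rows will include “Limited Access” entries where they exist; those are side effects of grants on child objects rather than permissions someone assigned directly.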

Reset Unique Permissions for All files in a Folder using PnP PowerShell

This time, let’s use PnP PowerShell to reset unique permissions on all files stored in a SharePoint Online Folder:

#Parameters
$SiteURL = "https://crescent.sharepoint.com/sites/Marketing"
$FolderServerRelativeURL = "/sites/Marketing/Branding/2018"
 
#Connect to the site
Connect-PnPOnline -Url $SiteURL -Interactive
 
#Get the Folder from given URL
$Folder = Get-PnPFolder -Url $FolderServerRelativeURL -Includes ListItemAllFields.ParentList
$ParentList = $Folder.ListItemAllFields.ParentList.Title
 
#Get All Files from the Folder
$Files = Get-PnPListItem -List $ParentList -FolderServerRelativeUrl $Folder.ServerRelativeUrl | Where {$_.FileSystemObjectType -eq "File"}
 
#Traverse through each file in the folder
ForEach ($File in $Files)
{
    #Check If File has Unique Permissions
    $HasUniquePermissions = Get-PnPProperty -ClientObject $File -Property HasUniqueRoleAssignments
    If($HasUniquePermissions)
    {
        #Reset Broken Inheritance
        $File.ResetRoleInheritance()
        $File.update()
        Invoke-PnPQuery
        Write-Host "Reset Unique Permissions on File $($File.FieldValues["FileRef"])" -ForegroundColor Green
    }
}

Similarly, you can reset unique permissions in SharePoint Online sites, lists, and folders with PowerShell as:
