March 3, 2026

How to Audit Specific User Permissions Across All SharePoint Online Sites Using PowerShell

Introduction

Managing user access in SharePoint Online can be challenging – especially when you want to audit permissions for specific users across all site collections.

We use a PowerShell script that:

  • Retrieves permissions for multiple users
  • Identifies direct and group-based permissions
  • Scans all accessible SharePoint sites
  • Exports the results to a CSV report that opens in Excel

We will guide you step by step on how to configure and run the script.


Pre-Requisites:

  1. PnP PowerShell Module

     The script uses the PnP.PowerShell cmdlets (Connect-PnPOnline, Get-PnPTenantSite, Get-PnPWeb, Get-PnPGroup), so install the module first with Install-Module PnP.PowerShell.

  2. Admin Credentials

     You must log in using a SharePoint Administrator account.

  3. Azure AD Application Details

     Collect the following values from the Azure AD App Registration:

     • Client ID
     • Tenant ID

  4. Permission to All SharePoint Sites

     Only sites you can access will return data.

  5. Users.csv File

     The file contains the list of user email addresses you want to check.

     Example Users.csv: a single column whose header is UserEmail, with one email address per row (the script reads that column name).

  6. Script and CSV File in the Same Folder

     • GetSpecificUsersPermission.ps1
     • Users.csv

Configure the Script:

Open the GetSpecificUsersPermission.ps1 file and update:

  • AdminSiteURL → your admin URL, e.g. https://yourtenant-admin.sharepoint.com
  • ClientId → your registered application's Client ID
  • TenantId → your Azure AD Tenant ID
  • usersCSV → the CSV file name, if you changed it

PowerShell Script: GetSpecificUsersPermission.ps1


# Parameters
$AdminSiteURL = "https://yourtenant-admin.sharepoint.com"
$ClientId = "ClientId"
$TenantId = "TenantId"
$usersCSV = "users.csv"

# Get the folder where this script is located
$scriptFolder = $PSScriptRoot

$ReportOutput = Join-Path -Path $scriptFolder -ChildPath "SpecificUsersPermissionReport.csv"

$UsersCsvPath = Join-Path -Path $scriptFolder -ChildPath $usersCSV

Write-Host "CSV will be saved to: $ReportOutput"
Write-Host "Reading users from: $UsersCsvPath"

# Users.csv must contain a column named UserEmail
$UsersToCheck = Import-Csv -Path $UsersCsvPath | Select-Object -ExpandProperty UserEmail

# Connect to Admin Center (interactive browser sign-in with the registered app)
$AdminConnection = Connect-PnPOnline -Url $AdminSiteURL -ClientId $ClientId `
    -Tenant $TenantId -Interactive -ReturnConnection

# Get all site collections
$Sites = Get-PnPTenantSite -Connection $AdminConnection

$Results = @()

foreach ($Site in $Sites) {
    Write-Host "Processing site: $($Site.Url)" -ForegroundColor Cyan

    # Connect to the actual site. -ReturnConnection is required, otherwise
    # $SiteConnection stays empty and every -Connection call below fails.
    try {
        $SiteConnection = Connect-PnPOnline -Url $Site.Url -ClientId $ClientId `
            -Tenant $TenantId -Interactive -ReturnConnection
    }
    catch {
        Write-Warning "Cannot connect to site $($Site.Url). Skipping."
        continue
    }

    try {
        # Get the root web and its role assignments
        $Web = Get-PnPWeb -Connection $SiteConnection -Includes `
            RoleAssignments, HasUniqueRoleAssignments

        foreach ($RoleAssignment in $Web.RoleAssignments) {

            # Load the member and the permission levels bound to this assignment
            Get-PnPProperty -ClientObject $RoleAssignment -Property `
                RoleDefinitionBindings, Member -Connection $SiteConnection | Out-Null

            $PermissionLevels = ($RoleAssignment.RoleDefinitionBindings |
                Select-Object -ExpandProperty Name) -join ", "

            # Direct user: LoginName looks like i:0#.f|membership|user@contoso.com,
            # so the last '|'-separated part is the email address
            if ($RoleAssignment.Member.PrincipalType -eq "User") {

                $UserEmail = ($RoleAssignment.Member.LoginName -split '\|')[-1]

                if ($UsersToCheck -contains $UserEmail) {
                    $Results += [PSCustomObject]@{
                        SiteURL          = $Site.Url
                        UserOrGroupName  = $RoleAssignment.Member.Title
                        Type             = "Direct User"
                        PermissionLevels = $PermissionLevels
                    }
                }
            }

            # SharePoint group: expand its members and match each one
            elseif ($RoleAssignment.Member.PrincipalType -eq "SharePointGroup") {

                try {
                    $Group = Get-PnPGroup -Identity $RoleAssignment.Member.Title `
                        -Includes Users -Connection $SiteConnection

                    foreach ($User in $Group.Users) {

                        $UserEmail = ($User.LoginName -split '\|')[-1]

                        if ($UsersToCheck -contains $UserEmail) {
                            $Results += [PSCustomObject]@{
                                SiteURL          = $Site.Url
                                UserOrGroupName  = $User.Title
                                Type             = "User (via Group: $($RoleAssignment.Member.Title))"
                                PermissionLevels = $PermissionLevels
                            }
                        }
                    }
                }
                catch {
                    Write-Warning "Cannot access group $($RoleAssignment.Member.Title) in site $($Site.Url). Skipping."
                }
            }
        }
    }
    finally {
        # Disconnect once per site, after all role assignments have been read
        # (disconnecting inside the loop would break the remaining group lookups)
        if ($SiteConnection) {
            Disconnect-PnPOnline -Connection $SiteConnection
        }
    }
}

if ($AdminConnection) {
    Disconnect-PnPOnline -Connection $AdminConnection
}

# Export results to CSV
$Results | Export-Csv -Path $ReportOutput -NoTypeInformation

Write-Host "Report generated successfully at $ReportOutput"


How to Run the Script:

  1. Open PowerShell
  2. Navigate to your script folder:

    cd "C:\YourFolder"

  3. Run the script:

    .\GetSpecificUsersPermission.ps1

  4. Enter your admin credentials
  5. Complete browser authentication
  6. Wait for the report to be generated

Output Report:

The script generates a CSV report (SpecificUsersPermissionReport.csv, which opens directly in Excel) with one row per match, containing:

  • SiteURL – the site collection where the user was found
  • UserOrGroupName – the matched user's display name
  • Type – "Direct User" or "User (via Group: <group name>)"
  • PermissionLevels – the permission levels bound to that role assignment (e.g. Full Control, Edit, Read)

You will find the .csv report in the same folder as the script.

Note that the script reads the role assignments of each site collection's root web only. Subsites, lists and items that break permission inheritance are not visited, and Entra ID security groups nested inside a SharePoint group are not expanded, so a user missing from the report may still hold access through one of those paths.
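The script above reads only the root web of each site collection. As an added example (not part of the original script), the following PowerShell also walks subsites and lists that break inheritance, which is where stray grants usually hide in an audit. It assumes $SiteConnection and $UsersToCheck are already set as in the script; Get-MatchingRoleAssignments is a helper name chosen here.

```powershell
# Added example: audit securable objects with unique role assignments.
# Assumes $SiteConnection and $UsersToCheck exist (see the main script).
function Get-MatchingRoleAssignments {
    param($Securable, [string]$Scope, [string[]]$Users, $Connection)
    $found = @()
    $assignments = Get-PnPProperty -ClientObject $Securable -Property RoleAssignments -Connection $Connection
    foreach ($ra in $assignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings -Connection $Connection | Out-Null
        $levels = ($ra.RoleDefinitionBindings | Select-Object -ExpandProperty Name) -join ", "
        $member = $ra.Member
        if ($member.PrincipalType -eq "User") {
            $members = @(@{ Email = ($member.LoginName -split '\|')[-1]; Title = $member.Title; Via = $null })
        } elseif ($member.PrincipalType -eq "SharePointGroup") {
            try { $grp = Get-PnPGroup -Identity $member.Title -Includes Users -Connection $Connection }
            catch { Write-Warning "Cannot read group $($member.Title) at $Scope"; continue }
            $members = $grp.Users | ForEach-Object { @{ Email = ($_.LoginName -split '\|')[-1]; Title = $_.Title; Via = $member.Title } }
        } else { continue }   # Entra ID security groups etc. are not expanded here
        foreach ($m in $members) {
            if ($Users -contains $m.Email) {
                $found += [PSCustomObject]@{
                    Scope            = $Scope
                    UserOrGroupName  = $m.Title
                    Type             = if ($m.Via) { "User (via Group: $($m.Via))" } else { "Direct User" }
                    PermissionLevels = $levels
                }
            }
        }
    }
    return $found
}

$Results = @()
$Root = Get-PnPWeb -Connection $SiteConnection
$Results += Get-MatchingRoleAssignments -Securable $Root -Scope $Root.Url -Users $UsersToCheck -Connection $SiteConnection

# Subsites that do not inherit permissions from their parent
foreach ($sub in Get-PnPSubWeb -Recurse -Includes HasUniqueRoleAssignments -Connection $SiteConnection) {
    if ($sub.HasUniqueRoleAssignments) {
        $Results += Get-MatchingRoleAssignments -Securable $sub -Scope $sub.Url -Users $UsersToCheck -Connection $SiteConnection
    }
}

# Lists and libraries with broken inheritance (hidden system lists skipped)
foreach ($list in Get-PnPList -Includes HasUniqueRoleAssignments, Hidden -Connection $SiteConnection) {
    if ($list.HasUniqueRoleAssignments -and -not $list.Hidden) {
        $Results += Get-MatchingRoleAssignments -Securable $list -Scope "$($Root.Url) / $($list.Title)" -Users $UsersToCheck -Connection $SiteConnection
    }
}
```

The Scope column tells you whether a match came from the root web, a subsite or a specific list, which is the detail you need when deciding where inheritance should be restored.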

Conclusion:

This approach gives SharePoint administrators a quick and efficient way to:

  • Audit Permissions.
  • Verify access.
  • View direct & group permissions.
  • Export clean reports for governance.
  • Just update the script, run it and your report is ready.

If you have any questions you can reach out to our SharePoint Consulting team here.
