Set custom permissions for a site in SharePoint Online with PowerShell

This is the last part (10 of 10) of the series on SharePoint Online with PowerShell, in which we set custom permissions for a site. The series as a whole:

In part 1 we collect all available web templates, so that we can use one to create a new site in part 2. In part 3 we create a web under the newly created site. In part 4 we create a couple of site columns, which we combine into a content type in part 5. Using a list template from part 6 we create a document library in part 7, and in part 8 we add the content type to it. After everything is set, in part 9 we set the view of this list to show the columns that came with the content type. Finally, since I only want to set permissions for myself, in part 10 I break the permission inheritance and set custom permissions.

Set custom permissions for a site in SharePoint Online

This script first breaks the permission inheritance of the site (so it no longer follows its parent's permissions), then creates three SharePoint groups (owners, members and visitors), adds them to the site with the specified permission levels (Full Control, Edit and Read) and finally adds one user to the members group. We start by opening the SharePoint Online Management Shell as administrator; it can be downloaded at https://www.microsoft.com/en-us/download/details.aspx?id=35588.


You will need to change the variables at the top of the function to match your Office 365 tenant ($members is the claims-encoded login name of the user who will be added to the members group), then paste the whole block into PowerShell.

function update-SPOnlineSitePermissions {
  #variables that need to be set before starting the script
  $webURL = "https://spfire.sharepoint.com/sites/BlogDemo/MyFirstWeb"
  $adminUrl = "https://spfire-admin.sharepoint.com"   # kept for consistency with the earlier parts; not used in this script
  $userName = "mpadmin@spfire.onmicrosoft.com"
  $members = "i:0#.f|membership|mpadmin@spfire.onmicrosoft.com"   # claims-encoded login name of the user to add to the members group

  # Let the user fill in their password in the PowerShell window (kept as a SecureString, never in plain text)
  $password = Read-Host "Please enter the password for $($userName)" -AsSecureString

  # set SharePoint Online credentials
  $SPOCredentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($userName, $password)

  # Creating client context object for the web we want to change
  $context = New-Object Microsoft.SharePoint.Client.ClientContext($webURL)
  $context.Credentials = $SPOCredentials
  $web = $context.Web
  $context.Load($web)

  # Stop inheriting permissions from the parent site.
  # First argument: do not copy the parent's role assignments to this web.
  # Second argument: do not clear unique permissions on objects below this web.
  $web.BreakRoleInheritance($false, $false)
  $web.Update()
  #send the request containing all operations to the server
  try {
    $context.ExecuteQuery()
    Write-Host "info: Broken inheritance for $($web.Title)" -ForegroundColor green
  }
  catch {
    Write-Host "info: $($_.Exception.Message)" -ForegroundColor red
  }

  #Create new groups: each group name maps to the permission level it will get
  $siteGroups = [ordered]@{
    "$($web.Title) visitors" = "Read"
    "$($web.Title) members"  = "Edit"
    "$($web.Title) owners"   = "Full Control"
  }
  foreach ($groupName in $siteGroups.Keys) {
    $levelName = $siteGroups[$groupName]

    $gci = New-Object Microsoft.SharePoint.Client.GroupCreationInformation
    $gci.Title = $groupName
    $newGroup = $context.Web.SiteGroups.Add($gci)
    $permissionLevel = $context.Web.RoleDefinitions.GetByName($levelName)

    #Bind Permission Level to Group
    $roleDefBind = New-Object Microsoft.SharePoint.Client.RoleDefinitionBindingCollection($context)
    $roleDefBind.Add($permissionLevel)
    $assignments = $context.Web.RoleAssignments
    $roleAssignment = $assignments.Add($newGroup, $roleDefBind)
    $context.Load($newGroup)
    #send the request containing all operations to the server
    try {
      $context.ExecuteQuery()
      Write-Host "info: Added group '$groupName' with permission level '$levelName'" -ForegroundColor green
    }
    catch {
      Write-Host "info: $($_.Exception.Message)" -ForegroundColor red
    }
  }

  #add user to the members group
  $spGroups = $web.SiteGroups
  $context.Load($spGroups)
  $spGroup = $spGroups.GetByName("$($web.Title) members")

  # EnsureUser resolves the login name to a user object on this site (creating it in the site's user list if needed)
  $spUser = $context.Web.EnsureUser($members)
  $context.Load($spUser)
  $spUserToAdd = $spGroup.Users.AddUser($spUser)
  $context.Load($spUserToAdd)
  try {
    $context.ExecuteQuery()
    Write-Host "info: Added user to members group" -ForegroundColor green
  }
  catch {
    Write-Host "info: $($_.Exception.Message)" -ForegroundColor red
  }
}
update-SPOnlineSitePermissions


You will be asked to enter the password; type it and press Enter.


Verify that the groups have been created with the expected permission levels.
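As an added check that is not part of the original post, the following snippet lists every role assignment on the web after the script has run, so the verification can be done from the same PowerShell session instead of by clicking through the site. It assumes the $context and $web objects created and loaded by the script above (same CSOM assemblies, same credentials); the function name Get-SPOWebRoleAssignments and the report layout are my own. It also flags any principal other than the owners group that holds Full Control, which is the thing a permissions audit of a site with broken inheritance usually wants to know.

```powershell
# Added example, not from the original post: report the role assignments on a web
# and compare them with what the script above was supposed to create.
# Assumes $context (ClientContext) and $web (Web) as created in update-SPOnlineSitePermissions.

function Get-SPOWebRoleAssignments {
  param(
    [Parameter(Mandatory = $true)] [Microsoft.SharePoint.Client.ClientContext] $Context,
    [Parameter(Mandatory = $true)] [Microsoft.SharePoint.Client.Web] $Web
  )

  # First round trip: fetch the collection of role assignments on this web
  $assignments = $Web.RoleAssignments
  $Context.Load($assignments)
  $Context.ExecuteQuery()

  # Second round trip: for each assignment, fetch the principal and its bound permission levels
  foreach ($ra in $assignments) {
    $Context.Load($ra.Member)
    $Context.Load($ra.RoleDefinitionBindings)
  }
  $Context.ExecuteQuery()

  # One row per assignment: who, what kind of principal, and which permission levels
  foreach ($ra in $assignments) {
    [pscustomobject]@{
      Principal     = $ra.Member.Title
      LoginName     = $ra.Member.LoginName
      PrincipalType = $ra.Member.PrincipalType   # User, SharePointGroup, SecurityGroup, ...
      Levels        = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
    }
  }
}

# Usage: $context and $web come from the script above, after its ExecuteQuery calls.
$report = Get-SPOWebRoleAssignments -Context $context -Web $web
$report | Format-Table -AutoSize

# Check 1: the three groups created by the script exist and carry exactly the expected level.
$expected = @{
  "$($web.Title) visitors" = "Read"
  "$($web.Title) members"  = "Edit"
  "$($web.Title) owners"   = "Full Control"
}
foreach ($name in $expected.Keys) {
  $row = $report | Where-Object { $_.Principal -eq $name }
  if ($null -eq $row) {
    Write-Host "warn: group '$name' not found on $($web.Title)" -ForegroundColor yellow
  }
  elseif ($row.Levels -ne $expected[$name]) {
    Write-Host "warn: group '$name' has '$($row.Levels)', expected '$($expected[$name])'" -ForegroundColor yellow
  }
  else {
    Write-Host "ok: '$name' -> $($row.Levels)" -ForegroundColor green
  }
}

# Check 2: anything other than the owners group holding Full Control deserves a look,
# for example an account that was granted it outside this script.
$report |
  Where-Object { $_.Levels -match "Full Control" -and $_.Principal -ne "$($web.Title) owners" } |
  ForEach-Object { Write-Host "review: '$($_.Principal)' ($($_.PrincipalType)) has Full Control" -ForegroundColor yellow }
```

The two ExecuteQuery calls are deliberate: CSOM cannot load the Member and RoleDefinitionBindings of an assignment until the assignment collection itself has been fetched, so the report costs two round trips regardless of how many assignments the web has. Running the second check on every site where inheritance was broken is a cheap way to catch permission drift later on.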

