microsoft-365/sharepoint-inher.ps1
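<#
.SYNOPSIS
    Audits (and optionally fixes) per-file permissions in a set of SharePoint folders.

.DESCRIPTION
    For every file in $Folders the script loads its list item, reports whether the
    item already has unique role assignments, and lists every security-group role
    assignment whose title ends in "SG" (except the excluded titles).

    By default the script is a DRY RUN: it only reports what it would change, and
    every such message is prefixed with "[DRY RUN]". Only when -Apply is given does
    it break inheritance (copying the existing role assignments) and remove the
    matching groups' roles.

.PARAMETER SiteURL
    Site collection URL to connect to.

.PARAMETER ClientId
    Azure AD / Entra ID app registration used for the interactive sign-in.

.PARAMETER Apply
    Perform the permission changes. Omit it to preview only.
#>
param(
    [string]$SiteURL = "https://jranck.sharepoint.com/sites/I-Drive",
    [string]$ClientId = "deccb19c-bfba-483c-84aa-ee7076b19053",
    [switch]$Apply
)

# Import the PnP.PowerShell module
Import-Module PnP.PowerShell

# List of folders to process (site-relative URLs)
$Folders = @(
    "/Performance Reviews/Estimating",
    "/Performance Reviews/Accounting",
    "/Performance Reviews/Administrative",
    "/Performance Reviews/Business Development",
    "/Performance Reviews/Labor",
    "/Performance Reviews/Marketing and Communications",
    "/Performance Reviews/Operations",
    "/Performance Reviews/PMA",
    "/Performance Reviews/Project Management",
    "/Performance Reviews/Purchasing",
    "/Performance Reviews/Safety",
    "/Performance Reviews/Solar",
    "/Performance Reviews/Warehouse and Fleet"
)

# Roles stripped from a matching security group when -Apply is set.
$RolesToRemove = @("Read", "Contribute", "Full Control")

# Groups that keep their access even though their title ends in "SG".
# NOTE(review): the exclusion (and the "*SG" match below) key on the display title,
# which can be renamed; matching on LoginName or Id would be a stable identity —
# confirm the intended group's login name before relying on this in -Apply mode.
$ExcludedGroupTitles = @("Information Technology SG")

# Prefix for messages that describe a change which is only simulated.
$Mode = if ($Apply) { "" } else { "[DRY RUN] " }

# Connect to SharePoint Online using the Azure AD app
Connect-PnPOnline -Url $SiteURL -Interactive -ClientId $ClientId

foreach ($Folder in $Folders) {
    $Files = Get-PnPFolderItem -FolderSiteRelativeUrl $Folder -ItemType File
    foreach ($File in $Files) {
        # Ensure ListItemAllFields is loaded
        $File.Context.Load($File.ListItemAllFields)
        $File.Context.ExecuteQuery()

        if ($File.Name -like "*.jre") {
            Write-Host "File is a JRE:" $File.Name
            continue
        }
        if ($null -eq $File.ListItemAllFields.Id) {
            Write-Host "File has no ListItemAllFields.Id:" $File.Name
            continue
        }

        # NOTE(review): -List receives the folder's site-relative URL rather than the
        # library; confirm this resolves to the intended list — TODO.
        # -ErrorAction Stop turns a lookup failure into a catchable error so the file
        # is skipped instead of being processed with a $null item.
        try {
            $ListItem = Get-PnPListItem -List $Folder -Id $File.ListItemAllFields.Id -ErrorAction Stop
        } catch {
            Write-Host "Could not load list item for file $($File.Name): $_" -ForegroundColor Red
            continue
        }
        # A missing item must not be reported as "already unique": the comparison
        # `$null -eq $false` is false, so without this guard it fell into the else branch.
        if ($null -eq $ListItem) {
            Write-Host "List item not found for file:" $File.Name -ForegroundColor Yellow
            continue
        }

        # NOTE(review): assumes Get-PnPListItem populates HasUniqueRoleAssignments — confirm.
        if ($ListItem.HasUniqueRoleAssignments -eq $false) {
            # Break inheritance if needed (only when explicitly asked to)
            if ($Apply) {
                Set-PnPListItemPermission -List $Folder -Identity $ListItem.Id -BreakInheritance -CopyRoleAssignments -ErrorAction Stop
            }
            Write-Host "${Mode}Disabled permissions inheritance for file:" $File.Name
        } else {
            Write-Host "File already has unique permissions:" $File.Name
        }

        # Load role assignments for the list item
        $File.Context.Load($ListItem.RoleAssignments)
        $File.Context.ExecuteQuery()

        # Get all groups that have permissions on this item
        foreach ($RoleAssignment in $ListItem.RoleAssignments) {
            # Load the member info for each role assignment
            $File.Context.Load($RoleAssignment.Member)
            $File.Context.Load($RoleAssignment.RoleDefinitionBindings)
            $File.Context.ExecuteQuery()

            # Debug info to see what type of principal we're dealing with
            # Write-Host "Member principal type: $($RoleAssignment.Member.PrincipalType), Name: $($RoleAssignment.Member.Title)"

            $GroupTitle = $RoleAssignment.Member.Title
            $LoginName = $RoleAssignment.Member.LoginName

            # Check if the member is a security group and matches our criteria
            # For security groups, we need to check the login name since the PrincipalType
            # might be "SecurityGroup" or sometimes "User"
            $IsTargetGroup = $RoleAssignment.Member.PrincipalType -eq "SecurityGroup" -and
                $GroupTitle -like "*SG" -and
                $ExcludedGroupTitles -notcontains $GroupTitle
            if (-not $IsTargetGroup) {
                continue
            }

            Write-Host "Found security group with permissions:" $GroupTitle "on file:" $File.Name
            Write-Host "Login name: $LoginName"
            try {
                # Remove the permission using the login name (only when explicitly asked to).
                # -ErrorAction Stop is required for the catch below to see cmdlet failures;
                # otherwise a non-terminating error would still print the success line.
                if ($Apply) {
                    foreach ($Role in $RolesToRemove) {
                        Set-PnPListItemPermission -List $Folder -Identity $ListItem.Id -User $LoginName -RemoveRole $Role -ErrorAction Stop
                    }
                }
                Write-Host "${Mode}Removed permissions for security group:" $GroupTitle "on file:" $File.Name
            } catch {
                Write-Host "Error removing permissions for $GroupTitle ($LoginName): $_" -ForegroundColor Red
            }
        }
    }
}

Write-Host "Permissions check completed for all files in the folders."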