SharePoint permission auditing

When auditing a SharePoint environment, an important component is permissions:

  • invited users
  • sharing links
  • inherited permissions
  • unique permissions
  • broken inheritance
  • sites, webs
  • lists, libraries

I’ve heavily modified Salaudeen Rajack’s work to share a more fully featured and faster PowerShell auditing script that will dump all unique permissions (down to item level, recursively) for all SharePoint sites (including O365 group sites): files, folders, sites, libraries, etc.

It retrieves the membership of groups, so the resulting CSV file contains all permissions, with the exception of the “Everyone” group, which is listed as a group instead.

You can find the script here:


  • the script uses device based logon, just follow the prompts.
  • don’t forget to first set permissions on all sites for your admin account, see script header for an example
  • requires the PnP module
  • you can exclude specific sites or users from the report if needed, configure siteIgnoreList or principalIgnoreList for that
  • Runtime on an environment with over 1000 sites and millions of objects was about 6 hours. If your environment is too large, contact me and I can perhaps introduce e.g. multi-threading.
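As an added illustration (not the script from this post nor Salaudeen Rajack’s), here is the walk the post describes written against the PnP.PowerShell cmdlets: device-code logon, siteIgnoreList/principalIgnoreList filters, unique permissions from web to list to item, and SharePoint group expansion. The site URLs and ignore entries are constructed samples, and newer PnP.PowerShell releases additionally require a -ClientId of your own app registration on Connect-PnPOnline.

```powershell
# Added example, not the post's script. Assumes the PnP.PowerShell module and that the
# account already has access to every site (see the post's note on setting permissions first).
$siteUrls            = @('https://contoso.sharepoint.com/sites/Finance',
                         'https://contoso.sharepoint.com/sites/Archive')   # constructed sample
$siteIgnoreList      = @('https://contoso.sharepoint.com/sites/Archive')   # sites to skip
$principalIgnoreList = @('SHAREPOINT\system')                               # principals to skip
$rows = [System.Collections.Generic.List[object]]::new()

function Add-UniquePermissions {
    param($ClientObject, [string]$Url, [string]$Type)
    $assignments = Get-PnPProperty -ClientObject $ClientObject -Property RoleAssignments
    foreach ($ra in $assignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        $member = $ra.Member
        if ($principalIgnoreList -contains $member.LoginName) { continue }
        $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ';'
        # SharePoint groups are expanded to their members so the CSV lists real users;
        # users, security groups and claims such as "Everyone" are recorded as-is.
        $isSpGroup  = $member.PrincipalType -eq 'SharePointGroup'
        $principals = if ($isSpGroup) { Get-PnPGroupMember -Group $member.Title } else { @($member) }
        foreach ($p in $principals) {
            if ($principalIgnoreList -contains $p.LoginName) { continue }
            $rows.Add([pscustomobject]@{
                Url = $Url; Type = $Type; Principal = $p.LoginName; PrincipalType = $p.PrincipalType
                ViaGroup = if ($isSpGroup) { $member.Title } else { '' }; Roles = $roles
            })
        }
    }
}

foreach ($url in ($siteUrls | Where-Object { $siteIgnoreList -notcontains $_ })) {
    Connect-PnPOnline -Url $url -DeviceLogin   # device-code logon; may prompt again per site
    $web = Get-PnPWeb
    Add-UniquePermissions -ClientObject $web -Url $url -Type 'Web'   # root web has its own assignments
    $lists = Get-PnPList -Includes HasUniqueRoleAssignments, Hidden, RootFolder |
             Where-Object { -not $_.Hidden }
    foreach ($list in $lists) {
        if ($list.HasUniqueRoleAssignments) {
            Add-UniquePermissions -ClientObject $list -Url $list.RootFolder.ServerRelativeUrl -Type 'List'
        }
        # Files and folders: paged so large libraries do not load in one request; only
        # items with broken inheritance are reported (inherited ones repeat the parent).
        foreach ($item in Get-PnPListItem -List $list -PageSize 500 -Fields 'FileRef') {
            if (Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments) {
                Add-UniquePermissions -ClientObject $item -Url $item['FileRef'] -Type 'Item'
            }
        }
    }
}
$rows | Export-Csv -Path .\SharePointPermissions.csv -NoTypeInformation
```

The per-item HasUniqueRoleAssignments lookup is one round trip each, which is where most of the runtime goes on libraries with millions of objects.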
Adam Weldon
8 months ago

Can’t tell you how amazing it is to have stumbled across this!

Question: What if the account is set to “Additional Admin” rather than owner? I am assuming it will still work?

The reason is that in the client’s environment, they do not want to see an admin in the members of the Team Site; by adding the admin as an additional admin of a SharePoint site we can avoid the admin being a true “member/owner” of the site.

6 months ago

I have just stumbled on this great script that I would like to test.
However, I am a PowerShell newbie.
How would I modify the authentication to use AppId, CertThumbprint and TenantId if I do not want to use DeviceCode?
Thanks in advance

Michael Melling
6 months ago

In my environment the “SharedWithUsers:SW” was very unreliably populated in the MetaInfo. So your script, whilst very speedy, only gave very partial results. I don’t doubt the accuracy of the results I did get however; they just are far from complete.

Looking at this article:

Shared With column displays users who no longer have access to a document – SharePoint | Microsoft Docs

it would seem that this property is somewhat hit and miss and perhaps best avoided.