M365Permissions PowerShell Module

What does it do?

The M365Permissions PowerShell module creates a 360° view of permissions individual users or groups have (including externals).

It will then generate a full report (XLSX by default) that contains ALL unique permissions.

What resources are supported?

  • OneDrive for Business
  • SharePoint Online
  • Teams
  • Entra ID admin & PIM roles
  • Entra ID group ownership / membership
  • Entra ID hidden webhooks
  • Exchange Admin Roles
  • Exchange Send On Behalf rights
  • Exchange mailbox rights (including subfolders)
  • Exchange Send As rights (incl. non-mailbox objects)
  • PowerBI workspaces, reports, datasets

Examples

Example reports (screenshots not reproduced here):

  • SpO/Team permissions
  • Entra role report
  • mailbox folder permissions audit

Authentication / Access rights

The module uses the safe Entra Delegated Permission Flow for authentication so your credentials/tokens stay with you and not with me or anyone else. Depending on which resources you wish to report on, different permissions are required for the running account. On first run or sometimes after module upgrades you’ll be prompted to accept all potentially required delegated permissions.

Result

The module exports to Excel by default (CSV or to screen is optional).

It runs in append mode; a tab is added per resource.

To view a resultant set of rights for a given user or group (e.g. externals), you can either use one of the built-in table filters OR pivot one or more tables manually. For convenience, when including an Entra scan, all users and groups are also reported in a separate tab for additional cross-referencing options.

Performance

Depending on the workload, the module uses the fastest APIs available and runs 5 concurrent threads by default. Especially for large libraries it can reach up to 100000 items per minute, but for e.g. mailbox or OneDrive workloads, where there are lots of separate API calls, the speed goes down to hundreds of items per minute.

To speed things up, after importing the module you can run each resource-specific command in parallel in separate PowerShell windows, for example:

Get-AllSpOPermissions -IncludeOnedriveSites -ExcludeOtherSites
Get-AllSpOPermissions
Get-AllEntraPermissions
Get-AllExOPermissions -includeFolderLevelPermissions
Get-AllPBIPermissions

Install

Install-PSResource -Name M365Permissions -Repository PSGallery

How to run

#Run for EVERYTHING in your tenant:
Get-AllM365Permissions -ExpandGroups -includeCurrentUser

#Get xlsx reports for the INT-Finance Department Team and show all individual users:

Get-SpOPermissions -teamName "INT-Finance Department" -ExpandGroups

#Get all permissions for a specific SharePoint site:

Get-SpOPermissions -TeamSiteUrl "https://tenant.sharepoint.com/sites/site" -ExpandGroups

#Get ALL SpO sites including OneDrive:
Get-AllSpOPermissions -TeamSiteUrl "https://tenant.sharepoint.com/sites/site" -ExpandGroups -includeOnedriveSites

Configuration

You can run Set-M365PermissionsConfig before calling any other function to fine-tune how this module behaves. Supported parameters:

  • maxThreads: default 5, min 1, max ???

Interpreting the data

Relatively in-depth knowledge of Entra, SharePoint, Exchange etc. is required, but contextual knowledge of the environment is also mandatory (e.g. which groups or sites are sensitive, which mailboxes and users, and so on).

But to get you started, here are a few easy filters that almost always warrant a look:

  • ExO permissions for the ‘Default’ PrincipalName, especially anything other than ‘AvailabilityOnly’. Default means everyone can access it.
  • Entra role assignments for principalType ‘servicePrincipal’
  • Entra role assignments for sensitive roles
  • SpO items of type ‘ORG-WIDE’
  • SpO items of type ‘ANYONE’
  • PowerBI items of principalName ‘Whole Organization’
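As an added illustration (not part of the M365Permissions module), the filters above can be applied in one pass over a CSV export instead of by hand in Excel. The column names (Workload, Type, PrincipalName, PrincipalType, Permission, Resource) and the sensitive-role list are assumptions; adapt them to the headers in your own export.

```powershell
# Added example, not module code. Column names and $sensitiveRoles are assumptions.
$sensitiveRoles = @('Global Administrator', 'Privileged Role Administrator', 'Exchange Administrator')

function Find-RiskyPermissions {
    param([Parameter(Mandatory)][object[]]$Rows)
    foreach ($r in $Rows) {
        # Each case mirrors one of the starter filters from the "Interpreting the data" list.
        $reason = switch ($r.Workload) {
            'ExO'   { if ($r.PrincipalName -eq 'Default' -and $r.Permission -ne 'AvailabilityOnly') {
                          'Default (everyone) has more than AvailabilityOnly' } }
            'Entra' { if ($r.PrincipalType -eq 'servicePrincipal') { 'Role assigned to a service principal' }
                      elseif ($sensitiveRoles -contains $r.Permission) { 'Sensitive role assignment' } }
            'SpO'   { if ($r.Type -in 'ORG-WIDE', 'ANYONE') { "Sharing of type $($r.Type)" } }
            'PBI'   { if ($r.PrincipalName -eq 'Whole Organization') { 'Shared with the whole organization' } }
        }
        if ($reason) {
            [pscustomobject]@{
                Workload   = $r.Workload
                Resource   = $r.Resource
                Principal  = $r.PrincipalName
                Permission = $r.Permission
                Reason     = $reason
            }
        }
    }
}

# Constructed sample rows in the shape of a CSV export (not real tenant data).
$sample = @'
Workload,Type,PrincipalName,PrincipalType,Permission,Resource
ExO,Mailbox,Default,user,AvailabilityOnly,finance@contoso.example
ExO,Mailbox,Default,user,Reviewer,ceo@contoso.example\Calendar
Entra,Role,svc-backup,servicePrincipal,Exchange Administrator,Directory
Entra,Role,jdoe@contoso.example,user,Global Administrator,Directory
SpO,ANYONE,Anyone with the link,link,Read,https://tenant.sharepoint.com/sites/site/Budget.xlsx
PBI,Workspace,Whole Organization,group,Viewer,Sales Dashboard
'@ | ConvertFrom-Csv

# The first ExO row is calendar free/busy only and is not flagged; the other five are.
Find-RiskyPermissions -Rows $sample | Format-Table -AutoSize
```

For a real export, pass the imported rows the same way: Find-RiskyPermissions -Rows (Import-Csv .\M365Permissions.csv).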

Issues and Feature requests

Please use GitHub to report issues or create feature requests. Please participate if you can code yourself. For those who add significant contributions to this project, I will lift the commercial use restriction (case by case review).

Notes

Required PS modules: PnP.PowerShell, ImportExcel

Running multiple times will append data if you don’t move the (xlsx, csv) file, turning the report into a multi-location report. Note though that when you open the xlsx, Excel will lock the file and prevent additions. Make a copy first if you want a sneak peek while the scan is running.

Rate limiting

Microsoft may throttle a scan in certain situations, e.g. your user is also running other scripts at the same time or you’re doing many concurrent tasks.

Mike Oneill has a great tip on temporarily increasing the limits for Exchange Online (useful when using -includeFolderLevelPermissions)
