SharePoint Online offers a highly granular and efficient permission system, but it can also be overwhelming and complex. One of the biggest challenges for administrators is that even with the SharePoint Administrator role, they do not automatically have access to all sites. Instead, they must manually assign themselves as Owner or Member before making any modifications.
Over time, this limitation leads to a buildup of orphaned permissions, making it difficult to track user access across multiple sites. To simplify this process, we provide a PowerShell script that helps administrators scan all existing sites and locate a specific user’s permissions. Additionally, the script generates a CSV report for further analysis.

Why This Script is Useful
Managing SharePoint permissions manually can be time-consuming and prone to errors. With this script, you can:
- Iterate through all existing SharePoint sites
- Identify where a specific user has permissions
- Streamline permission audits and security checks
Prerequisites
Before running this script, ensure you have an app registration set up in the Application Context with the following permission:
- Sites.FullControl.All in the SharePoint permission group (Note: This is not part of the Microsoft Graph permission group.)
How to create this app registration is described in my other blog post here.
PowerShell Script to Locate a User Across SharePoint Sites
# Set config parameters (replace the placeholder values with your own)
$AdminSiteURL = "https://THISISMYURL-admin.sharepoint.com/"
$SearchedUser = "supervisor@DEMO.onmicrosoft.com"
$clientID = "9fec39d5-ca65-466e-a196-XXXXXXXXXXXX"
$ThumbPrint = "XXXXXXXXXXXX81E94E13B3618286380CEBE"
$TenantID = "5f940f2f-XXXX-4380-XXXX-01099cXXXX"
$CSVPfad = "C:\temp\report.csv"

# Connect to the admin site with the app registration (certificate authentication)
Connect-PnPOnline -Url $AdminSiteURL -ClientId $clientID -Thumbprint $ThumbPrint -Tenant $TenantID

# Enumerate all site collections in the tenant; personal (OneDrive) sites are filtered out
$allSites = Get-PnPTenantSite -IncludeOneDriveSites -Filter "Url -notlike '-my.sharepoint.com/personal/'"
$EntryList = @()

foreach ($site in $allSites) {
    # Every site collection needs its own connection
    Connect-PnPOnline -Url $site.Url -ClientId $clientID -Thumbprint $ThumbPrint -Tenant $TenantID
    Write-Host "$($site.Url) in progress..." -ForegroundColor Yellow

    $siteAdmins = Get-PnPSiteCollectionAdmin
    # Only the three default SharePoint groups (Owners, Members, Visitors) are checked
    $groups = Get-PnPGroup | Where-Object { $_.LoginName -match "Owners|Members|Visitors" }

    # Check site collection administrators
    foreach ($admin in $siteAdmins) {
        if ($admin.Email -eq $SearchedUser) {
            Write-Host "SiteCollectionAdmin found" -ForegroundColor Green
            $EntryList += [PSCustomObject]@{ URL = $site.Url; FoundUser = $admin.Email; Type = "SiteCollectionAdmin" }
        }
    }

    # Check membership of the default groups
    foreach ($group in $groups) {
        $groupMembers = Get-PnPGroupMember -Identity $group
        foreach ($member in $groupMembers) {
            if ($member.LoginName -like "*$SearchedUser*") {
                $type = if ($group.LoginName -like "*Owners*") { "SiteOwner" } elseif ($group.LoginName -like "*Members*") { "SiteMember" } else { "SiteVisitor" }
                Write-Host "$type found" -ForegroundColor Green
                $EntryList += [PSCustomObject]@{ URL = $site.Url; FoundUser = $member.Email; Type = $type }
            }
        }
    }
}

# Write the report
$EntryList | Export-Csv -Path $CSVPfad -Encoding Unicode

How It Works
- Authenticates with SharePoint Online using the app registration credentials.
- Retrieves all SharePoint site collections in the tenant.
- Scans each site for permissions associated with the specified user.
- Generates a CSV report with the user's access details, including site URLs and assigned roles.
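The script above only looks at site collection administrators and the three default groups, so a user who was granted access directly on the site or through a custom SharePoint group does not appear in the report. The following function is an added example (not part of the original post) that walks the root web's role assignments with PnP PowerShell instead; it assumes an open Connect-PnPOnline session to the site and the same $SearchedUser value as the script.

```powershell
# Added example: audit one site's role assignments for a user, covering direct
# grants and custom groups that the default-group check does not see.
# Assumes Connect-PnPOnline has already been run against $SiteUrl.
function Find-UserRoleAssignments {
    param(
        [Parameter(Mandatory)] [string] $SiteUrl,
        [Parameter(Mandatory)] [string] $SearchedUser
    )
    $results = @()
    $web = Get-PnPWeb
    # CSOM objects are loaded lazily; RoleAssignments must be requested explicitly
    $roleAssignments = Get-PnPProperty -ClientObject $web -Property RoleAssignments

    foreach ($ra in $roleAssignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        $principal = $ra.Member
        $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ';'

        if ($principal.PrincipalType -eq 'User') {
            # Direct grant: LoginName looks like i:0#.f|membership|user@tenant
            if ($principal.LoginName -like "*$SearchedUser*") {
                $results += [PSCustomObject]@{ URL = $SiteUrl; FoundUser = $SearchedUser; Via = 'Direct'; Roles = $roles }
            }
        }
        elseif ($principal.PrincipalType -eq 'SharePointGroup') {
            # Group grant: expand the group regardless of its name
            $members = Get-PnPGroupMember -Identity $principal.Title
            foreach ($m in $members) {
                if ($m.LoginName -like "*$SearchedUser*") {
                    $results += [PSCustomObject]@{ URL = $SiteUrl; FoundUser = $SearchedUser; Via = "Group:$($principal.Title)"; Roles = $roles }
                }
            }
        }
        # SecurityGroup principals (Entra ID groups) are not expanded here;
        # their membership has to be resolved separately via Microsoft Graph.
    }
    return $results
}

# Usage inside the per-site loop of the script above:
# $EntryList += Find-UserRoleAssignments -SiteUrl $site.Url -SearchedUser $SearchedUser
```

Entries whose only role is "Limited Access" are reported too; filter them out of the CSV if you are interested in effective permissions only. Subsites keep their own role assignments when inheritance is broken, so run the function against each web returned by Get-PnPSubWeb -Recurse for a complete picture.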
