I am trying to use CSOM to audit certain SPOL site collections and find which groups and sites have the "Everyone" permission group in use. Does anyone know if this is possible?
2 Answers
1
Here is an example of how to add permissions to the "Everyone" group in SharePoint using CSOM:

    // EnsureUser resolves the "Everyone" claim to a principal on this web.
    var user = item.ParentList.ParentWeb.EnsureUser("c:0(.s|true");
    var roleBindings = new RoleDefinitionBindingCollection(context);
    // roleType is a RoleType value chosen by the caller.
    roleBindings.Add(item.ParentList.ParentWeb.RoleDefinitions.GetByType(roleType));
    // Bind the role to the principal resolved above.
    item.RoleAssignments.Add(user, roleBindings);
    context.ExecuteQuery();

In your case, you have to iterate over every site collection and find the login "c:0(.s|true", which represents the value of the group "Everyone" in SharePoint.

Rafik
1
- To enumerate across site collections you could utilize the Tenant.GetSiteProperties method
- The Everyone user login name is represented in SPOL in claims format as the c:0(.s|true value

Example

The following example enumerates across site collections and prints the names of those groups that the Everyone user is a member of:

    Add-Type -Path "c:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
    Add-Type -Path "c:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
    Add-Type -Path "C:\Program Files\SharePoint Client Components\16.0\Assemblies\Microsoft.Online.SharePoint.Client.Tenant.dll"

    # Returns the properties of every site collection in the tenant.
    function Get-Sites {
        param ([string]$TenantName, [System.Net.ICredentials] $Credentials)
        $tenantUrl = "https://$TenantName-admin.sharepoint.com/"
        $ctx = New-Object Microsoft.SharePoint.Client.ClientContext($tenantUrl)
        $ctx.Credentials = $Credentials
        $tenant = New-Object Microsoft.Online.SharePoint.TenantAdministration.Tenant($ctx)
        $sites = $tenant.GetSiteProperties(0, $true)
        $ctx.Load($sites)
        $ctx.ExecuteQuery()
        $ctx.Dispose()
        return $sites
    }

    # Returns the users known to the given site collection.
    function Get-Users {
        param ([string]$SiteUrl, [System.Net.ICredentials] $Credentials)
        $ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteUrl)
        $ctx.Credentials = $Credentials
        $result = $ctx.Web.SiteUsers
        $ctx.Load($result)
        $ctx.ExecuteQuery()
        $ctx.Dispose()
        return $result
    }

    # Loads the Groups collection of the given user.
    function Expand-UserGroups {
        param ([Microsoft.SharePoint.Client.User]$User)
        $ctx = $User.Context
        $ctx.Load($User.Groups)
        $ctx.ExecuteQuery()
    }

    $tenantName = "contoso"; #put your tenant name here
    $userName = "jdoe@contoso.onmicrosoft.com" #put your user name
    $password = "" #put your password
    $securePassword = ConvertTo-SecureString $password -AsPlainText -Force
    $credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($username, $securePassword)

    $sites = Get-Sites -TenantName $tenantName -Credentials $credentials
    $everyoneGroupName = "c:0(.s|true"
    $sites | % {
        #Write-Host $_.Url
        $users = Get-Users -SiteUrl $_.Url -Credentials $credentials
        # Keep only the Everyone principal, then print the groups it belongs to.
        $result = $users | where {$_.LoginName -eq $everyoneGroupName}
        $result | % {
            Expand-UserGroups -User $_
            $_.Groups | % { Write-Host $_.LoginName }
        }
    }

Vadim Gremyachev
Vadim, this is a great answer! Thank you! I am wondering can this script also enumerate across sub-sites within the collections? – ItsBradMorgan Jul 18 '17 at 14:02
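
On the sub-site question in the comment above, the following is an added example, not code from either answer: it walks a site collection's root web and every sub-web and reports role assignments made directly to the Everyone claim, together with the permission levels granted. Find-EveryoneGrants and its parameters are hypothetical names; it assumes the CSOM assemblies are already loaded with Add-Type and that $credentials and $sites exist as in the answer's script, which remains the way to find group membership.

```powershell
# Added example (hypothetical function name). Emits one object per direct
# role assignment to the Everyone claim on a web, then recurses into sub-webs.
function Find-EveryoneGrants {
    param (
        [string]$WebUrl,
        [System.Net.ICredentials]$Credentials,
        [string[]]$ClaimLogins = @('c:0(.s|true')   # Everyone claim quoted on this page
    )
    $subWebUrls = @()
    $ctx = New-Object Microsoft.SharePoint.Client.ClientContext($WebUrl)
    $ctx.Credentials = $Credentials
    try {
        $web = $ctx.Web
        $ctx.Load($web)
        $ctx.Load($web.Webs)
        $ctx.Load($web.RoleAssignments)
        $ctx.ExecuteQuery()

        # Member and permission levels are not returned by default;
        # request them for all assignments in a single round trip.
        foreach ($ra in $web.RoleAssignments) {
            $ctx.Load($ra.Member)
            $ctx.Load($ra.RoleDefinitionBindings)
        }
        $ctx.ExecuteQuery()

        foreach ($ra in $web.RoleAssignments) {
            if ($ClaimLogins -contains $ra.Member.LoginName) {
                [pscustomobject]@{
                    WebUrl = $web.Url
                    Member = $ra.Member.Title
                    Login  = $ra.Member.LoginName
                    Levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '
                }
            }
        }
        $subWebUrls = @($web.Webs | ForEach-Object { $_.Url })
    }
    catch {
        # A web the auditing account cannot read is reported, not fatal.
        Write-Warning "Skipped $WebUrl : $($_.Exception.Message)"
    }
    finally { $ctx.Dispose() }

    foreach ($url in $subWebUrls) {
        Find-EveryoneGrants -WebUrl $url -Credentials $Credentials -ClaimLogins $ClaimLogins
    }
}

# Usage, with $sites and $credentials from the answer's script:
# $sites | ForEach-Object { Find-EveryoneGrants -WebUrl $_.Url -Credentials $credentials }
```

Pass additional login names through -ClaimLogins to audit other broad claims in the same pass.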