0

My company has more than 200 SharePoint sites in SharePoint Online, and we also have thousands of SharePoint users. As a company rule, whenever a user leaves the company, the user account must be removed from the SharePoint sites. One user could have different permissions in many different SharePoint sites. Let me say a user sebey@abc.com has different permissions in SharePoint sites Site1, Site2, Site3, Site4, Site5, Site6, Site7. Currently, to check the user's permissions we have to go to each site and check the user's permission there, but now we want a simple solution: we just put in the user, the user's permissions are checked in all our SharePoint sites, and the output lists all sites the user has access to.

Going to each SharePoint site and checking the permission of the user in each site is not the best solution in our case.

So do you know any solution for this case? It could be using PowerShell scripts or any trusted third-party tools as well.

Cheers!

Currently we check a user's permission per site, but this is not a good solution when you have hundreds of sites and thousands of users.

Sebey
  • 1
  • 2
  • What code are you currently using to check each site one at a time? Can you add a list and just enumerate through the server? – jdweng Mar 25 '23 at 12:41
  • I am using the normal interface based checking user permission. – Sebey Mar 26 '23 at 18:18

1 Answer

0

This seems easy but in fact, it isn't. What I would do is create a script using PowerShell and CLI for Microsoft 365. I would approach this problem like this:

  1. Get all sites from my tenant: $allSites = m365 spo site list | ConvertFrom-Json | Select-Object Url
  2. Foreach over the collection (nothing special here)
  3. For every site, list all users that are 'in' this site: $allUsersOnSite = m365 spo user list --webUrl "https://tenanttocheck.sharepoint.com/sites/someSite" | ConvertFrom-Json | Select-Object Email (here keep in mind not every account has an email; for example some internal SP service accounts don't have an email set, so you may alternatively get the LoginName property instead of Email)
  4. Check if the user I am looking for is in this collection of users for the given site, like: $allUsersOnSite | Where-Object LoginName -match "<ThisIsTheLoginNameYouAreLookingFor>". If the returned collection is larger than 1 then it means my user had 'some' permission to that site and I should remove him
  5. Then I would remove the user account from that site using m365 spo user remove --webUrl "https://tenanttocheck.sharepoint.com/sites/someSite" --loginName "LoginNameOfTheUserIWantToDelete" --confirm (the --confirm is added so I will not need to confirm every removal in the script)

Done ✅. I hope my idea will give you a good starting point. Let me know what the result was and if it was helpful (usually in SharePoint it is not 'that' easy).

BTW. If you have any success (either using CLI for Microsoft 365 or PnP PowerShell or whatever) you may consider contributing your script to the PnP script sample repo to help out other folks in the community that may have a similar case.

Adam
  • 810
  • 7
  • 10
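A PowerShell script that strings the five steps above together, added here as an example rather than Adam's own code. It assumes you have already run `m365 login` as a SharePoint administrator and that `m365 spo user list` returns a flat JSON array of user objects with LoginName and Email properties; the `-LoginName`, `-Remove` and `$found` names are my own. It reports by default and only removes when `-Remove` is passed, and it compares LoginName exactly instead of with `-match`.

```powershell
# Added example (not from the answer above): report, and optionally remove,
# one departed user's presence across every site collection in the tenant
# using CLI for Microsoft 365. Assumes `m365 login` as a SharePoint admin.
# Runs in report-only mode unless -Remove is passed, so the output can be
# reviewed before anything is changed.
param(
    # Claims-format login name, e.g. "i:0#.f|membership|sebey@abc.com"
    [Parameter(Mandatory)] [string] $LoginName,
    [switch] $Remove
)

$ErrorActionPreference = 'Stop'

# Step 1: every site collection in the tenant (Url only).
$allSites = m365 spo site list --output json |
    ConvertFrom-Json | Select-Object -ExpandProperty Url

$found = foreach ($url in $allSites) {
    # Step 3: users known to this site. Some entries (service accounts) have
    # no Email, so the check below uses LoginName, as the answer suggests.
    # Assumption: the JSON is a flat array with LoginName/Email properties.
    try {
        $users = m365 spo user list --webUrl $url --output json | ConvertFrom-Json
    } catch {
        Write-Warning "Could not list users on $url : $_"
        continue
    }

    # Step 4: exact, case-insensitive comparison rather than -match, so that
    # "jsmith@abc.com" can never match "ajsmith@abc.com" as a regex substring.
    $hit = $users | Where-Object { $_.LoginName -eq $LoginName }
    if (-not $hit) { continue }

    # Emit one record per site where the account was present (audit trail).
    [pscustomobject]@{ Url = $url; LoginName = $hit.LoginName; Email = $hit.Email }

    # Step 5: removal only when explicitly requested; --confirm as in the answer.
    if ($Remove) {
        m365 spo user remove --webUrl $url --loginName $LoginName --confirm | Out-Null
    }
}

$found | Format-Table -AutoSize
```

Keep the report-only run's output as the record of what the leaver still had; removing the site user is cleanup, while disabling the account in Entra ID is what actually blocks sign-in tenant-wide.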