SharePoint Online permissions tend to accumulate over time — stale site memberships, over-privileged guest accounts, and broken inheritance chains create both compliance risk and confusion. PnP PowerShell gives you a concise, cross-site toolset for auditing and cleaning up permissions at scale without touching the SharePoint admin UI.

Prerequisites

Install the PnP PowerShell module and connect to your SharePoint tenant with site collection administrator credentials.

Install-Module PnP.PowerShell -Scope CurrentUser
Connect-PnPOnline -Url "https://contoso.sharepoint.com" -Interactive

Auditing All Site Collection Memberships

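Export the membership of every SharePoint group in every site collection to a CSV for compliance review. The report covers group membership only; permissions granted directly to a user, or set on lists and items with unique permissions, do not appear in it.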

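# Enumerating the tenant's site collections requires SharePoint administrator rights
$sites = Get-PnPTenantSite | Select-Object -ExpandProperty Url
$report = foreach ($site in $sites) {
    # Reconnect to each site so the group cmdlets run in that site's context
    Connect-PnPOnline -Url $site -Interactive
    $groups = Get-PnPSiteGroup
    foreach ($group in $groups) {
        $members = Get-PnPGroupMember -Group $group.Title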
        foreach ($member in $members) {
            [PSCustomObject]@{
                Site       = $site
                Group      = $group.Title
                Member     = $member.Title
                LoginName  = $member.LoginName
            }
        }
    }
}
$report | Export-Csv "SPO-Permissions-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
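
A triage pass over the report rows, added here as an example (not code from the original article): it flags guest accounts, guests sitting in owner groups, and the tenant-wide Everyone claims. The function name Get-PermissionFinding, the sample rows and the "* Owners" naming rule are assumptions.

```powershell
# Sample rows are constructed, in the shape the audit loop emits.
# Against a real export: $report = Import-Csv 'SPO-Permissions-<date>.csv'
$report = @(
    [PSCustomObject]@{ Site = 'https://contoso.sharepoint.com/sites/Finance'; Group = 'Finance Owners'
        Member = 'Jane Doe'; LoginName = 'i:0#.f|membership|jane_fabrikam.com#ext#@contoso.onmicrosoft.com' }
    [PSCustomObject]@{ Site = 'https://contoso.sharepoint.com/sites/Finance'; Group = 'Finance Members'
        Member = 'Alex Kim'; LoginName = 'i:0#.f|membership|alex@contoso.com' }
    [PSCustomObject]@{ Site = 'https://contoso.sharepoint.com/sites/HR'; Group = 'HR Visitors'
        Member = 'Everyone except external users'
        LoginName = 'c:0-.f|rolemanager|spo-grid-all-users/00000000-0000-0000-0000-000000000000' }
    [PSCustomObject]@{ Site = 'https://contoso.sharepoint.com/sites/HR'; Group = 'HR Members'
        Member = 'Sam Lee'; LoginName = 'i:0#.f|membership|sam_partner.example#ext#@contoso.onmicrosoft.com' }
)

function Get-PermissionFinding {
    # Hypothetical helper: returns one object per report row that needs review.
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject] $Row)
    process {
        $login = [string]$Row.LoginName
        $findings = @()
        if ($login -like '*#ext#*') {
            # External (guest) accounts carry #ext# in their login name
            $findings += 'Guest'
            # Assumption: owner groups keep the default "<site> Owners" naming
            if ($Row.Group -like '* Owners') { $findings += 'GuestInOwnersGroup' }
        }
        # Claims that grant access to whole populations rather than named people
        if ($login -eq 'c:0(.s|true') { $findings += 'Everyone' }
        if ($login -like 'c:0-.f|rolemanager|spo-grid-all-users/*') {
            $findings += 'EveryoneExceptExternalUsers'
        }
        if ($findings.Count -gt 0) {
            [PSCustomObject]@{
                Site     = $Row.Site
                Group    = $Row.Group
                Member   = $Row.Member
                Findings = $findings -join ';'
            }
        }
    }
}

$flagged = @($report | Get-PermissionFinding)
Write-Host "$($flagged.Count) of $($report.Count) rows need review"
$flagged | Sort-Object Site, Group
```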

Removing a User from All Sites

When an employee leaves, remove them from every SharePoint site collection in a single loop.

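$userUPN = "user@contoso.com"   # placeholder UPN of the departing user
$loginName = "i:0#.f|membership|$userUPN"   # Remove-PnPUser takes a user ID or login name; this is the claims login
foreach ($site in $sites) {   # $sites comes from the audit script above
    Connect-PnPOnline -Url $site -Interactive
    try {
        Remove-PnPUser -Identity $loginName -Force -ErrorAction Stop
        Write-Host "Removed $userUPN from $site"
    } catch {
        # Report the failure instead of logging a removal that did not happen
        Write-Host "Not removed from ${site}: $($_.Exception.Message)"
    }
}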

Enforcing Unique Permissions on Sensitive Libraries

Ensure libraries containing sensitive documents break inheritance and restrict access to approved groups only.

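Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/Finance" -Interactive
# Stop inheriting from the site, keeping the current assignments as a starting point
Set-PnPList -Identity "Contracts" -BreakRoleInheritance -CopyRoleAssignments
# -AddRole/-RemoveRole take a permission level name; the levels and the "Finance Members" group name are assumptions
Set-PnPListPermission -Identity "Contracts" -Group "Finance Owners" -AddRole "Full Control"
Set-PnPListPermission -Identity "Contracts" -Group "Finance Members" -RemoveRole "Edit"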

Summary

PnP PowerShell dramatically simplifies SharePoint Online permission management at scale. Building these scripts into a weekly scheduled task — or a GitHub Actions workflow triggered on HR system changes — keeps your permission model clean, compliant, and auditable without any manual portal work.