Recently I had a couple of customers ask me for a script that replaces the Everyone / Everyone except external users account in SPO with a different account or group.
The following script copies the permissions of one account to a new account.
- It will check for SharePoint Group membership
- It will check for SPWeb unique membership
- It will check for SPList unique membership
- It will check for SPFolder unique membership
- It will check for SPItem unique membership
After running this script you can remove Everyone, or even disable it from showing in the people picker.
Let me know your suggestions in the comments. I will try to add them to my script.
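# Load the CSOM assemblies that ship with the SharePoint Online Management Shell.
# The path separators were lost in the original listing; adjust $csomPath if the
# shell is installed somewhere else.
$csomPath = "C:\Program Files\SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell"
[System.Reflection.Assembly]::LoadFile((Join-Path $csomPath "Microsoft.SharePoint.Client.dll")) | Out-Null
[System.Reflection.Assembly]::LoadFile((Join-Path $csomPath "Microsoft.SharePoint.Client.Runtime.dll")) | Out-Null
$username = "admin@MOD841120.onmicrosoft.com" #Replace this with SPO Admin
# Prompt for the password instead of keeping it in the script file, so the secret never
# lands in source control, shell history or a shared folder. Read-Host -AsSecureString
# already returns the SecureString the credential object expects.
$password = Read-Host -Prompt "Password for $username" -AsSecureString
$spoCred = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($username, $password)
$url = "https://mod841120.sharepoint.com/sites/DemoPerm" #URL of the SPO Site Collection
# Login name of the source principal whose permissions are copied. The value below is the
# "Everyone except external users" claim; the GUID after the slash is tenant-specific, so
# take it from your own tenant (e.g. from an existing permission entry) before running.
$FindUser = "c:0-.f|rolemanager|spo-grid-all-users/c1051fd0-af79-4b55-8710-a34798fbe37b"
$New = "industrytrends@MOD841120.onmicrosoft.com" #Group/User that you want to add
#No changes required from this point
# URLs of the root web and every sub-web; filled by Get-SPOWebs and walked by the main loop.
$global:AllWebs = @()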
# Queues a load of a single property of a CSOM object through
# ClientContext.Load<T>(obj, expr). PowerShell cannot write the generic lambda
# directly, so the expression tree  obj => (object)obj.<PropertyName>  is built
# by hand. Only the request is queued: the caller must run ExecuteQuery() on
# $Object.Context afterwards.
Function Invoke-LoadMethod() {
param(
[Microsoft.SharePoint.Client.ClientObject]$Object = $(throw "Please provide a Client Object"),
[string]$PropertyName
)
    $objectType = $Object.GetType()
    # ClientContext.Load<TObject>
    $genericLoad = [Microsoft.SharePoint.Client.ClientContext].GetMethod("Load").MakeGenericMethod($objectType)
    # obj => (object)obj.<PropertyName>
    $objParam = [System.Linq.Expressions.Expression]::Parameter($objectType, $objectType.Name)
    $propertyAccess = [System.Linq.Expressions.Expression]::PropertyOrField($objParam, $PropertyName)
    $boxedAccess = [System.Linq.Expressions.Expression]::Convert($propertyAccess, [System.Object])
    $lambda = [System.Linq.Expressions.Expression]::Lambda($boxedAccess, $objParam)
    # Load<T> takes a params array of Expression<Func<T,object>>; the array must have
    # exactly the lambda's runtime type, hence CreateInstance instead of a plain @().
    $retrievals = [System.Array]::CreateInstance($lambda.GetType(), 1)
    $retrievals.SetValue($lambda, 0)
    $genericLoad.Invoke($Object.Context, @($Object, $retrievals))
}
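# Adds $New to every SharePoint group of the site collection that already contains the
# principal with id $UserID. Reads $context (the ClientContext of the calling scope) and
# $New (script scope). Membership is tested per group with Users.GetById, which only
# fails when the query executes; that failure is the "not a member" signal.
function CheckGroup($SPOWeb , $UserID)
{
    $User = $SPOWeb.EnsureUser($New)
    $Context.Load($User)
    $Context.ExecuteQuery()
    $Groups = $SPOWeb.SiteGroups
    $Context.Load($Groups)
    $Context.ExecuteQuery()
    foreach ($Group in $Groups)
    {
        $GroupUser = $Group.Users.GetById($UserID)
        $Context.Load($GroupUser)
        try
        {
            $Context.ExecuteQuery()
        }
        catch
        {
            # Source principal is not in this group (or the query failed); nothing to copy.
            continue
        }
        # The add is in its own try so a real failure is reported instead of being
        # swallowed together with the expected "not a member" error above.
        try
        {
            $Context.Load($Group.Users.AddUser($User))
            $Context.ExecuteQuery()
            Write-Verbose "Added $New to group '$($Group.Title)'"
        }
        catch
        {
            Write-Warning "Could not add $New to group '$($Group.Title)': $($_.Exception.Message)"
        }
    }
}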
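# Recursively records the URL of every sub-web below $Url in $global:AllWebs (the caller
# adds the root URL itself) and, where the source principal $FindUser exists in the site
# collection, copies its SharePoint group membership to $New via CheckGroup.
# Sub-webs are collected even when the principal is absent, so the main loop can still
# report on every web; previously one failed lookup silently stopped the whole walk.
function Get-SPOWebs(){
param(
$Url = $(throw "Please provide a Site Collection Url"),
$Credential = $(throw "Please provide a Credentials")
)
    $context = New-Object Microsoft.SharePoint.Client.ClientContext($Url)
    # Use the credential that was passed in; the original ignored it and used $spoCred.
    $context.Credentials = $Credential
    try
    {
        $web = $context.Web
        $context.Load($web)
        $context.ExecuteQuery()
        $User = $web.SiteUsers.GetByLoginName($FindUser)
        $context.Load($User)
        try
        {
            $context.ExecuteQuery()
            # CheckGroup reads $context from this scope (PowerShell dynamic scoping).
            CheckGroup $web $User.Id
        }
        catch
        {
            Write-Warning "'$FindUser' was not found in $Url : $($_.Exception.Message)"
        }
        $subWebs = $web.Webs
        $context.Load($subWebs)
        $context.ExecuteQuery()
        foreach ($subWeb in $subWebs)
        {
            Get-SPOWebs -Url $subWeb.Url -Credential $Credential
            $global:AllWebs += $subWeb.Url
        }
    }
    catch
    {
        Write-Warning "Could not enumerate $Url : $($_.Exception.Message)"
    }
    finally
    {
        $context.Dispose()
    }
}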
# Record the root web first; Get-SPOWebs appends every sub-web it finds.
$global:AllWebs += $url
Get-SPOWebs -Credential $spoCred -Url $url
# Grants the role definition named $SPOWBinding on web $SPOW to the principal in $New.
# Any assignment $New already holds on the web is kept; this binding is added to it.
# Uses $Context and $New from the calling scope.
function ReplaceUserInWeb($SPOW , $SPOWBinding)
{
    $target = $SPOW.EnsureUser($New)
    $Context.Load($target)
    $Context.ExecuteQuery()
    # The name comes from the source principal's binding on this same web, so it resolves here.
    $roleDefinition = $SPOW.RoleDefinitions.GetByName($SPOWBinding)
    $Context.Load($roleDefinition)
    $Context.ExecuteQuery()
    $bindings = New-Object Microsoft.SharePoint.Client.RoleDefinitionBindingCollection($Context)
    $bindings.Add($roleDefinition)
    $assignment = $SPOW.RoleAssignments.Add($target, $bindings)
    $Context.Load($assignment)
    $SPOW.Update()
    $Context.ExecuteQuery()
}
# Grants the role definition named $SPOLBinding on list $SPOListID (in web $SPOW) to the
# principal in $New. Existing assignments of $New on the list are kept.
# Uses $Context and $New from the calling scope.
function ReplaceUserInList($SPOW , $SPOLBinding , $SPOListID)
{
    $target = $SPOW.EnsureUser($New)
    $Context.Load($target)
    $Context.ExecuteQuery()
    $targetList = $SPOW.Lists.GetById($SPOListID)
    $Context.Load($targetList)
    $Context.ExecuteQuery()
    $roleDefinition = $SPOW.RoleDefinitions.GetByName($SPOLBinding)
    $Context.Load($roleDefinition)
    $Context.ExecuteQuery()
    $bindings = New-Object Microsoft.SharePoint.Client.RoleDefinitionBindingCollection($Context)
    $bindings.Add($roleDefinition)
    $assignment = $targetList.RoleAssignments.Add($target, $bindings)
    $Context.Load($assignment)
    $targetList.Update()
    $Context.ExecuteQuery()
}
# Grants the role definition named $SPOLBinding on item $ItemID of list $ListID (in web
# $SPOW) to the principal in $New. Existing assignments of $New on the item are kept.
# Uses $Context and $New from the calling scope.
function ReplaceUserInListItem($SPOW , $SPOLBinding, $ListID,$ItemID)
{
    $target = $SPOW.EnsureUser($New)
    $Context.Load($target)
    $Context.ExecuteQuery()
    $parentList = $SPOW.Lists.GetById($ListID)
    $Context.Load($parentList)
    $Context.ExecuteQuery()
    $item = $parentList.GetItemById($ItemID)
    $Context.Load($item)
    $Context.ExecuteQuery()
    $roleDefinition = $SPOW.RoleDefinitions.GetByName($SPOLBinding)
    $Context.Load($roleDefinition)
    $Context.ExecuteQuery()
    $bindings = New-Object Microsoft.SharePoint.Client.RoleDefinitionBindingCollection($Context)
    $bindings.Add($roleDefinition)
    $assignment = $item.RoleAssignments.Add($target, $bindings)
    $Context.Load($assignment)
    $item.Update()
    $Context.ExecuteQuery()
}
# Returns the names of the role definitions directly assigned to principal $UserID on
# item $ItemID of list $ListID, leaving out "Limited Access" (SharePoint adds that one
# itself; it is not copied). GetByPrincipalId fails at ExecuteQuery time when the
# principal has no direct assignment, so callers test for that first.
# Uses $context from the calling scope.
function GetListItemsRoleBinding($SPOW , $UserID , $ListID,$ItemID)
{
    $parentList = $SPOW.Lists.GetById($ListID)
    $context.Load($parentList)
    $context.ExecuteQuery()
    $item = $parentList.GetItemById($ItemID)
    $context.Load($item)
    $context.ExecuteQuery()
    $assignment = $item.RoleAssignments.GetByPrincipalId($UserID)
    $context.Load($assignment)
    $context.ExecuteQuery()
    $definitions = $assignment.RoleDefinitionBindings
    $context.Load($definitions)
    $context.ExecuteQuery()
    $names = @()
    foreach ($definition in $definitions)
    {
        $context.Load($definition)
        $context.ExecuteQuery()
        if ($definition.Name -ne "Limited Access")
        {
            $names += $definition.Name
        }
    }
    return $names
}
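# Returns the names of the role definitions directly assigned to principal $UserID on
# list $ListID, leaving out "Limited Access" (SharePoint adds that one itself; it is not
# copied). GetByPrincipalId fails at ExecuteQuery time when the principal has no direct
# assignment, so callers test for that first. Uses $context from the calling scope.
function GetListRoleBinding($SPOW , $UserID , $ListID)
{
    $LBindings = @()
    $List = $SPOW.Lists.GetById($ListID)
    $context.Load($List)
    $context.ExecuteQuery()
    $SPOLRole = $List.RoleAssignments.GetByPrincipalId($UserID)
    $context.Load($SPOLRole)
    $context.ExecuteQuery()
    $LRoleBindings = $SPOLRole.RoleDefinitionBindings
    $context.Load($LRoleBindings)
    $context.ExecuteQuery()
    foreach ($LRoleBinding in $LRoleBindings)
    {
        $context.Load($LRoleBinding)
        $context.ExecuteQuery()
        if ($LRoleBinding.Name -ne "Limited Access")
        {
            $LBindings += $LRoleBinding.Name
        }
    }
    # The original also wrote $LBindings.count to the pipeline here, which made the first
    # element of the returned array an integer rather than a role name. Only names are
    # returned now, so callers no longer need to filter by type.
    return $LBindings
}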
# Returns the names of the role definitions directly assigned to principal $UserID on
# web $SPOW, leaving out "Limited Access" (SharePoint adds that one itself; it is not
# copied). GetByPrincipalId fails at ExecuteQuery time when the principal has no direct
# assignment, so callers test for that first. Uses $context from the calling scope.
function GetWebRoleBinding($SPOW , $UserID )
{
    $assignment = $SPOW.RoleAssignments.GetByPrincipalId($UserID)
    $context.Load($assignment)
    $context.ExecuteQuery()
    $definitions = $assignment.RoleDefinitionBindings
    $context.Load($definitions)
    $context.ExecuteQuery()
    $names = @()
    foreach ($definition in $definitions)
    {
        $context.Load($definition)
        $context.ExecuteQuery()
        if ($definition.Name -ne "Limited Access")
        {
            $names += $definition.Name
        }
    }
    return $names
}
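# Main pass. For every web collected above, wherever the source principal ($FindUser)
# holds a direct role assignment on the web, on a non-hidden list with unique
# permissions, or on an individual item with unique permissions, the same role
# definitions (minus "Limited Access") are granted to $New. Nothing is removed from the
# source principal; retiring it is a separate, deliberate step once the grants have been
# reviewed. Each grant is logged with Write-Verbose so the run leaves an audit trail
# (run with -Verbose to see it), and failures are reported instead of swallowed.
foreach ($Web in $AllWebs)
{
    $context = New-Object Microsoft.SharePoint.Client.ClientContext($Web)
    $context.Credentials = $spoCred
    try
    {
        $SPOWeb = $context.Web
        $context.Load($SPOWeb)
        Invoke-LoadMethod -Object $SPOWeb -PropertyName "HasUniqueRoleAssignments"
        $context.ExecuteQuery()

        $SPOWebUser = $SPOWeb.SiteUsers.GetByLoginName($FindUser)
        $context.Load($SPOWebUser)
        try
        {
            $context.ExecuteQuery()
        }
        catch
        {
            write-host "User does not Exist in the site collection"
            # Without a resolved principal id every lookup below fails; skip this web
            # rather than letting each later query fail silently.
            continue
        }
        $principalId = $SPOWebUser.Id

        # ---- web level (only when the web does not inherit from its parent) ----
        if ($SPOWeb.HasUniqueRoleAssignments -eq $true)
        {
            $webRole = $SPOWeb.RoleAssignments.GetByPrincipalId($principalId)
            $context.Load($webRole)
            # GetByPrincipalId only fails at ExecuteQuery time; failure = no direct assignment.
            $hasWebRole = $true
            try { $context.ExecuteQuery() } catch { $hasWebRole = $false }
            if ($hasWebRole)
            {
                foreach ($roleName in @(GetWebRoleBinding $SPOWeb $principalId))
                {
                    try
                    {
                        Write-Verbose "Web $Web : granting '$roleName' to $New"
                        ReplaceUserInWeb $SPOWeb $roleName | Out-Null
                    }
                    catch
                    {
                        Write-Warning "Web $Web : could not grant '$roleName' to $New : $($_.Exception.Message)"
                    }
                }
            }
        }

        # ---- list and item level ----
        $Lists = $SPOWeb.Lists
        $context.Load($Lists)
        $context.ExecuteQuery()
        foreach ($List in $Lists)
        {
            $context.Load($List)
            Invoke-LoadMethod -Object $List -PropertyName "HasUniqueRoleAssignments"
            $context.ExecuteQuery()

            if (($List.HasUniqueRoleAssignments -eq $true) -and ($List.Hidden -eq $false))
            {
                $listRole = $List.RoleAssignments.GetByPrincipalId($principalId)
                $context.Load($listRole)
                $hasListRole = $true
                try { $context.ExecuteQuery() } catch { $hasListRole = $false }
                if ($hasListRole)
                {
                    foreach ($roleName in @(GetListRoleBinding $SPOWeb $principalId $List.Id))
                    {
                        # Defensive: older versions of GetListRoleBinding also emitted a count.
                        if ($roleName -isnot [string]) { continue }
                        try
                        {
                            Write-Verbose "List '$($List.Title)' in $Web : granting '$roleName' to $New"
                            ReplaceUserInList $SPOWeb $roleName $List.Id | Out-Null
                        }
                        catch
                        {
                            Write-Warning "List '$($List.Title)' in $Web : could not grant '$roleName' to $New : $($_.Exception.Message)"
                        }
                    }
                }
            }

            # Items can carry unique permissions even when the list itself inherits, so every
            # list is scanned. CreateAllItemsQuery is not paged: on lists above the list view
            # threshold the query fails and the list is skipped with a warning.
            $qry = [Microsoft.SharePoint.Client.CamlQuery]::CreateAllItemsQuery()
            $ListItems = $List.GetItems($qry)
            $context.Load($ListItems)
            try
            {
                $context.ExecuteQuery()
            }
            catch
            {
                Write-Warning "List '$($List.Title)' in $Web : could not enumerate items: $($_.Exception.Message)"
                continue
            }
            foreach ($ListItem in $ListItems)
            {
                $context.Load($ListItem)
                Invoke-LoadMethod -Object $ListItem -PropertyName "HasUniqueRoleAssignments"
                $context.ExecuteQuery()
                if ($ListItem.HasUniqueRoleAssignments -ne $true)
                {
                    continue
                }
                $itemRole = $ListItem.RoleAssignments.GetByPrincipalId($principalId)
                $context.Load($itemRole)
                $hasItemRole = $true
                try { $context.ExecuteQuery() } catch { $hasItemRole = $false }
                if (-not $hasItemRole)
                {
                    continue
                }
                foreach ($roleName in @(GetListItemsRoleBinding $SPOWeb $principalId $List.Id $ListItem.Id))
                {
                    if ($roleName -isnot [string]) { continue }
                    try
                    {
                        Write-Verbose "Item $($ListItem.Id) in list '$($List.Title)' ($Web): granting '$roleName' to $New"
                        ReplaceUserInListItem $SPOWeb $roleName $List.Id $ListItem.Id | Out-Null
                    }
                    catch
                    {
                        Write-Warning "Item $($ListItem.Id) in list '$($List.Title)' ($Web): could not grant '$roleName' to $New : $($_.Exception.Message)"
                    }
                }
            }
        }
    }
    catch
    {
        Write-Warning "Skipping $Web : $($_.Exception.Message)"
    }
    finally
    {
        # One ClientContext per web; the original only disposed the last one.
        $context.Dispose()
    }
}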