
SharePoint Online: Remove a User or Group from Folder Permissions Using PowerShell

Author: 精品下载站 Date: 2024-12-14 14:45:58 Views: 14 Category: 玩电脑


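Requirement: Remove a user from folder permissions in SharePoint Online.

How to remove a user from folder permissions in SharePoint Online?

Want to restrict access to a folder in SharePoint Online? This post shows how to remove a user or group from the permissions of a folder in SharePoint Online. We will also see how PowerShell can quickly revoke a specific user's access to a folder.

To remove a user or group from the permissions of a SharePoint Online folder, follow these steps:

  1. Navigate to the SharePoint Online list or library where the target folder is located.
  2. Click "Details" in the context menu of the folder >> in the Details pane, click "Manage access", then click the "Advanced" link. This takes you to the "Advanced Permissions" page.
  3. In the ribbon, click the "Stop Inheriting Permissions" button and confirm the prompt.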

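  4. You now get the list of users and groups that have permissions on the folder. When you break inheritance, SharePoint copies the permissions from the parent (in our case, the list/library!).
  5. Select the users and groups whose permissions you want to remove from the folder and confirm the prompt.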

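  6. That's it. We have removed the user from the folder permissions.

Remove a User from Folder Permissions Using PowerShell

Here is my PowerShell to remove a user's permissions from a folder in SharePoint Online: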


#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

Function Remove-SPOUserPermissionsFromList()
{
  param
    (
        [Parameter(Mandatory=$true)] [string] $SiteURL,
        [Parameter(Mandatory=$true)] [string] $FolderURL,
        [Parameter(Mandatory=$true)] [string] $UserAccount
    )
 
    Try {
        #Get credentials to connect
        $Cred= Get-Credential
        $Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)
 
        #Setup the context
        $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
        $Ctx.Credentials = $Credentials
        $Web = $Ctx.web
 
        #Get the Folder
        $Folder = $Web.GetFolderByServerRelativeUrl($FolderURL)
        $Ctx.Load($Folder)
        $Ctx.ExecuteQuery()
     
        #Break permission inheritance - copy the parent's role assignments ($True) & keep unique permissions on child items ($False)
        $Folder.ListItemAllFields.BreakRoleInheritance($True,$False)
        $Ctx.ExecuteQuery()
        Write-host -f Yellow "Folder's Permission inheritance broken..."
      
        #Get the SharePoint User object from the site
        $User = $Web.EnsureUser($UserAccount)
        $Ctx.load($User)

        #Get permissions assigned to the folder
        $Ctx.Load($Folder.ListItemAllFields.RoleAssignments)
        $Ctx.ExecuteQuery()

        #Check if the user has permission on the folder
        [Bool]$UserFound = $False
        ForEach($RoleAssignment in $Folder.ListItemAllFields.RoleAssignments)
        {
            $Ctx.Load($RoleAssignment.Member)
            $Ctx.ExecuteQuery()

            #Remove user permission from folder
            If($RoleAssignment.Member.LoginName -eq $User.LoginName)
            {
                $Folder.ListItemAllFields.RoleAssignments.GetByPrincipal($User).DeleteObject()
                $Ctx.ExecuteQuery()
                $UserFound = $True
                Write-host "User Permissions Removed from the Folder Successfully!" -ForegroundColor Green
                #A principal has one role assignment per folder; stop so the collection is not enumerated after the delete
                Break
            }
        }
        #If user doesn't exist in folder permissions
        If($UserFound -eq $False) { Write-host "User Not found in Folder Permissions!" -ForegroundColor Red}
    }
    Catch {
       write-host -f Red "Error Removing permissions from the Folder!" $_.Exception.Message
    }
}

#Config Variables
$SiteURL="https://crescent.sharepoint.com"
$FolderURL="/Project Docs/Active"
$UserAccount="[email protected]"

#Call the function to remove user permissions from a list
Remove-SPOUserPermissionsFromList -SiteURL $SiteURL -FolderURL $FolderURL -UserAccount $UserAccount

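This PowerShell removes the user's permissions on the folder specified in the parameters.

Remove a Group from Folder Permissions Using PowerShell

Similarly, use this PowerShell script to remove a SharePoint group from the permissions of a folder.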


#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

Function Remove-SPOGroupPermissionsFromList()
{
  param
    (
        [Parameter(Mandatory=$true)] [string] $SiteURL,
        [Parameter(Mandatory=$true)] [string] $FolderURL,
        [Parameter(Mandatory=$true)] [string] $GroupName
    )
 
    Try {
        #Get credentials to connect
        $Cred= Get-Credential
        $Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)
 
        #Setup the context
        $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
        $Ctx.Credentials = $Credentials
        $Web = $Ctx.web
 
        #Get the Folder
        $Folder = $Web.GetFolderByServerRelativeUrl($FolderURL)
        $Ctx.Load($Folder)
        $Ctx.ExecuteQuery()
     
        #Break permission inheritance - copy the parent's role assignments ($True) & keep unique permissions on child items ($False)
        $Folder.ListItemAllFields.BreakRoleInheritance($True,$False)
        $Ctx.ExecuteQuery()
        Write-host -f Yellow "Folder's Permission inheritance broken..."
      
        #Get the SharePoint Site Group object
        $Group =$Web.SiteGroups.GetByName($GroupName)
        $Ctx.load($Group)

        #Get permissions assigned to the folder
        $Ctx.Load($Folder.ListItemAllFields.RoleAssignments)
        $Ctx.ExecuteQuery()

        #Check if the Group has permission on the folder
        [Bool]$GroupFound = $False
        ForEach($RoleAssignment in $Folder.ListItemAllFields.RoleAssignments)
        {
            $Ctx.Load($RoleAssignment.Member)
            $Ctx.ExecuteQuery()

            #Remove Group permission from folder
            If($RoleAssignment.Member.LoginName -eq $Group.LoginName)
            {
                $Folder.ListItemAllFields.RoleAssignments.GetByPrincipal($Group).DeleteObject()
                $Ctx.ExecuteQuery()
                $GroupFound = $True
                Write-host "Group Permissions Removed from the Folder Successfully!" -ForegroundColor Green
                #A principal has one role assignment per folder; stop so the collection is not enumerated after the delete
                Break
            }
        }
        #If Group doesn't exist in folder permissions
        If($GroupFound -eq $False) { Write-host "Group Not found in Folder Permissions!" -ForegroundColor Red}
    }
    Catch {
       write-host -f Red "Error Removing Group permissions from the Folder!" $_.Exception.Message
    }
}

#Config Variables
$SiteURL="https://crescent.sharepoint.com"
$FolderURL="/Project Docs/Active"
$GroupName="Team Site Visitors"

#Call the function to remove Group permissions from a list
Remove-SPOGroupPermissionsFromList -SiteURL $SiteURL -FolderURL $FolderURL -GroupName $GroupName

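This removes a SharePoint Online group from the folder permissions using PowerShell. Here is another post on granting permissions to a SharePoint Online folder with PowerShell: Set Folder Permissions in SharePoint Online Using PowerShell

PnP PowerShell to Remove a User from Folder Permissions from a CSV File

We have a CSV file with a list of URLs and want to remove a specific user from all of those folders. The CSV file has just one column, with the header "URL", and a little over 100 rows.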


#Config Variables
$SiteURL = "https://crescent.sharepoint.com/sites/legal"
$ListName="Work"
$CSVFile = "C:\Temp\Folders.csv"
$UserAccount = "i:0#.f|membership|[email protected]"

Try {
    #Connect to PnP Online
    Connect-PnPOnline -Url $SiteURL -Interactive

    #Get content from CSV file
    Import-Csv $CSVFile | ForEach-Object {
        Write-host "Processing Folder:"$_.URL
        #Get the Folder from URL
        $Folder = Get-PnPFolder -Url $_.URL

        #Get Folder Item
        $FolderItem = Get-PnPProperty -ClientObject $Folder -Property ListItemAllFields
        $HasUniquePerm =  Get-PnPProperty -ClientObject $FolderItem -Property HasUniqueRoleAssignments

        #Break Permission Inheritance - copy the parent's role assignments ($True) & reset unique permissions on child items ($True)
        If(!$HasUniquePerm)
        {
            $FolderItem.BreakRoleInheritance($True, $True)
            Write-host "`tFolder's Permission Inheritance Broken!"
        }
        #Get the User
        $User = Get-PnPUser -Identity $UserAccount -ErrorAction Stop

        #Get Permissions from the Folder
        $RoleAssignments = Get-PnPProperty -ClientObject $FolderItem -Property RoleAssignments

        #Remove user from folder permissions
        [Bool]$UserFound = $false
        ForEach($RoleAssignment in $RoleAssignments)
        {
           $Member =  Get-PnPProperty -ClientObject $RoleAssignment -Property Member
           If($Member.LoginName -eq $User.LoginName)
           {
                $UserFound = $True
                $FolderItem.RoleAssignments.GetByPrincipal($User).DeleteObject()
                Invoke-PnPQuery
                #A principal has one role assignment per folder; stop so the collection is not enumerated after the delete
                Break
           }
        }
        
        If($UserFound) { Write-host "`tRemoved user from Folder Permission!" }  
    }
}
Catch {
    write-host -f Red "Error Removing user from Folder:" $_.Exception.Message
}
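
Removing the direct role assignment does not revoke access the user still holds through a SharePoint group that remains on the folder. The following is an added example, not part of the original post: it re-reads every folder in the same CSV and reports whether the user is still assigned directly or through a group. The user login name is a placeholder, and the PnP.PowerShell module (including Get-PnPGroupMember) is assumed to be installed.

```powershell
#Added example: verify the removal for each folder listed in the CSV
$SiteURL     = "https://crescent.sharepoint.com/sites/legal"
$CSVFile     = "C:\Temp\Folders.csv"                      #One column, header "URL"
$UserAccount = "i:0#.f|membership|user@example.com"       #Placeholder login name

Connect-PnPOnline -Url $SiteURL -Interactive
$User = Get-PnPUser -Identity $UserAccount -ErrorAction Stop

$Report = Import-Csv $CSVFile | ForEach-Object {
    $Folder      = Get-PnPFolder -Url $_.URL
    $FolderItem  = Get-PnPProperty -ClientObject $Folder -Property ListItemAllFields
    $Unique      = Get-PnPProperty -ClientObject $FolderItem -Property HasUniqueRoleAssignments
    $Assignments = Get-PnPProperty -ClientObject $FolderItem -Property RoleAssignments

    $Direct    = $false
    $ViaGroups = @()
    ForEach ($RoleAssignment in $Assignments) {
        $Member = Get-PnPProperty -ClientObject $RoleAssignment -Property Member
        If ($Member.LoginName -eq $User.LoginName) {
            #The user still has a role assignment of their own on this folder
            $Direct = $true
        }
        ElseIf ($Member.PrincipalType -eq 'SharePointGroup') {
            #Expand the SharePoint group and look for the user among its members
            $Logins = (Get-PnPGroupMember -Group $Member.Title).LoginName
            If ($Logins -contains $User.LoginName) { $ViaGroups += $Member.Title }
        }
    }

    [PSCustomObject]@{
        Folder            = $_.URL
        UniquePermissions = $Unique
        DirectAssignment  = $Direct
        ViaGroups         = ($ViaGroups -join "; ")
    }
}

#Full report, then only the folders where the user can still get in
$Report | Format-Table -AutoSize
$Report | Where-Object { $_.DirectAssignment -or $_.ViaGroups } |
    Export-Csv "C:\Temp\FolderAccessRemaining.csv" -NoTypeInformation
```

Only SharePoint groups are expanded here; access granted through directory security groups or tenant-wide claims assigned to the folder is not resolved and has to be reviewed separately.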
