Add SharePoint site permissions to a group using PnP

2024-08-01

Introduction

Using the PnP PowerShell module, you can assign permissions to an existing group within the Microsoft 365 environment. It can be a SharePoint group, security group or Microsoft 365 group. Keep in mind that claims can make it a bit complex. For a detailed explanation, have a look at the Claims Deep Dive article.


Get available roles

Use Get-PnPRoleDefinition to retrieve all available roles you can add or remove on a SharePoint Online site.

Get-PnPRoleDefinition | Select-Object Name, RoleTypeKind, Description



Add permissions for a SharePoint Online list

The following cmdlets add permissions for an existing SharePoint list. If you want to break the list's permission inheritance from its parent first, use Set-PnPList -BreakRoleInheritance.


To a SharePoint group

The following cmdlet adds permissions to an existing SharePoint group for a list called ‘test1’. You can use the group name directly.

Set-PnPListPermission -Identity test1 -User "MyGroupName" -AddRole 'Contribute'



To a security group

The following cmdlet adds permissions to an existing security group. You need to use the group ID.

Set-PnPListPermission -Identity test1 -User "c:0t.c|tenant|6510e196-d412-41de-a2e3-f99e8c0ffb4a" -AddRole 'Contribute'

OR

Set-PnPListPermission -Identity test1 -User "sichgroup3" -AddRole 'Read'

You can retrieve the security group ID by going to Entra ID » Groups or by using the Get-PnPAzureADGroup cmdlet.



To Microsoft 365 group

The following cmdlet adds permissions to the members of an existing Microsoft 365 group. You need to use the group ID. You can retrieve the Microsoft 365 group ID by going to Entra ID » Groups or by using the Get-PnPAzureADGroup cmdlet.

Set-PnPListPermission -Identity test1 -User "c:0o.c|federateddirectoryclaimprovider|2b7a7a59-7c52-4e42-a8f9-0675fe1ab62a" -AddRole 'Contribute'

Some examples of how to retrieve a Microsoft 365 group using PnP cmdlets:

  • Get-PnPAzureADGroup | where {$_.GroupTypes -eq "Unified"}


  • Get-PnPAzureADGroup | where {$_.DisplayName -eq "test"}
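The security group and Microsoft 365 group cases above differ only in the claim prefix placed in front of the group ID. The following added example (not part of the original article) resolves a group by display name, builds the matching claim and grants the role. The function name and its parameters are hypothetical, and it assumes an active Connect-PnPOnline session and that the group object exposes its ID as the Id property.

```powershell
# Added example, not from the original article. Requires an active Connect-PnPOnline session.
# Grant-ListRoleToEntraGroup and its parameters are hypothetical names.
function Grant-ListRoleToEntraGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $List,
        [Parameter(Mandatory)] [string] $GroupDisplayName,
        [Parameter(Mandatory)] [string] $Role
    )

    # Reject role names that do not exist on this site before touching permissions.
    $roleNames = (Get-PnPRoleDefinition).Name
    if ($roleNames -notcontains $Role) {
        throw "Role '$Role' not found. Available roles: $($roleNames -join ', ')"
    }

    # Display names are not unique, so insist on exactly one match.
    $groups = @(Get-PnPAzureADGroup | Where-Object { $_.DisplayName -eq $GroupDisplayName })
    if ($groups.Count -ne 1) {
        throw "Expected exactly one group named '$GroupDisplayName', found $($groups.Count)."
    }
    $group = $groups[0]

    # Microsoft 365 ("Unified") groups and security groups use different claim prefixes.
    if ($group.GroupTypes -contains 'Unified') {
        $claim = "c:0o.c|federateddirectoryclaimprovider|$($group.Id)"
    }
    else {
        $claim = "c:0t.c|tenant|$($group.Id)"
    }

    # -WhatIf shows the claim and role without changing the list.
    if ($PSCmdlet.ShouldProcess($List, "Add role '$Role' for $claim")) {
        Set-PnPListPermission -Identity $List -User $claim -AddRole $Role
    }
    return $claim
}

# Dry run against the list used in this article; "test" is the sample group name from above.
Grant-ListRoleToEntraGroup -List 'test1' -GroupDisplayName 'test' -Role 'Read' -WhatIf
```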



To Everyone group

The Everyone group is special: use the claim c:0(.s|true. For more information on this specific claim, have a look at SharePoint Claims Deep Dive.

Set-PnPListPermission -Identity test1 -User "c:0(.s|true" -AddRole 'Contribute'


To Everyone Except External users

The Everyone except external users group also has a special name. Use c:0-.f|rolemanager|spo-grid-all-users/7110ff4b-10a6-4895-9169-2237e60672c7 for Everyone except external users. Keep in mind that your Everyone except external users group will have a different ID.

Set-PnPListPermission -Identity test1 -User "c:0-.f|rolemanager|spo-grid-all-users/7110ff4b-10a6-4895-9169-2237e60672c7" -AddRole 'Contribute'

One of the places where you can see the ID of your Everyone except external users group is SharePoint Online Site permissions.





Add permissions for a SharePoint Online web (site collection)

The following cmdlets are used to add permissions to an existing SharePoint Online web. If your structure includes subsites, you have the option to break role inheritance on them. However, with the introduction of hub sites, most modern SharePoint designs would typically use the web to represent an entire site collection.


To a SharePoint group

The following cmdlet adds permissions to an existing SharePoint group. You can use the group name directly.

Set-PnPWebPermission -Group "test345" -AddRole "Contribute"



To a security group

Set-PnPWebPermission -User "c:0t.c|tenant|6510e196-d412-41de-a2e3-f99e8c0ffb4a" -AddRole 'Contribute'

OR

Set-PnPWebPermission -User "sichgroup3" -AddRole 'Read'

You can retrieve the security group ID by going to Entra ID » Groups or by using the Get-PnPAzureADGroup cmdlet.



To Microsoft 365 group members

The following cmdlet adds permissions for the web to the members of an existing Microsoft 365 group. You need to use the group ID. You can retrieve the Microsoft 365 group ID by going to Entra ID » Groups or by using the Get-PnPAzureADGroup cmdlet.

Set-PnPWebPermission -User "c:0o.c|federateddirectoryclaimprovider|76d0f375-335e-40d7-af94-de2116a0990a" -AddRole 'Contribute'

Some examples of how to retrieve a Microsoft 365 group using PnP cmdlets:

  • Get-PnPAzureADGroup | where {$_.GroupTypes -eq "Unified"}


  • Get-PnPAzureADGroup | where {$_.DisplayName -eq "test"}



To Everyone group

The Everyone group is special: use the claim c:0(.s|true. For more information on this specific claim, have a look at SharePoint Claims Deep Dive. Even though it is a group, use the -User parameter.

Set-PnPWebPermission -User "c:0(.s|true" -AddRole 'Contribute'


To Everyone Except External users

The Everyone except external users group also has a special name. Use c:0-.f|rolemanager|spo-grid-all-users/7110ff4b-10a6-4895-9169-2237e60672c7 for Everyone except external users. Keep in mind that your Everyone except external users group will have a different ID. Even though it is a group, use the -User parameter.

Set-PnPWebPermission -User "c:0-.f|rolemanager|spo-grid-all-users/7110ff4b-10a6-4895-9169-2237e60672c7" -AddRole 'Contribute'

One of the places where you can see the ID of your Everyone except external users group is SharePoint Online Site permissions.
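Because the Everyone and Everyone except external users claims grant access tenant-wide, it is worth checking where they already hold a role. The following added example (not part of the original article) lists direct role assignments for those two claims on the connected web and on every list with unique permissions. The function name is hypothetical and an active Connect-PnPOnline session is assumed.

```powershell
# Added example, not from the original article. Requires an active Connect-PnPOnline session.
# Find-BroadClaimAssignment is a hypothetical helper name.
function Find-BroadClaimAssignment {
    # Login names of the two tenant-wide claims discussed above.
    # The GUID after spo-grid-all-users/ differs per tenant, hence the wildcard.
    $broadClaims = @(
        'c:0(.s|true',
        'c:0-.f|rolemanager|spo-grid-all-users/*'
    )

    # Check the web itself plus every list with broken inheritance.
    $web = Get-PnPWeb
    $targets = @([pscustomobject]@{ Scope = 'Web'; Title = $web.Title; Object = $web })
    foreach ($list in Get-PnPList) {
        $unique = Get-PnPProperty -ClientObject $list -Property HasUniqueRoleAssignments
        if ($unique) {
            $targets += [pscustomobject]@{ Scope = 'List'; Title = $list.Title; Object = $list }
        }
    }

    foreach ($target in $targets) {
        $assignments = Get-PnPProperty -ClientObject $target.Object -Property RoleAssignments
        foreach ($assignment in $assignments) {
            # Member and RoleDefinitionBindings are not loaded by default.
            Get-PnPProperty -ClientObject $assignment -Property Member, RoleDefinitionBindings | Out-Null
            $login = $assignment.Member.LoginName
            $isBroad = $false
            foreach ($pattern in $broadClaims) {
                if ($login -like $pattern) { $isBroad = $true }
            }
            if ($isBroad) {
                [pscustomobject]@{
                    Scope     = $target.Scope
                    Title     = $target.Title
                    LoginName = $login
                    Roles     = ($assignment.RoleDefinitionBindings | ForEach-Object Name) -join ', '
                }
            }
        }
    }
}

Find-BroadClaimAssignment | Format-Table -AutoSize
```

Only direct role assignments are reported; a broad claim that was added as a member of a SharePoint group does not show up in this output.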





See Also

Mike Smith’s SharePoint 2013 and SharePoint Online Built-In Accounts

Understanding login name format of SharePoint

SharePoint Claims Deep Dive