Introduction
Using the PnP PowerShell module, you can assign permissions to an existing group within the Microsoft 365 environment. It can be a SharePoint group, security group or Microsoft 365 group. Keep in mind that claims can make it a bit complex. For a detailed explanation, have a look at the Claims Deep Dive article.
Get available roles
Use Get-PnPRoleDefinition to retrieve all available roles you can add or remove on a SharePoint Online site.
Get-PnPRoleDefinition | select name, RoleTypeKind, description
Add permissions for a SharePoint Online list
The following cmdlets add permissions for an existing SharePoint list. In case you would like to break the permission inheritance on a list from its parent first, you can use Set-PnPList -BreakRoleInheritance.
To a SharePoint group
The following cmdlet adds permissions to an existing SharePoint group for a list called ‘test1’. You can use the group name directly.
Set-PnPListPermission -Identity test1 -User "MyGroupName" -AddRole 'Contribute'
To a security group
The following cmdlet adds permissions to an existing security group. You need to use the group ID.
Set-PnPListPermission -Identity test1 -User "c:0t.c|tenant|6510e196-d412-41de-a2e3-f99e8c0ffb4a" -AddRole 'Contribute'
OR
Set-PnPListPermission -Identity test1 -User "sichgroup3" -AddRole 'Read'
You can retrieve the security group ID by going to Entra ID » Groups or by using the Get-PnPAzureADGroup cmdlet.
To Microsoft 365 group
The following cmdlet adds permissions to the members of an existing Microsoft 365 group. You need to use the group ID. You can retrieve the Microsoft 365 group ID by going to Entra ID » Groups or by using the Get-PnPAzureADGroup cmdlet.
Set-PnPListPermission -Identity test1 -User "c:0o.c|federateddirectoryclaimprovider|2b7a7a59-7c52-4e42-a8f9-0675fe1ab62a" -AddRole 'Contribute'
Some examples of how to retrieve a Microsoft 365 group using PnP cmdlets:
Get-PnPAzureADGroup | where {$_.GroupTypes -eq "Unified"}
Get-PnPAzureADGroup | where {$_.DisplayName -eq "test"}
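The two group claim formats above can be built from the object that Get-PnPAzureADGroup returns, which avoids copying IDs by hand. This is an added example, not part of the original article; Get-GroupClaim is a hypothetical helper, the list, group and role names are sample values, and it assumes the returned group object exposes an Id property and that a Connect-PnPOnline session already exists.

```powershell
# Added example. Claim prefixes are the two shown on this page; the list name,
# group name and role are sample values. Assumes Connect-PnPOnline has been run.
function Get-GroupClaim {
    param([Parameter(Mandatory)] $Group)

    # Cast to [guid] so a malformed or empty Id fails here, not at grant time.
    $id = [guid]$Group.Id
    if ($Group.GroupTypes -contains 'Unified') {
        "c:0o.c|federateddirectoryclaimprovider|$id"   # Microsoft 365 group
    } else {
        "c:0t.c|tenant|$id"                            # security group
    }
}

$listName  = 'test1'
$groupName = 'test'
$role      = 'Read'

# Display names are not unique in Entra ID: insist on exactly one match
# so the permission cannot land on a different group with the same name.
$found = @(Get-PnPAzureADGroup | Where-Object { $_.DisplayName -eq $groupName })
if ($found.Count -ne 1) {
    throw "Expected exactly one group named '$groupName', found $($found.Count)."
}

# Refuse role names that are not defined on this site.
if (-not (Get-PnPRoleDefinition | Where-Object { $_.Name -eq $role })) {
    throw "Role '$role' is not defined on this site."
}

$claim = Get-GroupClaim -Group $found[0]
Set-PnPListPermission -Identity $listName -User $claim -AddRole $role
Write-Output "Granted '$role' on '$listName' to $claim"
```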
To Everyone group
The Everyone group is special: use the claim c:0(.s|true for it. For more information on this specific claim, have a look at SharePoint Claims Deep Dive.
Set-PnPListPermission -Identity test1 -User "c:0(.s|true" -AddRole 'Contribute'
To Everyone Except External users
The Everyone except external users group also has its own special naming. Use c:0-.f|rolemanager|spo-grid-all-users/7110ff4b-10a6-4895-9169-2237e60672c7 for Everyone except external users. Keep in mind that your Everyone except external users group will have a different ID.
Set-PnPListPermission -Identity test1 -User "c:0-.f|rolemanager|spo-grid-all-users/7110ff4b-10a6-4895-9169-2237e60672c7" -AddRole 'Contribute'
One of the places where you can see the ID of your Everyone except external users group is SharePoint Online Site permissions.
Add permissions for a SharePoint Online web (site collection)
The following cmdlets are used to add permissions to an existing SharePoint Online web. If your structure includes subsites, you have the option to break role inheritance on them. However, with the introduction of hub sites, most modern SharePoint designs would typically use the web to represent an entire site collection.
To a SharePoint group
The following cmdlet adds permissions to an existing SharePoint group. You can use the group name directly.
Set-PnPWebPermission -Group "test345" -AddRole "Contribute"
To security group
Set-PnPWebPermission -User "c:0t.c|tenant|6510e196-d412-41de-a2e3-f99e8c0ffb4a" -AddRole 'Contribute'
OR
Set-PnPWebPermission -User "sichgroup3" -AddRole 'Read'
You can retrieve the security group ID by going to Entra ID » Groups or by using the Get-PnPAzureADGroup cmdlet.
To Microsoft 365 group members
The following cmdlet adds permissions for the web to the members of an existing Microsoft 365 group. You need to use the group ID. You can retrieve the Microsoft 365 group ID by going to Entra ID » Groups or by using the Get-PnPAzureADGroup cmdlet.
Set-PnPWebPermission -User "c:0o.c|federateddirectoryclaimprovider|76d0f375-335e-40d7-af94-de2116a0990a" -AddRole 'Contribute'
Some examples of how to retrieve a Microsoft 365 group using PnP cmdlets:
Get-PnPAzureADGroup | where {$_.GroupTypes -eq "Unified"}
Get-PnPAzureADGroup | where {$_.DisplayName -eq "test"}
To Everyone group
The Everyone group is special: use the claim c:0(.s|true for it. For more information on this specific claim, have a look at SharePoint Claims Deep Dive.
Even though it is a group, use the -User parameter.
Set-PnPWebPermission -User "c:0(.s|true" -AddRole 'Contribute'
To Everyone Except External users
The Everyone except external users group also has its own special naming. Use c:0-.f|rolemanager|spo-grid-all-users/7110ff4b-10a6-4895-9169-2237e60672c7 for Everyone except external users. Keep in mind that your Everyone except external users group will have a different ID.
Even though it is a group, use the -User parameter.
Set-PnPWebPermission -User "c:0-.f|rolemanager|spo-grid-all-users/7110ff4b-10a6-4895-9169-2237e60672c7" -AddRole 'Contribute'
One of the places where you can see the ID of your Everyone except external users group is SharePoint Online Site permissions.
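To review where the Everyone and Everyone except external users claims are already granted, the role assignments of a web or list can be read back and matched against the two claim formats shown above. This is an added example, not part of the original article; Get-BroadClaimAssignment is a hypothetical helper, 'test1' is the sample list used on this page, and a Connect-PnPOnline session is assumed.

```powershell
# Added example. Matches the two tenant-wide claims described on this page.
# Assumes Connect-PnPOnline has been run against the site to review.
function Get-BroadClaimAssignment {
    param([Parameter(Mandatory)] $Securable)   # web or list client object

    $assignments = Get-PnPProperty -ClientObject $Securable -Property RoleAssignments
    foreach ($ra in $assignments) {
        # Load the principal and its roles for this assignment.
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        $login = $ra.Member.LoginName

        # The ID after the slash differs per tenant, so match on the prefix only.
        $kind = if ($login -eq 'c:0(.s|true') {
            'Everyone'
        } elseif ($login -like 'c:0-.f|rolemanager|spo-grid-all-users/*') {
            'Everyone except external users'
        } else {
            $null
        }

        if ($kind) {
            [pscustomobject]@{
                Principal = $kind
                LoginName = $login
                Roles     = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '
            }
        }
    }
}

# Site-level assignments.
Get-BroadClaimAssignment -Securable (Get-PnPWeb)

# A list is only worth checking separately when it has broken inheritance;
# otherwise it reports the same assignments as its parent web.
$list = Get-PnPList -Identity 'test1' -Includes HasUniqueRoleAssignments
if ($list.HasUniqueRoleAssignments) {
    Get-BroadClaimAssignment -Securable $list
}
```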
See Also
Mike Smith’s SharePoint 2013 and SharePoint Online Built-In Accounts