powershell sharepoint-online

SharePoint Online - finding direct assignments


We have 600+ SharePoint sites and we are going to migrate them to an entirely new hybrid domain environment. We are currently attempting a configuration of a cross-tenant access scenario. I am attempting to find any users who have been directly assigned to any of our SharePoint sites. I don't want to go user by user (3000+ users) to find direct assignments unless I absolutely have to. I would rather look at the sites and determine if a user is not assigned as a part of a group. So far I am not finding an SPO cmdlet that will identify the directly assigned users.

Has anyone done this before, and if so would you be willing to share your methods and experience? I can assign all of the current users/groups but would rather clean up before migrating the sites from the old tenant to the new tenant. I have successfully assigned my account in the new tenant as an #EXT user to an existing site in the old tenant. But we are wanting to avoid direct assignments if at all possible.

I am pulling the sites into a collection with Get-SPOSite, and users/groups for each site with Get-SPOUser. From there I need to identify direct assignments and that isn't clear. TIA.


Solution

  • To find any users who have been directly assigned to any of the SharePoint sites, you can use the Get-SPOUser cmdlet to get a list of all users for each site, and then use the Get-SPOGroup cmdlet to get a list of all groups for each site. You can then compare the users against the members of each group to determine if any users are not assigned as part of a group. Here's an example PowerShell script that should accomplish this:

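    # Requires an active Connect-SPOService session against the tenant admin URL.
    # -Limit All: Get-SPOSite returns only the first 200 sites by default.
    $sites = Get-SPOSite -Limit All
    foreach ($site in $sites) {
        # -Limit All: Get-SPOUser returns only the first 500 users by default.
        $users = Get-SPOUser -Site $site.Url -Limit All
        # Each group object already carries its members' login names in .Users,
        # so no further Get-SPOGroup call is needed per user and group.
        $groups = Get-SPOGroup -Site $site.Url
        foreach ($user in $users) {
            $isAssigned = $false
            foreach ($group in $groups) {
                if ($group.Users -contains $user.LoginName) {
                    $isAssigned = $true
                    break
                }
            }
            if (!$isAssigned) {
                Write-Output "User $($user.LoginName) is not assigned to a group on site $($site.Url)"
            }
        }
    }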
    

    This script will loop through all SharePoint sites in your tenant, and for each site it will get a list of all users and groups. It will then loop through each user, and for each user it will loop through each group to see if the user is a member of that group. If the user is not a member of any group, it will output a message indicating that the user is not assigned to a group on that site.
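
An added example, not part of the original answer: the same "not in any SharePoint group" check written as a filter that skips security groups and built-in accounts (which would otherwise show up as ungrouped users) and returns objects that can be exported for review. It assumes input objects with the properties Get-SPOUser returns (LoginName, DisplayName, IsGroup, IsSiteAdmin, Groups); the function name, the system-account pattern and the sample records are constructed for illustration.

```powershell
# Added example. Get-UngroupedSiteUser is a hypothetical helper name.
function Get-UngroupedSiteUser {
    param(
        [Parameter(Mandatory)] [string] $SiteUrl,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Users
    )
    # Assumed pattern for built-in accounts found in site user lists; extend as needed.
    $systemPattern = '^(SHAREPOINT\\|NT SERVICE\\|NT AUTHORITY\\)'
    foreach ($u in $Users) {
        if ($u.IsGroup) { continue }                            # security groups, "Everyone" claims
        if ($u.LoginName -match $systemPattern) { continue }    # service and system accounts
        # Count real group names only; guards against a $null Groups property.
        $groupCount = @($u.Groups | Where-Object { $_ }).Count
        if ($groupCount -gt 0) { continue }                     # reached via a SharePoint group
        [pscustomobject]@{
            Site        = $SiteUrl
            LoginName   = $u.LoginName
            DisplayName = $u.DisplayName
            IsSiteAdmin = [bool]$u.IsSiteAdmin
            # Guest accounts carry "#ext#" in the login name.
            IsExternal  = $u.LoginName -like '*#ext#*'
        }
    }
}

# Constructed sample records shaped like Get-SPOUser output (not real accounts).
$sample = @(
    [pscustomobject]@{ LoginName = 'alice@contoso.example'; DisplayName = 'Alice'
                       IsGroup = $false; IsSiteAdmin = $false; Groups = @('Project Members') }
    [pscustomobject]@{ LoginName = 'bob@contoso.example'; DisplayName = 'Bob'
                       IsGroup = $false; IsSiteAdmin = $true; Groups = @() }
    [pscustomobject]@{ LoginName = 'carol_fabrikam.example#ext#@contoso.onmicrosoft.example'
                       DisplayName = 'Carol'; IsGroup = $false; IsSiteAdmin = $false; Groups = @() }
    [pscustomobject]@{ LoginName = 'SHAREPOINT\system'; DisplayName = 'System Account'
                       IsGroup = $false; IsSiteAdmin = $false; Groups = @() }
    [pscustomobject]@{ LoginName = 'c:0(.s|true'; DisplayName = 'Everyone'
                       IsGroup = $true; IsSiteAdmin = $false; Groups = @() }
)

# Returns Bob and Carol only; Alice is grouped, the other two are not people.
Get-UngroupedSiteUser -SiteUrl 'https://contoso.example/sites/demo' -Users $sample |
    Format-Table -AutoSize

# Live use inside the per-site loop (requires Connect-SPOService):
#   Get-UngroupedSiteUser -SiteUrl $site.Url -Users (Get-SPOUser -Site $site.Url -Limit All)
```

The result is a candidate list to review before migration, since membership in no SharePoint group is a heuristic for a direct assignment rather than a read of the site's permission entries.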