Lesson 5: Working with IT for Permission Management

Understand when to involve IT support and how automated tools can help maintain permissions at scale

⏱️ 10 minutes 👥 Business Focus 📊 Awareness Level

🤝 When to Involve Your IT Team

As a business user, you can handle most day-to-day permission management through SharePoint's interface. However, certain scenarios require IT support or automated tools:

🔔 Escalate to IT When You Need:

  • Bulk user management: Adding/removing 20+ users at once
  • Cross-site permissions: Consistent access across multiple sites
  • Automated reporting: Regular permission audits and compliance reports
  • Complex scenarios: Temporary access, scheduled changes, or custom requirements
  • Troubleshooting: When standard tools can't identify permission issues

Installing Required PowerShell Modules

Modern SharePoint permission management requires both PnP PowerShell and Microsoft Graph PowerShell for managing Entra groups:

# Install PnP PowerShell for SharePoint management
Install-Module -Name PnP.PowerShell -Force -AllowClobber

# Install Microsoft Graph PowerShell for Entra group management (recommended)
Install-Module -Name Microsoft.Graph -Force -AllowClobber

# Verify installations
Get-Module -Name PnP.PowerShell -ListAvailable
Get-Module -Name Microsoft.Graph -ListAvailable

# Connect to SharePoint
Connect-PnPOnline -Url "https://yourtenant.sharepoint.com/sites/yoursite" -Interactive

# Connect to Microsoft Graph (for Entra group management)
Connect-MgGraph -Scopes "Group.Read.All","Group.ReadWrite.All"
💡 2025 Best Practice: Use Microsoft Graph PowerShell to manage Entra (Azure AD) groups, then assign those groups to SharePoint sites. This provides better scalability and unified management across Microsoft 365.
💡 Valencia Business Tip: Set up a dedicated "SharePoint Admin" machine or use Windows PowerShell ISE for better script management. Save frequently used connection commands for quick access.

📋 Essential Permission Commands

Master these core commands to handle 90% of your permission management tasks:

1. Getting Current Permissions

Before making changes, always understand the current state:

# Get all site permissions
$sitePermissions = Get-PnPSiteGroup
$sitePermissions | Format-Table Title, Users, Roles

# Get detailed permissions for a specific group
Get-PnPGroupMember -Identity "Site Members"
What this does: Lists all SharePoint groups and their members. Essential for understanding current access levels before making changes. 
# Get permissions for a specific library
$libraryPermissions = Get-PnPListPermission -Identity "Documents"
$libraryPermissions

# Check if library has unique permissions
$list = Get-PnPList -Identity "Documents"
$list.HasUniqueRoleAssignments
What this does: Shows who has access to specific libraries and whether they have broken inheritance from the site level. 
# Get all permissions for a specific user
$userEmail = "maria.garcia@company.com"
Get-PnPUserEffectivePermissions -Identity $userEmail -List "Documents"

# Find all groups a user belongs to
Get-PnPUser -Identity $userEmail | Select-Object Groups
What this does: Shows exactly what permissions a specific user has, including inherited permissions through groups.

👥 Bulk User Management Scripts

These scripts save hours when managing large teams or multiple site collections:

Adding Multiple Users to Groups

Scenario: Your Valencia office hired 10 new marketing team members who need access to marketing sites.

🛠️ SCRIPT PLACEHOLDER - Add Multiple Users to Group
Content to create:
• Read users from CSV file (Name, Email, Group)
• Loop through users and add to appropriate groups
• Error handling for duplicate users
• Progress reporting and logging
• Email notification to new users
Save as: Add-BulkUsersToGroups.ps1
💡 Best Practice: Always test with 2-3 users before running bulk operations. Use the -WhatIf parameter when available to see what would happen without making changes.

Creating Department Groups

Scenario: Setting up consistent group structures across multiple department sites.

🛠️ SCRIPT PLACEHOLDER - Create Department Groups
Content to create:
• Create groups with naming convention (Dept_Contributors, Dept_Viewers)
• Set appropriate permission levels
• Add group descriptions
• Configure group settings (visibility, etc.)
• Apply to multiple sites in a loop
Save as: New-DepartmentGroups.ps1

📊 Permission Reporting and Auditing

For compliance and security audits, you need detailed permission reports:

Comprehensive Permission Report

Use case: Generate detailed reports for GDPR compliance or security audits.

🛠️ SCRIPT PLACEHOLDER - Permission Audit Report
Content to create:
• Scan all sites in tenant (or specified collection)
• Export user permissions to CSV
• Include inheritance status
• Flag external users
• Group membership details
• Last access information
Save as: Export-PermissionReport.ps1 
# CRITICAL: Monitor unique permissions (broken inheritance)
# WARNING: Unique permissions are NOT best practice - monitor closely!

# Find all items with broken inheritance (MAJOR CONCERN)
$brokenInheritance = Get-PnPList | Where-Object {$_.HasUniqueRoleAssignments -eq $true}
Write-Warning "Found $($brokenInheritance.Count) items with broken inheritance - this should be minimized!"
$brokenInheritance | Select-Object Title, DefaultViewUrl | Export-Csv "BrokenInheritance_$(Get-Date -Format 'yyyyMMdd').csv"

# Check for external users (security risk)
$externalUsers = Get-PnPUser | Where-Object {$_.Email -like "*#ext#*"}
$externalUsers | Select-Object Title, Email, Groups | Export-Csv "ExternalUsers_$(Get-Date -Format 'yyyyMMdd').csv"

# Alert if too many unique permissions found
if ($brokenInheritance.Count -gt 20) {
    Write-Error "ALERT: $($brokenInheritance.Count) items with unique permissions exceeds recommended limit of 20!"
}

🚀 Advanced Permission Scenarios

Project-Based Temporary Access

Valencia Business Scenario: Give external consultants temporary access to project folders that automatically expires.

🛠️ SCRIPT PLACEHOLDER - Temporary Project Access
Content to create:
• Create project-specific folders with unique permissions
• Add external users with expiration dates
• Schedule cleanup script to remove expired access
• Email notifications before expiration
• Logging for compliance tracking
Save as: New-TemporaryProjectAccess.ps1

⚠️ Security Warning

Always implement cleanup processes for temporary access. Set calendar reminders and automated scripts to review and remove expired permissions.

Cross-Site Permission Synchronisation

Scenario: Keep user access consistent across related sites (main site, project sites, archive sites).

🛠️ SCRIPT PLACEHOLDER - Cross-Site Sync
Content to create:
• Define master site for group membership
• Sync groups across multiple related sites
• Handle different permission levels per site
• Conflict resolution for existing permissions
• Progress reporting and error handling
Save as: Sync-CrossSitePermissions.ps1

✅ PowerShell Best Practices for Permission Management

1. Always Test First

# Use -WhatIf parameter when available
Remove-PnPGroupMember -Identity "Site Members" -LoginName "user@company.com" -WhatIf

# Test on a single user before bulk operations
$testUser = "test.user@company.com"
Add-PnPGroupMember -Identity "Marketing Team" -LoginName $testUser

2. Implement Comprehensive Logging

# Start logging
$logFile = "C:\Logs\PermissionChanges_$(Get-Date -Format 'yyyyMMdd_HHmm').txt"
Start-Transcript -Path $logFile

# Your permission changes here
Write-Host "Adding user $userEmail to group $groupName" -ForegroundColor Green

# Stop logging
Stop-Transcript

3. Error Handling for Production Scripts

try {
    Add-PnPGroupMember -Identity "Site Members" -LoginName $userEmail
    Write-Host "Successfully added $userEmail" -ForegroundColor Green
}
catch {
    Write-Warning "Failed to add $userEmail : $($_.Exception.Message)"
    # Log error for review
    Add-Content -Path $errorLog -Value "$userEmail : $($_.Exception.Message)"
}
💡 Valencia Business Tip: Create a standard script template with logging, error handling, and progress reporting. This makes your scripts more reliable and easier to troubleshoot.

🔧 Common PowerShell Issues and Solutions

Issue: "Access Denied" Errors

Symptoms: Scripts fail with permission errors even when you're a site owner.

Solutions:

  1. Verify you're connected to the correct site
  2. Check if you have SharePoint Administrator rights
  3. Use -Force parameter where available
  4. Try connecting with different authentication methods

Issue: Script Runs Slowly

Symptoms: Permission scripts take very long to complete.

Optimisation tips:

  • Use batch operations instead of individual commands
  • Filter results early in the pipeline
  • Avoid unnecessary Get- commands in loops
  • Process sites in parallel where possible

Issue: Users Not Found

# Verify user exists before adding to groups
$user = Get-PnPUser -Identity $userEmail -ErrorAction SilentlyContinue
if ($user) {
    Add-PnPGroupMember -Identity $groupName -LoginName $userEmail
} else {
    Write-Warning "User $userEmail not found in SharePoint"
}

📁 Script Templates for Your Valencia Business

These templates provide a starting point for common permission management tasks:

📄 New Employee Setup

Automatically add new hires to appropriate groups based on department and role.

New-EmployeeAccess.ps1

🚪 Employee Departure

Remove departing employee access from all sites and groups systematically.

Remove-EmployeeAccess.ps1

📊 Monthly Audit

Generate monthly permission reports for compliance and security review.

Monthly-PermissionAudit.ps1

🔄 Group Synchronisation

Keep department groups synchronised across multiple SharePoint sites.

Sync-DepartmentGroups.ps1
💡 Implementation Tip: Start with one template, customise it for your Valencia business needs, test thoroughly, then gradually implement others. Build a library of tested scripts for common scenarios.

🎯 Key Takeaways

← Previous: Microsoft Copilot & Permissions Next: Troubleshooting & Best Practices →