Grant an Azure AD Group SharePoint Online Library Permissions with PowerShell

It is possible to automate setting SharePoint Online document library permissions using the PowerShell SharePointPnPPowerShellOnline module. However in the module examples it is not clear how to add Azure Active Directory groups directly to list and document library permissions.

In this blog I will cover how to do this.

Firstly you will need the AzureAD PowerShell module

You will also need the SharePointPnPPowerShellOnline module

Now lets set the variables we need to work with:

# Azure/O365 credentials used to get the Azure AD group info and set the SharePoint Online document library permissions
$Credential = Get-Credential

# Display name of the Azure AD group you wish to assign permissions to
$Groupname = "Accounts Payable"

# URL of your SharePoint Online site that contains the library
$SiteURL = ""

# Document library name you will be assigning permissions to
$LibraryName = "Accounts Documents"

To be able to assign the Azure AD group to the document library we need to get its object ID and assign it to a variable.

Connect-AzureAD -Credential $Credential
# Get the ObjectId of your Azure AD group
$GroupId = (Get-AzureADGroup -Filter "DisplayName eq '$GroupName'").ObjectId

Now we can connect to SharePoint Online to set the permissions

Connect-PnPOnline –Url $SiteURL –Credentials $Credential

If you want to break permissions inheritance on the library (optional)

Set-PnPList -Identity $LibraryName -BreakRoleInheritance

Now we can set the Azure AD group permissions on the library. Note that the roles available are Read, Contribute, Full Control.

Set-PnPListPermission -Identity $LibraryName -Group "c:0t.c|tenant|$GroupId" -AddRole 'Contribute'

That’s it! now the Azure AD group has the permissions assigned to the library. If you wish to add the “Everyone except external users” group to the library you can use the following:

$AllExceptExternalUsers = Get-PnPUser | where-object title -eq "Everyone except external users" | Select-Object -expand loginname

Set-PnPListPermission -Identity $LibraryName -Group $AllExceptExternalUsers -AddRole "Read"

Here’s the full script:

Share on facebook
Share on linkedin
Share on twitter

Leave a Reply