Unattended Invoke-PnPSPRestMethod for uniqperm.aspx?

[wjamesw]

Hello,

I'm trying to write a script to run unattended that checks /_layouts/15/uniqperm.aspx as an inexpensive method for identifying uniquely permissioned SharePoint Online lists or lists containing uniquely permissioned list items.

I can only get it to work when I've connected using -UseWebLogin, then using Invoke-PnPSPRestMethod -Raw. This approach is not unattended and I see that -UseWebLogin is disappearing anyway.

When I connect using a certificate for my registered PnP PowerShell Application, to which I have granted application permissions with Full Access rights to all sites, I get a 401 error for this cmdlet for this page (while /_layouts/15/user.aspx, for example, is retrieved just fine!)

How can I get this to work for uniqperm.aspx like -UseWebLogin did please?

Thanks,

James

[Barbarur]

I couldn't understand the issue. Can you share a minimum reproducible sample for what works and what doesn't work for you?

Here is a sample script for getting side permissions: https://pnp.github.io/script-samples/spo-get-permission-audit/README.html?tabs=pnpps

[wjamesw]

Hi @Barbarur,

Thanks for your reply. The below is a minimum sample:

Import-Module PnP.PowerShell
$appId = "75e59c80-3dbb-47b0-89cd-9ba9d141800f";
$tenantId = "bd78dee9-9abf-4401-b6d6-e142688c4654";
$certificatePath = "PnP_PowerShell_Application.pfx";
$SiteURL = "https://wjwdev.sharepoint.com/sites/test";
$siteUserUrl = "/_layouts/15/user.aspx";
$sitePermissionUrl = "/_layouts/15/uniqperm.aspx?IsDlg=1";

Write-Host "`nTesting with Application Permissions";
$sitePermissionPageContent = $null;
$siteUserPageContent = $null;
Connect-PnPOnline -Url $SiteURL -Tenant $tenantId -ClientId $appId -CertificatePath $certificatePath;

Write-Host "`nRetrieving user page";
$siteUserPageContent = Invoke-PnPSPRestMethod -Url $($SiteURL + $siteUserUrl) -Method GET -Raw;
$siteUserPageContent.IndexOf('__gvctl00_PlaceHolderMain_rptrUsers__div');

Write-Host "`nRetrieving unique permissions page";
$sitePermissionPageContent = Invoke-PnPSPRestMethod -Url $($SiteURL + $sitePermissionUrl) -Method GET -Raw; 
$sitePermissionPageContent.IndexOf('__gvctl00_PlaceHolderMain_rptrUniqueLists__div');

Write-Host "`nTesting with -UseWebLogin";
$sitePermissionPageContent = $null;
$siteUserPageContent = $null;
Connect-PnPOnline -Url $SiteURL -UseWebLogin;

Write-Host "`nRetrieving user page";
$siteUserPageContent = Invoke-PnPSPRestMethod -Url $($SiteURL + $siteUserUrl) -Method GET -Raw;
$siteUserPageContent.IndexOf('__gvctl00_PlaceHolderMain_rptrUsers__div');

Write-Host "`nRetrieving unique permissions page";
$sitePermissionPageContent = Invoke-PnPSPRestMethod -Url $($SiteURL + $sitePermissionUrl) -Method GET -Raw; 
$sitePermissionPageContent.IndexOf('__gvctl00_PlaceHolderMain_rptrUniqueLists__div');

This produces the following output:

As you can see, while the user.aspx page is successfully retrieved using both connection options, only the -UseWebLogin approach works for the uniqperm.aspx page, but using that approach is not unattended which is my requirement.

Thanks for linking to the script sample. That's actually where I got the idea to do this script. The difference is that the sample has to get every item from every list to see if there are any lists with uniquely permissioned items (see Get-ListItems_WithUniquePermissions function), whereas the table on this page already has that information, so it would be more efficient to read that page if possible.

Please let me know if you have any further questions.

Thanks,

James

[Barbarur]

I've been doing some test and I'm facing the same issue. That endpoint might be restricted to users only, not really sure.

Though I wonder; even if you are able to retrieve the data, how do you plan to get the sub-unique permissions? That URL only shows if the Lists/Libraries with unique permissions and List/Libraries and hold items with unique permissions, but it doesn't show unique permissions at the Item/folder level.

[wjamesw]

Hopefully someone will know. Thanks for trying!
If you visit that page you'll see a "View exceptions" link for each list that contains items with unique permissions:

Each of those "View exceptions" links is to the same uniqperm.aspx page, but with a different query string, on which you'll see all the uniquely permissioned items, each with a link that will take you to the permissions for that item (or, at least, which you can extract the item ID from).

[jflieben]

I wouldn't recommend going this route, because uniqperm.aspx only shows the first few unique permissions. You'd be better off with e.g. M365Permissions to create a full overview of these types of exceptions.