public/get-SpOPermissions.ps1

Function get-SpOPermissions{
    <#
        Author = "Jos Lieben (jos@lieben.nu)"
        CompanyName = "Lieben Consultancy"
        Copyright = "https://www.lieben.nu/liebensraum/commercial-use/"
         
        Parameters:
        -teamName: the name of the Team to scan
        -siteUrl: the URL of the Team (or any sharepoint location) to scan (e.g. if name is not unique)
        -expandGroups: if set, group memberships will be expanded to individual users
        -outputFormat:
            XLSX
            CSV
            Default (output to Out-GridView)
            Any combination of above is possible
        -includeCurrentUser: add entries for the user performing the audit (as this user will have all access, it'll clutter the report)
    #>
        
    Param(
        [parameter(Mandatory=$true,
        ParameterSetName="ByName")]
        [String]
        $teamName,
    
        [parameter(Mandatory=$true,
        ParameterSetName="BySite")]
        [String]
        $siteUrl, 

        [Switch]$expandGroups,
        [ValidateSet('XLSX','CSV','Default')]
        [String[]]$outputFormat="XLSX",
        [Switch]$includeCurrentUser
    )

    $global:includeCurrentUser = $includeCurrentUser.IsPresent
    if(!$global:tenantName){
        $global:tenantName = (New-GraphQuery -Method GET -Uri 'https://graph.microsoft.com/v1.0/domains?$top=999' -NoPagination | Where-Object -Property isInitial -EQ $true).id.Split(".")[0]
    }

    Write-Host "Starting SpO Scan of $teamName $siteUrl"

    $spoBaseAdmUrl = "https://$($tenantName)-admin.sharepoint.com"
    Write-Verbose "Using Sharepoint base URL: $spoBaseAdmUrl"

    $ignoredSiteTypes = @("REDIRECTSITE#0","SRCHCEN#0", "SPSMSITEHOST#0", "APPCATALOG#0", "POINTPUBLISHINGHUB#0", "EDISC#0", "STS#-1","EHS#1","POINTPUBLISHINGTOPIC#0")
    if($siteUrl){
        $sites = Get-PnPTenantSite -Connection (Get-SpOConnection -Type Admin -Url $spoBaseAdmUrl) -Identity $siteUrl
    }
    if(!$sites){
        $sites = @(Get-PnPTenantSite -IncludeOneDriveSites -Connection (Get-SpOConnection -Type Admin -Url $spoBaseAdmUrl) | Where-Object {`
            $_.Template -NotIn $ignoredSiteTypes -and
            ($Null -ne $teamName -and $_.Title -eq $teamName -and $_.Template -notlike "*CHANNEL*") -or ($Null -ne $siteUrl -and $_.Url -eq $siteUrl)
        })
    }

    if($sites.Count -gt 1){
        Throw "Failed to find a single Team using $teamName. Found: $($sites.Url -join ","). Please use the Url to specify the correct Team"
    }elseif($sites.Count -eq 0 -or $Null -eq $sites){
        Throw "Failed to find a Team using $teamName $siteUrl. Please check the name and try again"
    }else{
        $site = $sites[0]
    }

    if($site.GroupId.Guid -eq "00000000-0000-0000-0000-000000000000"){
        $groupId = $Null
        Write-Host "Site is not connected to a group and is likely not a Team site."
    }else{
        $groupId = $site.GroupId.Guid
        Write-Host "Site is connected to a group with ID: $groupId"
    }

    if($groupId){
        try{
            Write-Host "Retrieving channels for this site/team..."
            $channels = New-GraphQuery -Uri "https://graph.microsoft.com/beta/teams/$groupId/channels" -Method GET -NoRetry
            Write-Host "Found $($channels.Count) channels"
        }catch{
            Write-Warning "Failed to retrieve channels for this site/team, assuming no additional sub sites to scan"
            $channels = @()
        }
        foreach($channel in $channels){
            if($channel.filesFolderWebUrl){
                $targetUrl = $Null; $targetUrl ="https://$($tenantName).sharepoint.com/$($channel.filesFolderWebUrl.Split("/")[3])/$($channel.filesFolderWebUrl.Split("/")[4])"
            }
            if($targetUrl -and $sites.Url -notcontains $targetUrl){
                try{
                    Write-Host "Adding Channel $($channel.displayName) with URL $targetUrl to scan list as it has its own site"
                    $extraSite = $Null; $extraSite = Get-PnPTenantSite -Connection (Get-SpOConnection -Type Admin -Url $spoBaseAdmUrl) -Identity $targetUrl
                    if($extraSite -and $extraSite.Template -NotIn $ignoredSiteTypes){
                        $sites += $extraSite
                    }
                }catch{
                    Write-Error "Failed to add Channel $($channel.displayName) with URL $targetUrl to scan list. It may have been deleted, because Get-PnPTenantSite failed with $_" -ErrorAction Continue
                }
            }          
        }
    }

    $global:SPOPermissions = @{}
    $statObjects = @()

    foreach($site in $sites){ 
        $global:statObj = [PSCustomObject]@{
            "Module version" = $global:moduleVersion
            "Category" = "SharePoint"
            "Subject" = $site.Url
            "Total objects scanned" = 0
            "Scan start time" = Get-Date
            "Scan end time" = ""
            "Scan performed by" = $global:currentUser.userPrincipalName
        }              
        $wasOwner = $False
        try{
            if($site.Owners -notcontains $global:currentUser.userPrincipalName){
                Write-Host "Adding you as site collection owner to ensure all permissions can be read from $($site.Url)..."
                Set-PnPTenantSite -Identity $site.Url -Owners $global:currentUser.userPrincipalName -Connection (Get-SpOConnection -Type Admin -Url $spoBaseAdmUrl) -WarningAction Stop -ErrorAction Stop
                Write-Host "Owner added and marked for removal upon scan completion"
            }else{
                $wasOwner = $True
                Write-Host "Site collection ownership verified for $($site.Url) :)"
            }            
            $spoWeb = Get-PnPWeb -Connection (Get-SpOConnection -Type User -Url $site.Url) -ErrorAction Stop
        }catch{        
            Write-Error "Failed to parse site $($site.Url) because $_" -ErrorAction Continue
            $global:statObj."Scan end time" = "ERROR! $_"
            $statObjects += $global:statObj
            continue
        }
        
        Write-Host "Scanning root $($spoWeb.Url)..."
        $spoSiteAdmins = Get-PnPSiteCollectionAdmin -Connection (Get-SpOConnection -Type User -Url $site.Url)
        $global:SPOPermissions.$($spoWeb.Url) = @()

        foreach($spoSiteAdmin in $spoSiteAdmins){
            if($spoSiteAdmin.PrincipalType -ne "User" -and $expandGroups){
                $members = $Null; $members = Get-PnPGroupMembers -group $spoSiteAdmin -parentId $spoSiteAdmin.Id -siteConn (Get-SpOConnection -Type User -Url $site.Url) | Where-Object {$_}
                foreach($member in $members){
                    New-SpOPermissionEntry -Path $spoWeb.Url -Permission (get-spopermissionEntry -entity $member -object $spoWeb -permission "Owner" -Through "GroupMembership" -parent $spoSiteAdmin.Title)
                }
            }else{
                New-SpOPermissionEntry -Path $spoWeb.Url -Permission (get-spopermissionEntry -entity $spoSiteAdmin -object $spoWeb -permission "Owner" -Through "DirectAssignment")
            }
        }        

        get-PnPObjectPermissions -Object $spoWeb

        $global:statObj."Scan end time" = Get-Date
        $statObjects += $global:statObj
        if(!$wasOwner){
            Write-Host "Cleanup: Removing you as site collection owner of $($site.Url)..."
            Remove-PnPSiteCollectionAdmin -Owners $global:currentUser.userPrincipalName -Connection (Get-SpOConnection -Type User -Url $site.Url)
            Write-Host "Cleanup: Owner removed"
        }          
    }
    
    Write-Host "All permissions retrieved, writing reports..."

    $permissionRows = foreach($row in $global:SPOPermissions.Keys){
        foreach($permission in $global:SPOPermissions.$row){
            [PSCustomObject]@{
                "ID" = $permission.RowId
                "Path" = $row
                "Object"    = $permission.Object
                "Name" = $permission.Name
                "Identity" = $permission.Identity
                "Email" = $permission.Email
                "Type" = $permission.Type
                "Permission" = $permission.Permission
                "Through" = $permission.Through
                "Parent" = $permission.Parent
                "LinkCreationDate" = $permission.LinkCreationDate
                "LinkExpirationDate" = $permission.LinkExpirationDate                
            }
        }
    }

    add-toReport -statistics $statObjects -formats $outputFormat -permissions $permissionRows -category "SpO"
}