CLI for Microsoft 365 - how cool is that? - Permission commands
SharePoint Online gives you the possibility to manage permissions on many different levels: webs, lists, folders, files, and items. Breaking role inheritance may not always be the best idea to do and should rather be considered as last resort, but it is not always possible to create an enterprise, tailor-made, solution without it. Thanks to the awesome work done by the community, the CLI for Microsoft 365 now has new commands that will allow us to accomplish that.
🤔 But first of all what is CLI for Microsoft 365? Quick intro
If you already know what the CLI for M365 is, then I suppose you may skip this part😀. CLI for Microsoft 365 is a cross platform command line tool based on Node.js that helps you manage many things around Microsoft 365 and your SPFx projects (yes, that as well 🤩. rename, upgrade … you name it). To name a few, you may manage OneDrive, Planner, Power Apps and Automate, Teams, Yammer, SharePoint (of course). The list keeps on growing and growing, check out the CLI for Microsoft 365. But it’s not only about managing Microsoft 365. The CLI helps you also manage your own SPFx environment (check out the doctor) or projects (rename, upgrade etc.). This is a very unique feature that many similar command line tools don’t have. Some commands do simple things, but some are actually ready to use scenarios all done under a single command. Check out the full list of commands
🎚️ Permission Levels
It all starts with defining what roles (permission levels) you will want to use. Each SharePoint site starts with a set of default role definitions, like: Full Control, Design, Edit, Contribute, Read. Those are the basic role definitions needed for most use cases we may think of, but if something is missing, then SharePoint gives us the possibility to extend permission levels with our custom made role definitions with different sets of permissions we may give, grouped in list, site, personal permissions. Exactly this scenario is covered by the first set of commands now available in the CLI for Microsoft 365. We may use
spo roledefinition list/get/add/remove
commands to do everything we need in this area. When adding a new role definition, we may pick any set of permissions from the following list:
EmptyMask, ViewListItems, AddListItems, EditListItems, DeleteListItems, ApproveItems, OpenItems, ViewVersions, DeleteVersions, CancelCheckout, ManagePersonalViews, ManageLists, ViewFormPages, AnonymousSearchAccessList, Open, ViewPages, AddAndCustomizePages, ApplyThemeAndBorder, ApplyStyleSheets, ViewUsageData, CreateSSCSite, ManageSubwebs, CreateGroups, ManagePermissions, BrowseDirectories, BrowseUserInfo, AddDelPrivateWebParts, UpdatePersonalWebParts, ManageWeb, AnonymousSearchAccessWebLists, UseClientIntegration, UseRemoteAPIs, ManageAlerts, CreateAlerts, EditMyUserInfo, EnumeratePermissions, FullMask
in the rights
option.
What’s worth mentioning is also the additional information (value) added when retrieving role definitions. CLI for Microsoft 365 when retrieving data usually outputs the response of the used API endpoint. For the role definition, the output is unfortunately not that user friendly. Let’s check what the SharePoint REST API gives when retrieving a custom created role definition:
{
"BasePermissions": {
"High": "0",
"Low": "67567639"
},
"Description": "",
"Hidden": false,
"Id": 1073741934,
"Name": "test",
"Order": 2147483647,
"RoleTypeKind": 0,
}
Wait, what? So what exactly are the permissions given for that role definition? What does 67567639
mean 🤔? Luckily for us, CLI does the additional translation and adds this information. For the above response when running
m365 spo roledefinition get --webUrl https://someTenant.sharepoint.com/sites/someSite --id 1073741934
we will get
{
"BasePermissions": {
"High": "0",
"Low": "67567639"
},
"Description": "",
"Hidden": false,
"Id": 1073741934,
"Name": "test",
"Order": 2147483647,
"RoleTypeKind": 0,
"BasePermissionsValue": [
"ViewListItems",
"AddListItems",
"EditListItems",
"ApproveItems",
"Open",
"ViewPages",
"AddAndCustomizePages",
"BrowseDirectories"
],
"RoleTypeKindValue": "None"
}
Now, ok, now I get it 😉.
For more information, check out the following commands:
spo roledefinition get
- Gets specified role definition from webspo roledefinition list
- Gets list of role definitions for the specified sitespo roledefinition add
- Adds a new roledefinition to webspo roledefinition remove
- Removes the role definition from the specified site
🔓🔒 Roleinheritance break/reset
After defining custom role definitions, the next step is breaking role inheritance on an item, list, or web. The most advanced secure scenarios sooner or later will require providing some unique permissions on list, folder, item or file level. It’s best to always inherit permissions for as long as possible, and when breaking the inheritance, be aware of the limitations. The CLI for Microsoft 365 now has a set of commands you may use on any level that will allow you to either break or reset role inheritance. When breaking role inheritance, the currently defined permissions will be kept. In order to clear all existing permissions, we may use clearExistingPermissions
option.
For more information, check the docs for the following commands:
spo file roleinheritance break
spo file roleinheritance reset
spo folder roleinheritance break
spo folder roleinheritance reset
spo list roleinheritance break
spo list roleinheritance reset
spo listitem roleinheritance break
spo listitem roleinheritance reset
spo web roleinheritance break
spo web roleinheritance reset
🪪 roleassignment add/remove
Now that we have unique permissions set on item (file, folder), list or web we may start modifying them by adding or removing role assignments to a group or user. The CLI for Microsoft 365 makes this process very convenient, as we may specify the user or group by name. For example, if we would like to grant Editor
role to a user with mail someaccount@tenant.onmicrosoft.com
on a list, we may just run:
m365 spo list roleassignment add --webUrl "https://contoso.sharepoint.com/sites/project-x" --listTitle "someList" --upn "someaccount@tenant.onmicrosoft.com" --roleDefinitionName "Editor"
It’s that simple 😎.
For more information check the docs for the following commands:
spo file roleassignment add
spo file roleassignment remove
spo folder roleassignment add
spo folder roleassignment remove
spo list roleassignment add
spo list roleassignment remove
spo listitem roleassignment add
spo listitem roleassignment remove
spo web roleassignment add
spo web roleassignment remove
🙏 THANK YOU
The commands described in this article were mostly developed thanks to the great help CLI for Microsoft 365 has received from the community. The provided functionality and improvements that were added along the way are truly awesome, and as one of the maintainers, I would like to express my gratitude to all the contributors engaged in the CLI repo. You ROCK 🤩.
🙋 Wanna help out?
CLI for Microsoft 365 is a great tool to use and also great place to learn GIT best practices, how to use SharePoint, Graph or other APIs. This tool is constantly improving and we are always open for contributors like you to make this tool even better 💪. Don’t worry if you don’t know how to start or what you could do. Just check out the contributing guide and issues list and give it a shot. If I still didn’t convince you, check out the 7 reasons to contribute to the community by Martin Lingstuyl. I will be waiting for your PRs. Let me know if you need any help to get started 👍.