SharePoint - Retrieve permissions at folder and file level in PowerShell

This is the method using PnP Online. Retrieve the additional properties using

Get-PnPProperty

# Open the PnP session to the site whose permissions are being read; $siteUrl must be set by the caller.
# NOTE(review): no authentication parameter is given, so how sign-in happens depends on the PnP module version in use - confirm.
# NOTE(review): presumably the connecting account must be allowed to enumerate permissions on the site for the later role-assignment reads to succeed - confirm.
Connect-PnPOnline -Url $siteUrl
# Keep the client context of this connection; the folder example calls Load()/ExecuteQuery() on it.
$context = Get-PnPContext

For Files

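# Report the permissions that are set directly on one file.
# Inputs : $filePath (URL of the file) and an open PnP connection.
# Output : one object per role assignment with LoginName, LoginTitle, PrincipalType and Permission.
# Audit caveats:
#   - Nothing is reported when the file inherits its permissions (HasUniqueRoleAssignments is false).
#     That means "same access as the parent object", not "nobody has access".
#   - A group principal is reported as a single row; its members are not expanded here.
$file = Get-PnPFile -Url $filePath -AsListItem
# These are the additional properties that have to be fetched explicitly before they can be read.
Get-PnPProperty -ClientObject $file -Property HasUniqueRoleAssignments, RoleAssignments

if ($file.HasUniqueRoleAssignments -eq $True)
{
    foreach ($roleAssignments in $file.RoleAssignments)
    {
        # Load the principal (Member) and the granted roles for this assignment.
        Get-PnPProperty -ClientObject $roleAssignments -Property RoleDefinitionBindings, Member

        # Build a fresh object per assignment. The original wrote into a $permission variable
        # that this snippet never created and never emitted, so every assignment overwrote
        # the previous one and only the last could survive.
        $permission = [PSCustomObject]@{
            LoginName     = $roleAssignments.Member.LoginName
            LoginTitle    = $roleAssignments.Member.Title
            PrincipalType = $roleAssignments.Member.PrincipalType.ToString()
            # -join avoids the leading "," that concatenating onto an empty string produced.
            Permission    = @($roleAssignments.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ","
        }

        # Emit the row so the caller can collect, filter or export it.
        $permission
    }
}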

For folders

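        # Report the permissions that are set directly on one folder.
        # Inputs : $filePath (URL of the folder), $context (client context of the open PnP connection).
        # Output : one object per role assignment with LoginName, LoginTitle, PrincipalType and Permission.
        # Audit caveats:
        #   - Nothing is reported when the folder inherits its permissions; that means
        #     "same access as the parent object", not "nobody has access".
        #   - A group principal is reported as a single row; its members are not expanded here.
        # The variable keeps the name $file although it holds a folder; the permissions live on
        # the folder's list item, hence the ListItemAllFields.* includes.
        $file = Get-PnPFolder -Url $filePath -Includes ListItemAllFields.RoleAssignments, ListItemAllFields.HasUniqueRoleAssignments
        $context.Load($file);
        $context.ExecuteQuery();

        if ($file.ListItemAllFields.HasUniqueRoleAssignments -eq $True)
        {
            foreach ($roleAssignments in $file.ListItemAllFields.RoleAssignments)
            {
                # Load the principal (Member) and the granted roles for this assignment.
                Get-PnPProperty -ClientObject $roleAssignments -Property RoleDefinitionBindings, Member

                # Build a fresh object per assignment. The original wrote into a $permission variable
                # that this snippet never created and never emitted, so every assignment overwrote
                # the previous one and only the last could survive.
                $permission = [PSCustomObject]@{
                    LoginName     = $roleAssignments.Member.LoginName
                    LoginTitle    = $roleAssignments.Member.Title
                    PrincipalType = $roleAssignments.Member.PrincipalType.ToString()
                    # -join avoids the leading "," that concatenating onto an empty string produced.
                    Permission    = @($roleAssignments.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ","
                }

                # Emit the row so the caller can collect, filter or export it.
                $permission
            }
        }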

If you just want to use PnP PowerShell, all you need to do for each of those folders / files is:

FILE

# Load the role assignments of one file. $file must already hold the file's list item;
# how it is obtained is not shown in this snippet.
# NOTE(review): $result only captures what the cmdlet returns; it is overwritten in the loop
# and never read here. The loaded data is read from $file.RoleAssignments afterwards.
# NOTE(review): nothing here checks HasUniqueRoleAssignments, so the assignments found may be
# inherited from a parent object - confirm before reporting them as specific to this file.
$result = Get-PnPProperty -ClientObject $file -Property RoleAssignments       
        # Load the Groups property of the role-assignment collection.
        Get-PnPProperty -ClientObject $file.RoleAssignments -Property Groups
        # For every assignment, load who it is for (Member) and which roles it grants (RoleDefinitionBindings).
        foreach ($role in $file.RoleAssignments) {
            $result = Get-PnPProperty -ClientObject $role -Property RoleDefinitionBindings, Member
        }

FOLDER

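# Load the role assignments of one folder. $folder must already be set by the caller.
# NOTE(review): presumably $folder is the folder's list item (the securable object); a plain
# folder object exposes its permissions through ListItemAllFields - confirm against the caller.
# NOTE(review): nothing here checks HasUniqueRoleAssignments, so the assignments found may be
# inherited from a parent object - confirm before reporting them as specific to this folder.
$result = Get-PnPProperty -ClientObject $folder -Property RoleAssignments
# Load the Groups property of the role-assignment collection.
Get-PnPProperty -ClientObject $folder.RoleAssignments -Property Groups
# Fix: iterate the folder's own assignments. The original looped over $file.RoleAssignments
# (left over from the FILE snippet), so the folder's Member / RoleDefinitionBindings were
# never loaded and a report built from them would describe the wrong object.
foreach ($role in $folder.RoleAssignments) {
    $result = Get-PnPProperty -ClientObject $role -Property RoleDefinitionBindings, Member
}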

After that, you will find all the assigned permission details under the "RoleAssignments" property.


This script should help you:

https://gallery.technet.microsoft.com/office/SharePoint-Permissions-f42ea9db

Check this bit:

     # Walk every list of $Web and append one tab-separated line per granted permission to $FileUrl.
     # Columns written: URL, object type (List/Folder/Item), title, how access is granted
     # ("Direct Permission" or "Member of <group> Group"), role names, principal.
     # $Web and $FileUrl are set outside this excerpt.
     # What the report covers - read before using it as an access review:
     #   - Only objects with HasUniqueRoleAssignments = $True are written. Objects that inherit
     #     their permissions produce no line; they have the access of their parent, not none.
     #   - The list-level section skips hidden lists, but the folder and item loops below sit
     #     outside that check and run for every list.
     #   - NOTE(review): a principal with a user login is logged as "Direct Permission"; if that
     #     principal is itself a directory group, its members are not expanded - confirm.
     #   - NOTE(review): values are written unescaped, so a title containing a tab or line break
     #     would shift the columns of the output file - confirm.
     #   - NOTE(review): the output file maps who can reach what; store it with restricted access.
     foreach($List in $Web.lists) 
        { 
            # List-level permissions: only for visible lists that do not inherit from the web.
            if($List.HasUniqueRoleAssignments -eq $True -and ($List.Hidden -eq $false)) 
            { 
                #Get all the users granted permissions to the list 
                foreach($ListRoleAssignment in $List.RoleAssignments )  
                {  
                    #Is it a User Account? (Member.userlogin is only truthy for principals that carry a login)
                    if($ListRoleAssignment.Member.userlogin)     
                    { 
                        #Get the Permissions assigned to user 
                        $ListUserPermissions=@() 
                        foreach ($RoleDefinition  in $ListRoleAssignment.RoleDefinitionBindings) 
                        { 
                            $ListUserPermissions += $RoleDefinition.Name +";" 
                        } 

                        #Send the Data to Log file 
                        "$($List.ParentWeb.Url)/$($List.RootFolder.Url)`tList`t$($List.Title)`tDirect Permission`t$($ListUserPermissions) `t$($ListRoleAssignment.Member)" | Out-File $FileUrl -Append 
                    } 
                    #No user login: treated as a SharePoint group, so write one line per member of that group 
                    else   
                    { 
                        foreach($user in $ListRoleAssignment.member.users) 
                        { 
                            #Get the Group's Permissions on site (rebuilt for every member; the value does not depend on $user)
                            $ListGroupPermissions=@() 
                            foreach ($RoleDefinition  in $ListRoleAssignment.RoleDefinitionBindings) 
                            { 
                                $ListGroupPermissions += $RoleDefinition.Name +";" 
                            } 

                            #Send the Data to Log file 
                            "$($List.ParentWeb.Url)/$($List.RootFolder.Url)`tList`t$($List.Title)`tMember of $($ListRoleAssignment.Member.Name) Group`t$($ListGroupPermissions)`t$($user.LoginName)" | Out-File $FileUrl -Append 
                        } 
                    }     
                } 
            } 

            #Get Folder level permissions (runs for every list, including hidden ones and lists that inherit)
            foreach($Folder in $List.folders) 
            { 
                # Folders that inherit their permissions are skipped.
                if($Folder.HasUniqueRoleAssignments -eq $True) 
                { 
                    #Get all the users granted permissions to the folder 
                    foreach($FolderRoleAssignment in $Folder.RoleAssignments )  
                    {  
                        #Is it a User Account? 
                        if($FolderRoleAssignment.Member.userlogin)     
                        { 
                            #Get the Permissions assigned to user 
                            $FolderUserPermissions=@() 
                            foreach ($RoleDefinition  in $FolderRoleAssignment.RoleDefinitionBindings) 
                            { 
                                $FolderUserPermissions += $RoleDefinition.Name +";" 
                            } 

                            #Send the Data to Log file 
                            "$($Folder.Web.Url)/$($Folder.Url)`tFolder`t$($Folder.Title)`tDirect Permission`t$($FolderUserPermissions) `t$($FolderRoleAssignment.Member)" | Out-File $FileUrl -Append 
                        } 
                        #No user login: treated as a SharePoint group, so write one line per member of that group 
                        else   
                        { 
                            foreach($user in $FolderRoleAssignment.member.users) 
                            { 
                                #Get the Group's Permissions on site 
                                $FolderGroupPermissions=@() 
                                foreach ($RoleDefinition  in $FolderRoleAssignment.RoleDefinitionBindings) 
                                { 
                                    $FolderGroupPermissions += $RoleDefinition.Name +";" 
                                } 

                                #Send the Data to Log file 
                                "$($Folder.Web.Url)/$($Folder.Url)`tFolder`t$($Folder.Title)`tMember of $($FolderRoleAssignment.Member.Name) Group`t$($FolderGroupPermissions)`t$($user.LoginName)" | Out-File $FileUrl -Append 

                            } 
                        }     
                    } 
                } 
            } 

            #Get Item level permissions (runs for every list, including hidden ones and lists that inherit)
            foreach($Item in $List.items) 
            { 
                # Items that inherit their permissions are skipped.
                if($Item.HasUniqueRoleAssignments -eq $True) 
                { 
                    #Get all the users granted permissions to the item 
                    foreach($ItemRoleAssignment in $Item.RoleAssignments )  
                    {  
                        #Is it a User Account? 
                        if($ItemRoleAssignment.Member.userlogin)     
                        { 
                            #Get the Permissions assigned to user 
                            $ItemUserPermissions=@() 
                            foreach ($RoleDefinition  in $ItemRoleAssignment.RoleDefinitionBindings) 
                            { 
                                $ItemUserPermissions += $RoleDefinition.Name +";" 
                            } 

                            #Prepare item's absolute Url and Name 
                            # Use the list's display form plus the item ID when such a form exists, else the item's own Url.
                            $ItemDispForm = $Item.ParentList.Forms | where { $_.Type -eq "PAGE_DISPLAYFORM" } | Select-Object -first 1 
                            if ($ItemDispForm.Url) 
                            { 
                                $ItemUrl = "$($Item.Web.Url)/$($ItemDispForm.Url)?ID=$($Item.ID)"  
                            } 
                            else 
                            { 
                                $ItemUrl = "$($Item.Url)" 
                            } 

                            # Prefer the item's Name and fall back to its Title when Name is empty.
                            if ($Item.Name) 
                            { 
                                $ItemTitle = $Item.Name 
                            } 
                            else 
                            { 
                                $ItemTitle = $Item.Title 
                            } 

                            #Send the Data to Log file 
                            "$($ItemUrl)`tItem`t$($ItemTitle)`tDirect Permission`t$($ItemUserPermissions) `t$($ItemRoleAssignment.Member)" | Out-File $FileUrl -Append 
                        } 
                        #No user login: treated as a SharePoint group, so write one line per member of that group 
                        else   
                        { 
                            foreach($user in $ItemRoleAssignment.member.users) 
                            { 
                                #Get the Group's Permissions on site 
                                $ItemGroupPermissions=@() 
                                foreach ($RoleDefinition  in $ItemRoleAssignment.RoleDefinitionBindings) 
                                { 
                                    $ItemGroupPermissions += $RoleDefinition.Name +";" 
                                } 

                                #Prepare item's absolute Url and Name (same rule as in the direct-permission branch)
                                $ItemDispForm = $Item.ParentList.Forms | where { $_.Type -eq "PAGE_DISPLAYFORM" } | Select-Object -first 1 
                                if ($ItemDispForm.Url) 
                                { 
                                    $ItemUrl = "$($Item.Web.Url)/$($ItemDispForm.Url)?ID=$($Item.ID)"  
                                } 
                                else 
                                { 
                                    $ItemUrl = "$($Item.Url)" 
                                } 

                                if ($Item.Name) 
                                { 
                                    $ItemTitle = $Item.Name 
                                } 
                                else 
                                { 
                                    $ItemTitle = $Item.Title 
                                } 

                                #Send the Data to Log file 
                                "$($ItemUrl)`tItem`t$($ItemTitle)`tMember of $($ItemRoleAssignment.Member.Name) Group`t$($ItemGroupPermissions)`t$($user.LoginName)" | Out-File $FileUrl -Append 

                            } 
                        }     
                    } 
                } 
            }