“Can I use Power Automate flow to list all SP groups on a site and identify the owners, the ones with ‘full control’ permissions level?”
As you probably know by now, Power Automate doesn’t like SharePoint groups. Every operation requires an HTTP request, be it creating a group, adding users, managing permissions, or even sending an email. And it’s no different when you’re looking for information about a group, in this case its permissions level. Listing the groups is one thing, but how about more details, e.g. what can the group members actually do?
List the groups first
When managing SP group permissions in a flow, you always work with the PrincipalId – the id of the user / group on the specific site. Unlike e.g. the user’s Entra ID, it’s not global: it’s different on every site and assigned only once the user / group is used there. As such, you should always start by listing all the groups first.
Method: GET
Uri: _api/web/siteGroups
Extract the array with the groups from the output using an expression.
outputs('Send_an_HTTP_request_to_SharePoint')?['body']?['d']?['results']
Now, knowing all the group ids, you can continue by checking their permissions level.
Get their permissions level next
Loop through all the groups in ‘Apply to each’ and get their roles with another HTTP request.
Method: GET
Uri: _api/Web/RoleAssignments/GetByPrincipalId(<groupId>)/RoleDefinitionBindings
This request might fail for some of the groups, but that’s fine. Not every group has a permissions level assigned, and the request returns an error for those that don’t.
But for those that have some permissions, ‘Select’ the permissions level name from the result…
outputs('Send_an_HTTP_request_to_SharePoint_2')?['body']?['d']?['results']
item()?['Name']
…store them in an object that’ll contain the group name and the permission levels using a ‘Compose’ action. Since each group can have multiple permission levels, join them into a string using e.g. a semicolon as a separator…
{
  "Name": "@{item()?['Title']}",
  "Permissions": "@{join(body('Select'),';')}"
}
…and collect the responses with another ‘Compose’ after the loop. This second ‘Compose’ must be configured to run no matter whether the loop succeeded or failed…
…and it should collect the outputs from the first ‘Compose’.
outputs('Compose')
The last step is to filter out all the groups without permissions – the null values in the outputs.
The result will be all groups on the SharePoint site with their specific permissions levels.
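The same logic outside of a flow, as an added example that is not part of the original post: it walks the two requests above, skips the groups whose second request fails, and then picks the groups holding ‘Full Control’, which is what the original question asked for. The responses are constructed sample data; the `Id` field name, the error status and the English level name ‘Full Control’ are assumptions, and `fetch` is a hypothetical stand-in for the HTTP call.

```python
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, dict]  # (HTTP status, parsed JSON body)
ROLES_URI = "_api/Web/RoleAssignments/GetByPrincipalId({})/RoleDefinitionBindings"

def _roles(*names: str) -> Response:
    return 200, {"d": {"results": [{"Name": n} for n in names]}}

# Constructed sample responses keyed by request Uri (not real tenant data).
SAMPLE: Dict[str, Response] = {
    "_api/web/siteGroups": (200, {"d": {"results": [
        {"Id": 3, "Title": "Demo Owners"},
        {"Id": 4, "Title": "Demo Members"},
        {"Id": 5, "Title": "Demo Visitors"},
        {"Id": 9, "Title": "Unused Group"},   # no permissions level on the site
    ]}}),
    ROLES_URI.format(3): _roles("Full Control"),
    ROLES_URI.format(4): _roles("Edit", "Full Control"),
    ROLES_URI.format(5): _roles("Read"),
}

def sample_fetch(uri: str) -> Response:
    # Anything not in SAMPLE fails, like a group without role assignments.
    return SAMPLE.get(uri, (500, {"error": "constructed failure"}))

def group_permissions(fetch: Callable[[str], Response]) -> List[dict]:
    """Build the {Name, Permissions} objects the flow collects in 'Compose'."""
    status, body = fetch("_api/web/siteGroups")
    if status != 200:
        raise RuntimeError("listing the site groups failed")
    report = []
    for group in body["d"]["results"]:
        # PrincipalId is site-specific, so always take it from this site's list.
        status, roles = fetch(ROLES_URI.format(int(group["Id"])))
        if status != 200:
            continue  # same effect as filtering out the null outputs
        names = [r["Name"] for r in roles["d"]["results"]]
        report.append({"Name": group["Title"], "Permissions": ";".join(names)})
    return report

def full_control_groups(report: List[dict]) -> List[str]:
    """Names of the groups whose joined permissions include Full Control."""
    wanted = "full control"  # assumption: English name of the level
    return [g["Name"] for g in report
            if wanted in (p.strip().lower() for p in g["Permissions"].split(";"))]

if __name__ == "__main__":
    print(full_control_groups(group_permissions(sample_fetch)))
```

A group can hold Full Control alongside other levels, which is why the check splits the joined string instead of comparing it as a whole.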
Summary
As you can see, it’s possible to do a lot with SP groups in a Power Automate flow, even listing their permissions level. But you must know the right HTTP requests to call, the ones that’ll give you the desired outputs, and sometimes even combine several of them. However, once you learn more about the SharePoint REST API, you can do so much more in a flow than the standard actions allow.