“I can assign permissions to a user or M365 group, but what about SharePoint groups, how can I manage their access with Power Automate?”
Power Automate has two actions that make SharePoint permissions management a bit easier as you can ‘Stop sharing an item or a file’ and ‘Grant access to a file or folder’. But each of them has a limitation. The ‘Stop sharing…’ action won’t work on folders. You can use it to remove permissions from an item or a file, but not from a folder. Then there’s the ‘Grant access…’ action that won’t let you assign permissions to SharePoint groups. You can assign permissions to a user or Microsoft 365 group, but not to a SharePoint group. And since SharePoint groups are still widely used, this post explains how to solve that.
Note: everything inside <…> is a placeholder, replace it including the < and >.
You’ll need an HTTP request
As already shown a few times, if there’s no action that’ll do what you need, you can use an HTTP request.
Method: POST
Uri:
_api/lists/getByTitle('<listName>')/items(<itemID>)/roleAssignments/addRoleAssignment(PrincipalId=<groupID>,roleDefId=<roleID>)
Note: before you can add permissions, you must break permission inheritance on the item/file/folder.
As you can see above, it’s a bit more complex than the other HTTP requests on this blog. In addition to the list name and item ID, you’ll need two more parameters: the ID of the SharePoint group and the ID of the permission level.
Get the SharePoint group ID
The first new parameter is the SharePoint group ID. If you know the group name, you can use another HTTP request to get the group ID.
Method: GET
Uri:
_api/web/siteGroups/getByName('<groupName>')
The group ID can then be extracted from the JSON output, e.g.
body('Send_an_HTTP_request_to_SharePoint')?['d']?['Id']
Get the permission level ID
The second new parameter is the permission level ID. And as you could probably guess, you can get it via an HTTP request.
Method: GET
Uri:
_api/web/roleDefinitions/getByName('<roleName>')
The role ID can then be extracted in the same way as the group ID.
body('Send_an_HTTP_request_to_SharePoint')?['d']?['Id']
Build the HTTP request
Once you have the two IDs, you can use them to assign the desired permissions to the SharePoint group.
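The whole sequence as an added example in Python (not part of the original post): it builds the lookup requests, reads d.Id from the responses, and breaks inheritance only when the item still inherits, which is the case that otherwise ends in a 400 error. The sample response bodies are constructed, and the HasUniqueRoleAssignments pre-check, the breakRoleInheritance call and all helper names are assumptions added here.

```python
import json
from urllib.parse import quote

def odata_str(value):
    """Render a value as an OData string literal that is safe inside the URI."""
    # A quote inside the literal is escaped by doubling it; percent-encoding
    # the rest keeps a name from closing getByName('...') early.
    return "'" + quote(value.replace("'", "''"), safe="") + "'"

def item_uri(list_name, item_id):
    return f"_api/lists/getByTitle({odata_str(list_name)})/items({int(item_id)})"

def extract_id(body):
    """Same lookup as body(...)?['d']?['Id'], but fail closed on a bad reply."""
    value = json.loads(body).get("d", {}).get("Id")
    if type(value) is not int or value <= 0:
        raise ValueError("response carries no numeric d.Id")
    return value

def lookup_requests(list_name, item_id, group_name, role_name):
    """The GETs to run first: group, permission level, inheritance state."""
    return [("GET", f"_api/web/siteGroups/getByName({odata_str(group_name)})"),
            ("GET", f"_api/web/roleDefinitions/getByName({odata_str(role_name)})"),
            ("GET", item_uri(list_name, item_id) + "?$select=HasUniqueRoleAssignments")]

def grant_requests(list_name, item_id, group_body, role_body, item_body,
                   copy_parent=True):
    """Build the POSTs for one item from the three GET response bodies."""
    item, steps = item_uri(list_name, item_id), []
    # addRoleAssignment is rejected while the item still inherits, so break
    # inheritance first; copy_parent=True keeps the parent's assignments.
    if json.loads(item_body)["d"]["HasUniqueRoleAssignments"] is not True:
        copy = "true" if copy_parent else "false"
        steps.append(("POST", f"{item}/breakRoleInheritance("
                              f"copyRoleAssignments={copy},clearSubscopes=false)"))
    steps.append(("POST", f"{item}/roleAssignments/addRoleAssignment("
                          f"PrincipalId={extract_id(group_body)},"
                          f"roleDefId={extract_id(role_body)})"))
    return steps

# Constructed sample responses (verbose OData), not captured from a real site.
GROUP = '{"d": {"Id": 17, "Title": "Project O\'Neil Members"}}'
ROLE = '{"d": {"Id": 1073741826, "Name": "Read"}}'
ITEM = '{"d": {"HasUniqueRoleAssignments": false}}'

if __name__ == "__main__":
    plan = lookup_requests("Documents", 42, "Project O'Neil Members", "Read")
    for method, uri in plan + grant_requests("Documents", 42, GROUP, ROLE, ITEM):
        print(method, uri)
```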
Summary
If you can’t use the new Power Automate actions to manage SharePoint group permissions, you can still do it the old way. Get the group ID and permission level ID using two HTTP requests, then combine them in a third request to assign the permissions.
Really timely Tom, I’m trying to create a SharePoint group from the instructions of this post: https://powerusers.microsoft.com/t5/Power-Automate-Community-Blog/SharePoint-Group-Operations-in-Microsoft-Flow/ba-p/394446
Struggling a bit with the group Id
Hello Steve,
ID is the result from the HTTP request that creates the group, it should be among the outputs of the ‘Parse JSON’ action.
In this instance what should be in the ‘Parse JSON’ action? You mention it but don’t explicitly state it.
Hello PowerApps Newb,
it’s related to the link posted by Steve above, I don’t use any Parse JSON in the solution.
Will this HTTP action result in all users receiving an email notification that something has been shared with them? I need to automate the granting of access and I find that the Grant Access action is buggy (or something). It finds but won’t allow me to select an Active Directory group in the Recipients field. I select the group name over and over and the field remains blank. Very frustrating. So I was looking at your alternative option here — which is great — but will it email everyone?
Hello Rachel,
it won’t send any email, it’ll just assign the permissions. But if you want to make sure you can always try to use some test group, e.g. your department group to assign the permissions somewhere.
In the HTTP request to assign the role to the group for the item, how do you incorporate the d.ID into the two sets of dynamic content? I can’t find any combination of steps that allows me to do that.
I managed to do this by adding it as a function; it initially appeared as a function in the Uri field of the flow action, but after saving it and returning to it later, it had converted to the form shown in the article!
Hello Tom, thank you for this tutorial!
I made a flow that adds access to a folder in a library to a SharePoint group and it works.
However, when I want to perform this same action on a folder that is 3 levels below the root I have the following error:
Error 400 “This operation is not allowed on an object whose permissions are inherited.”
After research, I disabled inheritance of parent permissions but I have the same result on my PowerAutomate flow…
Have you ever had this error?
Hello Jeremy:
Look at this:
https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/set-custom-permissions-on-a-list-by-using-the-rest-interface
You need to BreakRoleInheritance or delete the already assigned permission before assigning it again
Hello Jeremy,
there must be some inheritance still enabled, I’d double check if you disabled the inheritance on the right folder, the same folder that should get the unique permissions.
Hi Tom, this was very helpful! I get your newsletters, but I don’t recall seeing one for the specific task I’m working on. We want to process through specific sites (200+ sites) and first get the SharePoint group(s) that have full control permissions, and then get the members and send them an email.
Our users have a tendency to rename the permission groups, which is why we need to query the permission level and get the group(s) with that permission.