“I don’t want to remove all permissions and add them again just to remove one SharePoint user, is there an easier way to do it using Power Automate?”
If you manage SharePoint permissions in your Power Automate flow, you don’t have many options. There are two dedicated actions: ‘Stop sharing an item or a file’ and ‘Grant access to an item or a folder’. The first removes all permissions (and doesn’t work on folders); the second assigns permissions (but doesn’t work with SharePoint groups). That’s it, everything else needs an HTTP request.
But there are situations where you don’t want to remove all the permissions and add them again just to make a minor change. For example, an approval process where everyone can edit only during their approval step. Why should you remove all the permissions and add them all again just to change contribute to read for one user?
Get the user principalId
As you probably realised, you’ll need another HTTP request. When you manage permissions via HTTP requests, you always work with the user principalId. That’s not the standard user id which you can see e.g. in Planner tasks. This id can be different on each SharePoint site. Therefore, if you want to remove permissions on a specific site, you must get the id from that site.
Method: GET
Uri:
_api/web/SiteUsers/getByEmail('<user email address>')/Id
Note: <…> is a placeholder, replace it including the < and >.
The result will contain the principalId of the user on the specific site. Use an expression to extract the id from the JSON output.
body('Send_an_HTTP_request_to_SharePoint')?['d']?['Id']
Remove the permissions with an HTTP request
Now that you have the id, you can use it in an HTTP request to remove permissions from this user.
Method: DELETE
Uri:
_api/web/lists/getByTitle('<listName>')/items(<itemId>)/roleassignments(<principalId>)
Note: <…> is a placeholder, replace it including the < and >.
At this point you can use the ‘Grant access to an item or a folder’ action to give the user different permissions than he had, or you can leave him without access.
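The two requests above, built and checked in Python as an added example that is not part of the original article. It goes slightly beyond the text by doubling apostrophes in the email and list title (the OData rule for string literals) and by rejecting an empty email or a missing Id before the DELETE Uri is built; the function names and sample values are made up for illustration.

```python
import json
from urllib.parse import quote


def odata_literal(value):
    """Quote a string for an OData URL: double apostrophes, percent-encode the rest."""
    if not isinstance(value, str) or not value.strip():
        raise ValueError("empty value: refusing to build a getByEmail('') style request")
    return "'" + quote(value.strip().replace("'", "''"), safe="@'") + "'"


def positive_int(name, value):
    """Ids go into the Uri unquoted, so accept only positive integers."""
    if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
        raise ValueError(f"{name} must be a positive integer, got {value!r}")
    return value


def principal_id_request(email):
    """Step 1: look up the user's principalId on this site."""
    return {"Method": "GET",
            "Uri": f"_api/web/SiteUsers/getByEmail({odata_literal(email)})/Id"}


def extract_principal_id(body):
    """Same lookup as body(...)?['d']?['Id'], but a missing Id raises instead of yielding null."""
    data = json.loads(body)
    d = data.get("d") if isinstance(data, dict) else None
    return positive_int("d.Id", d.get("Id") if isinstance(d, dict) else None)


def remove_assignment_request(list_name, item_id, principal_id):
    """Step 2: delete only this principal's role assignment on one item."""
    return {"Method": "DELETE",
            "Uri": (f"_api/web/lists/getByTitle({odata_literal(list_name)})"
                    f"/items({positive_int('item_id', item_id)})"
                    f"/roleassignments({positive_int('principal_id', principal_id)})")}


if __name__ == "__main__":
    # Constructed sample values, not taken from the article.
    print(principal_id_request("pat.o'brien@contoso.example"))
    pid = extract_principal_id('{"d": {"Id": 12}}')  # constructed response body
    print(remove_assignment_request("Approval Requests", 7, pid))
```

In a flow, the same checks amount to a condition on the email and on the extracted id before the DELETE request runs.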
Summary
It is possible to remove permissions from only a single SharePoint user in a Power Automate flow, but it needs another set of HTTP requests. The first one will give you the user principalId, which is different for each SharePoint site. If you want to remove permissions from multiple sites, you’ll have to ask each of them. The second request will take this principalId and use it to remove the permissions.
Sounds like a very nice post. We have added it to our directory. Follow our account for more information about #SharePoint #Microsoft365 content.
https://www.hubsite365.com/en-de/news?id=%2281b0cc16-b5ca-4949-9caa-2c06276df5f3%22&topic=%22b4240112-c3da-ec11-bb3d-000d3a4860eb%22
Thanks for your article!
I have a question: is there any way to remove all the users in a specific SharePoint Group with Power Automate?
Hello Liu,
it is doable, list all the users with an HTTP request: https://tomriha.com/list-members-of-a-sharepoint-group-with-power-automate/ and loop through them to get their principalId and remove them as explained in the article.
hey,
regarding this entry below, can we possibly select a dynamic value of assigned person per item for a SharePoint list item instead of a static user mail address?
same question goes for id, which is I guess SharePoint list item id
_api/web/SiteUsers/getByEmail(”)/Id
which I just tried and flow is running forever without a result 🙁