New command: m365 spo site membership get #5980

Open
mkm17 opened this issue Apr 15, 2024 · 4 comments

@mkm17
Contributor

mkm17 commented Apr 15, 2024

Usage

m365 spo site membership get

Description

Retrieve information about default site groups' membership.

Options

| Option | Description |
| --- | --- |
| -u, --siteUrl <siteUrl> | The URL of the site |
| -r, --role [role] | Filter the results to only users with the given role: 'Owner', 'Member', 'Visitor'. |

Examples

Retrieves information about default site groups' owners, members, and visitors of the site.

m365 spo site membership get --siteUrl https://contoso.sharepoint.com

Retrieves information about site owners.

m365 spo site membership get --siteUrl https://contoso.sharepoint.com --role Owner

Default properties

  • Email
  • LoginName
  • Name
  • UserPrincipalName
  • Role

Additional Info

This command could be helpful for SharePoint administrators. It would allow getting information about the membership of a site using the _api/SPO.Tenant/sites/GetSiteUserGroups endpoint, like in the SP admin page.

The benefit here is that administrators can access this information with SharePoint admin permission only, without needing site collection admin permission.

mkm17 changed the title from "New command: 'm365 spo site membership'" to "New command: m365 spo site membership get" on Apr 15, 2024
@milanholemans
Contributor

Hi @mkm17 thank you for creating this issue.
Could you give some more context about what this command actually does? What will it return?

If it lists memberships of default groups, I think that's already possible using spo web get --withGroups and spo group member list.

@mkm17
Contributor Author

mkm17 commented Apr 18, 2024

Hi @milanholemans, to be honest, it will retrieve the same data as in the examples you provided. The only difference is that to execute spo web get, the current user must have permission to the web. However, when using _api/SPO.Tenant/sites/GetSiteUserGroups, a user can have 'just' SharePoint Global Admin permission.

The use case can be when there's a need to generate a report on the membership of multiple webs without direct access for the current user. To address this scenario,

  1. we can utilize an app with application permissions for all sites,
  2. temporarily add a user as a site collection admin, or
  3. use the _api/SPO.Tenant/sites/GetSiteUserGroups endpoint.

A similar case is mentioned here: #5882 (comment)

If adding a new command is not the best solution, maybe we can extend spo group member list with an --asAdmin flag?

Then the command execution should cover only default groups and the execution would be like m365 spo group member list --associatedmembers --asAdmin

@milanholemans
Contributor

Hi @mkm17 thanks for clarifying. Does this endpoint only return the SharePoint groups? Could you give an example of a possible output? This would make it a bit clearer I guess.

@mkm17
Contributor Author

mkm17 commented May 4, 2024

Hi @milanholemans,
for example the GET request
https://<tenant>-admin.sharepoint.com/_api/SPO.Tenant/sites/GetSiteUserGroups?siteId='<SiteId>'&userGroupIds=[0,1,2]

returns

[
    {
        "userGroup": [
            {
                "email": "login@tenant.onmicrosoft.com",
                "loginName": "i:0#.f|membership|login@tenant.onmicrosoft.com",
                "name": "<Display Name>",
                "userPrincipalName": "login@tenant.onmicrosoft.com"
            }
        ]
    },
    {
        "userGroup": []
    },
    {
        "userGroup": []
    }
]

The first user group corresponds to Owners, the next one to Members, and the last one to visitors. As I mentioned before, the real case scenario could be generating a membership report while the user is only a SharePoint admin without access to the Site as a Site collection admin.
Of course, it's just an idea. Honestly, I've already used this scenario, so I thought it might be useful for someone else :)
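
The positional role mapping discussed in this thread, as an added JavaScript example that is not part of the issue or of the CLI's own code. `ROLES`, `toMembershipRows` and the sample response are hypothetical names and constructed data; the response shape and the Owner, Member, Visitor order are taken from the comment above.

```javascript
// Added example; not CLI for Microsoft 365 code.
// The response carries no role field: role is implied by position, in the
// order of userGroupIds=[0,1,2] described in the thread.
const ROLES = ['Owner', 'Member', 'Visitor'];

// Constructed sample in the shape of the response posted above.
const sampleResponse = [
  { userGroup: [{
    email: 'owner@tenant.onmicrosoft.com',
    loginName: 'i:0#.f|membership|owner@tenant.onmicrosoft.com',
    name: 'Sample Owner',
    userPrincipalName: 'owner@tenant.onmicrosoft.com'
  }] },
  { userGroup: [] },
  { userGroup: [{
    email: 'reader@tenant.onmicrosoft.com',
    loginName: 'i:0#.f|membership|reader@tenant.onmicrosoft.com',
    name: 'Sample Reader',
    userPrincipalName: 'reader@tenant.onmicrosoft.com'
  }] }
];

// Hypothetical helper: flattens the response into rows carrying the
// proposal's default properties, optionally filtered by role.
function toMembershipRows(response, role) {
  // Fail closed: with a different group count the positional mapping
  // would attach the wrong role to a user in the report.
  if (!Array.isArray(response) || response.length !== ROLES.length) {
    throw new Error(`Expected ${ROLES.length} groups in Owner, Member, Visitor order`);
  }
  if (role !== undefined && !ROLES.includes(role)) {
    throw new Error(`Invalid role '${role}'. Allowed values: ${ROLES.join(', ')}`);
  }
  const rows = [];
  response.forEach((group, index) => {
    const users = Array.isArray(group && group.userGroup) ? group.userGroup : [];
    for (const user of users) {
      rows.push({
        Email: user.email,
        LoginName: user.loginName,
        Name: user.name,
        UserPrincipalName: user.userPrincipalName,
        Role: ROLES[index]
      });
    }
  });
  return role === undefined ? rows : rows.filter((row) => row.Role === role);
}
```

Because the role label comes only from array position, a membership report built this way should reject any response whose group count differs from the requested `userGroupIds`, as the helper does.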
