Validate Your SharePoint Online Crawl Account Permissions Using PowerShell
Overview of procedure
How to set up and validate SharePoint Online crawl account permissions:
Authenticate to SharePoint Online
Authenticate to SharePoint Online as the service account user.
Get the FedAuth and rtFa cookie values
Open your browser's debugging tools (such as Chrome DevTools) and copy the FedAuth and rtFa cookies from the session.
Add your information to the PowerShell script
Enter your site and these two cookies into this PowerShell script:
# change these 3 variables to match your environment
$sharepointUrl = "https://YourSharePointURL.com"
$fedAuthCookieValue = "EnterYourFedAuthCookieValueHere"
$rtFaValue = "EnterYourRtfaCookieValueHere"
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Content-Type", "text/xml")
$headers.Add("SOAPAction", "http://schemas.microsoft.com/sharepoint/soap/GetUpdatedFormDigestInformation")
$headers.Add("X-RequestForceAuthentication", "true")
# FedAuth and rtFa are the session cookies copied from the browser; they authenticate the request as the service account
$headers.Add("Cookie", "FedAuth=$fedAuthCookieValue;rtFa=$rtFaValue")
$body = "<?xml version=`"1.0`" encoding=`"utf-8`"?>`n<soap:Envelope xmlns:xsi=`"http://www.w3.org/2001/XMLSchema-instance`" xmlns:xsd=`"http://www.w3.org/2001/XMLSchema`" xmlns:soap=`"http://schemas.xmlsoap.org/soap/envelope/`">`n <soap:Body>`n <GetUpdatedFormDigestInformation xmlns=`"http://schemas.microsoft.com/sharepoint/soap/`" />`n </soap:Body>`n</soap:Envelope>"
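$response = Invoke-RestMethod "$sharepointUrl/_vti_bin/sites.asmx" -Method 'POST' -Headers $headers -Body $body
# Invoke-RestMethod parses a text/xml reply into an XmlDocument; print OuterXml to see the full envelope
if ($response -is [xml]) { Write-Host $response.OuterXml } else { Write-Host "$response" }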
The response will resemble:
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<GetUpdatedFormDigestInformationResponse xmlns="http://schemas.microsoft.com/sharepoint/soap/">
<GetUpdatedFormDigestInformationResult>
<DigestValue>YourDigestValueWithTimestamp</DigestValue>
<TimeoutSeconds>1800</TimeoutSeconds>
<WebFullUrl>https://lucidworksfusiondev.sharepoint.com/sites/ndd2</WebFullUrl>
<LibraryVersion>16.0.19527.12083</LibraryVersion>
<SupportedSchemaVersions>14.0.0.0,15.0.0.0</SupportedSchemaVersions>
</GetUpdatedFormDigestInformationResult>
</GetUpdatedFormDigestInformationResponse>
</soap:Body>
</soap:Envelope>
Add your URL and DigestValue
Copy the DigestValue from this response into the PowerShell script below. Also change the SharePoint URL to match your environment.
# change these 2 variables to match your environment
$sharepointUrl = "https://YourSharePointURL.com"
$digestValue = "YourDigestValueWithTimestamp"
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Content-Type", "text/xml")
$headers.Add("X-RequestForceAuthentication", "true")
# The form digest returned by the previous script is sent in X-RequestDigest
$headers.Add("X-RequestDigest", "$digestValue")
$body = "<Request AddExpandoFieldTypeSuffix=`"true`" SchemaVersion=`"14.0.0.0`" LibraryVersion=`"16.0.0.0`" ApplicationName=`".NET Library`" xmlns=`"http://schemas.microsoft.com/sharepoint/clientquery/2009`"><Actions><ObjectPath Id=`"2`" ObjectPathId=`"1`"/><ObjectPath Id=`"4`" ObjectPathId=`"3`"/><Query Id=`"5`" ObjectPathId=`"3`"><Query SelectAllProperties=`"false`"><Properties><Property Name=`"Webs`" SelectAll=`"true`"><Query SelectAllProperties=`"false`"><Properties/></Query></Property><Property Name=`"Title`" ScalarProperty=`"true`"/><Property Name=`"ServerRelativeUrl`" ScalarProperty=`"true`"/><Property Name=`"RoleDefinitions`" SelectAll=`"true`"><Query SelectAllProperties=`"false`"><Properties/></Query></Property><Property Name=`"RoleAssignments`" SelectAll=`"true`"><Query SelectAllProperties=`"false`"><Properties/></Query></Property><Property Name=`"HasUniqueRoleAssignments`" ScalarProperty=`"true`"/><Property Name=`"Description`" ScalarProperty=`"true`"/><Property Name=`"Id`" ScalarProperty=`"true`"/><Property Name=`"LastItemModifiedDate`" ScalarProperty=`"true`"/></Properties></Query></Query></Actions><ObjectPaths><StaticProperty Id=`"1`" TypeId=`"{3747adcd-a3c3-41b9-bfab-4a64dd2f1e0a}`" Name=`"Current`"/><Property Id=`"3`" ParentId=`"1`" Name=`"Web`"/></ObjectPaths></Request>"
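$response = Invoke-RestMethod "$sharepointUrl/_vti_bin/client.svc/ProcessQuery" -Method 'POST' -Headers $headers -Body $body
# The JSON reply is parsed into objects; convert it back to JSON to print it, with enough depth to include BasePermissions
$response | ConvertTo-Json -Depth 10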
If permissions are incorrect, you will get an error message that resembles:
[
{
"SchemaVersion": "14.0.0.0",
"LibraryVersion": "16.0.19527.12083",
"ErrorInfo": {
"ErrorMessage": "Access denied. You do not have permission to perform this action or access this resource.",
"ErrorValue": null,
"TraceCorrelationId": "640d309f-b0f7-b000-8100-49826f3674cb",
"ErrorCode": -2147024891,
"ErrorTypeName": "System.UnauthorizedAccessException"
},
"TraceCorrelationId": "640d309f-b0f7-b000-8100-49826f3674cb"
}
]
If permissions are correct, you will get a response that resembles:
[
{
"SchemaVersion": "14.0.0.0",
"LibraryVersion": "16.0.19527.12083",
"ErrorInfo": null,
"TraceCorrelationId": "e70c309f-3097-b000-4931-8fe95320fdb0"
},
2,
{
"IsNull": false
},
4,
{
"IsNull": false
},
5,
{
"_ObjectType_": "SP.Web",
"_ObjectIdentity_": "e70c309f-3097-b000-4931-8fe95320fdb0|740c6a0b-85e2-48a0-a494-e0f1759d4aa7:site:d714bad3-ef71-4f83-86b6-25405106b719:web:ab8c2f1e-c518-4b2a-a89f-c6404b97a85a",
"Webs": {
"_ObjectType_": "SP.WebCollection",
"_Child_Items_": []
},
"Title": "NddTest",
"ServerRelativeUrl": "/sites/ndd2",
"RoleDefinitions": {
"_ObjectType_": "SP.RoleDefinitionCollection",
"_Child_Items_": [
{
"_ObjectType_": "SP.RoleDefinition",
"_ObjectIdentity_": "e70c309f-3097-b000-4931-8fe95320fdb0|740c6a0b-85e2-48a0-a494-e0f1759d4aa7:site:d714bad3-ef71-4f83-86b6-25405106b719:web:ab8c2f1e-c518-4b2a-a89f-c6404b97a85a:rd:1073741829",
"BasePermissions": {
"_ObjectType_": "SP.BasePermissions",
"High": 2147483647,
"Low": 4294967295
},
"Description": "Has full control.",
"Hidden": false,
"Id": 1073741829,
"Name": "Full Control",
"Order": 1,
"RoleTypeKind": 5
},
{
"_ObjectType_": "SP.RoleDefinition",
"_ObjectIdentity_": "e70c309f-3097-b000-4931-8fe95320fdb0|740c6a0b-85e2-48a0-a494-e0f1759d4aa7:site:d714bad3-ef71-4f83-86b6-25405106b719:web:ab8c2f1e-c518-4b2a-a89f-c6404b97a85a:rd:1073741828",
"BasePermissions": {
"_ObjectType_": "SP.BasePermissions",
"High": 432,
"Low": 1012866047
},
"Description": "Can view, add, update, delete, approve, and customize.",
"Hidden": false,
"Id": 1073741828,
"Name": "Design",
"Order": 32,
"RoleTypeKind": 4
},
{
"_ObjectType_": "SP.RoleDefinition",
"_ObjectIdentity_": "e70c309f-3097-b000-4931-8fe95320fdb0|740c6a0b-85e2-48a0-a494-e0f1759d4aa7:site:d714bad3-ef71-4f83-86b6-25405106b719:web:ab8c2f1e-c518-4b2a-a89f-c6404b97a85a:rd:1073741830",
"BasePermissions": {
"_ObjectType_": "SP.BasePermissions",
"High": 432,
"Low": 1011030767
},
"Description": "Can add, edit and delete lists; can view, add, update and delete list items and documents.",
"Hidden": false,
"Id": 1073741830,
"Name": "Edit",
"Order": 48,
"RoleTypeKind": 6
},
{
"_ObjectType_": "SP.RoleDefinition",
"_ObjectIdentity_": "e70c309f-3097-b000-4931-8fe95320fdb0|740c6a0b-85e2-48a0-a494-e0f1759d4aa7:site:d714bad3-ef71-4f83-86b6-25405106b719:web:ab8c2f1e-c518-4b2a-a89f-c6404b97a85a:rd:1073741827",
"BasePermissions": {
"_ObjectType_": "SP.BasePermissions",
"High": 432,
"Low": 1011028719
},
"Description": "Can view, add, update, and delete list items and documents.",
"Hidden": false,
"Id": 1073741827,
"Name": "Contribute",
"Order": 64,
"RoleTypeKind": 3
},
{
"_ObjectType_": "SP.RoleDefinition",
"_ObjectIdentity_": "e70c309f-3097-b000-4931-8fe95320fdb0|740c6a0b-85e2-48a0-a494-e0f1759d4aa7:site:d714bad3-ef71-4f83-86b6-25405106b719:web:ab8c2f1e-c518-4b2a-a89f-c6404b97a85a:rd:1073741826",
"BasePermissions": {
"_ObjectType_": "SP.BasePermissions",
"High": 176,
"Low": 138612833
},
"Description": "Can view pages and list items and download documents.",
"Hidden": false,
"Id": 1073741826,
"Name": "Read",
"Order": 128,
"RoleTypeKind": 2
},
{
"_ObjectType_": "SP.RoleDefinition",
"_ObjectIdentity_": "e70c309f-3097-b000-4931-8fe95320fdb0|740c6a0b-85e2-48a0-a494-e0f1759d4aa7:site:d714bad3-ef71-4f83-86b6-25405106b719:web:ab8c2f1e-c518-4b2a-a89f-c6404b97a85a:rd:1073741825",
"BasePermissions": {
"_ObjectType_": "SP.BasePermissions",
"High": 48,
"Low": 134287360
},
"Description": "Can view specific lists, document libraries, list items, folders, or documents when given permissions.",
"Hidden": true,
"Id": 1073741825,
"Name": "Limited Access",
"Order": 160,
"RoleTypeKind": 1
},
{
"_ObjectType_": "SP.RoleDefinition",
"_ObjectIdentity_": "e70c309f-3097-b000-4931-8fe95320fdb0|740c6a0b-85e2-48a0-a494-e0f1759d4aa7:site:d714bad3-ef71-4f83-86b6-25405106b719:web:ab8c2f1e-c518-4b2a-a89f-c6404b97a85a:rd:1073741924",
"BasePermissions": {
"_ObjectType_": "SP.BasePermissions",
"High": 176,
"Low": 138612801
},
"Description": "Can view pages, list items, and documents. Document types with server-side file handlers can be viewed in the browser but not downloaded.",
"Hidden": false,
"Id": 1073741924,
"Name": "View Only",
"Order": 2147483647,
"RoleTypeKind": 0
},
{
"_ObjectType_": "SP.RoleDefinition",
"_ObjectIdentity_": "e70c309f-3097-b000-4931-8fe95320fdb0|740c6a0b-85e2-48a0-a494-e0f1759d4aa7:site:d714bad3-ef71-4f83-86b6-25405106b719:web:ab8c2f1e-c518-4b2a-a89f-c6404b97a85a:rd:1073741925",
"BasePermissions": {
"_ObjectType_": "SP.BasePermissions",
"High": 1073741856,
"Low": 203624545
},
"Description": "",
"Hidden": false,
"Id": 1073741925,
"Name": "LW Fusion",
"Order": 2147483647,
"RoleTypeKind": 0
}
]
},
"RoleAssignments": {
"_ObjectType_": "SP.RoleAssignmentCollection",
"_Child_Items_": [
{
"_ObjectType_": "SP.RoleAssignment",
"_ObjectIdentity_": "e70c309f-3097-b000-4931-8fe95320fdb0|740c6a0b-85e2-48a0-a494-e0f1759d4aa7:site:d714bad3-ef71-4f83-86b6-25405106b719:web:ab8c2f1e-c518-4b2a-a89f-c6404b97a85a:ra:3",
"PrincipalId": 3
},
{
"_ObjectType_": "SP.RoleAssignment",
"_ObjectIdentity_": "e70c309f-3097-b000-4931-8fe95320fdb0|740c6a0b-85e2-48a0-a494-e0f1759d4aa7:site:d714bad3-ef71-4f83-86b6-25405106b719:web:ab8c2f1e-c518-4b2a-a89f-c6404b97a85a:ra:6",
"PrincipalId": 6
},
{
"_ObjectType_": "SP.RoleAssignment",
"_ObjectIdentity_": "e70c309f-3097-b000-4931-8fe95320fdb0|740c6a0b-85e2-48a0-a494-e0f1759d4aa7:site:d714bad3-ef71-4f83-86b6-25405106b719:web:ab8c2f1e-c518-4b2a-a89f-c6404b97a85a:ra:7",
"PrincipalId": 7
},
{
"_ObjectType_": "SP.RoleAssignment",
"_ObjectIdentity_": "e70c309f-3097-b000-4931-8fe95320fdb0|740c6a0b-85e2-48a0-a494-e0f1759d4aa7:site:d714bad3-ef71-4f83-86b6-25405106b719:web:ab8c2f1e-c518-4b2a-a89f-c6404b97a85a:ra:8",
"PrincipalId": 8
},
{
"_ObjectType_": "SP.RoleAssignment",
"_ObjectIdentity_": "e70c309f-3097-b000-4931-8fe95320fdb0|740c6a0b-85e2-48a0-a494-e0f1759d4aa7:site:d714bad3-ef71-4f83-86b6-25405106b719:web:ab8c2f1e-c518-4b2a-a89f-c6404b97a85a:ra:14",
"PrincipalId": 14
}
]
},
"HasUniqueRoleAssignments": true,
"Description": "",
"Id": "/Guid(ab8c2f1e-c518-4b2a-a89f-c6404b97a85a)/",
"LastItemModifiedDate": "/Date(1580251756000)/"
}
]
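The successful response reports each role definition's BasePermissions only as High/Low bitmasks. The script below is an added example, not part of the original page or of the product's own tooling: it decodes those masks into SP.PermissionKind names and lists any write-capable kinds per role, which helps confirm that a custom crawl role such as "LW Fusion" stays read-only. The function names, the $WriteKinds list and the trimmed sample are assumptions made for illustration; the High/Low values are taken from the response above.

```powershell
# Added example. SP.PermissionKind subset: kind n is bit (n-1); kinds 1-32 are
# stored in BasePermissions.Low, kinds 33-64 in BasePermissions.High.
$PermissionKind = [ordered]@{
    ViewListItems = 1; AddListItems = 2; EditListItems = 3; DeleteListItems = 4
    OpenItems = 6; ViewVersions = 7; ManageLists = 12; ViewFormPages = 13
    Open = 17; ViewPages = 18; AddAndCustomizePages = 19; ViewUsageData = 22
    ManagePermissions = 26; BrowseDirectories = 27; BrowseUserInfo = 28
    ManageWeb = 31; UseClientIntegration = 37; UseRemoteAPIs = 38
    CreateAlerts = 40; EnumeratePermissions = 63
}
# Assumption (not from the page): kinds a read-only crawl role should not carry.
$WriteKinds = 'AddListItems', 'EditListItems', 'DeleteListItems', 'ManageLists',
              'AddAndCustomizePages', 'ManagePermissions', 'ManageWeb'

function Test-BasePermission {
    param([long]$High, [long]$Low, [int]$Kind)
    $bit = $Kind - 1
    if ($bit -lt 32) { return [bool]($Low -band ([long]1 -shl $bit)) }
    return [bool]($High -band ([long]1 -shl ($bit - 32)))
}

function Get-RoleDefinitionAudit {
    param([object[]]$Response)
    # Element 0 carries ErrorInfo; non-null means the call was refused.
    $errorInfo = $Response[0].ErrorInfo
    if ($errorInfo) { throw "ProcessQuery failed: $($errorInfo.ErrorMessage)" }
    $web = $Response | Where-Object { $_._ObjectType_ -eq 'SP.Web' }
    foreach ($role in $web.RoleDefinitions._Child_Items_) {
        $bp = $role.BasePermissions
        $granted = @($PermissionKind.Keys | Where-Object {
            Test-BasePermission -High $bp.High -Low $bp.Low -Kind $PermissionKind[$_] })
        [pscustomobject]@{
            Role    = $role.Name
            Granted = $granted -join ', '
            Write   = @($granted | Where-Object { $WriteKinds -contains $_ }) -join ', '
        }
    }
}

# Constructed sample: the page's successful response trimmed to two role definitions.
$sample = @'
[{"SchemaVersion":"14.0.0.0","ErrorInfo":null},
 5,
 {"_ObjectType_":"SP.Web","RoleDefinitions":{"_Child_Items_":[
   {"Name":"Edit","BasePermissions":{"High":432,"Low":1011030767}},
   {"Name":"LW Fusion","BasePermissions":{"High":1073741856,"Low":203624545}}]}}]
'@ | ConvertFrom-Json

Get-RoleDefinitionAudit -Response $sample | Format-List
```

To audit a live site, pass the $response object from the ProcessQuery script to Get-RoleDefinitionAudit instead of $sample.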