Validate Your SharePoint Online Crawl Account Permissions Using PowerShell

Overview of procedure

Authenticate to SharePoint Online

Authenticate to SharePoint Online as the service account user.

Get the FedAuth and rtFa cookie values

Open your browser's debugging tools (such as Chrome DevTools) and copy the FedAuth and rtFa cookie values from the session.

Add your information to the PowerShell script

Enter your site URL and these two cookie values into this PowerShell script:

# change these 3 variables to match your environment
$sharepointUrl = "https://YourSharePointURL.com"

$fedAuthCookieValue = "EnterYourFedAuthCookieValueHere"

$rtFaValue = "EnterYourRtfaCookieValueHere"

$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Content-Type", "text/xml")
$headers.Add("SOAPAction", "http://schemas.microsoft.com/sharepoint/soap/GetUpdatedFormDigestInformation")
$headers.Add("X-RequestForceAuthentication", "true")
$headers.Add("Cookie", "FedAuth=$fedAuthCookieValue;rtFa=$rtFaValue")

$body = "<?xml version=`"1.0`" encoding=`"utf-8`"?>`n<soap:Envelope xmlns:xsi=`"http://www.w3.org/2001/XMLSchema-instance`" xmlns:xsd=`"http://www.w3.org/2001/XMLSchema`" xmlns:soap=`"http://schemas.xmlsoap.org/soap/envelope/`">`n  <soap:Body>`n    <GetUpdatedFormDigestInformation xmlns=`"http://schemas.microsoft.com/sharepoint/soap/`" />`n  </soap:Body>`n</soap:Envelope>"

$response = Invoke-RestMethod "$sharepointUrl/_vti_bin/sites.asmx" -Method 'POST' -Headers $headers -Body $body
# Invoke-RestMethod parses the SOAP reply into an XML document; print it as raw XML
Write-Host $response.OuterXml

The response will resemble:

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <soap:Body>
        <GetUpdatedFormDigestInformationResponse xmlns="http://schemas.microsoft.com/sharepoint/soap/">
            <GetUpdatedFormDigestInformationResult>
                <DigestValue>YourDigestValueWithTimestamp</DigestValue>
                <TimeoutSeconds>1800</TimeoutSeconds>
                <WebFullUrl>https://lucidworksfusiondev.sharepoint.com/sites/ndd2</WebFullUrl>
                <LibraryVersion>16.0.19527.12083</LibraryVersion>
                <SupportedSchemaVersions>14.0.0.0,15.0.0.0</SupportedSchemaVersions>
            </GetUpdatedFormDigestInformationResult>
        </GetUpdatedFormDigestInformationResponse>
    </soap:Body>
</soap:Envelope>

Add your URL and DigestValue

Copy the DigestValue from this response into the PowerShell script below. Also change the SharePoint URL to match your environment.

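# change these 2 variables to match your environment
$sharepointUrl = "https://YourSharePointURL.com"
$digestValue = "YourDigestValueWithTimestamp"

$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Content-Type", "text/xml")
$headers.Add("X-RequestForceAuthentication", "true")
$headers.Add("X-RequestDigest", "$digestValue")
# the digest does not authenticate the request; send the same session cookies as the first script
# ($fedAuthCookieValue and $rtFaValue are still set if you run this in the same PowerShell session)
$headers.Add("Cookie", "FedAuth=$fedAuthCookieValue;rtFa=$rtFaValue")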

$body = "<Request AddExpandoFieldTypeSuffix=`"true`" SchemaVersion=`"14.0.0.0`" LibraryVersion=`"16.0.0.0`" ApplicationName=`".NET Library`" xmlns=`"http://schemas.microsoft.com/sharepoint/clientquery/2009`"><Actions><ObjectPath Id=`"2`" ObjectPathId=`"1`"/><ObjectPath Id=`"4`" ObjectPathId=`"3`"/><Query Id=`"5`" ObjectPathId=`"3`"><Query SelectAllProperties=`"false`"><Properties><Property Name=`"Webs`" SelectAll=`"true`"><Query SelectAllProperties=`"false`"><Properties/></Query></Property><Property Name=`"Title`" ScalarProperty=`"true`"/><Property Name=`"ServerRelativeUrl`" ScalarProperty=`"true`"/><Property Name=`"RoleDefinitions`" SelectAll=`"true`"><Query SelectAllProperties=`"false`"><Properties/></Query></Property><Property Name=`"RoleAssignments`" SelectAll=`"true`"><Query SelectAllProperties=`"false`"><Properties/></Query></Property><Property Name=`"HasUniqueRoleAssignments`" ScalarProperty=`"true`"/><Property Name=`"Description`" ScalarProperty=`"true`"/><Property Name=`"Id`" ScalarProperty=`"true`"/><Property Name=`"LastItemModifiedDate`" ScalarProperty=`"true`"/></Properties></Query></Query></Actions><ObjectPaths><StaticProperty Id=`"1`" TypeId=`"{3747adcd-a3c3-41b9-bfab-4a64dd2f1e0a}`" Name=`"Current`"/><Property Id=`"3`" ParentId=`"1`" Name=`"Web`"/></ObjectPaths></Request>"

$response = Invoke-RestMethod "$sharepointUrl/_vti_bin/client.svc/ProcessQuery" -Method 'POST' -Headers $headers -Body $body
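# Invoke-RestMethod parses the JSON reply into objects; convert back to JSON to print it in full
Write-Host ($response | ConvertTo-Json -Depth 10)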

If permissions are incorrect, you will get an error message that resembles:

[
    {
        "SchemaVersion": "14.0.0.0",
        "LibraryVersion": "16.0.19527.12083",
        "ErrorInfo": {
            "ErrorMessage": "Access denied. You do not have permission to perform this action or access this resource.",
            "ErrorValue": null,
            "TraceCorrelationId": "640d309f-b0f7-b000-8100-49826f3674cb",
            "ErrorCode": -2147024891,
            "ErrorTypeName": "System.UnauthorizedAccessException"
        },
        "TraceCorrelationId": "640d309f-b0f7-b000-8100-49826f3674cb"
    }
]

If permissions are correct, you will get a response that resembles:

[
    {
        "SchemaVersion": "14.0.0.0",
        "LibraryVersion": "16.0.19527.12083",
        "ErrorInfo": null,
        "TraceCorrelationId": "e70c309f-3097-b000-4931-8fe95320fdb0"
    },
    2,
    {
        "IsNull": false
    },
    4,
    {
        "IsNull": false
    },
    5,
    {
        "_ObjectType_": "SP.Web",
        "_ObjectIdentity_": "e70c309f-3097-b000-4931-8fe95320fdb0|740c6a0b-85e2-48a0-a494-e0f1759d4aa7:site:d714bad3-ef71-4f83-86b6-25405106b719:web:ab8c2f1e-c518-4b2a-a89f-c6404b97a85a",
        "Webs": {
            "_ObjectType_": "SP.WebCollection",
            "_Child_Items_": []
        },
        "Title": "NddTest",
        "ServerRelativeUrl": "/sites/ndd2",
        "RoleDefinitions": {
            "_ObjectType_": "SP.RoleDefinitionCollection",
            "_Child_Items_": [
                {
                    "_ObjectType_": "SP.RoleDefinition",
                    "_ObjectIdentity_": "e70c309f-3097-b000-4931-8fe95320fdb0|740c6a0b-85e2-48a0-a494-e0f1759d4aa7:site:d714bad3-ef71-4f83-86b6-25405106b719:web:ab8c2f1e-c518-4b2a-a89f-c6404b97a85a:rd:1073741829",
                    "BasePermissions": {
                        "_ObjectType_": "SP.BasePermissions",
                        "High": 2147483647,
                        "Low": 4294967295
                    },
                    "Description": "Has full control.",
                    "Hidden": false,
                    "Id": 1073741829,
                    "Name": "Full Control",
                    "Order": 1,
                    "RoleTypeKind": 5
                },
                {
                    "_ObjectType_": "SP.RoleDefinition",
                    "_ObjectIdentity_": "e70c309f-3097-b000-4931-8fe95320fdb0|740c6a0b-85e2-48a0-a494-e0f1759d4aa7:site:d714bad3-ef71-4f83-86b6-25405106b719:web:ab8c2f1e-c518-4b2a-a89f-c6404b97a85a:rd:1073741828",
                    "BasePermissions": {
                        "_ObjectType_": "SP.BasePermissions",
                        "High": 432,
                        "Low": 1012866047
                    },
                    "Description": "Can view, add, update, delete, approve, and customize.",
                    "Hidden": false,
                    "Id": 1073741828,
                    "Name": "Design",
                    "Order": 32,
                    "RoleTypeKind": 4
                },
                {
                    "_ObjectType_": "SP.RoleDefinition",
                    "_ObjectIdentity_": "e70c309f-3097-b000-4931-8fe95320fdb0|740c6a0b-85e2-48a0-a494-e0f1759d4aa7:site:d714bad3-ef71-4f83-86b6-25405106b719:web:ab8c2f1e-c518-4b2a-a89f-c6404b97a85a:rd:1073741830",
                    "BasePermissions": {
                        "_ObjectType_": "SP.BasePermissions",
                        "High": 432,
                        "Low": 1011030767
                    },
                    "Description": "Can add, edit and delete lists; can view, add, update and delete list items and documents.",
                    "Hidden": false,
                    "Id": 1073741830,
                    "Name": "Edit",
                    "Order": 48,
                    "RoleTypeKind": 6
                },
                {
                    "_ObjectType_": "SP.RoleDefinition",
                    "_ObjectIdentity_": "e70c309f-3097-b000-4931-8fe95320fdb0|740c6a0b-85e2-48a0-a494-e0f1759d4aa7:site:d714bad3-ef71-4f83-86b6-25405106b719:web:ab8c2f1e-c518-4b2a-a89f-c6404b97a85a:rd:1073741827",
                    "BasePermissions": {
                        "_ObjectType_": "SP.BasePermissions",
                        "High": 432,
                        "Low": 1011028719
                    },
                    "Description": "Can view, add, update, and delete list items and documents.",
                    "Hidden": false,
                    "Id": 1073741827,
                    "Name": "Contribute",
                    "Order": 64,
                    "RoleTypeKind": 3
                },
                {
                    "_ObjectType_": "SP.RoleDefinition",
                    "_ObjectIdentity_": "e70c309f-3097-b000-4931-8fe95320fdb0|740c6a0b-85e2-48a0-a494-e0f1759d4aa7:site:d714bad3-ef71-4f83-86b6-25405106b719:web:ab8c2f1e-c518-4b2a-a89f-c6404b97a85a:rd:1073741826",
                    "BasePermissions": {
                        "_ObjectType_": "SP.BasePermissions",
                        "High": 176,
                        "Low": 138612833
                    },
                    "Description": "Can view pages and list items and download documents.",
                    "Hidden": false,
                    "Id": 1073741826,
                    "Name": "Read",
                    "Order": 128,
                    "RoleTypeKind": 2
                },
                {
                    "_ObjectType_": "SP.RoleDefinition",
                    "_ObjectIdentity_": "e70c309f-3097-b000-4931-8fe95320fdb0|740c6a0b-85e2-48a0-a494-e0f1759d4aa7:site:d714bad3-ef71-4f83-86b6-25405106b719:web:ab8c2f1e-c518-4b2a-a89f-c6404b97a85a:rd:1073741825",
                    "BasePermissions": {
                        "_ObjectType_": "SP.BasePermissions",
                        "High": 48,
                        "Low": 134287360
                    },
                    "Description": "Can view specific lists, document libraries, list items, folders, or documents when given permissions.",
                    "Hidden": true,
                    "Id": 1073741825,
                    "Name": "Limited Access",
                    "Order": 160,
                    "RoleTypeKind": 1
                },
                {
                    "_ObjectType_": "SP.RoleDefinition",
                    "_ObjectIdentity_": "e70c309f-3097-b000-4931-8fe95320fdb0|740c6a0b-85e2-48a0-a494-e0f1759d4aa7:site:d714bad3-ef71-4f83-86b6-25405106b719:web:ab8c2f1e-c518-4b2a-a89f-c6404b97a85a:rd:1073741924",
                    "BasePermissions": {
                        "_ObjectType_": "SP.BasePermissions",
                        "High": 176,
                        "Low": 138612801
                    },
                    "Description": "Can view pages, list items, and documents. Document types with server-side file handlers can be viewed in the browser but not downloaded.",
                    "Hidden": false,
                    "Id": 1073741924,
                    "Name": "View Only",
                    "Order": 2147483647,
                    "RoleTypeKind": 0
                },
                {
                    "_ObjectType_": "SP.RoleDefinition",
                    "_ObjectIdentity_": "e70c309f-3097-b000-4931-8fe95320fdb0|740c6a0b-85e2-48a0-a494-e0f1759d4aa7:site:d714bad3-ef71-4f83-86b6-25405106b719:web:ab8c2f1e-c518-4b2a-a89f-c6404b97a85a:rd:1073741925",
                    "BasePermissions": {
                        "_ObjectType_": "SP.BasePermissions",
                        "High": 1073741856,
                        "Low": 203624545
                    },
                    "Description": "",
                    "Hidden": false,
                    "Id": 1073741925,
                    "Name": "LW Fusion",
                    "Order": 2147483647,
                    "RoleTypeKind": 0
                }
            ]
        },
        "RoleAssignments": {
            "_ObjectType_": "SP.RoleAssignmentCollection",
            "_Child_Items_": [
                {
                    "_ObjectType_": "SP.RoleAssignment",
                    "_ObjectIdentity_": "e70c309f-3097-b000-4931-8fe95320fdb0|740c6a0b-85e2-48a0-a494-e0f1759d4aa7:site:d714bad3-ef71-4f83-86b6-25405106b719:web:ab8c2f1e-c518-4b2a-a89f-c6404b97a85a:ra:3",
                    "PrincipalId": 3
                },
                {
                    "_ObjectType_": "SP.RoleAssignment",
                    "_ObjectIdentity_": "e70c309f-3097-b000-4931-8fe95320fdb0|740c6a0b-85e2-48a0-a494-e0f1759d4aa7:site:d714bad3-ef71-4f83-86b6-25405106b719:web:ab8c2f1e-c518-4b2a-a89f-c6404b97a85a:ra:6",
                    "PrincipalId": 6
                },
                {
                    "_ObjectType_": "SP.RoleAssignment",
                    "_ObjectIdentity_": "e70c309f-3097-b000-4931-8fe95320fdb0|740c6a0b-85e2-48a0-a494-e0f1759d4aa7:site:d714bad3-ef71-4f83-86b6-25405106b719:web:ab8c2f1e-c518-4b2a-a89f-c6404b97a85a:ra:7",
                    "PrincipalId": 7
                },
                {
                    "_ObjectType_": "SP.RoleAssignment",
                    "_ObjectIdentity_": "e70c309f-3097-b000-4931-8fe95320fdb0|740c6a0b-85e2-48a0-a494-e0f1759d4aa7:site:d714bad3-ef71-4f83-86b6-25405106b719:web:ab8c2f1e-c518-4b2a-a89f-c6404b97a85a:ra:8",
                    "PrincipalId": 8
                },
                {
                    "_ObjectType_": "SP.RoleAssignment",
                    "_ObjectIdentity_": "e70c309f-3097-b000-4931-8fe95320fdb0|740c6a0b-85e2-48a0-a494-e0f1759d4aa7:site:d714bad3-ef71-4f83-86b6-25405106b719:web:ab8c2f1e-c518-4b2a-a89f-c6404b97a85a:ra:14",
                    "PrincipalId": 14
                }
            ]
        },
        "HasUniqueRoleAssignments": true,
        "Description": "",
        "Id": "/Guid(ab8c2f1e-c518-4b2a-a89f-c6404b97a85a)/",
        "LastItemModifiedDate": "/Date(1580251756000)/"
    }
]
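
The two replies above can be told apart programmatically instead of by eye. The following is an added example, not part of the original page: `Test-CrawlAccountResponse` is a hypothetical helper name, and the two sample replies are constructed, trimmed versions of the responses shown above. It reports pass or fail and, on success, lists each role definition with its permission mask and the principal IDs that hold role assignments.

```powershell
# Added example (not from the original page). Test-CrawlAccountResponse is a hypothetical helper.
function Test-CrawlAccountResponse {
    param([Parameter(Mandatory)][string]$Json)
    $parsed = ConvertFrom-Json -InputObject $Json
    $items  = @($parsed)      # the reply is a JSON array
    $header = $items[0]       # first element carries ErrorInfo and TraceCorrelationId
    if ($null -ne $header.ErrorInfo) {
        return [pscustomobject]@{
            Granted = $false
            Error   = $header.ErrorInfo.ErrorTypeName
            Message = $header.ErrorInfo.ErrorMessage
            TraceId = $header.TraceCorrelationId
        }
    }
    # On success the SP.Web object appears later in the same array.
    $web = $items | Where-Object { $_._ObjectType_ -eq 'SP.Web' } | Select-Object -First 1
    if ($null -eq $web) { throw 'ErrorInfo is null, but the reply has no SP.Web object.' }
    $roles = foreach ($rd in $web.RoleDefinitions._Child_Items_) {
        # BasePermissions is one 64-bit mask split into High and Low 32-bit halves.
        $mask = ([int64]$rd.BasePermissions.High -shl 32) -bor [int64]$rd.BasePermissions.Low
        '{0} (0x{1:X16})' -f $rd.Name, $mask
    }
    [pscustomobject]@{
        Granted      = $true
        Title        = $web.Title
        Url          = $web.ServerRelativeUrl
        Roles        = @($roles)
        PrincipalIds = @($web.RoleAssignments._Child_Items_ | ForEach-Object { $_.PrincipalId })
    }
}

# Constructed sample replies, trimmed from the shapes shown on this page.
$denied = @'
[{"SchemaVersion":"14.0.0.0","ErrorInfo":{"ErrorMessage":"Access denied.",
  "ErrorCode":-2147024891,"ErrorTypeName":"System.UnauthorizedAccessException"},
  "TraceCorrelationId":"00000000-0000-0000-0000-000000000000"}]
'@
$granted = @'
[{"SchemaVersion":"14.0.0.0","ErrorInfo":null,
  "TraceCorrelationId":"00000000-0000-0000-0000-000000000000"},
 2,{"IsNull":false},4,{"IsNull":false},5,
 {"_ObjectType_":"SP.Web","Title":"NddTest","ServerRelativeUrl":"/sites/ndd2",
  "RoleDefinitions":{"_Child_Items_":[
    {"Name":"Read","BasePermissions":{"High":176,"Low":138612833}},
    {"Name":"LW Fusion","BasePermissions":{"High":1073741856,"Low":203624545}}]},
  "RoleAssignments":{"_Child_Items_":[{"PrincipalId":3},{"PrincipalId":6}]}}]
'@
Test-CrawlAccountResponse -Json $denied  | Format-List
Test-CrawlAccountResponse -Json $granted | Format-List
```

Against a live reply, pass `($response | ConvertTo-Json -Depth 10)` as `-Json`, since `Invoke-RestMethod` has already parsed the body into objects.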