powershell-scripts/m365/Set-PnPFolderAcl.ps1

[CmdletBinding()]
param(
	[Parameter(Mandatory=$true)]
	[string]$Name,
	[Parameter(Mandatory=$true)]
	[string]$List = 'Shared Documents',
	[Parameter(Mandatory=$true)]
	[string]$Owner,
	[Parameter()]
	[array]$Acl
)

<#
.SYNOPSIS
	Sets permissions on a folder in a SharePoint document library.
.DESCRIPTION
	This script breaks permission inheritance on a specified folder in a SharePoint document library and assigns permissions to a specified owner group and additional groups defined in the ACL parameter.
.PARAMETER Name
	The name of the folder to set permissions on.
.PARAMETER List
	The name of the document library containing the folder. Default is 'Shared Documents'.
.PARAMETER Owner
	The name of the SharePoint group to assign as the owner of the folder with 'Full Control' permissions.
.PARAMETER Acl
	An array of objects defining additional groups and their permissions to assign to the folder. Each object should have a 'DisplayName' property for the group name and a 'Role' property for the permission level (e.g., 'Read', 'Edit').
.EXAMPLE
	$Acl = @(
		@{ DisplayName = "SG-ADMIN-AdvocateFloats-Dynamic"; Role = "Edit" },
		@{ DisplayName = "SG-ADMIN-AdvocateManagers-Dynamic"; Role = "Edit" }
	)
	.\Set-PnPFolderAcl.ps1 -Name "ProjectX" -List "Shared Documents" -Owner "Project Owners" -Acl $Acl
#>

<#
.SYNOPSIS
	Tests if a PnP Group exists.
.DESCRIPTION
	This function tests if a PnP Group exists in the current SharePoint site.
.PARAMETER Identity
	The identity of the group to test.
.EXAMPLE
	Test-PnPGroup -Identity "MyGroup"
#>
function Test-PnPGroup {
	param(
		[string]$Identity
	)

	try {
		Get-PnPGroup -Identity $Identity -ErrorAction Stop | Out-Null
		return $true
	} catch {
		return $false
	}
}

<#
.SYNOPSIS
	Tests if an Entra ID Group exists and PnP can resolve it.
.DESCRIPTION
	This function tests if a Entra ID Group exists and can be resolved by PnP.
.PARAMETER Identity
	The identity of the group to test.
.EXAMPLE
	Test-EntraIdGroup -Identity "MyGroup"
#>
function Test-EntraIdGroup {
	param(
		[string]$Identity
	)

	try {
		Get-PnPEntraIdGroup -Identity $Identity -ErrorAction Stop | Out-Null
		return $true
	} catch {
		return $false
	}
}

# Validate that we are connected to a SharePoint site and that the specified list and owner group exist
if (-not (Get-PnPContext)) {
	Write-Error "Not connected to a SharePoint site. Please connect using Connect-PnPOnline before running this script."
	exit 1
}
if (-not (Get-PnPList -Identity $List -ErrorAction SilentlyContinue)) {
	Write-Error "The specified list '$List' does not exist on the current site."
	exit 1
}
if (-not (Test-PnPGroup -Identity $Owner)) {
	Write-Error "The specified owner group '$Owner' does not exist on the current site."
	exit 1
}

# Warning if no ACL entries are provided, as this will result in the folder having no permissions assigned
if ($Acl.Count -eq 0) {
	Write-Warning "No ACL entries provided. The folder will have no permissions assigned."
}


# Break inheritance on the location folder and set ownership
Write-Host "Breaking permission inheritance for folder '$List/$Name'."
Write-Host "Assigning 'Full Control' permissions to SharePoint group '$Owner' for folder '$List/$Name'."
Set-PnPFolderPermission -List $List -Identity "$List/$Name" -Group $Owner -AddRole 'Full Control' -ClearExisting

foreach ($Group in $Acl) {
	if (Test-PnPGroup $Group.DisplayName) {
		Write-Host "Assigning '$($Group.Role)' permissions to SharePoint group '$($Group.DisplayName)' for folder '$List/$Name'."
		Set-PnPFolderPermission -List $List -Identity "$List/$Name" -Group $Group.DisplayName -AddRole $Group.Role
	} elseif (Test-EntraIdGroup $Group.DisplayName) {
		Write-Host "Assigning '$($Group.Role)' permissions to Entra ID group '$($Group.DisplayName)' for folder '$List/$Name'."
		Set-PnPFolderPermission -List $List -Identity "$List/$Name" -User $Group.DisplayName -AddRole $Group.Role
	} else {
		Write-Warning "Group '$($Group.DisplayName)' does not exist. Skipping permission assignment."
		continue
	}
}