SharePoint Online: Change User Permissions using PowerShell

Requirement:  Edit user permissions in SharePoint Online

How to change user permissions  in SharePoint Online?
You want to change user's permission on a particular site/library/item in SharePoint online. E.g. Once a particular project has completed and you no longer want the team member to add or edit the project's supporting documents but only view! SharePoint provides a flexible way to manage permission changes to a user or a group. Here is how to update user permissions in SharePoint online.

• To edit site permissions for a user, Navigate to the SharePoint Online site where the user has access. Click on Settings gear and then site settings.
• On the Site Settings page, click on "Site Permissions" link under Users and Permissions group.
• On the site permissions page, Select the check box next to the user which you want to edit permissions. Click on "Edit User Permissions" button from the ribbon.
• Select-Unselect the relevant permissions check boxes. In this case, you have to untick "Edit" and tick "Read". Click OK to save your changes.

Please note, if the site or library is inheriting permissions from the parent, You may have to Stop Inheriting Permissions in order to provide unique permission to the item.

Edit user permissions in sharepoint online using PowerShell:
Lets script the above task of editing the user permissions. Remove "Edit" and add "Read" permission to the user at site level.

#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

#Variables for Processing
$SiteURL = "https://crescent.sharepoint.com/Sites/marketing"
$UserAccount="i:0#.f|membership|Salaudeen@crescent.com"
$PermissionToRemove="Edit"
$PermissionToAdd="Read"

#Setup Credentials to connect
$Cred = Get-Credential
$Cred = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.UserName,$Cred.Password)

Try {
    #Setup the context
    $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
    $Ctx.Credentials = $Cred

    #Get all Users of the site
    $Users = $Ctx.Web.SiteUsers
    $Ctx.Load($Users)
    $Ctx.ExecuteQuery()

    #Get user accounts
    $UserAccounts =  $Users | Select -ExpandProperty LoginName

    #Check if the given user exists in the site
    If($UserAccounts -Contains $UserAccount)
    {
        #Get the User
        $User = $ctx.Web.SiteUsers.GetByLoginName($UserAccount)

        #Get Permission Levels to add and remove
        $RoleDefToAdd = $Ctx.web.RoleDefinitions.GetByName($PermissionToAdd)
        $RoleDefToRemove = $Ctx.web.RoleDefinitions.GetByName($PermissionToRemove)

        #Get the User's role assignment on the web
        $RoleAssignment = $Ctx.web.RoleAssignments.GetByPrincipal($User)

        #Add/remove permission levels to the role assignment
        $RoleAssignment.RoleDefinitionBindings.Add($RoleDefToAdd)
        $RoleAssignment.RoleDefinitionBindings.Remove($RoleDefToRemove)
        $RoleAssignment.Update()
        $Ctx.ExecuteQuery() 

        write-host  -f Green "User permissions updated Successfully!"
    }
    else
    {
        Write-host -f Yellow "User Doesn't exist in the site!"
    }
}
Catch {
    write-host -f Red "Error Updating User Permissions!" $_.Exception.Message
}