Permission sprawl is one of the most common governance problems in SharePoint Online. It builds up gradually: a project finishes but the shared links stay live, a contractor gets owner access and never gets removed, individual files accumulate broken inheritance because someone clicked "Stop inheriting permissions" years ago. A periodic permissions audit finds and fixes this drift before it becomes a compliance issue.
This guide walks through a full permissions audit from start to finish: scoping the work, using native SharePoint tools, exporting a complete permission matrix, and remediating the findings. It covers SharePoint Online (Microsoft 365).
Before You Start: Understand the Permission Model
SharePoint permissions cascade from tenant to site collection to site to library to folder to item. By default, each level inherits from its parent. When you break that inheritance on a folder or file, SharePoint stores a separate access control list for that object. Every broken-inheritance object counts against your 50,000 unique-permissions limit per site collection.
There are two categories of access to audit:
- Group-based permissions: SharePoint groups (Owners, Members, Visitors) and Microsoft 365 groups tied to teams or sites.
- Sharing links: Anyone links, Specific people links, and Organisation-wide links created via the Share button or OneDrive sync. These bypass the group model entirely and are harder to enumerate.
Step 1: Map Your Site Collections
Start by getting the complete list of sites you need to cover.
- Open the SharePoint admin center (https://<tenant>-admin.sharepoint.com).
- Navigate to Sites > Active sites.
- Click Export (CSV) to download the full site list. This gives you URLs, storage usage, template type, and the primary admin for each site.
- Filter out system sites (search, portals) and personal OneDrive sites unless your audit specifically covers OneDrive.
Step 2: Identify Unique Permissions (Broken Inheritance)
For each site in scope, you want to know which libraries, folders, or items have stopped inheriting permissions from their parent.
Using the native SharePoint UI
- Open the site and go to Site settings > Site permissions.
- Click Check permissions and enter a user's name or email to see what access they have and where it comes from.
- In any library, select a file or folder and click Manage access (right-click or via the details pane). If the item shows "This item has unique permissions", it has broken inheritance.
Limitations of the native approach
The native UI checks permissions for one item or one user at a time. It cannot enumerate all unique-permission items across a site or across multiple sites. For that, you need either PnP PowerShell scripts or a tool that reads the SharePoint REST API.
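The enumeration the native UI cannot do, as an added PnP PowerShell example that is not part of the original guide: it walks every visible list in one site, records each list, folder and item with broken inheritance, and exports who holds which permission level on it. It assumes the PnP.PowerShell module is installed and the signed-in account is a site administrator; the site URL is a placeholder.

```powershell
# Added example (not from the original guide): enumerate every list, folder and item
# with broken inheritance in one site and export who holds what on each of them.
# Assumes the PnP.PowerShell module is installed and the signed-in account is a site admin.
# The site URL is a placeholder.
$siteUrl = "https://<tenant>.sharepoint.com/sites/<site>"
Connect-PnPOnline -Url $siteUrl -Interactive

# Expand the role assignments of one securable object into flat report rows.
function Get-RoleRows {
    param($Object, [string]$Scope, [string]$Path)
    $assignments = Get-PnPProperty -ClientObject $Object -Property RoleAssignments
    foreach ($ra in $assignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        # "Limited Access" is plumbing SharePoint adds so a user can traverse to a
        # deeper object; it grants nothing by itself, so leave it out of the report.
        $levels = $ra.RoleDefinitionBindings | Where-Object Name -ne "Limited Access"
        if (-not $levels) { continue }
        [pscustomobject]@{
            Scope      = $Scope
            Path       = $Path
            Principal  = $ra.Member.Title
            LoginName  = $ra.Member.LoginName
            IsExternal = $ra.Member.LoginName -like "*#ext#*"   # guest accounts (see Step 3)
            Levels     = ($levels | ForEach-Object Name) -join ";"
        }
    }
}

$rows = foreach ($list in (Get-PnPList | Where-Object { -not $_.Hidden })) {
    # HasUniqueRoleAssignments is not populated by default; load it explicitly.
    if (Get-PnPProperty -ClientObject $list -Property HasUniqueRoleAssignments) {
        Get-RoleRows -Object $list -Scope "List" -Path $list.Title
    }
    # Page through every file and folder in the list; FSObjType 1 marks a folder.
    $items = Get-PnPListItem -List $list -PageSize 500 -Fields "FileRef", "FSObjType"
    foreach ($item in $items) {
        if (-not (Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments)) { continue }
        $scope = if ($item["FSObjType"] -eq 1) { "Folder" } else { "Item" }
        Get-RoleRows -Object $item -Scope $scope -Path $item["FileRef"]
    }
}

$rows | Export-Csv -Path ".\unique-permissions.csv" -NoTypeInformation
"{0} unique-permission entries across {1} objects" -f $rows.Count, ($rows.Path | Sort-Object -Unique).Count
```

Run it once per site in scope and concatenate the CSVs; the IsExternal column gives the Step 3 external-user check for free.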
Step 3: Review SharePoint Groups and Membership
- Open the site and go to Site settings > People and groups.
- Review each group (Owners, Members, Visitors, plus any custom groups).
- Look for individual user accounts added directly to site permission groups instead of via Microsoft 365 groups or Azure AD groups. Direct user assignments are harder to audit and do not move when someone leaves the organisation.
- Check for external users (accounts with #EXT# in the display name or UPN). Confirm each one is still an active partner or vendor with a legitimate need.
- Identify inactive accounts: users who are still licensed but have not signed in within the past 90 days. Flag these for review or removal.
Step 4: Audit Shared Links
Sharing links are the hardest part of a permissions audit because they bypass the group-based model. A file can have "Members" access at the library level and still be accessible to anyone in the world if someone created an "Anyone with the link" share.
Using the SharePoint admin center
- In the SharePoint admin center, go to Reports > Sharing to review external sharing links by site and by user.
- Set link expiry policies under Policies > Sharing to enforce automatic expiration on new Anyone links going forward.
Using ShareMaster's Shared Links and Permissions tool
The native admin center shows aggregate sharing counts but does not let you enumerate, filter, or bulk-remove links across sites. ShareMaster's Shared Links and Permissions tool reads sharing links for any connected SharePoint site and shows:
- Link type (Anyone, Specific people, Organisation, or direct access).
- Link creation date and the user who created it.
- The item or folder the link targets.
- Whether the link has already expired or is still active.
From the results list, you can select links and bulk-remove them in a single operation, without opening each file manually.
Step 5: Check Site Collection Administrators
Site collection administrators have full control over every object in the site collection, including second-stage Recycle Bin access and the ability to see all content regardless of unique permissions. This role should be kept small.
- In the SharePoint admin center, open Sites > Active sites.
- Click any site and check the Admins tab.
- Confirm each listed admin has a current business reason for full control. Service accounts, project accounts for completed migrations, and former employees are common candidates for removal.
Step 6: Export a Full Permission Matrix
A permission matrix shows every user and group mapped to every site, library, folder, and item they can access. It is the deliverable most compliance auditors and security reviewers expect.
ShareMaster's Report Master generates permission matrix exports to Excel. You select the sites to cover, run the export, and receive a spreadsheet with one row per principal-object combination, including permission level, whether it came from inheritance or a direct assignment, and the original site URL.
For ongoing governance, schedule this export monthly and compare it against the previous month's version. A diff between two exports quickly shows who gained or lost access and where new unique permissions appeared.
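The month-over-month diff described above, as an added PowerShell example that is not part of the original guide or of Report Master. It assumes the export has the columns Principal, Object, Level and Source (Inherited or Direct); those header names are assumptions, so rename them to match the real export. The two sample files are constructed inline so the script runs offline.

```powershell
# Added example (not from the original guide): diff two permission-matrix exports so
# the monthly review focuses on what changed. The column names Principal, Object, Level
# and Source are assumptions about the exporter's header; rename them to match yours.
function Compare-PermissionMatrix {
    param(
        [Parameter(Mandatory)] [string]$PreviousCsv,
        [Parameter(Mandatory)] [string]$CurrentCsv
    )
    $previous = Import-Csv -Path $PreviousCsv
    $current  = Import-Csv -Path $CurrentCsv

    # A row is identified by who has which level on what. Rows present in only one
    # file are the delta; SideIndicator says which side each one came from.
    $delta = Compare-Object -ReferenceObject $previous -DifferenceObject $current `
        -Property Principal, Object, Level -PassThru
    foreach ($row in $delta) {
        [pscustomobject]@{
            Change    = if ($row.SideIndicator -eq "=>") { "Gained" } else { "Lost" }
            Principal = $row.Principal
            Object    = $row.Object
            Level     = $row.Level
            # A gained row backed by a direct assignment is a new unique permission to inspect.
            NewUnique = ($row.SideIndicator -eq "=>" -and $row.Source -eq "Direct")
        }
    }
}

# Constructed sample exports so the example runs offline (all values are made up).
@"
Principal,Object,Level,Source
Finance Owners,/sites/finance,Full Control,Inherited
alice@contoso.com,/sites/finance/Shared Documents/Budget,Edit,Direct
"@ | Set-Content -Path .\matrix-prev.csv

@"
Principal,Object,Level,Source
Finance Owners,/sites/finance,Full Control,Inherited
bob_vendor.example#EXT#@contoso.onmicrosoft.com,/sites/finance/Shared Documents/Budget,Read,Direct
"@ | Set-Content -Path .\matrix-curr.csv

# Expected: alice's Edit row reported as Lost, the guest's Read row as Gained with NewUnique = True.
Compare-PermissionMatrix -PreviousCsv .\matrix-prev.csv -CurrentCsv .\matrix-curr.csv |
    Sort-Object Change, Principal | Format-Table -AutoSize
```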
Step 7: Remediate Findings
A typical first-audit remediation involves three categories of work:
Remove inactive and external users
Use the exported matrix to identify accounts that no longer need access. Removing a direct user from a SharePoint group immediately revokes their access to every library and item that inherits from that group.
Consolidate unique permissions
For folders and files with broken inheritance, restore inheritance where possible (the "Delete unique permissions" option in the item's Manage access panel). Move access control to the library level using groups so future changes propagate automatically.
Remove or expire shared links
Use the Shared Links and Permissions tool to bulk-remove links with no current business purpose: links created for one-off sharing more than 90 days ago, Anyone links on sensitive documents, and links belonging to accounts that are no longer active.
Step 8: Establish Ongoing Governance
A one-time audit decays quickly. Permissions drift comes back within weeks if no controls are in place. The minimum governance layer worth establishing after an audit:
- Set a link expiry policy in the SharePoint admin center (30 days for Anyone links is a common starting point).
- Restrict who can create new sites to prevent sprawl of ungoverned site collections.
- Run a quarterly permissions export from Report Master and review the diff against the previous quarter.
- Integrate SharePoint group membership with Azure AD access reviews for the most sensitive groups, so group owners are asked to recertify members on a schedule.
Summary
A permissions audit covers four areas: site collection admins, group membership, unique permissions on items, and shared links. The native SharePoint admin center handles high-level reporting; a tool like ShareMaster covers the item-level enumeration and bulk remediation that native tooling lacks. Running a permission matrix export before and after remediation gives you audit evidence and a baseline for ongoing governance.