Meet Sarah, the compliance and risk manager at Meridian Legal, a 190-person professional services firm. Meridian's IT team runs the Microsoft 365 environment, but Sarah owns the information security programme and is accountable to the board for it.
The situation
Meridian Legal has been working toward ISO 27001 certification for two years. The external certification audit is now six months away. The auditor's pre-engagement questionnaire includes a section on information access controls that names SharePoint Online explicitly: the auditor will want to see evidence that access to sensitive content is reviewed regularly, granted on a least-privilege basis, and revoked promptly when staff leave or change roles.
Sarah's problem is that Meridian's SharePoint environment has grown organically over five years. There are 26 active site collections, a mix of team sites and communication sites, and no consistent approach to permissions. Some sites use default membership through Microsoft 365 groups; others have been customised over time with individual user assignments, broken inheritance on specific libraries, and document-level permissions added by partners who needed one-time access years ago.
What Sarah did not know before the audit
- How many external users still had access to any Meridian SharePoint content.
- Which libraries had broken permission inheritance and what the resulting access looked like.
- How many sharing links had been created for client-facing documents, and whether any were still active for recipients who had since left the client firms those documents were shared with.
- Whether any former employees who had left in the past 18 months still appeared on any site group or had documents shared directly with their old email addresses.
Sarah had access to the SharePoint admin center, but its reporting capabilities gave her site-level storage and usage data, not a usable permission breakdown across all 26 sites and their libraries. Exporting a meaningful access review from the native tools would have taken weeks of manual site-by-site work.
Phase 1: Establish a baseline with Report Master
Understand the full permission picture before changing anything
Sarah's IT administrator installed ShareMaster and connected it to Meridian's Microsoft 365 tenant. They ran Report Master with a scope of all 26 sites, generating a permission matrix export to Excel.
The export returned a row for every unique permission assignment across every site, library, and folder where inheritance had been broken. The key columns were:
- Site name and URL
- Library or list name
- User or group name
- Permission level (Full Control, Edit, Read, Limited Access, etc.)
- Whether the assignment was direct (individual user) or via a SharePoint group or Microsoft 365 group
- Whether the user was internal or external to the tenant
The report ran in under ten minutes across all 26 sites. Sarah and the IT admin spent the next hour reviewing the Excel output together.
What they found:
- 14 former employees still appeared on at least one site group or had direct permissions on at least one library. Eleven had left within the past year; three had left over two years ago.
- 31 libraries and folders had broken permission inheritance, of which eight were in the HR and Finance site collections. Three of those eight had members from the general staff Members group, which was broader than intended.
- 6 external users from two former client companies had active permissions on document libraries. Both client engagements had ended.
- One site owner had granted Full Control to a contractor account that was not in any directory, meaning it could not be resolved to a known person.
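The four categories above are all cross-checks of the export against reference data the firm already holds: the HR leavers list, the directory, the list of closed engagements, and a short list of "everyone" groups that should never sit on a sensitive site. The script below is an added example, not ShareMaster or Report Master code. It assumes the permission matrix has been saved as CSV with one row per assignment and columns matching the key columns listed above (the column names, the group-membership expansion, and all reference lists are assumptions, and the sample rows are constructed).

```python
import csv
import io

# Constructed sample of a cross-site permission export, one row per assignment.
# Column names are an assumption modelled on the key columns the case study
# lists, not ShareMaster's actual export format. A user row whose "via" is a
# group name is that user's membership expanded through the group; rows only
# exist for libraries/folders that carry their own permissions.
PERMISSION_EXPORT = """\
site,library,principal,principal_type,level,via,external
HR,Contracts,Meridian Legal Members,SharePointGroup,Edit,Direct,No
HR,Contracts,jsmith@meridianlegal.example,User,Edit,Meridian Legal Members,No
HR,Contracts,HR Team,SharePointGroup,Edit,Direct,No
Finance,Invoices,Meridian Legal Members,SharePointGroup,Read,Direct,No
Finance,Invoices,alex@formerclient.example,User,Read,Direct,Yes
Clients,Matter-4411,contractor-temp,User,Full Control,Direct,No
Clients,Matter-4411,pwhite@meridianlegal.example,User,Edit,Direct,No
Clients,Matter-4411,lee@activeclient.example,User,Read,Direct,Yes
"""

# Reference data the review cross-checks against (all constructed for the example).
LEAVERS = {"jsmith@meridianlegal.example"}                 # HR leavers list, last 18 months
DIRECTORY = {"jsmith@meridianlegal.example",                # every account the directory knows,
             "pwhite@meridianlegal.example"}                # enabled or disabled
SENSITIVE_SITES = {"HR", "Finance"}
BROAD_GROUPS = {"Meridian Legal Members", "Everyone except external users"}
CLOSED_ENGAGEMENT_DOMAINS = {"formerclient.example"}
GROUP_TYPES = {"SharePointGroup", "M365Group", "SecurityGroup"}


def load_export(export_csv):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(export_csv)))


def triage(rows, leavers=LEAVERS, directory=DIRECTORY,
           sensitive_sites=SENSITIVE_SITES, broad_groups=BROAD_GROUPS,
           closed_domains=CLOSED_ENGAGEMENT_DOMAINS):
    """Sort every assignment into the finding categories the review needs.

    Returns a dict of category -> list of (location, principal, detail).
    """
    findings = {
        "former_employee": [],             # leaver still present, direct or via a group
        "external_closed_engagement": [],  # guest from a client whose matter is closed
        "external_active": [],             # guest from a live engagement: keep, but note it
        "unresolvable": [],                # internal-looking login the directory cannot resolve
        "broad_group_on_sensitive_site": [],
        "broken_inheritance": set(),       # every library/folder carrying its own ACL
    }
    for r in rows:
        where = f'{r["site"]}/{r["library"]}'
        if r["library"]:
            findings["broken_inheritance"].add(where)
        principal = r["principal"].strip()
        key = principal.lower()
        if r["principal_type"] in GROUP_TYPES:
            if r["site"] in sensitive_sites and principal in broad_groups:
                findings["broad_group_on_sensitive_site"].append((where, principal, r["level"]))
            continue
        # From here on the row is an individual user.
        if key in leavers:
            findings["former_employee"].append((where, principal, r["via"]))
        elif r["external"] == "Yes":
            domain = key.rsplit("@", 1)[-1]
            bucket = "external_closed_engagement" if domain in closed_domains else "external_active"
            findings[bucket].append((where, principal, r["level"]))
        elif key not in directory:
            findings["unresolvable"].append((where, principal, r["level"]))
    findings["broken_inheritance"] = sorted(findings["broken_inheritance"])
    return findings


def summary(findings):
    """Counts per category, in the form the access review log records."""
    return {category: len(items) for category, items in findings.items()}


if __name__ == "__main__":
    result = triage(load_export(PERMISSION_EXPORT))
    for category, items in result.items():
        print(f"{category}: {items}")
    print(summary(result))
```

The leaver check runs before the directory check on purpose: a former employee is still a resolvable account, just one that should no longer hold access, whereas "unresolvable" is reserved for logins that no directory source can explain at all, which is the category that deserves the most suspicion.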
Phase 2: Audit and revoke external sharing links
Shared links are invisible in standard permission reports
Permission matrix reports show group memberships and direct user assignments, but SharePoint sharing links are a separate permission mechanism. When a document is shared by link with a specific person, SharePoint Online grants the access through a hidden, system-managed sharing group attached to that item rather than through the site's own groups, so the recipient does not appear in a standard permission export as a recognisable assignment. Sharing links therefore need their own enumeration pass, and Sarah needed a separate tool for it.
She used the Shared Links and Permissions tool in ShareMaster to enumerate all active sharing links across all 26 sites. The results were eye-opening:
- 440 unique sharing links were found across Meridian's sites.
- Of these, 96 were links shared with specific external email addresses.
- 22 were "Anyone with the link" (anonymous) links, most of them on a single site used for marketing collateral.
- The remainder (322) were organisation-wide links, usable by any signed-in Meridian staff member.
Sarah exported the external and anonymous link list and reviewed it with the relevant team leads over two days. The result:
- 68 of the 96 external-recipient links were confirmed no longer needed and were bulk-revoked directly from ShareMaster.
- 12 were for active client engagements and remained in place, with expiry dates set to the expected engagement end date.
- 16 required individual confirmation from the document owner before revocation; the team leads handled those conversations.
- All 22 anonymous links were reviewed. 19 were revoked; the remaining three were for publicly shared marketing documents that the marketing team confirmed were intentional.
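The triage above follows from two pieces of SharePoint Online behaviour: each sharing link is materialised as a hidden site group named `SharingLinks.<item id>.<kind>.<link id>`, where the kind encodes the audience (Flexible for specific people, OrganizationView/OrganizationEdit for the organisation, AnonymousView/AnonymousEdit for anyone with the link), and guest recipients of specific-people links carry a claims login of the form `i:0#.f|membership|user_domain.com#ext#@tenant.onmicrosoft.com`. The script below is an added example and is not ShareMaster code; it parses those two conventions and applies the same decision rule the team used (internal audience retained, closed-engagement recipients revoked, live engagements retained with an expiry, anonymous links referred back to the owner). The engagement register, the firm's mail domain, and the sample group list are constructed assumptions.

```python
import re
from datetime import date

# SharePoint Online materialises each sharing link as a hidden site group named
# SharingLinks.<item unique id>.<kind>.<link id>; this regex matches that naming
# convention as observed in tenants. "Flexible" is the "specific people" link;
# its view/edit right lives in the group's role binding, not in its name.
SHARING_LINK_RE = re.compile(
    r"^SharingLinks\.(?P<item>[0-9a-f-]{36})\."
    r"(?P<kind>Flexible|OrganizationView|OrganizationEdit|AnonymousView|AnonymousEdit)\."
    r"(?P<link>[0-9a-f-]{36})$", re.IGNORECASE)

ORG_DOMAIN = "meridianlegal.example"  # assumption: the firm's primary mail domain
# Assumed engagement register: client mail domain -> expected end date.
ACTIVE_ENGAGEMENTS = {"activeclient.example": date(2025, 9, 30)}

# Constructed sample: (group title, member login names) as a site's group list
# would return them. The last entry is an ordinary site group, not a link.
SAMPLE_GROUPS = [
    ("SharingLinks.3f2a9c1e-7b4d-4c1a-9e2f-0a1b2c3d4e5f.Flexible.8c6d2b10-5e1f-4a7b-b3c9-d4e5f6a7b8c9",
     ["i:0#.f|membership|alex_formerclient.example#ext#@meridianlegal.onmicrosoft.com"]),
    ("SharingLinks.3f2a9c1e-7b4d-4c1a-9e2f-0a1b2c3d4e5f.Flexible.1a2b3c4d-5e6f-4071-8293-a4b5c6d7e8f9",
     ["i:0#.f|membership|lee_activeclient.example#ext#@meridianlegal.onmicrosoft.com",
      "i:0#.f|membership|pwhite@meridianlegal.example"]),
    ("SharingLinks.9d8c7b6a-5f4e-4d3c-b2a1-0f1e2d3c4b5a.OrganizationView.0f1e2d3c-4b5a-4697-8877-665544332211", []),
    ("SharingLinks.9d8c7b6a-5f4e-4d3c-b2a1-0f1e2d3c4b5a.AnonymousEdit.aabbccdd-eeff-4011-8223-344556677889", []),
    ("Meridian Legal Members", ["i:0#.f|membership|pwhite@meridianlegal.example"]),
]


def login_to_email(login):
    """Turn an SPO claims login into a lower-case email address.

    Guest logins embed the original address with '@' replaced by '_' followed
    by '#ext#'; tenant members keep their UPN after the last '|'.
    """
    claim = login.rsplit("|", 1)[-1]
    if "#ext#" in claim.lower():
        local = claim.split("#", 1)[0]             # e.g. alex_formerclient.example
        user, _, domain = local.rpartition("_")    # mail domains never contain '_'
        return f"{user}@{domain}".lower()
    return claim.lower()


def classify_link_group(title):
    """Return (audience, access) for a SharingLinks.* group title, else None."""
    m = SHARING_LINK_RE.match(title)
    if not m:
        return None
    kind = m.group("kind").lower()
    if kind.startswith("anonymous"):
        audience = "anyone"
    elif kind.startswith("organization"):
        audience = "organisation"
    else:
        audience = "specific-people"
    if kind.endswith("edit"):
        access = "edit"
    elif kind.endswith("view"):
        access = "view"
    else:
        access = "see role binding"
    return audience, access


def triage_links(groups, today, engagements=ACTIVE_ENGAGEMENTS, org_domain=ORG_DOMAIN):
    """Decide retain / revoke / confirm for every sharing-link group."""
    decisions = []
    for title, members in groups:
        info = classify_link_group(title)
        if info is None:
            continue                               # ordinary site group, not a link
        audience, access = info
        recipients = [login_to_email(m) for m in members]
        external = [r for r in recipients if not r.endswith("@" + org_domain)]
        if audience == "anyone":
            action = "confirm-or-revoke"           # owner must justify a public link
        elif audience == "organisation" or not external:
            action = "retain"                      # internal audience only
        else:
            ends = [engagements.get(r.rsplit("@", 1)[-1]) for r in external]
            if all(end is not None and end >= today for end in ends):
                # Expire when the earliest engagement on the link ends.
                action = f"retain-with-expiry:{min(ends).isoformat()}"
            else:
                action = "revoke"                  # at least one recipient is from a closed matter
        decisions.append({"group": title, "audience": audience, "access": access,
                          "external_recipients": external, "action": action})
    return decisions


if __name__ == "__main__":
    for d in triage_links(SAMPLE_GROUPS, date(2025, 3, 1)):
        print(d["audience"], d["access"], d["external_recipients"], "->", d["action"])
```

Because the Flexible group name does not say whether the link grants view or edit, the review still has to read the group's role definition binding before deciding that a retained link is acceptable; the script flags this with "see role binding" rather than guessing.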
Phase 3: Remediate stale and overly broad permissions
Fix what the baseline found
Working from the Report Master export, Sarah and the IT admin addressed each category of finding:
Former employees: the IT admin removed all 14 former employee accounts from SharePoint site groups and direct permission assignments. Because ShareMaster's permission report had identified every site and library where each account appeared, the removal was systematic rather than a site-by-site search. The accounts had already been disabled in Azure AD (now Microsoft Entra ID), which stops them signing in, but disabling an account does not remove its SharePoint group memberships or direct assignments, so the access entries had persisted and would have become live again had any account been re-enabled.
Overly broad library permissions: the three sensitive HR and Finance libraries already had broken inheritance, but the general Members group had come along with it. The IT admin kept the break in inheritance, this time as a deliberate and documented choice, removed the general Members group, and rebuilt the library permissions around a smaller, named group containing only the HR and Finance staff who required access.
External users from closed engagements: the six external accounts from former clients were removed from site groups. The IT admin also checked whether those email addresses appeared on any sharing links (they did: four of the 68 bulk-revoked links above belonged to those same accounts).
Unresolvable contractor account: the account with Full Control that could not be resolved to a known person was removed. The site owner confirmed it was a contractor from a project that had ended two years earlier.
Phase 4: Generate final evidence for the auditor
Close-out documentation
After the remediation was complete, Sarah ran the Report Master export again across all 26 sites. This second export served as the "after" snapshot, confirming that all identified issues had been resolved. She saved both exports (before and after) with dates in the filename and attached them to Meridian's ISO 27001 control evidence folder.
She also prepared a brief access review log documenting:
- The date the review was conducted.
- Scope (all 26 SharePoint site collections).
- Findings summary: 14 former employees removed, 6 external users removed, 68 sharing links revoked, 3 sensitive libraries tightened to defined access groups.
- Approvals: site owners and team leads who confirmed sharing link revocations.
The IT admin also set a calendar reminder to run the same review every quarter, with Report Master as the baseline tool each time.
Audit outcome
| Finding category | Identified | Resolved |
|---|---|---|
| Former employee permission entries | 14 accounts across multiple sites | 14 removed (100%) |
| External users from closed engagements | 6 accounts | 6 removed (100%) |
| External-recipient sharing links reviewed | 96 links | 68 revoked; 12 retained with expiry dates; 16 referred to document owners for confirmation |
| Anonymous links reviewed | 22 links | 19 revoked; 3 confirmed intentional (marketing) |
| Overly broad sensitive library permissions | 3 libraries (HR and Finance sites) | 3 rebuilt with explicit, named access groups |
| Unresolvable Full Control account | 1 contractor account | 1 removed |
The external ISO 27001 auditor reviewed the before-and-after permission matrix exports, the sharing link revocation log, and the process documentation. The access control section of the audit raised no major non-conformances. The auditor noted the systematic approach and the quarterly review commitment as positive evidence of ongoing control.
What made the difference
The biggest challenge in a SharePoint permissions audit is not knowing where to look. Broken inheritance, library-level assignments, and sharing links all operate independently and are not visible in a single native report. Without Report Master's cross-site permission matrix and the Shared Links enumeration, building the same picture manually would have required checking each of 26 sites one by one, a process that Sarah estimated would take at least three working weeks.
The actual audit preparation took four working days: one day to run the baseline and review the findings, two days for stakeholder review of sharing links, and one day for remediation and close-out documentation. The time saving came directly from having a complete, structured view of the permission state before starting.
The quarterly review commitment, backed by the same Report Master process, ensures the access control state stays clean between certification cycles rather than accumulating problems that require a large cleanup every year.