
SharePoint Permissions Report: Audit & Clean Up Access Across Your Tenant

Why SharePoint Permissions Accumulate Into a Security Risk

SharePoint Online permissions decay over time in every tenant. A site collection that started with 15 carefully chosen members quietly grows to 200 users through organic sharing, guest invitations, broken inheritance on document libraries, and ad-hoc "Anyone with the link" shares. By the time an audit is requested — usually after a data-loss event or a compliance review — administrators discover that sensitive HR documents are accessible to contractors who left six months ago, and an entire Finance hub site has inheritance broken at the folder level with unique permissions applied to 300 individual items.

The business impact of uncontrolled SharePoint access goes beyond security. Organisations operating under GDPR, HIPAA, or ISO 27001 face regulatory exposure if personal data is accessible beyond the stated purpose. In our client work across India, UAE, and Australia, we have seen audit findings where external guest users retained access to a client portal for 18 months after the project ended — purely because no recurring review process existed. This article gives you the toolset and the process to eliminate that risk.

Understanding SharePoint's permission inheritance model is the prerequisite for any audit. By default, all lists, libraries, and items inherit permissions from their parent site. When inheritance is broken — through unique role assignments, "Share" operations, or Access Request approvals — a parallel permission record is created that the Admin Center's summary views do not surface. Your audit strategy must account for both inherited and unique permissions across all levels of the hierarchy.

Tip

Run your first permissions audit on a non-production hub site or a single department site before tackling the whole tenant. The volume of data for large tenants — thousands of sites with broken inheritance — can be overwhelming without a scoped warm-up run.

SharePoint Admin Center Built-In Reports

The SharePoint Admin Center at https://<tenant>-admin.sharepoint.com provides several native reports that give a high-level view of sharing activity without requiring PowerShell. Start with Reports > Site usage, which shows per-site activity over the last 7, 30, 90, or 180 days, and pair it with the SharePoint activity report in the Microsoft 365 admin center (Reports > Usage), which counts files shared internally and externally per user. Sites with a high ratio of sharing events relative to active users are prime candidates for a deeper dive.

The Active sites list shows each site's external sharing setting: Anyone, New and existing guests, Existing guests, or Only people in your organization. Filter it to every value other than "Only people in your organization" to produce your initial oversharing candidate list, then export the CSV and sort by the external sharing setting and last activity date to prioritise the sites with the broadest guest exposure.

The Data access governance reports are the most powerful native addition to the Admin Center. Navigate to Reports > Data access governance and you will find reports for sharing links created in the last 28 days ("Anyone" links, "People in your organization" links, and links to specific people outside the organisation), for content shared with "Everyone except external users", and for sensitivity labels applied to files. The reports are generated on demand and take a while to build, and some of them require a SharePoint Advanced Management licence, so confirm licensing before you plan around them. Either way, no PowerShell is required for the initial triage pass.

Reviewing the Sharing Links Report

Within Data access governance, the Sharing links report shows, per site, how many "Anyone", "People in your organisation", and specific-people links were created in the reporting window. Sort it by the number of "Anyone" links and review the sites classified as confidential or above first: an "Anyone" link requires no sign-in at all, and it keeps working after the person who created it leaves the organisation. Do not rely on users setting an expiry on each link; enforce it tenant-wide with Set-PnPTenant -RequireAnonymousLinksExpireInDays (or Set-SPOTenant with the same parameter), which applies to every new "Anyone" link, and treat existing links without an expiry on classified sites as findings to be removed.

Microsoft Entra Access Reviews for SharePoint Groups

Microsoft Entra ID (formerly Azure AD) Access Reviews provide a structured, auditable mechanism for validating group membership. Where SharePoint access is granted through Microsoft 365 Groups (every Teams-connected site) or Entra security groups, an access review of the group governs SharePoint access at scale. Be clear about the gap, though: access reviews cannot see SharePoint's own site groups (Owners, Members, Visitors) or direct user assignments, so people who were added to a site that way are never reviewed. Create access reviews for every Entra group that is a member of a sensitive site collection, and cover the SharePoint-only principals with the PowerShell audit described later in this article.

To create a review, navigate to Microsoft Entra admin center > Identity governance > Access reviews > New access review. Set the scope to a specific group, choose quarterly recurrence, and assign the review to the group owners rather than the IT team. This distributes the review burden to people who actually know whether each member still needs access. Under the completion settings, enable "Auto apply results to resource" and set "If reviewers don't respond" to "Remove access"; without the second setting, members that nobody makes a decision on keep their access when the review period closes.

Note

Entra access reviews require at least a Microsoft Entra ID P2 licence or a Microsoft Entra ID Governance licence for each user being reviewed. Confirm your licensing before setting up organisation-wide recurring reviews.

For guest users specifically, configure a separate access review scoped to guest users (Entra provides a template that reviews guest access across all Microsoft 365 groups) with a monthly or quarterly cadence, and set the completion action to remove denied guests from the directory rather than only from the group. Guest accounts that have not signed in for 90 days and have no active access review approval are strong candidates for removal. To cap the lifetime of guest access regardless of review outcome, onboard guests through entitlement management access packages with an expiry date instead of ad-hoc invitations; when the last assignment expires, the guest can be removed from the directory automatically.

Exporting Permissions with PnP PowerShell

Native reports show aggregate data. PnP PowerShell gives you row-level precision: every role assignment, on every object, for every user and group. Install it with Install-Module PnP.PowerShell. Current versions no longer ship a shared Entra app registration, so register your own once (Register-PnPEntraIDAppForInteractiveLogin) and pass its ID with -ClientId on every Connect-PnPOnline call. Connect as an account holding SharePoint Administrator rights or, for unattended runs, as an app registration with the Sites.FullControl.All application permission and a certificate.

The script below exports the role assignments of every site's root web and of every list or library on it that has broken inheritance, across all site collections in a tenant, to a CSV. Item-level traversal is covered in the next section; scope it to libraries flagged as high-risk to keep runtime manageable. For a 5,000-site tenant, a site-and-list scan typically completes in 60–90 minutes when run from an Azure Automation account co-located with your tenant.

PowerShell — Export All Unique Permissions to CSV
# Requires PnP.PowerShell 2.x or later and your own Entra app registration
# (Register-PnPEntraIDAppForInteractiveLogin); the shared PnP app no longer exists.
$clientId = "<your-app-client-id>"
Connect-PnPOnline -Url "https://contoso-admin.sharepoint.com" -ClientId $clientId -Interactive

$sites   = Get-PnPTenantSite    # OneDrive sites are excluded unless -IncludeOneDriveSites is passed
$results = [System.Collections.Generic.List[PSObject]]::new()

# Expand the role assignments of a securable object (web or list) into result rows.
function Add-RoleAssignmentRows($Object, $SiteUrl, $Level) {
    $roleAssignments = Get-PnPProperty -ClientObject $Object -Property RoleAssignments
    foreach ($ra in $roleAssignments) {
        # Member and RoleDefinitionBindings are not loaded by default
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        $results.Add([PSCustomObject]@{
            SiteUrl       = $SiteUrl
            Level         = $Level
            Principal     = $ra.Member.LoginName
            PrincipalType = $ra.Member.PrincipalType
            Roles         = ($ra.RoleDefinitionBindings.Name -join ', ')
        })
    }
}

foreach ($site in $sites) {
    # Later interactive connects in the same session reuse the cached token
    Connect-PnPOnline -Url $site.Url -ClientId $clientId -Interactive

    # The root web always carries its own role assignments; record them so that
    # broad root-level grants (Pattern 4 below) can be checked from the same export.
    $web = Get-PnPWeb
    Add-RoleAssignmentRows -Object $web -SiteUrl $site.Url -Level "Web"

    # HasUniqueRoleAssignments must be requested explicitly
    $lists = Get-PnPList -Includes HasUniqueRoleAssignments | Where-Object { -not $_.Hidden }
    foreach ($list in $lists) {
        if (-not $list.HasUniqueRoleAssignments) { continue }
        Add-RoleAssignmentRows -Object $list -SiteUrl $site.Url -Level "List: $($list.Title)"
    }
}

$results | Export-Csv -Path "./permissions-audit.csv" -NoTypeInformation
Write-Host "Exported $($results.Count) role assignments"

Extending to Item-Level Permissions

Item-level broken inheritance is the most common source of hidden over-sharing. Sharing a document through "Share" in the SharePoint UI creates item-level unique permissions every time, whether the result is a direct grant to specific people or a sharing link (links appear as SharePoint groups whose name starts with SharingLinks.). Add a Get-PnPListItem loop inside the list iteration and check HasUniqueRoleAssignments on each item; the property is not returned by default and has to be loaded with Get-PnPProperty, which costs one round trip per item. For libraries with tens of thousands of items, use -PageSize 500 so that items stream through the pipeline instead of being loaded in one request. Export item-level data to a separate CSV and cross-reference it against your sensitivity label classification to prioritise remediation.
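The item-level loop described above, written out as an added example that is not part of the original article. It assumes Connect-PnPOnline has already been run against the site that hosts the library, and the library title is a placeholder.

```powershell
# Added example: item-level permission scan of one library.
# Assumes an existing PnP connection to the site; $libraryTitle is a placeholder.
$libraryTitle = "Finance Contracts"
$itemResults  = [System.Collections.Generic.List[PSObject]]::new()
$list = Get-PnPList -Identity $libraryTitle

# -PageSize streams the library 500 items at a time down the pipeline instead of
# loading it whole; -Fields keeps each item payload small.
Get-PnPListItem -List $list -PageSize 500 -Fields "ID","FileRef","FSObjType" | ForEach-Object {
    $item = $_
    # HasUniqueRoleAssignments is not in the default item payload: one round trip per item.
    if (-not (Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments)) { return }

    $roleAssignments = Get-PnPProperty -ClientObject $item -Property RoleAssignments
    foreach ($ra in $roleAssignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        $itemResults.Add([PSCustomObject]@{
            ListTitle     = $list.Title
            ItemPath      = $item["FileRef"]
            IsFolder      = ($item["FSObjType"] -eq 1)
            # Sharing links show up here as groups named "SharingLinks.<guid>.<scope>.<guid>"
            Principal     = $ra.Member.LoginName
            PrincipalType = $ra.Member.PrincipalType
            Roles         = ($ra.RoleDefinitionBindings.Name -join ', ')
        })
    }
}

$itemResults | Export-Csv -Path "./item-permissions-audit.csv" -NoTypeInformation
Write-Host "$($itemResults.Count) item-level role assignments in '$libraryTitle'"
```

Rows whose Principal begins with SharingLinks. are link-based grants; the middle segment of the group name tells you whether the link is OrganizationView, OrganizationEdit, AnonymousView, AnonymousEdit, or Flexible (specific people), which is the quickest way to separate "Anyone" links from everything else in the item export.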

Identifying Oversharing Patterns

Raw permission exports are only useful when you have a framework for interpreting them. In our client engagements we apply four oversharing patterns that account for most of the risk in a typical SharePoint tenant.

Pattern 1 — Everyone or Everyone Except External Users: Any role assignment whose principal is the Everyone claim (c:0(.s|true) or the Everyone except external users claim (c:0-.f|rolemanager|spo-grid-all-users/<tenant-id>) makes the content readable by every licensed user in the tenant, and in the Everyone case by every guest as well. Search your export for these claim values in the Principal column and map them against content sensitivity. Internal-only finance documents shared with either principal are an immediate finding, not least because content granted this way is returned by Microsoft 365 search and Copilot for everyone the claim covers.

Pattern 2 — Abandoned Groups: SharePoint groups with zero members still appear as role assignments. They add governance overhead, and because anyone allowed to edit the group's membership can repopulate it, an empty group with Edit or Full Control is a latent privilege grant. Filter your export for PrincipalType SharePointGroup and check membership with Get-PnPGroupMember; for directory-backed principals (PrincipalType SecurityGroup), check membership with Get-PnPMicrosoft365Group or Get-MgGroupMember instead.

Pattern 3 — Direct User Assignments: Microsoft's recommended model grants access through groups, not individual users. Direct user assignments bypass group lifecycle management: when an employee's account is deleted, their Entra group memberships go with it, but direct SharePoint role assignments persist as orphaned entries until explicitly removed, and they come back into force if the account is restored within the deletion window. Filter your export for PrincipalType -eq 'User' entries and flag sites where more than 20% of permissions are user-direct.

Pattern 4 — Inherited-from-root Exposure: When a document library inherits from the root web and the root web has broad membership (e.g., the entire company), the library is effectively public internally. These items do not show up in the unique-permissions export — you need a separate check of root-web role assignments versus site intent.
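Patterns 1, 3 and 4 can be scored straight from the CSV without touching the tenant again. The block below is an added example, not code from the original article; it assumes the export has SiteUrl, Level, Principal, PrincipalType and Roles columns, and the rows in $sample are constructed stand-ins for Import-Csv ./permissions-audit.csv (the tenant ID inside the "Everyone except external users" claim is a made-up GUID). Pattern 2 needs a membership lookup per group and is left to Get-PnPGroupMember.

```powershell
# Added example: classify an exported permissions CSV against Patterns 1, 3 and 4.
# $sample is constructed; in production use: $rows = Import-Csv ./permissions-audit.csv
$sample = @'
SiteUrl,Level,Principal,PrincipalType,Roles
https://contoso.sharepoint.com/sites/finance,Web,c:0(.s|true,SecurityGroup,Read
https://contoso.sharepoint.com/sites/finance,List: Budgets,i:0#.f|membership|alice@contoso.com,User,Edit
https://contoso.sharepoint.com/sites/finance,List: Budgets,i:0#.f|membership|bob@contoso.com,User,Read
https://contoso.sharepoint.com/sites/finance,List: Budgets,Finance Members,SharePointGroup,Edit
https://contoso.sharepoint.com/sites/finance,List: Budgets,Finance Visitors,SharePointGroup,Read
https://contoso.sharepoint.com/sites/hr,Web,c:0-.f|rolemanager|spo-grid-all-users/11111111-2222-3333-4444-555555555555,SecurityGroup,Read
https://contoso.sharepoint.com/sites/hr,List: Payroll,i:0#.f|membership|carol@contoso.com,User,Full Control
https://contoso.sharepoint.com/sites/projectx,Web,Project X Members,SharePointGroup,Edit
https://contoso.sharepoint.com/sites/projectx,List: Docs,i:0#.f|membership|dave_partner.com#ext#@contoso.onmicrosoft.com,User,Read
https://contoso.sharepoint.com/sites/projectx,List: Docs,Project X Visitors,SharePointGroup,Read
https://contoso.sharepoint.com/sites/projectx,List: Docs,Project X Owners,SharePointGroup,Full Control
https://contoso.sharepoint.com/sites/projectx,List: Docs,Project X Members,SharePointGroup,Edit
'@
$rows = $sample | ConvertFrom-Csv

$everyoneClaim = 'c:0(.s|true'                              # "Everyone" (includes guests)
$eeeuPrefix    = 'c:0-.f|rolemanager|spo-grid-all-users'    # "Everyone except external users"

function Test-TenantWidePrincipal($LoginName) {
    $LoginName -eq $everyoneClaim -or $LoginName.StartsWith($eeeuPrefix)
}

# Pattern 1: tenant-wide principals granted at any level
$pattern1 = $rows | Where-Object { Test-TenantWidePrincipal $_.Principal }

# Pattern 3: sites where direct user assignments exceed 20% of all assignments;
# guests (#ext# in the login name) granted directly are called out regardless of ratio
$pattern3 = $rows | Group-Object SiteUrl | ForEach-Object {
    $direct = @($_.Group | Where-Object PrincipalType -eq 'User')
    [PSCustomObject]@{
        SiteUrl       = $_.Name
        Assignments   = $_.Count
        DirectUsers   = $direct.Count
        DirectPercent = [math]::Round(100 * $direct.Count / $_.Count)
        DirectGuests  = @($direct | Where-Object { $_.Principal -like '*#ext#*' }).Count
    }
} | Where-Object { $_.DirectPercent -gt 20 -or $_.DirectGuests -gt 0 }

# Pattern 4: tenant-wide principal on the root web, so every inheriting library is internally public
$pattern4 = $rows | Where-Object { $_.Level -eq 'Web' -and (Test-TenantWidePrincipal $_.Principal) }

Write-Host "Pattern 1 - tenant-wide principals:";      $pattern1 | Format-Table SiteUrl, Level, Principal, Roles -AutoSize
Write-Host "Pattern 3 - direct user assignments:";      $pattern3 | Format-Table -AutoSize
Write-Host "Pattern 4 - broad root-web grants:";        $pattern4 | Format-Table SiteUrl, Principal, Roles -AutoSize
```

With the constructed rows, finance (40% direct) and hr (50% direct) trip the Pattern 3 threshold and projectx (20%) does not, but projectx is still listed because a guest holds a direct Read grant; finance and hr both appear under Patterns 1 and 4 because their root webs are granted to a tenant-wide claim.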

Guest Access Cleanup Automation

Guest access cleanup is the highest-impact remediation action in most tenants. The combination of PnP PowerShell and the Microsoft Graph API lets you automate the identification and removal of stale guest accounts — those who have not signed in for a configurable number of days and who have no active Entra access review approval pending.

PowerShell — Report Stale Guests (No Sign-In for 90+ Days)
# SignInActivity is only populated when the tenant has an Entra ID P1 or P2 licence,
# and reading it requires the AuditLog.Read.All scope in addition to User.Read.All.
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All"

$cutoff = (Get-Date).AddDays(-90)
$guests = Get-MgUser -Filter "userType eq 'Guest'" `
    -Property "Id,DisplayName,Mail,UserPrincipalName,SignInActivity,CreatedDateTime,ExternalUserState" -All

$stale = $guests | Where-Object {
    # Take the most recent of interactive and non-interactive sign-in; either counts as use
    $lastActivity = @($_.SignInActivity.LastSignInDateTime,
                      $_.SignInActivity.LastNonInteractiveSignInDateTime) |
                    Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
    # A freshly invited guest has no sign-in yet; only treat an account as stale once it is older than the cutoff
    $_.CreatedDateTime -lt $cutoff -and ($null -eq $lastActivity -or $lastActivity -lt $cutoff)
}

$stale | Select-Object DisplayName, Mail, UserPrincipalName, ExternalUserState,
    @{N='LastSignIn';E={$_.SignInActivity.LastSignInDateTime}},
    @{N='LastNonInteractiveSignIn';E={$_.SignInActivity.LastNonInteractiveSignInDateTime}},
    CreatedDateTime |
    Export-Csv "./stale-guests.csv" -NoTypeInformation

Write-Host "$($stale.Count) stale guests found"

Before bulk-removing any guest accounts, send a 14-day notice email using Power Automate — trigger the flow on a schedule, read the stale-guests CSV from a SharePoint library, and use the Send Email action to notify the guest and their internal sponsor. Log all responses back to a SharePoint list to maintain an auditable record. Only accounts with no response after the notice period and no active review approval should be removed via Remove-MgUser.

Warning

Deleting a guest account from Entra ID removes it from every Microsoft 365 Group, Team, and sharing grant it held. The deletion is soft for 30 days (the account can be restored from the deleted users list, with its memberships) and permanent after that. Files the guest uploaded to your sites stay where they are and keep their Created By and Modified By metadata; what you lose is any ownership the guest held. Always check whether the guest owns a site, group, or Team before deletion and reassign ownership to an internal user first.

Applying Sensitivity Labels to Enforce Permission Policies

Sensitivity labels in Microsoft Purview are the most scalable mechanism for aligning SharePoint permissions with information classification. When you apply a label at the site level (for example, "Confidential – Finance"), the label can set the site's external sharing level (down to no guest access), its privacy, its default sharing link type, and a conditional access authentication context, all at once. Note what a site-level label does not do: it does not encrypt the files inside the site; encryption is a file-level label setting. A properly classified site therefore cannot be shared externally regardless of individual user actions, but it can still be over-shared internally, which is why the Everyone and direct-assignment checks above remain necessary.

To deploy site-level sensitivity labels, first enable labels for containers (Microsoft 365 Groups and sites) in your tenant, then in the Microsoft Purview portal under Information protection > Labels give the label the "Groups & sites" scope and the site settings you want enforced. Publish it to SharePoint and OneDrive through a label policy. Use Set-PnPTenantSite -SensitivityLabel (or Set-SPOSite -SensitivityLabel in the SPO Management Shell) to apply the label in bulk to existing sites based on your audit findings. Sites with high-sensitivity content that currently have overly permissive sharing settings should be the first batch.

PowerShell — Apply Sensitivity Label to a Set of Sites
# Run against the admin site as a SharePoint Administrator (or an app with Sites.FullControl.All)
$clientId = "<your-app-client-id>"
Connect-PnPOnline -Url "https://contoso-admin.sharepoint.com" -ClientId $clientId -Interactive

# Label GUID from the Purview portal (Information protection > Labels),
# or from Get-Label in the Security & Compliance PowerShell module
$labelGuid = "a1b2c3d4-e5f6-7890-abcd-ef1234567890"

# URL patterns are a placeholder; in practice drive the batch from your audit findings
$financeSites = Get-PnPTenantSite | Where-Object {
    $_.Url -like "*/finance*" -or $_.Url -like "*/hr*"
}

foreach ($site in $financeSites) {
    Set-PnPTenantSite -Identity $site.Url -SensitivityLabel $labelGuid

    # Optional defence in depth: also disable external sharing on the site itself.
    # The label's own external sharing setting still applies; this just removes the
    # window between labelling and the label settings taking effect.
    Set-PnPTenantSite -Identity $site.Url -SharingCapability Disabled

    Write-Host "Labelled: $($site.Url)"
}

Library-level and file-level labels (applied through auto-labelling policies or manual classification) extend the protection to individual documents. When a document is labelled, Purview encryption travels with the file even if it is downloaded and shared outside SharePoint — making label-based protection the strongest available control for highly sensitive content.

Building an Ongoing Permissions Governance Programme

A one-time audit is a point-in-time snapshot. Without an ongoing programme, permissions drift resumes within weeks. Effective SharePoint permissions governance operates across three time horizons: continuous monitoring (near real-time), periodic review (quarterly), and lifecycle events (onboarding, offboarding, project closure).

For continuous monitoring, watch the unified audit log for sharing operations (AnonymousLinkCreated, SharingSet, SecureLinkCreated) on sites classified as Internal or higher. Purview alert policies can match these activities and email your security mailbox, and the Office 365 Management Activity API supports webhook subscriptions if you want a Power Automate flow or your SIEM to receive the events and post them to a Teams channel monitored by your security team. Immediate visibility into new oversharing events prevents the slow accumulation problem that creates the audit crisis in the first place.
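The triage logic such an alert needs, as an added example that is not from the original article: it ranks each event's site by its sensitivity label and emits an alert object for "Anyone" links on any site classified Internal or above, and for guest grants on Confidential sites. The $records array is constructed to mimic Search-UnifiedAuditLog output (AuditData is a JSON string); the site-to-label map and the label ranking are assumptions to be replaced with your own label inventory.

```powershell
# Added example: triage of sharing events from the unified audit log.
# $records is constructed; in production fetch it with the Exchange Online module:
#   Connect-ExchangeOnline
#   $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddHours(-1) -EndDate (Get-Date) `
#       -Operations AnonymousLinkCreated,SharingSet,SecureLinkCreated -ResultSize 5000
$records = @(
    [PSCustomObject]@{ AuditData = '{"CreationTime":"2024-05-01T09:12:00","Operation":"AnonymousLinkCreated","UserId":"alice@contoso.com","SiteUrl":"https://contoso.sharepoint.com/sites/finance/","ObjectId":"https://contoso.sharepoint.com/sites/finance/Shared Documents/Budget-FY25.xlsx"}' }
    [PSCustomObject]@{ AuditData = '{"CreationTime":"2024-05-01T09:15:00","Operation":"AnonymousLinkCreated","UserId":"bob@contoso.com","SiteUrl":"https://contoso.sharepoint.com/sites/intranet/","ObjectId":"https://contoso.sharepoint.com/sites/intranet/SitePages/Cafeteria-Menu.aspx"}' }
    [PSCustomObject]@{ AuditData = '{"CreationTime":"2024-05-01T09:20:00","Operation":"SharingSet","UserId":"carol@contoso.com","SiteUrl":"https://contoso.sharepoint.com/sites/hr/","ObjectId":"https://contoso.sharepoint.com/sites/hr/Shared Documents/Payroll-April.xlsx","TargetUserOrGroupName":"dave_partner.com#ext#@contoso.onmicrosoft.com","TargetUserOrGroupType":"Guest"}' }
    [PSCustomObject]@{ AuditData = '{"CreationTime":"2024-05-01T09:25:00","Operation":"SharingSet","UserId":"carol@contoso.com","SiteUrl":"https://contoso.sharepoint.com/sites/finance/","ObjectId":"https://contoso.sharepoint.com/sites/finance/Shared Documents/Q2-Forecast.xlsx","TargetUserOrGroupName":"erin@contoso.com","TargetUserOrGroupType":"Member"}' }
)

# Site classification as exported from your label inventory (assumed values)
$siteLabels = @{
    'https://contoso.sharepoint.com/sites/finance'  = 'Confidential'
    'https://contoso.sharepoint.com/sites/intranet' = 'Public'
    'https://contoso.sharepoint.com/sites/hr'       = 'Highly Confidential'
}
$labelRank = @{ 'Public' = 0; 'Internal' = 1; 'Confidential' = 2; 'Highly Confidential' = 3 }

function Get-OversharingAlerts($Records, $SiteLabels, $LabelRank, $MinimumRank = 1) {
    foreach ($r in $Records) {
        $d     = $r.AuditData | ConvertFrom-Json
        $site  = $d.SiteUrl.TrimEnd('/')
        $label = $SiteLabels[$site]
        if (-not $label) { $label = 'Unlabelled' }
        # An unlabelled site is treated as Internal: alert rather than silently ignore it
        $rank = if ($LabelRank.ContainsKey($label)) { $LabelRank[$label] } else { $MinimumRank }

        $reason = $null
        switch ($d.Operation) {
            'AnonymousLinkCreated' {
                if ($rank -ge $MinimumRank) { $reason = "Anyone link created on $label site" }
            }
            'SharingSet' {
                if ($d.TargetUserOrGroupType -eq 'Guest' -and $rank -ge 2) {
                    $reason = "Guest $($d.TargetUserOrGroupName) granted access on $label site"
                }
            }
        }
        if ($reason) {
            [PSCustomObject]@{ Time = $d.CreationTime; Site = $site; Label = $label
                               Actor = $d.UserId; Object = $d.ObjectId; Reason = $reason }
        }
    }
}

$alerts = Get-OversharingAlerts -Records $records -SiteLabels $siteLabels -LabelRank $labelRank
$alerts | Format-Table -AutoSize
# From here, post $alerts to the Teams channel (incoming webhook or Power Automate HTTP trigger)
```

On the constructed records the finance "Anyone" link and the guest grant on the HR site produce alerts; the intranet link (Public) and the internal grant on finance do not. Treating unlabelled sites as Internal is deliberate: a missing label is itself a governance gap, and silently skipping those sites would hide exactly the oversharing the alert exists to catch.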

For quarterly reviews, schedule your PnP PowerShell audit script to run via Azure Automation and deposit the results CSV to a SharePoint library. Build a Power BI report connected to that library so governance stakeholders can review trends — which sites are gaining unique permissions, which guest accounts are accumulating, which groups are growing. Trend visibility converts permissions governance from reactive firefighting to proactive risk management.

For lifecycle events, ensure your HR system's offboarding workflow triggers a Power Automate flow that: removes the departing user from all SharePoint groups (via Graph API), transfers site ownership if they are a primary admin, and logs a confirmation to the compliance SharePoint list. Project-closure workflows should include a step that reviews and removes all guests associated with the project site before archival.

Key Takeaways

Start with SharePoint Admin Center Data Access Governance reports for a no-code, high-level view of oversharing and "Anyone" links before investing in PowerShell scripting.

Loading RoleAssignments with Get-PnPProperty on every web and list that reports HasUniqueRoleAssignments is the most reliable way to export every broken-inheritance permission record across all sites and lists.

Entra access reviews automate the quarterly validation burden by routing approval decisions to group owners — the people who actually know whether each member still needs access.

Sensitivity labels applied at site level are the strongest preventive control against external oversharing: they enforce the sharing setting on classified sites rather than relying on user discipline, while internal oversharing still needs the audit patterns above.

Build ongoing governance across three horizons: continuous audit log alerts for immediate signals, quarterly Power BI trend reviews, and HR-triggered lifecycle automation for offboarding and project closure.


Akshara Technologies

Microsoft 365 Development Specialists

With 10+ years building enterprise SharePoint, SPFx, Power Automate, and Flutter solutions for clients across India, USA, UAE, and Australia — we write from production experience, not documentation.
