
SharePoint Permissions & Security: The Complete Enterprise Guide for 2026

Overshared permissions are the number one security risk in every SharePoint environment I audit. This guide covers the permission model, security groups, Conditional Access, and the 10 mistakes that create breaches.

Errin O'Connor · March 27, 2026 · 16 min read

SharePoint Permissions & Security: What Every Enterprise Gets Wrong

I have audited over 200 enterprise SharePoint environments. Every single one had at least three critical permission issues that created data exposure risk. The most common: "Everyone except external users" grants on document libraries containing sensitive data, permission inheritance broken at the document level creating unmanageable complexity, and former employees retaining access months after departure.

[Figure: SharePoint governance model with policies, roles, and compliance controls]

In 2026, these problems are amplified by Microsoft Copilot. Copilot searches everything a user has access to. Overshared permissions that were merely sloppy before are now actively dangerous — Copilot will surface confidential content to anyone whose permissions technically allow access, even if that access was never intended.

---

The SharePoint Permission Model Explained

SharePoint uses a hierarchical permission inheritance model:

Site Collection > Site (subsite) > Library/List > Folder > Item

By default, each level inherits permissions from its parent. Tenant-level settings (sharing, Conditional Access, device restrictions) set the ceiling for every site but are not part of the inheritance chain: each site collection is the top of its own chain, which is why every site has to be audited on its own. When you break inheritance on an object, it receives a copy of its parent's permissions at that moment and is managed independently from then on; its own children keep inheriting from it, and later changes to the original parent no longer flow down to it.

The golden rule: break inheritance as rarely as possible, and never at the item level.

Every inheritance break creates a management burden. A site with 500 documents and 50 unique permission sets is essentially unauditable without tooling.

Permission Levels (Built-In)

| Level | What It Allows |
|-------|---------------|
| Full Control | Everything: site settings, content, and managing permissions (including breaking inheritance) |
| Design | Edit plus customizing pages and themes and approving content |
| Edit | Contribute plus creating, deleting and reconfiguring lists and libraries (columns, views, settings) |
| Contribute | View, add, edit and delete list items and documents; "own items only" restrictions are a list setting, not part of this level |
| Read | View pages, items and documents, including download |
| View Only | View pages, items and documents in the browser; file types with a server-side handler (Office formats) cannot be downloaded, other file types still can |
| Limited Access | Assigned automatically, never by you, so that a user granted rights on a child object can reach it through the parent; it is not a grant in itself, and removing it breaks the child access |

Recommendation: Standardize on Full Control, Edit, Read, and View Only, and resist creating custom permission levels or mixing in Design and Contribute: every extra level is one more thing site owners and auditors have to reason about. One caveat a least-privilege review will raise: Edit is the default for the Members group on modern sites and lets members create, delete and reconfigure lists and libraries, not just work with documents. If that is more than your members need, Contribute is the tighter choice, as long as you apply it consistently across the tenant.

---

The 10-Point Permission Security Model

1. Use Microsoft 365 Groups and Security Groups — Never Individual Users

Every permission assignment should go to a group. When John leaves, you remove him from the group once — not from 47 individual sites.

Group naming convention: `[Department]-[Role]-[Access Level]`

  • Finance-Analysts-Edit
  • HR-Managers-FullControl
  • Marketing-Team-Read
  • Legal-External-ViewOnly

2. Implement Role-Based Access Control (RBAC)

Map job functions to permission sets. Create a matrix:

| Role | Corporate Sites | Department Sites | Project Sites | Sensitive Libraries |
|------|----------------|-----------------|---------------|-------------------|
| Executive | Read | Read | Read | Full Control |
| Department Manager | Read | Edit (own dept) | Edit | Read |
| Knowledge Worker | Read | Edit (own dept) | Contribute | No Access |
| Frontline Worker | Read | Read (own dept) | No Access | No Access |
| External Contractor | No Access | No Access | View Only (assigned) | No Access |

Two caveats when you fill in your own matrix. Full Control includes the right to change permissions and break inheritance, so it belongs to the named owners accountable for a library rather than to a whole role tier; an executive who only needs to read board papers should have Read. And "No Access" is not a permission level you assign, it is the absence of any grant: the matrix only holds if no "Everyone"-style group or inherited permission reaches the library from above.

3. Never Break Inheritance at the Document Level

If a single document needs different permissions than its library, move it to a library with appropriate permissions. Document-level permissions create:

  • Performance degradation (SharePoint evaluates each unique permission scope separately; SharePoint Online caps a list at 50,000 unique scopes and Microsoft recommends staying under 5,000)
  • Audit impossibility (permission reports become unreadable, and site-level access reviews never see item-level grants)
  • Copilot exposure (a sharing link granted on one document is invisible to the site owner's review but fully honored by Copilot)

4. Configure Conditional Access Policies

In Microsoft Entra ID, create Conditional Access policies for SharePoint (start each one in report-only mode and review the sign-in logs before enforcing it):

  • Require MFA for all SharePoint access, excluding only a monitored break-glass group
  • Block unmanaged devices from downloading content (allow view-only): the Conditional Access policy uses the "app enforced restrictions" session control, and the actual block comes from the SharePoint tenant or site setting for unmanaged devices (limited, web-only access)
  • Require compliant devices (managed by Intune) for sensitive sites, by setting those sites to block unmanaged devices entirely
  • Block access from risky sign-ins (Identity Protection integration; requires Entra ID P2)
  • Short sessions for highly sensitive work: Conditional Access sign-in frequency cannot be set below one hour, so a 30-minute limit has to come from SharePoint's idle-session sign-out, which is a tenant-wide setting rather than a per-site one
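The policies above, as an added example built with the Microsoft Graph PowerShell SDK and the SharePoint Online Management Shell (this is not code from the article). The break-glass group ID, tenant URLs and the sensitive site URL are placeholders; every policy is created in report-only mode.

```powershell
# Added example (not from the article): MFA, unmanaged-device and risky-sign-in policies,
# plus the SharePoint-side settings that make the download block real.
# Placeholders: $breakGlassGroupId, the tenant admin URL, the sensitive site URL.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # emergency-access accounts, always excluded
$allUsers = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
$o365     = @{ includeApplications = @("Office365") }          # SharePoint, OneDrive, Teams, Exchange

# Start every policy in report-only mode; switch state to "enabled" after reviewing sign-in logs.
$reportOnly = "enabledForReportingButNotEnforced"

# Policy 1: MFA for all users on all Office 365 workloads.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA001 - Require MFA for Office 365"
    state         = $reportOnly
    conditions    = @{ clientAppTypes = @("all"); applications = $o365; users = $allUsers }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: hand unmanaged-device sessions to SharePoint's own restrictions (browser-only, no download).
# This control alone does nothing; the Set-SPOTenant / Set-SPOSite lines below decide what happens.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName     = "CA002 - App enforced restrictions for Office 365"
    state           = $reportOnly
    conditions      = @{ clientAppTypes = @("browser", "mobileAppsAndDesktopClients"); applications = $o365; users = $allUsers }
    sessionControls = @{ applicationEnforcedRestrictions = @{ isEnabled = $true } }
}

# Policy 3: block medium/high sign-in risk (needs Entra ID P2 for Identity Protection risk signals).
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA003 - Block risky sign-ins to Office 365"
    state         = $reportOnly
    conditions    = @{ clientAppTypes = @("all"); signInRiskLevels = @("high", "medium"); applications = $o365; users = $allUsers }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# SharePoint side. Tenant default for unmanaged devices: web access only, no download, print or sync.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"     # placeholder tenant
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# A highly sensitive site: unmanaged devices get nothing at all (compliant or hybrid-joined devices only).
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/MA-DealRoom" -ConditionalAccessPolicy BlockAccess

# Idle-session sign-out is tenant-wide, not per site; CA sign-in frequency cannot go below one hour.
Set-SPOBrowserIdleSignOut -Enabled $true -WarnAfter (New-TimeSpan -Minutes 25) -SignOutAfter (New-TimeSpan -Minutes 30)
```

Flip `state` to `"enabled"` one policy at a time once the report-only results show the break-glass exclusion works and no service accounts are caught by the MFA requirement; a CA lockout of the admin accounts is the one failure mode worse than the oversharing you are fixing.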

5. Disable External Sharing by Default

SharePoint Admin Center > Sharing. The tenant-level setting is a ceiling: no site can be more permissive than it, so set it to the most permissive level any approved site will ever need (typically "New and existing guests", never "Anyone") and set every site to "Only people in your organization" by default. Sensitivity labels applied to sites can enforce the same per-site sharing setting automatically. External sharing is then enabled per site only with:

  • Business justification documented
  • Time-limited access (30/60/90 days with auto-expiration, enforced by the tenant's guest expiration setting)
  • Guest access review every 90 days
  • Compliance officer approval for sensitive sites
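The tenant ceiling plus per-site default described above, as an added example using the SharePoint Online Management Shell (not code from the article). The tenant admin URL, the allowlist of approved sites and the 30-day guest expiry are assumptions.

```powershell
# Added example (not from the article): tenant ceiling + "organization only" on every other site.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant admin URL

# The tenant setting is the ceiling: a site can never be MORE open than this. Set it to the most
# permissive level an approved site will need; never ExternalUserAndGuestSharing ("Anyone" links).
$tenantSharing = @{
    SharingCapability              = "ExternalUserSharingOnly"
    DefaultSharingLinkType         = "Direct"   # "share" defaults to named people, not everyone in the org
    DefaultLinkPermission          = "View"
    ExternalUserExpirationRequired = $true
    ExternalUserExpireInDays       = 30         # guest access lapses unless a site owner renews it
}
Set-SPOTenant @tenantSharing

# Sites with a documented, approved exception (assumed list; keep it in source control with the approvals).
$approvedExternalSites = @(
    "https://contoso.sharepoint.com/sites/Legal-OutsideCounsel"
)

# Everything else: internal only. New sites inherit the tenant ceiling, so this has to run on a schedule.
Get-SPOSite -Limit All | ForEach-Object {
    $target = if ($approvedExternalSites -contains $_.Url) { "ExternalUserSharingOnly" } else { "Disabled" }
    if ($_.SharingCapability -ne $target) {
        Write-Host "Setting $($_.Url): $($_.SharingCapability) -> $target"
        Set-SPOSite -Identity $_.Url -SharingCapability $target
    }
}

# Evidence for the quarterly review: every site still open to guests, with its owner.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne "Disabled" } |
    Select-Object Url, SharingCapability, Owner, LastContentModifiedDate |
    Export-Csv -Path ".\external-sharing-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

The allowlist is the control here, not the cmdlets: a site that is not on it gets closed again on the next run, which is what turns "explicit enablement per site" from a policy statement into something that is actually enforced.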

6. Eliminate "Everyone" and "Everyone Except External Users" Groups

Search your entire tenant for these grants. They are the number one cause of data exposure. In permission reports and scripts they appear by their claim identifiers: "Everyone" is `c:0(.s|true` and "Everyone except external users" is `c:0-.f|rolemanager|spo-grid-all-users/<tenant id>`; the SharePoint admin center's data access governance reports also list the sites where "Everyone except external users" has been granted access. Replace them with specific security groups, and check the SharePoint groups (Visitors, Members) for the same principals nested inside, not only direct grants. Run this audit quarterly.

7. Implement Access Reviews

Microsoft Entra ID Governance access reviews force site owners to certify permissions quarterly. Configure each review to apply results automatically; only then are users whose access is not confirmed actually removed, otherwise the decisions sit as recommendations nobody acts on. This catches:

  • Former employees whose accounts were not properly deprovisioned
  • Contractors whose projects ended months ago
  • Users who changed roles and no longer need access

8. Configure Information Barriers Where Required

For financial services (Chinese walls), healthcare (clinical vs. administrative separation), and legal (attorney-client privilege), information barriers prevent users in separated segments from discovering each other's SharePoint content.

9. Enable and Monitor Audit Logging

Every access, sharing, permission change, and download must be logged. Microsoft Purview audit logging captures SharePoint events (FileDownloaded, SharingSet, AddedToGroup, PermissionLevelModified and so on), but retention is the trap: Audit (Standard) keeps 180 days, and longer retention needs Audit (Premium) or forwarding the log to your SIEM. Configure alerts for:

  • Bulk downloads (more than 50 files in 1 hour)
  • Sharing events on sensitive sites
  • Permission changes by non-admins
  • Access from new geographic locations
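An added example of the first alert above, the bulk-download rule, run over the Purview unified audit log with the Exchange Online PowerShell module (not the article's code; Defender for Cloud Apps ships an equivalent "mass download" anomaly policy, and this script is for when the logic has to live in your own tooling). The 24-hour window, the 50-file threshold and bucketing by clock hour are assumptions; a burst split across an hour boundary can slip under a clock-hour bucket, so a sliding window is the stricter variant.

```powershell
# Added example (not from the article): flag users downloading more than $threshold files in one clock hour.
# Requires the ExchangeOnlineManagement module and the Audit Logs or View-Only Audit Logs role.
Connect-ExchangeOnline

$end       = Get-Date
$start     = $end.AddDays(-1)   # assumed 24-hour look-back
$threshold = 50                 # assumed per-hour threshold from the alert list above

# A single call returns at most 5000 records; page through with a session until a short page comes back.
$events = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType SharePointFileOperation -Operations FileDownloaded `
        -SessionId "bulk-download-hunt" -SessionCommand ReturnLargeSet -ResultSize 5000
    $events += $page
} while ($page.Count -eq 5000)

# AuditData is a JSON blob per event; pull only the fields the detection needs.
$downloads = $events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time     = [datetime]$d.CreationTime   # UTC
        User     = $d.UserId
        Site     = $d.SiteUrl
        File     = $d.SourceFileName
        ClientIP = $d.ClientIP
    }
}

# Bucket by user and clock hour; any bucket over the threshold becomes an alert candidate
# with the sites and source IPs an analyst needs for triage.
$alerts = $downloads |
    Group-Object { "$($_.User)|$($_.Time.ToString('yyyy-MM-dd HH'))" } |
    Where-Object { $_.Count -gt $threshold } |
    ForEach-Object {
        [pscustomobject]@{
            User  = $_.Group[0].User
            Hour  = $_.Group[0].Time.ToString('yyyy-MM-dd HH:00')
            Files = $_.Count
            Sites = ($_.Group.Site     | Sort-Object -Unique) -join '; '
            IPs   = ($_.Group.ClientIP | Sort-Object -Unique) -join '; '
        }
    }

$alerts | Sort-Object Files -Descending | Format-Table -AutoSize
```

Tune the threshold per population before wiring this into a ticketing queue: a sync client re-downloading a migrated library will trip a flat 50-per-hour rule, so exclude known sync user agents or raise the bar for users whose baseline is already high.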

10. Make Permissions Copilot-Ready

Before deploying Copilot, audit every site for oversharing. Copilot respects SharePoint permissions but surfaces content aggressively. If a user technically has access to salary data, M&A plans, or executive communications through overshared permissions, Copilot will serve that content in AI-generated responses.

Copilot readiness checklist:

  • All sensitive sites restricted to need-to-know groups
  • Sensitivity labels applied to confidential content
  • DLP policies blocking sensitive content in Copilot responses
  • "Everyone" grants eliminated
  • External sharing disabled on sensitive sites
  • Sites you cannot remediate before rollout excluded from Copilot and org-wide search with Restricted Content Discovery (Set-SPOSite -RestrictContentOrgWideSearch), as a stopgap rather than a fix

---

Permission Audit Workflow

Run this quarterly:

Step 1: Export the list of all site collections from the SharePoint Admin Center or PowerShell. Every site collection is the top of its own permission chain, so none can be skipped on the grounds that it "inherits" from somewhere.

Step 2: For each site, pull the permission report. Flag: "Everyone" or "Everyone except external users" grants, external guest access, orphaned users (accounts disabled in Entra ID), groups with more than 200 members (too broad), and library-, folder- and document-level permission breaks.

Step 3: Remediate findings. Replace "Everyone" with specific groups, remove orphaned users, consolidate document-level permissions back to library level, and review/renew guest access.

Step 4: Document the audit. Store the report, findings, and remediation actions in your compliance library. This is your evidence for SOC 2, HIPAA, and ISO 27001 auditors.
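Steps 1 to 3 of this workflow, and the tenant-wide hunt for "Everyone" grants from point 6 above, as one added PnP.PowerShell script (not the article's code). It assumes an app registration with the Sites.FullControl.All application permission and a certificate; the tenant name, client ID, certificate path and admin URL are placeholders. It does not cover the orphaned-account check, which needs Entra data (Get-MgUser) rather than SharePoint data, and it counts only direct members of SharePoint groups, since the size of a nested Entra group is only visible through Graph.

```powershell
# Added example (not from the article): quarterly oversharing audit with PnP.PowerShell.
# Assumed placeholders: tenant, client id, certificate, admin URL. Output is a CSV of findings.
$Tenant       = "contoso.onmicrosoft.com"
$ClientId     = "00000000-0000-0000-0000-000000000000"
$CertPath     = ".\spo-audit.pfx"
$AdminUrl     = "https://contoso-admin.sharepoint.com"
$MaxGroupSize = 200

# Claim encodings of the two tenant-wide principals this audit exists to find.
$everyoneClaims = @(
    "c:0(.s|true",          # Everyone (includes guests)
    "spo-grid-all-users"    # Everyone except external users: c:0-.f|rolemanager|spo-grid-all-users/<tenant id>
)
function Test-EveryoneClaim([string]$LoginName) {
    foreach ($c in $everyoneClaims) { if ($LoginName -like "*$c*") { return $true } }
    return $false
}
function New-Finding($Site, $Type, $Object, $Principal, $Detail) {
    [pscustomobject]@{ Site = $Site; Type = $Type; Object = $Object; Principal = $Principal; Detail = $Detail }
}

Connect-PnPOnline -Url $AdminUrl -ClientId $ClientId -Tenant $Tenant -CertificatePath $CertPath
# Step 1: every site collection. OneDrive sites are not returned by default; the MySite host is skipped.
$sites = Get-PnPTenantSite | Where-Object { $_.Template -notlike "SPSMSITEHOST*" }

$findings = foreach ($site in $sites) {
    Connect-PnPOnline -Url $site.Url -ClientId $ClientId -Tenant $Tenant -CertificatePath $CertPath
    $web = Get-PnPWeb -Includes RoleAssignments

    # Step 2a: direct grants on the site itself: Everyone claims, and individual users (rule 1 of the model).
    foreach ($ra in $web.RoleAssignments) {
        $member = Get-PnPProperty -ClientObject $ra -Property Member
        $roles  = (Get-PnPProperty -ClientObject $ra -Property RoleDefinitionBindings | ForEach-Object Name) -join ","
        if (Test-EveryoneClaim $member.LoginName) {
            New-Finding $site.Url "EveryoneGrant" "Site" $member.Title $roles
        } elseif ($member.PrincipalType -eq "User") {
            New-Finding $site.Url "DirectUserGrant" "Site" $member.LoginName $roles
        }
    }

    # Step 2b: SharePoint groups: Everyone nested inside them, and groups too large to be "need to know".
    foreach ($grp in Get-PnPGroup) {
        $members = @(Get-PnPGroupMember -Group $grp)
        foreach ($m in $members) {
            if (Test-EveryoneClaim $m.LoginName) {
                New-Finding $site.Url "EveryoneGrant" "Group:$($grp.Title)" $m.Title "nested in SharePoint group"
            }
        }
        # An Entra security/M365 group counts as one member here; resolve its real size via Graph separately.
        if ($members.Count -gt $MaxGroupSize) {
            New-Finding $site.Url "OversizedGroup" "Group:$($grp.Title)" "" "$($members.Count) direct members"
        }
    }

    # Step 2c: document libraries with broken inheritance, and item-level breaks inside them (rule 3).
    foreach ($list in Get-PnPList | Where-Object { -not $_.Hidden -and $_.BaseTemplate -eq 101 }) {
        if (Get-PnPProperty -ClientObject $list -Property HasUniqueRoleAssignments) {
            New-Finding $site.Url "UniqueLibraryPermissions" $list.Title "" "$($list.ItemCount) items"
        }
        # One round trip per item: fine for a quarterly job, too slow for a 100k-item library.
        $broken = Get-PnPListItem -List $list -PageSize 2000 -Fields "FileRef" |
            Where-Object { Get-PnPProperty -ClientObject $_ -Property HasUniqueRoleAssignments }
        foreach ($item in $broken) {
            New-Finding $site.Url "ItemLevelBreak" $list.Title "" $item["FileRef"]
        }
    }
}

# Step 4 input: the report that goes into the compliance library, plus a summary for the ticket.
$report = ".\spo-permission-audit-$(Get-Date -Format yyyyMMdd).csv"
$findings | Sort-Object Type, Site | Export-Csv -Path $report -NoTypeInformation
$findings | Group-Object Type | Select-Object Name, Count | Format-Table -AutoSize
```

Treat the CSV as the work queue for step 3: EveryoneGrant rows are removed or replaced with a named group, DirectUserGrant rows are moved into a group, and ItemLevelBreak rows are either re-inherited or the document is moved to a library whose permissions match. Keep the CSV with the remediation tickets, since together they are the audit evidence step 4 asks for.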

---

Frequently Asked Questions

What is the difference between sharing and permissions in SharePoint?

Permissions are the access control model (who can do what at which level). Sharing is a mechanism to grant permissions — when you "share" a document, you are creating a permission grant. The danger is that sharing can create unique permissions at the item level, bypassing your governance model.

Should I use SharePoint groups or Microsoft 365 groups?

Microsoft 365 groups for most scenarios. They provide unified membership across SharePoint, Teams, Outlook, and Planner. Use SharePoint groups only when you need site-specific access that should not extend to Teams or other M365 services.

How do I find all sites where "Everyone" has access?

Use the SharePoint Admin Center data access governance reports, or script it with PnP.PowerShell: for each site, read the web's role assignments (Get-PnPWeb -Includes RoleAssignments) and the members of each SharePoint group (Get-PnPGroup, Get-PnPGroupMember), and match login names against the "Everyone" claim `c:0(.s|true` and the "Everyone except external users" claim containing `spo-grid-all-users`. Get-PnPSiteCollectionAdmin only lists site collection administrators and will not show these grants. Third-party tools like ShareGate and Netwrix provide this reporting out of the box.

What happens to permissions when a user leaves the organization?

When the user's Entra ID account is disabled or deleted, new sign-ins fail and they lose access to all SharePoint content; tokens already issued stay valid until they expire (up to an hour) unless continuous access evaluation revokes them, so disable the account and revoke its sessions together. Their user identity may remain in permission lists, creating "orphaned" entries. Clean these up during quarterly audits. Also check: shared links they created may still work if set to "Anyone with the link", and any site where they were the only owner needs a new owner assigned.

How do permissions affect Microsoft Copilot responses?

Copilot can only access content that the asking user has permission to view. But Copilot is aggressive about surfacing relevant content — if a user has Read access to an executive compensation spreadsheet because of an overshared "Everyone" grant, Copilot will happily summarize salary data in response to a question about compensation. Clean permissions before Copilot deployment.

Can I bulk-manage permissions across multiple sites?

Yes. Use PnP.PowerShell for scripted permission management across sites. For ongoing governance, use AvePoint Cloud Governance or ShareGate to automate permission standardization. Manual site-by-site permission management does not scale beyond 50 sites.


Written by Errin O'Connor

Founder, CEO & Chief AI Architect | Microsoft Press Bestselling Author | 25+ Years Microsoft Ecosystem

Errin O'Connor is a Microsoft Press bestselling author of 4 books covering SharePoint, Power BI, Azure, and large-scale migrations. He leads our SharePoint consulting practice with expertise spanning 500+ enterprise migrations and compliance implementations across HIPAA, SOC 2, and FedRAMP environments.
