Understanding SharePoint Permissions

A practical guide to SharePoint permission types, sharing links, inheritance, and why they matter for security.

1. How SharePoint Permissions Work

SharePoint Online uses a hierarchical permission model that flows from the tenant level down through site collections, sites, libraries, folders, and individual files. At each level, permissions can be inherited from the parent or broken to define unique access rules. Understanding this hierarchy is essential for managing security effectively.

At the top level, tenant-wide settings control global sharing policies, such as whether external sharing is allowed and what types of sharing links users can create. These settings act as guardrails, but individual site owners can still configure their own permissions within those boundaries. This decentralised approach is flexible but makes it difficult to maintain a clear picture of who has access to what.

Sites are the primary containers in SharePoint. Each site has its own set of permission groups, typically Owners, Members, and Visitors, with corresponding access levels of Full Control, Edit, and Read. Document libraries and lists within the site inherit these permissions by default, but any item can have its inheritance broken to grant or restrict access independently.

2. Permission Types

SharePoint has three primary categories of permissions: direct permissions, inherited permissions, and sharing links. Direct permissions are explicitly assigned to a user or group at a specific level in the hierarchy. These are the most straightforward to understand and audit because they create a clear relationship between the principal and the resource.

Inherited permissions flow down from parent objects. When a document library inherits permissions from its parent site, any user who has access to the site automatically has the same access to the library. Inheritance simplifies administration but can lead to unintended access if site-level permissions are too broad. Breaking inheritance at lower levels creates unique permissions that must be managed separately.

Sharing links are the most dynamic and often the most problematic permission type. When a user shares a file or folder using a link, SharePoint creates a new permission entry. There are several types of sharing links: organisation links that work for anyone in your tenant, specific people links that are restricted to named recipients, and anonymous links that work for anyone with the URL. Each type carries different security implications.

3. External Sharing

External sharing is one of the most significant security considerations in SharePoint. When users share content with people outside your organisation, they create access paths that bypass your internal security controls. SPScan pays particular attention to external sharing because it represents the most common vector for accidental data exposure.

There are important distinctions between different types of external sharing. Organisation-wide sharing links are restricted to authenticated users within your tenant and are generally considered safe. External sharing links sent to specific email addresses require the recipient to authenticate but still grant access to someone outside your organisation. Anonymous links, sometimes called "anyone" links, are the highest risk because they can be forwarded and used by anyone without authentication.

SharePoint administrators can control external sharing at both the tenant and site level. However, even when external sharing is restricted at the tenant level, existing sharing links may persist until they are explicitly revoked. SPScan scans for all active sharing links and flags external and anonymous access so you can review and remediate as needed.
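The permission categories from sections 2 and 3 can be told apart mechanically from the objects the Microsoft Graph API returns. The following is an added example, not SPScan's code: it classifies constructed permission objects as direct, inherited, or one of the three link types, and flags the external and anonymous ones. The tenant domain, the `email` field on identities, and the risk labels are assumptions of the example.

```python
# Added example: classify Graph-style permission objects by the page's categories.
TENANT_DOMAINS = {"contoso.example"}  # assumption: your tenant's verified domains

# Constructed sample, shaped like Microsoft Graph "permission" resources.
# Assumption: identities carry an "email" field; real responses may not.
SAMPLE = [
    {"id": "p1", "roles": ["write"],
     "grantedToV2": {"user": {"email": "ana@contoso.example"}}},
    {"id": "p2", "roles": ["read"], "inheritedFrom": {"id": "parent-site"},
     "grantedToV2": {"user": {"email": "guest@partner.example"}}},
    {"id": "p3", "roles": ["read"], "link": {"scope": "organization", "type": "view"}},
    {"id": "p4", "roles": ["write"], "link": {"scope": "users", "type": "edit"},
     "grantedToIdentitiesV2": [{"user": {"email": "bob@partner.example"}}]},
    {"id": "p5", "roles": ["write"], "link": {"scope": "anonymous", "type": "edit"}},
]

def is_external(email):
    """True when the address is outside every tenant domain."""
    return email.rsplit("@", 1)[-1].lower() not in TENANT_DOMAINS

def recipients(perm):
    """Collect e-mail addresses of the users a permission names."""
    idents = list(perm.get("grantedToIdentitiesV2", []))
    if perm.get("grantedToV2"):
        idents.append(perm["grantedToV2"])
    return [i["user"]["email"] for i in idents if i.get("user", {}).get("email")]

def classify(perm):
    """Return (kind, risk); the risk labels are this example's own ranking."""
    scope = perm.get("link", {}).get("scope")
    external = any(is_external(e) for e in recipients(perm))
    if scope == "anonymous":
        return "anonymous-link", "high"
    if scope == "users":
        return "specific-people-link", "medium" if external else "low"
    if scope == "organization":
        return "organisation-link", "low"
    if scope is not None:
        return "other-link", "medium"   # unrecognised scope: review by hand
    kind = "inherited" if perm.get("inheritedFrom") else "direct"
    return kind, "medium" if external else "low"

def findings(perms):
    """Permissions worth review, highest risk first."""
    order = {"high": 0, "medium": 1}
    hits = [(p["id"], *classify(p)) for p in perms if classify(p)[1] in order]
    return sorted(hits, key=lambda h: order[h[2]])
```

Note that `p2` is an external user who arrives through inheritance: nothing was shared on the item itself, which is why broad site-level permissions need the same review as links.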

4. Why Permissions Drift

Permission drift occurs when the actual state of permissions in your SharePoint environment gradually diverges from your intended security policy. This is a natural consequence of day-to-day operations: users share files with colleagues, project teams change, and temporary access grants are never revoked. Over time, these small changes accumulate into a significant security gap.

Common causes of permission drift include users creating sharing links for quick collaboration without considering the long-term implications, site owners adding external users for a specific project and forgetting to remove them afterwards, and inheritance breaks that are created to grant temporary access but never restored. Organisational changes such as departures, role changes, and team restructuring also contribute to drift when access is not updated accordingly.

The challenge with permission drift is that it is invisible without active monitoring. SharePoint does not alert administrators when permissions accumulate beyond a certain threshold or when sharing links remain active for extended periods. This is exactly the gap that SPScan fills: by scanning your environment regularly and comparing the current state against best practices, SPScan makes permission drift visible and actionable.

5. How SPScan Monitors Permissions

SPScan uses the Microsoft Graph API to scan your SharePoint environment with read-only access. During each scan, SPScan discovers all sites in your tenant, enumerates the permissions on each site and its contents, and identifies sharing links, external access, and inheritance breaks. The results are stored and compared against previous scans to detect changes.

The scanning pipeline works in stages. First, SPScan refreshes its OAuth token and discovers any new or removed sites. Then it scans storage usage across all sites. Next, it resolves group memberships to understand who actually has access through group-based permissions. Finally, it analyses the full permission structure and calculates a compliance score for the tenant.

When SPScan detects a change that matches one of your alert rules, it dispatches a notification through your configured channels. This means you are informed immediately when someone creates a new anonymous sharing link, grants external access to a sensitive site, or breaks permission inheritance in a way that could expose data. Over time, SPScan builds a historical record of your permission landscape that you can use for auditing and compliance reporting.
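Comparing one scan against the previous one is what turns a permission listing into drift detection. The following is an added example, not SPScan's implementation: it diffs two constructed snapshots and reports new inheritance breaks, new external or anonymous grants, and risky grants that were already open at the last scan. The snapshot schema, paths, and event names are hypothetical.

```python
# Constructed snapshots of two scans (hypothetical schema, not SPScan's):
# item path -> whether it inherits, plus the grants set directly on it.
PREVIOUS = {
    "/sites/finance": {"inherits": False, "grants": {("Finance Owners", "group")}},
    "/sites/finance/Budgets": {"inherits": True, "grants": set()},
    "/sites/finance/Old": {"inherits": False,
                           "grants": {("link-001", "anonymous-link")}},
}
CURRENT = {
    "/sites/finance": {"inherits": False,
                       "grants": {("Finance Owners", "group"),
                                  ("bob@partner.example", "external")}},
    "/sites/finance/Budgets": {"inherits": False,
                               "grants": {("link-002", "anonymous-link")}},
    "/sites/finance/Old": {"inherits": False,
                           "grants": {("link-001", "anonymous-link")}},
}
RISKY = {"anonymous-link", "external"}  # grant kinds the example alerts on

def diff_scans(previous, current):
    """Return (event, path, principal) tuples describing drift between scans."""
    events = []
    for path in sorted(current):
        new = current[path]
        # A path first seen in this scan has no baseline to have drifted from.
        old = previous.get(path, {"inherits": new["inherits"], "grants": set()})
        if old["inherits"] and not new["inherits"]:
            events.append(("inheritance-broken", path, None))
        for principal, kind in sorted(new["grants"]):
            if kind not in RISKY:
                continue
            state = "still-open" if (principal, kind) in old["grants"] else "new"
            events.append((f"{state}-{kind}", path, principal))
    return events

def alerts(events):
    """Only changes since the last scan should notify; the rest feed reports."""
    return [e for e in events if not e[0].startswith("still-open")]
```

Keeping the `still-open` events out of notifications but in the stored results is what lets a report show how long a risky link has stayed active.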