How to Manage Unique Permissions in SharePoint Online
Managing permissions in SharePoint Online is crucial for securing files and folders from unauthorized access. By default, SharePoint Online follows a structured access model through permission inheritance. However, unique permissions in SharePoint Online offer the flexibility to break this inheritance, granting or restricting access at a granular level. Whether you need to secure sensitive files or create project-specific access rules, understanding how to manage unique permissions in SharePoint Online is essential.
In this blog, we’ll help you understand what unique permissions are and how to manage them effectively in SharePoint Online.
Unique permissions in SharePoint Online allow specific users or groups to have distinct access levels. These unique permissions override the default inherited permission and allow you to customize access for a particular site, library, folder, or file.
Consider a project team working within a SharePoint Online document library. While most files should be accessible to the entire team, some sensitive financial reports require restricted access. In such cases, you can break the site-level permission inheritance and grant unique permissions to those files.
How to Set Unique Permissions in SharePoint Online?
Before setting unique permissions, it’s important to understand how SharePoint Online permission inheritance works. By default, SharePoint Online lists, libraries, folders, and files inherit permissions from their parent site. This means that user and group permissions, such as Read, Edit, Contribute, or Full Control, set at the site level are automatically applied to all documents within it. Hence, we need to break the permission inheritance before creating unique permissions in SharePoint Online.
Let’s explore how to break permission inheritance, create unique permissions, and delete unique permissions in SharePoint Online.
- How to break permission inheritance in SharePoint Online?
- Break permission inheritance in SharePoint Online using PowerShell
- How to create unique permissions for a file or folder in SharePoint Online?
- List all unique permissions for files and folders in a SharePoint Online site
- How to remove unique permissions in SharePoint Online?
- Delete unique permissions in SharePoint Online using PowerShell
- Best practices for managing unique permissions in SharePoint Online
Let’s see how to stop permission inheritance for a file/folder in SharePoint Online.
- Navigate to the document library in your SharePoint site.
- Click on the ellipsis icon (…) of the file/folder for which you want to break inheritance.
- Select Manage access and then click on the ellipsis icon (…) at the top right corner of the Manage Access window.
- Choose Advanced settings to open the SharePoint Online permissions page.
- On the permissions page, select the Stop Inheriting Permissions button to break the permission inheritance of the file/folder you have selected.
The selected file or folder no longer inherits permissions from the parent site, as SharePoint permission inheritance has been successfully stopped.
Alternatively, you can use PowerShell to break permission inheritance for a file/folder in SharePoint Online. To do this, register an Entra ID application to use with PnP PowerShell, connect to the desired SPO site with PnP PowerShell, and execute the following cmdlets.
1. Break permission inheritance for a file in SharePoint Online:
To break inheritance permissions for a specific file in SharePoint Online, you can use the ‘Get-PnPFile’ cmdlet along with the BreakRoleInheritance method as shown below.
$file = Get-PnPFile -Url "<file path>"
$file.ListItemAllFields.BreakRoleInheritance($True, $True)   # arguments: copyRoleAssignments, clearSubscopes
Invoke-PnPQuery   # send the queued change to SharePoint
Replace “<file path>” in the cmdlet with the actual path of the file for which you want to break permission inheritance.
2. Break permission inheritance for a folder in SharePoint Online:
You can use the ‘Get-PnPFolder’ cmdlet along with the BreakRoleInheritance method to break inheritance permissions for a specific folder in SharePoint Online.
$folder = Get-PnPFolder -Url "<folder path>"
$folder.ListItemAllFields.BreakRoleInheritance($True, $True)   # arguments: copyRoleAssignments, clearSubscopes
Invoke-PnPQuery   # send the queued change to SharePoint
Replace “<folder path>” in the cmdlet with the actual path of the folder for which you want to break inheritance.
After breaking the permission inheritance, follow the steps below to give unique permissions to a file/folder in SharePoint Online.
- Return to your SharePoint document library and click on the ellipsis icon (…) of the file/folder.
- Click the Manage access option and then select the Grant Access (user icon) in the top right corner of the Manage Access window.
- Here, type the name of the user or group you want to grant unique access for the selected file.
- Use the Edit drop-down to change the permission level, such as:
- Can edit – Users can view and modify the file/folder with this permission.
- Can view – With this option, users can only view the file/folder.
- Can’t download – This permission allows users to view the file but doesn’t allow them to download it.
Note:
- Permission levels of site owners and group owners cannot be modified.
- External sharing of a SharePoint file or folder using a sharing link with someone who doesn’t have site access grants them unique permission.
Now, the unique permission has been successfully created. You can navigate to the permissions page and check all the unique permissions you have created.
How to Check SPO Unique Permissions Assigned to a Specific User for a File or Folder?
Sometimes, you may need to verify the unique permissions assigned to a specific user or group. In such cases, you can use the Check Permissions option.
- Simply select the Check Permissions option on the SPO permissions page, enter the name of the user or group you want to review, and click Check Now.
- This will display all the permission levels assigned to that particular user or group.
Once you break the inheritance and assign unique permissions for a file or folder, any new permission added at the site level won’t be reflected in the file/folder permissions. Additionally, if you set unique permissions for a folder, those permissions are automatically extended to all files and subfolders within it.
Note: SharePoint Online supports up to 50,000 unique permissions per list or library.
Now that you have learned how to create unique permissions in SharePoint Online, it is equally important to regularly monitor them. This helps prevent unauthorized access and ensures proper security for your files and folders. Let’s see how to view all unique permissions in a SharePoint Online site.
- Navigate to your SharePoint site and click the Settings icon (⚙️) on the top banner.
- Select Site permissions and choose Advanced permissions settings.
- You will see a warning message like “Some content on this site has different permissions from what you see here.” Click on the Show these items option near this message.
- It will show the SharePoint Online lists that have unique permissions. Click the manage permissions option next to the list name.
- It will redirect you to the permissions page of that list. Here, again click on the Show these items option near the warning message.
- Now, you can see all the files and folders that have unique permissions in your SharePoint Online site.
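The same inventory can be scripted for regular reviews. The following is an added example, not part of the original post: it assumes an existing Connect-PnPOnline session, and the library title "Documents" and the report path are placeholders. Treating principals named "SharingLinks.*" as sharing-link grants is a naming heuristic, not an official flag.

```powershell
# Added example: report every item in one library that has unique permissions,
# with the principals and permission levels granted on it.
$ListName   = "Documents"                 # placeholder: title of the library to audit
$ReportPath = ".\UniquePermissions.csv"   # placeholder: where to write the report

$report = foreach ($item in Get-PnPListItem -List $ListName -PageSize 500) {
    # HasUniqueRoleAssignments is not loaded by default, so request it explicitly.
    Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments | Out-Null
    if (-not $item.HasUniqueRoleAssignments) { continue }

    # Load the role assignments only for items that broke inheritance.
    Get-PnPProperty -ClientObject $item -Property RoleAssignments | Out-Null
    foreach ($ra in $item.RoleAssignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null

        # "Limited Access" is assigned by SharePoint for traversal; skip it as noise.
        $roles = $ra.RoleDefinitionBindings |
            Where-Object { $_.Name -ne "Limited Access" } |
            Select-Object -ExpandProperty Name
        if (-not $roles) { continue }

        [pscustomobject]@{
            Path          = $item.FieldValues["FileRef"]
            ItemType      = $item.FileSystemObjectType      # File or Folder
            Principal     = $ra.Member.Title
            PrincipalType = $ra.Member.PrincipalType        # User, SharePointGroup, SecurityGroup
            Roles         = $roles -join "; "
            # Heuristic (assumption): sharing-link grants appear as groups named SharingLinks.*
            ViaSharingLink = $ra.Member.Title -like "SharingLinks.*"
        }
    }
}

$report | Export-Csv -Path $ReportPath -NoTypeInformation

# Review aids: direct grants to individual users, and the items with the most grants.
$report | Where-Object { $_.PrincipalType -eq "User" } | Format-Table Path, Principal, Roles
$report | Group-Object Path | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name
```

Rows with PrincipalType "User" are the direct per-user grants that the best practices below recommend replacing with groups.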
SharePoint unique permissions can quickly become complex and difficult to manage, especially for large organizations. In such cases, we might need to limit unique permissions in SharePoint Online.
To revoke a unique permission granted to a specific user, follow the steps below.
- On the permissions page of your file/folder, select the user whose permission you want to revoke.
- Then, click on the Remove User Permissions option in the toolbar to remove a unique permission granted to that specific user for your file/folder.
- If you want to delete all unique permissions you have created for a SharePoint document, just click on the Delete unique permissions option.
- This will delete all the unique permissions and restore permission inheritance for that file/folder.
To delete unique permissions and restore inheritance for a file or folder using PnP PowerShell, first connect to the desired SharePoint site using the following cmdlet.
Connect-PnPOnline -Url "<SiteURL>" -Interactive
Remove unique permissions for a file in SharePoint Online:
If a file has unique permissions and you want it to inherit permissions from its parent document library, run the following cmdlet.
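$file = Get-PnPFile -Url "<file path>"
$file.ListItemAllFields.ResetRoleInheritance()   # discard unique permissions and inherit from the parent again
Invoke-PnPQuery   # send the queued change to SharePoint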
Replace “<file path>” with the actual file path before executing the cmdlet.
Remove unique permissions for a folder in SharePoint Online:
Use the ‘Get-PnPFolder’ cmdlet with ResetRoleInheritance method to restore permission inheritance for a folder.
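$folder = Get-PnPFolder -Url "<folder path>"
$folder.ListItemAllFields.ResetRoleInheritance()   # discard unique permissions and inherit from the parent again
Invoke-PnPQuery   # send the queued change to SharePoint
Be sure to replace “<folder path>” with the actual folder path before running the cmdlet.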
Follow these best practices to keep SharePoint Online unique permissions organized and easily manageable.
- Use Security Groups Instead of Individual Users: Instead of granting unique permissions to individual users, add them to security groups. Assigning permissions to groups helps prevent confusion and simplifies unique permission management.
- Apply Least Privileged Permissions: Always grant users the minimum level of access required to perform their tasks. Regularly monitor SharePoint Online file activities to ensure unique permissions are correctly assigned and not providing excessive access.
- Minimize Unique Permissions: Assign unique permissions to files, folders, or libraries only when absolutely necessary. It is recommended to keep the count below 5,000 unique permissions to simplify SharePoint Online permission management.
- Document and Review Unique Permissions Regularly: Keep track of where and why unique permissions are applied to prevent unauthorized access of sensitive documents.
In conclusion, creating unique permissions in SharePoint Online is beneficial for restricting sensitive files while keeping general content accessible to everyone in a SharePoint site. However, excessive unique permissions can make management difficult. By following SharePoint Online permission levels best practices, you can maintain a structured and secure permission model.
If you have any questions, feel free to reach out through the comments section below!