SharePoint Permission Inheritance Explained
SharePoint permission inheritance controls how access rights flow from a parent site down to every subsite, library, folder, and file. When configured correctly, it eliminates repetitive permission assignments, enforces a consistent security model, and forms the backbone of sound Microsoft 365 governance. Get it wrong and you risk either locking legitimate users out or silently exposing sensitive data to people who should never see it.
This guide covers everything Microsoft 365 administrators, site owners, and governance leads need to know: how inheritance works at each level of the SharePoint hierarchy, when and how to break it, how to restore it, and the governance best practices that prevent permission sprawl. You will also find ready-to-use reference tables to speed up your day-to-day decisions.
What Is SharePoint Permission Inheritance?
SharePoint permission inheritance means that a child object—a subsite, document library, list, folder, or individual file—automatically adopts the permission settings of its parent container. By default, every new object in SharePoint inherits from its parent, so you only need to set permissions once at the top level and they cascade downward through the entire hierarchy without any further action.
When inheritance is active, administrators set permissions once at the site collection root and all objects below automatically follow those rules. When you need a different access pattern for a specific location—say, a confidential HR folder or an executive briefing library—you break inheritance for that specific object and assign unique permissions just there. The rest of the site continues to inherit normally.
SharePoint Permission Levels: A Complete Reference Table
SharePoint provides five built-in permission levels that bundle specific capabilities into named roles. Understanding each level is essential before you can design an effective inheritance strategy. The table below shows every built-in level, who it is designed for, and what it allows.
| Permission Level | Typical Users | Key Capabilities | Inherits by Default |
| View Only | External guests, auditors | View pages and documents only; cannot download | Yes |
| Read | End users, stakeholders | View and download content; no editing | Yes |
| Contribute | Team members, knowledge workers | Add, edit, delete items; cannot manage lists | Yes |
| Edit | Power users, list managers | All Contribute rights plus manage lists and views | Yes |
| Design | Site designers, page authors | All Edit rights plus approve pages, design themes | Yes |
| Full Control | Site owners, SharePoint admins | All rights including permissions management and site settings | Yes |
How SharePoint Permission Inheritance Works: The Full Hierarchy
SharePoint organizes its content in a strict parent-child hierarchy. Permissions flow from the top of that hierarchy downward unless explicitly interrupted. Here is how each level participates in inheritance:
| SharePoint Level | Inherits From | Key Governance Actions |
| Site Collection Root | Nothing (top of hierarchy) | Set baseline permissions; all objects below inherit unless changed |
| Subsite | Parent site collection root | Can break inheritance to create autonomous permission scope |
| Document Library / List | Parent site or subsite | Most common place to break inheritance for sensitive content |
| Folder | Parent library or list | Useful for project-specific or partner access scenarios |
| List Item / File | Parent folder or library | Use sparingly; breaks at this level increases admin overhead significantly |
| SharePoint Online Hub Site | Not inherited (hub navigation only) | Hub sites share navigation and theme but NOT permissions by default |
How to Break SharePoint Permission Inheritance: Step-by-Step
Breaking inheritance is a deliberate administrative action that gives a specific object its own permission set, independent of its parent. Before breaking inheritance, confirm that the security need cannot be met by using groups at the parent level. Over-use of broken inheritance creates a permission sprawl that is difficult to audit and maintain. When you do need to break it, here is the correct process for a document library or folder in SharePoint Online:
- Step 1: Navigate to the library or folder you want to configure. Open the document library from the left navigation or site contents.
- Step 2: Access the Permissions page. Go to Settings (gear icon) > Library settings > Permissions for this document library. For a folder, select the folder, click the three-dot menu, and choose Manage access > Advanced settings.
- Step 3: Click Stop Inheriting Permissions. You will see a confirmation dialog warning that the object will receive its own copy of the parent permissions. Click OK to proceed.
- Step 4: Configure unique permissions. Remove any groups or users that should not have access, and add the specific users or groups with the appropriate permission level using Grant Permissions.
- Step 5: Document the change. Record why inheritance was broken, which users or groups were added, and schedule a future review date. This documentation is critical for audits and ongoing governance.
When to Break SharePoint Permission Inheritance: Business Use Cases
Not every access control challenge requires breaking inheritance. In many cases, adding users to a different group at the parent level achieves the same goal with far less administrative complexity. Use the decision table below to determine whether breaking inheritance is the right approach for your specific scenario.
Scenario
| Scenario | Break Inheritance? | Recommended Approach |
| HR personnel files | Yes | Dedicated HR library with HR group only |
| Legal contracts | Yes | Break at library level; Legal Team group with Contribute |
| Executive meeting notes | Yes | Folder with unique permissions for leadership only |
| External vendor project | Yes | Break at folder; grant guest Contribute; review in 90 days |
| All team members need same access | No | Keep inheritance; add all staff to site members group |
| Different read vs. edit on same library | No | Use SharePoint groups with different permission levels at site level |
| Single sensitive document in public library | Yes (item level) | Break at item only; use rarely; schedule quarterly review |
How to Restore SharePoint Permission Inheritance
Restoring inheritance re-links an object to its parent and deletes all unique permissions on that object. Before restoring, review whether any users or groups with unique access will lose it entirely once the parent permissions take over. This action is irreversible through the UI—once done, all custom permissions are removed and the parent settings apply immediately.
To restore inherited permissions: Go to the permissions page for the list, library, folder, or item (Settings > Library settings > Permissions for this document library). You will see a yellow banner or notice that indicates the object has unique permissions. Click Delete unique permissions or Inherit Permissions (the wording varies between classic and modern SharePoint). Confirm in the dialog that appears. Run Check Permissions for affected users to verify the restored access is correct.
Common SharePoint Permission Inheritance Mistakes and How to Fix Them
Even experienced SharePoint administrators make these mistakes when working with permission inheritance. Recognizing them early and knowing the fix prevents security gaps, permission sprawl, and long-term governance headaches. The table below lists the most frequent errors with actionable remediation.
| Mistake | Why It Happens | How to Fix It |
| Breaking inheritance without documentation | Admins act quickly under pressure without writing down the rationale | Create a permissions change log; record date, reason, who approved, and next review date |
| Overusing unique permissions | Applying unique permissions at every level for granularity | Redesign permission model using groups; consolidate unique permissions to minimum required locations |
| Assigning permissions to individuals instead of groups | Perceived as faster; individual-level control feels easier in the moment | Migrate individual assignments to Azure AD or SharePoint groups; enforce via governance policy |
| Not auditing inheritance changes | Lack of monitoring tooling or process for permission changes | Enable audit logging in Microsoft Purview; review permission change reports quarterly |
| Forgetting about stale unique permissions | No scheduled review process; permissions accumulate over time | Schedule quarterly permission audits; use PowerShell or Microsoft 365 Reports to identify orphaned unique permissions |
| Locking out site owners by accident | Breaking inheritance at the site level removes the site owner group | Always retain site owners when breaking inheritance; verify admin access before confirming changes |
| Not testing permission changes before production | Pressure to deliver quickly skips UAT for permission settings | Test on a staging site or in a test library; verify with Check Permissions for sample users |
| Ignoring permissions when moving or copying content | Assumption that permissions travel with content during migration | Run Check Permissions on all moved items; re-apply inheritance or unique permissions as needed post-migration |
Best Practices for SharePoint Permission Inheritance
Following a small set of consistent practices dramatically reduces the complexity of managing SharePoint permission inheritance across large organizations. Apply these principles from the start of every new site or project and enforce them through governance policy.
- Practice 1: Design permissions at the site level using groups, not individuals. Create Azure AD security groups that map to business roles (for example, HR-Staff, Legal-Team, Finance-Readers) and assign those groups to SharePoint permission levels at the site collection level. Users joining or leaving a team need only be added to or removed from the Azure AD group—no direct SharePoint permission changes required.
- Practice 2: Minimize breaking inheritance. Before breaking inheritance, always ask: can I achieve the same result by using a different SharePoint group or adding a specific group to the parent with a more restrictive permission level? If yes, keep inheritance intact. Reserve unique permissions for scenarios where the access requirement truly cannot be met by the parent hierarchy.
- Practice 3: Run quarterly permission audits. Use the Microsoft 365 admin center, Microsoft Purview, or PnP PowerShell scripts to generate reports on which objects in your SharePoint environment have unique permissions (broken inheritance). Review every unique-permission object against your current business requirements. Consolidate or restore inheritance where the unique permission is no longer needed.
- Practice 4: Document every unique permission. Maintain a permissions register (a simple SharePoint list works well) that records: the URL of the uniquely permissioned object, the date inheritance was broken, the business reason, which groups and users have access, who approved the change, and the next scheduled review date. This register is invaluable during audits, migrations, and compliance reviews.
- Practice 5: Enforce the principle of least privilege. Assign the most restrictive permission level that still enables users to do their job. Most team members need Contribute, not Edit or Full Control. Reserve Full Control for site owners and administrators. Review all Full Control assignments during every quarterly audit—any account with Full Control that is not actively performing administrative tasks is a security risk.
SharePoint Online vs. SharePoint Server: Permission Inheritance Differences
The core concepts of inheritance are identical across both platforms, but the administrative experience and available tooling differ significantly. Administrators managing hybrid environments or planning migrations should be aware of these distinctions.
| Feature | SharePoint Online (Microsoft 365) | SharePoint Server (On-Premises) |
| Inheritance mechanics | Identical to SharePoint Server | Identical to SharePoint Online |
| Permission management UI | Modern UI + classic permissions pages accessible via /_layouts/ | Classic permissions pages only (SharePoint 2016/2019) |
| Bulk permission management | PnP PowerShell, Graph API, SharePoint Online Management Shell | PowerShell (SharePoint PnP), Central Admin, SharePoint Management Shell |
| Audit logging | Microsoft Purview (integrated), audit log in Microsoft 365 admin center | SharePoint built-in audit reports; requires separate SIEM integration |
| External sharing | Built-in guest access via Azure AD; controlled by tenant-level sharing policies | Requires ADFS or custom external auth; more complex to configure |
| Recommended permission tool | Microsoft Entra ID (Azure AD) groups + SharePoint groups | Active Directory security groups + SharePoint groups |
Permission Inheritance and SharePoint Governance
Permission inheritance is not just a technical setting—it is a foundational pillar of any effective SharePoint governance framework. Without a deliberate inheritance strategy, even the most well-intentioned organizations accumulate permission sprawl: hundreds of uniquely-permissioned objects scattered across thousands of sites, with no clear documentation and no defined review process.
A sound governance plan for SharePoint permission inheritance should define four things: (1) who is authorized to break inheritance; (2) what documentation is required before and after breaking; (3) how frequently all unique permissions will be reviewed; and (4) what tools and scripts will be used to generate compliance reports. Organizations using Microsoft Teams alongside SharePoint should extend these governance rules to cover Microsoft 365 Groups, which control SharePoint site permissions through connected team sites.
Frequently Asked Questions about SharePoint Permission Inheritance
Q: What is SharePoint permission inheritance and how does it work?
A: SharePoint permission inheritance means that child objects—subsites, libraries, lists, folders, and files—automatically adopt the permissions of their parent. When you set permissions at the site collection level, all objects below inherit those settings unless you explicitly break the inheritance chain for a specific object.
Q: When should I break SharePoint permission inheritance?
A: Break inheritance when a specific library, folder, or file genuinely requires a different set of users or permissions than its parent site provides. Common valid reasons include: protecting confidential HR or legal files, granting time-limited external vendor access to a project folder, or securing executive content from general staff. Do not break inheritance for convenience or to satisfy requests that can be solved with group membership changes.
Q: How do I restore inheritance after breaking it in SharePoint?
A: Navigate to the permissions page of the library, folder, or item (Settings > Library settings > Permissions for this document library). Click Delete unique permissions or Inherit Permissions. All custom permissions on that object are removed and it inherits from its parent. Verify the resulting access with Check Permissions before communicating the change to affected users.
Q: Does SharePoint Online handle permission inheritance differently than SharePoint Server?
A: The mechanics of inheritance are identical in both versions. The differences lie in the management UI and tooling: SharePoint Online has a modern interface and integrates with Microsoft Entra ID (Azure AD) groups and Microsoft Purview for auditing; SharePoint Server relies on classic permissions pages and on-premises Active Directory. Administrators familiar with one platform will recognize the same inheritance concepts in the other.
Q: What is the best way to manage permissions at scale in a large SharePoint environment?
A: Use Azure AD security groups mapped to roles and assign those groups at the site collection level. Avoid direct user assignments entirely. Use PnP PowerShell to audit permissions at scale, identify uniquely-permissioned objects, and bulk-restore inheritance where needed. Pair this with a governance policy that limits who can break inheritance and requires documentation for every exception.
Q: Can I use PowerShell to manage SharePoint permission inheritance at scale?
A: Yes. PnP PowerShell provides cmdlets like Get-PnPListItem and Get-PnPSiteGroup to analyze permissions across sites. The command Get-PnPList | Where-Object { $_.HasUniqueRoleAssignments } identifies lists and libraries with broken inheritance across a site. For bulk restoration, use Reset-PnPListItemPermission or a loop-based script that calls Set-PnPListItemPermission to restore inheritance across hundreds of items simultaneously.
Q: Does moving or copying content in SharePoint preserve permission inheritance?
A: Moving content within the same site collection generally preserves the inheritance settings of the destination (the item adopts the inheritance of the destination container). Copying always creates a new object that inherits from the destination. Items with broken inheritance that are moved or copied do NOT automatically carry their unique permissions to the destination—you must re-verify and re-apply permissions manually after every move or copy operation involving uniquely-permissioned content.
Key Takeaways on SharePoint Permission Inheritance
SharePoint permission inheritance is the default mechanism that flows access rights from a site collection root down to every library, folder, and file. Understanding it thoroughly is non-negotiable for any Microsoft 365 administrator or governance lead.
Inheritance saves time and ensures consistency. Setting permissions once at the site collection level eliminates repetitive configuration and creates a predictable, auditable security baseline. Resist the urge to break inheritance just because it seems easier to manage access on a case-by-case basis.
Only break inheritance when there is a clear, documented business reason. Valid reasons include protecting HR records, legal files, executive content, or time-limited external partner access. Document every exception in a permissions register and assign a review date to every uniquely-permissioned object.
Groups, not individuals, are the foundation of scalable permission management. Using Azure AD security groups aligned to business roles means user onboarding and offboarding requires only group membership changes, not individual SharePoint permission updates across dozens of sites.
Quarterly audits are not optional. Unique permissions accumulate silently over time. Without regular audits—using Microsoft Purview or PnP PowerShell scripts—stale access rights linger long after employees leave, projects end, or business needs change. Schedule and enforce permission reviews as a core governance activity, not a reactive cleanup.
Governance transforms inheritance from a technical detail into a strategic control. Organizations that define who can break inheritance, what justification is required, and how permissions are reviewed turn SharePoint from a potential security liability into a controlled, compliant, and scalable collaboration platform. Whether you manage 10 sites or 10,000, the principles are the same: inherit broadly, break sparingly, document always, and audit regularly.
Founder of M365 Show, M365con.net & m365.fm
Mirko Peters is a Microsoft 365 expert, content creator, and founder of m365.fm, a platform dedicated to sharing practical insights on modern workplace technologies. His work focuses on Microsoft 365 governance, security, collaboration, and real-world implementation strategies.
Through his podcast and written content, Mirko provides hands-on guidance for IT professionals, architects, and business leaders navigating the complexities of Microsoft 365. He is known for translating complex topics into clear, actionable advice, often highlighting common mistakes and overlooked risks in real-world environments.
With a strong emphasis on community contribution and knowledge sharing, Mirko is actively building a platform that connects experts, shares experiences, and helps organizations get the most out of their Microsoft 365 investments.
Building a Modern Copilot Enablement Strategy for Microsoft Success
