SharePoint permissions confuse good teams because access can arrive through several layers at once: Microsoft 365 group membership, SharePoint site roles, library and folder permissions, and sharing links. A simple mental model of those layers answers the recurring question "why can they see finance?" before anyone has to ask it.
The three layers
| Layer | What it controls |
|---|---|
| Microsoft 365 group | Membership of a group-connected site (every Teams-connected site is one); group owners and members are mirrored into the site's Owners and Members roles |
| SharePoint site role | Owners, Members and Visitors on the site, plus any custom SharePoint groups and any library or folder where inheritance has been broken |
| Sharing link | Direct access to one file or folder for the link's recipients, granted outside the group and site roles, so it is invisible to anyone who reasons only in terms of groups |
Owners manage site settings and permissions, which means they can grant access to anyone. Members edit libraries and, with the default sharing settings on a team site, can share what they can edit. Visitors have read access; keep that role small on sensitive sites, because read access is still data exposure.
Best practices
1. Prefer group membership over breaking inheritance folder by folder: grant access by adding people to the group that already holds the right role.
2. Use private channels in Teams when a subset of one team needs different access; a private channel gets its own site with its own permissions.
3. Default sharing links to "Specific people" or "People with existing access", so a forwarded link grants nothing new.
4. Never grant the "Everyone except external users" claim on confidential libraries, and avoid "People in your organization" links there for the same reason: any signed-in user in the tenant can open them.
5. Run Entra ID access reviews on sites with guest access if your licensing includes them.
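The sharing defaults in practices 3 and 4 can be enforced rather than merely recommended. The following is an added example, not code from the original page: it uses the SharePoint Online Management Shell to set tenant-wide link defaults, hide the "Everyone except external users" claim from the people picker, and lock down one confidential site harder than the tenant. The admin URL and the Finance site URL are assumptions.

```powershell
# Added example (not from the original page): harden sharing defaults with the
# SharePoint Online Management Shell. Tenant and site URLs below are assumptions.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # assumed tenant admin URL

# Tenant-wide defaults: new links are "Specific people" (Direct) with View only,
# Anyone links are turned off (ExternalUserSharingOnly = authenticated guests only),
# and the Everyone except external users claim no longer appears in the picker.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Direct `
              -DefaultLinkPermission View `
              -ShowEveryoneExceptExternalUsersClaim $false

# Belt and braces for tenants that later re-enable Anyone links:
# they expire after 30 days and can only ever grant read access.
Set-SPOTenant -RequireAnonymousLinksExpireInDays 30 `
              -FileAnonymousLinkType View `
              -FolderAnonymousLinkType View

# A confidential site can be stricter than the tenant, never looser.
# Here external sharing is disabled entirely for Finance.
$finance = "https://contoso.sharepoint.com/sites/Finance"          # assumed site URL
Set-SPOSite -Identity $finance `
            -SharingCapability Disabled `
            -DefaultSharingLinkType Direct `
            -DefaultLinkPermission View

# Read the settings back so the change is verified, not assumed.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission,
    RequireAnonymousLinksExpireInDays, ShowEveryoneExceptExternalUsersClaim
Get-SPOSite -Identity $finance | Select-Object Url, SharingCapability, DefaultSharingLinkType, DefaultLinkPermission
```

Site-level sharing can only tighten what the tenant allows; if the tenant is set to Disabled, the Finance setting is redundant, and if the tenant allows Anyone links, the site setting is what actually protects that library. Run the read-back at the end as part of change control, since an SPO setting that was rejected silently looks identical to one that applied.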
Broken inheritance warning
When you break inheritance on a subfolder you create admin debt: that folder now has its own permission list that nobody reviews, so every new hire, team move or leaver needs a manual update there as well as in the group. Fix the structure instead: split the content into two sites, or move the restricted subset into a private channel.
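Before restructuring, you need to know how much admin debt a site already carries. The following is an added example, not code from the original page: it uses PnP.PowerShell to walk every document library in a site, report each library and folder whose inheritance has been broken, and show which principals hold which roles there. The site URL is an assumption.

```powershell
# Added example (not from the original page): inventory broken inheritance in
# one site with PnP.PowerShell. The site URL is an assumption.
Import-Module PnP.PowerShell
$site = "https://contoso.sharepoint.com/sites/Finance"   # assumed site URL
Connect-PnPOnline -Url $site -Interactive

function Get-UniqueAssignments($securable) {
    # Resolve the object's own RoleAssignments into "principal: roles" strings via CSOM.
    $assignments = Get-PnPProperty -ClientObject $securable -Property RoleAssignments
    foreach ($ra in $assignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        "$($ra.Member.Title): $(($ra.RoleDefinitionBindings | ForEach-Object Name) -join ', ')"
    }
}

# BaseTemplate 101 is a document library; skip hidden system lists.
$libraries = Get-PnPList | Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }

$findings = foreach ($list in $libraries) {
    Get-PnPProperty -ClientObject $list -Property HasUniqueRoleAssignments | Out-Null
    if ($list.HasUniqueRoleAssignments) {
        [pscustomobject]@{ Type = 'Library'; Path = $list.Title
                           Access = (Get-UniqueAssignments $list) -join '; ' }
    }
    # FSObjType 1 = folder. Each folder with its own ACL is one line of admin debt.
    $folders = Get-PnPListItem -List $list -PageSize 500 -Fields "FileRef","FSObjType" |
               Where-Object { $_["FSObjType"] -eq 1 }
    foreach ($folder in $folders) {
        Get-PnPProperty -ClientObject $folder -Property HasUniqueRoleAssignments | Out-Null
        if ($folder.HasUniqueRoleAssignments) {
            [pscustomobject]@{ Type = 'Folder'; Path = $folder["FileRef"]
                               Access = (Get-UniqueAssignments $folder) -join '; ' }
        }
    }
}

$findings | Sort-Object Type, Path | Format-Table -AutoSize -Wrap
```

Each folder costs a round trip to check HasUniqueRoleAssignments, so on a large site run this off-hours or restrict `$libraries` to the libraries you suspect. A long output list is the quantitative case for splitting the site: every row is a permission list someone must remember to update by hand.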
External sharing
Guest accounts in Entra ID are auditable: each guest is an identity with sign-in logs that can be reviewed, restricted or removed. Anonymous ("Anyone") links are convenient and risky because whoever holds the link is the identity; many firms disable them outright or force them to expire automatically.
Auditing
Site owners should periodically check who has access through Site permissions (including the Check Permissions tool) and the site's sharing report. Security teams use the unified audit log in Microsoft Purview for sharing and access events; longer retention and richer events come with higher tiers.
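A recurring review is easier to keep up when it is a script. The following is an added example, not code from the original page: it lists a site's groups and their members, flags guest accounts and site admins among the site's users, and pulls the last 30 days of sharing events for that site from the unified audit log. The site and admin URLs are assumptions; the audit query needs the ExchangeOnlineManagement module and a tenant with auditing enabled.

```powershell
# Added example (not from the original page): periodic access review for one
# site. URLs are assumptions. Search-UnifiedAuditLog comes from the
# ExchangeOnlineManagement module, not the SharePoint module.
Import-Module Microsoft.Online.SharePoint.PowerShell
Import-Module ExchangeOnlineManagement
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"    # assumed tenant admin URL
Connect-ExchangeOnline
$site = "https://contoso.sharepoint.com/sites/Finance"            # assumed site URL

# 1. Site groups: who is in each group, and with which role.
Get-SPOSiteGroup -Site $site | ForEach-Object {
    [pscustomobject]@{
        Group   = $_.Title
        Roles   = ($_.Roles -join ', ')
        Members = ($_.Users -join '; ')
    }
} | Format-Table -AutoSize -Wrap

# 2. Guests and admins among all site users. Guest login names carry "#ext#".
#    A user here who belongs to no group got in via a sharing link or a direct grant.
Get-SPOUser -Site $site -Limit All |
    Where-Object { $_.LoginName -like '*#ext#*' -or $_.IsSiteAdmin } |
    Select-Object DisplayName, LoginName, IsSiteAdmin,
                  @{ n = 'Groups'; e = { $_.Groups -join '; ' } } |
    Format-Table -AutoSize -Wrap

# 3. Sharing events for this site over the last 30 days.
#    AuditData is JSON; SiteUrl/ObjectId identify the site and item.
$ops = 'SharingSet', 'SharingInvitationCreated', 'AnonymousLinkCreated',
       'SecureLinkCreated', 'AddedToSecureLink'
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
                       -RecordType SharePointSharingOperation -Operations $ops -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object { $_.SiteUrl -like "$site*" -or $_.ObjectId -like "$site*" } |
    Select-Object CreationTime, Operation, UserId, ObjectId, TargetUserOrGroupName, TargetUserOrGroupType |
    Sort-Object CreationTime -Descending |
    Format-Table -AutoSize -Wrap
```

Read the three outputs together: a name in section 2 that appears in no group in section 1 should have a matching event in section 3 that explains how it got there. If it does not, the grant predates your audit retention, which is itself a finding worth recording. Search-UnifiedAuditLog caps a single call at 5000 results, so for busy tenants narrow the date window or page with -SessionCommand ReturnLargeSet.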
Help
Permission remediation after an acquisition is specialist work: engage partners who migrate and restructure SharePoint tenants regularly.