Want to generate a SharePoint Online site permissions report without using PowerShell? With ShareGate, it’s easy to audit user access across your SharePoint Online sites, subsites, and OneDrive. We’ll show you how to simplify your site permissions review with automation workflows—even when external users are involved.
There’s no one-size-fits-all approach to managing your SharePoint permissions. Using a mix of strategies can help you keep your data secure over time—and the right combination depends on your organization’s specific needs and goals.
The good news? You don’t need complex PowerShell scripts or clunky manual reporting tools to get clarity.
You can generate a SharePoint Online permissions report using ShareGate’s permissions reporting tool. With SharePoint permissions reporting, you get visibility into user access, proactively manage security risks, and export the results into a CSV file for easy analysis.
Data security should be part of every organization’s Microsoft 365 management plan. A great way to maintain sensitive data security? Conduct regular SharePoint permissions reporting audits and generate a site permissions report to ensure compliance.
You’ll find a variety of built-in and custom reports in ShareGate that can help you monitor security the way you want and simplify SharePoint management. Here, we’ll walk you through the steps to set up and run our popular Permissions Matrix Report so you can get a complete overview of all the permissions given to users and groups in SharePoint and Microsoft 365—without the need for PowerShell.
Table of contents
- What SharePoint security means at ShareGate
- Why SharePoint Online permissions reports and site collection permissions matter for security
- Understanding SharePoint permission levels and user access
- SharePoint Online user permissions report—the ShareGate way
- How to create a SharePoint permissions matrix report with ShareGate
- Review your permissions matrix report results to maximize SharePoint security
What SharePoint security means at ShareGate
There’s the governance plan, rules, and processes to follow—and then comes the reality. Sometimes, you don’t have the time or total control to ensure every action taken inside your SharePoint complies with the initial plan.
SharePoint security might have different meanings depending on your business and your governance. For us, SharePoint security must answer these questions:
- Who has access to my site/content, and from where do they have access?
- What is my permissions structure like?
- What activities take place inside my SharePoint content, and who performs them?
- Am I taking any risks by allowing external sharing in Microsoft 365?
- Can I take action to correct security breaches quickly?
Why SharePoint Online permissions reports and site collection permissions matter for security
We can all agree that SharePoint and Microsoft 365 are powerful tools that enable unprecedented levels of collaboration and productivity. That being said, bringing all of your employees together within the same environment comes with its fair share of security concerns.
So how do you make sure everyone has access to the right things?
Restricting access too much can frustrate users and push them toward workarounds: the dreaded shadow IT.
On the other hand, excessive permission levels can compromise security, allowing users to modify or delete sensitive information they shouldn’t access.
That’s why, to minimize the risk of data leaks, it’s crucial that you regularly audit permissions in SharePoint Online. A strong SharePoint permissions reporting strategy ensures IT admins can quickly identify access issues and prevent security breaches before they happen.
Unfortunately, there’s no easy Microsoft out-of-the-box solution or built-in SharePoint permissions reporting tool that allows you to do this. And even when you run a SharePoint user permissions report manually, there’s no straightforward way to export the results to a CSV file and save the data for further analysis.
You would need to manually check user permissions, list site permissions, or run PowerShell scripts that use cmdlets like Get-Credential and read each role assignment’s RoleDefinitionBindings to analyze each SharePoint site.
That’s where ShareGate’s centralized reporting comes in. 👍
Understanding SharePoint permission levels and user access
There are three standard permission groups that enable you to manage SharePoint permissions within a site:
- Owners
- Members
- Visitors
For IT admins, groups are key to modern workplace governance because they give you a centralized way to manage access.
There are a variety of permission levels that allow users to access the resources they need.
Full control
- For Site collection owners
- Contains all available SharePoint permissions, meaning individuals and groups can carry out any activity – from creating sites to editing lists and libraries or deleting documents.
Edit
- For group members – typically heads of departments/the person running a department’s site.
- Lets users add, edit, and delete content (e.g., documents, pages, and announcements).
Read
- Usually for someone invited to participate in work but not to make changes.
- It’s only possible to view pages and items in existing lists and download documents.
Permission levels define what users can and can’t do within SharePoint Online, including workflows, list items, and admin center controls. You may not want some users to be able to see a certain site at all. Or, in other cases, you might just want to let them see certain lists and libraries but not be able to change or contribute to them.
Knowing which permissions to apply and how to use them requires an intimate understanding of your organization’s needs.
SharePoint Online user permissions report—the ShareGate way
Trying to audit SharePoint site permissions manually is time-consuming, not to mention the risk of human error and inconsistent permission levels. And as soon as you’ve finished all the necessary steps to audit every site, you need to start the whole process over again—user permissions need to be audited regularly to keep data secure on an ongoing basis.
Skip the PowerShell foreach loops—ShareGate’s SharePoint Online permissions report automates the process with a clean, visual permissions matrix. Generate a site permissions report that tracks unique permissions, SharePoint groups, and role assignments in one click.
ShareGate’s permissions matrix report
ShareGate’s built-in permissions matrix report helps you uncover the permissions and access given to users and groups in your SharePoint and Microsoft 365.
With ShareGate’s permissions matrix report, site admins can instantly get permission details across their SharePoint environment—including who has access, through which SharePoint groups, role assignments, and individual permissions.
Plus, the full user permissions report can be exported as a CSV file with no type-information header (what PowerShell’s -NoTypeInformation switch gives you), making it easier to share with stakeholders or integrate with other reporting tools. It saves a lot of time that would otherwise be spent performing the repetitive tasks required to monitor and manage permissions regularly.
You can run the report on multiple site collections at once, and it will work the same whether you’re using SharePoint Online, Microsoft 365, or both in a hybrid setup.
With the results from the permissions matrix report, you can see:
- All site owners, site members, user and group permissions, and each one’s permission level
- Objects that have inherited permissions
- Microsoft 365 external users (including pending invitations and anonymous guest links)
How to create a SharePoint permissions matrix report with ShareGate
Ready to run your first permissions matrix report in ShareGate? We’ll walk you through the steps!
Prerequisites: Before you get started, make sure you’ve connected ShareGate to an environment as a Global or SharePoint administrator, and that you have site collection administrator rights for the environments within the scope of the report.
In ShareGate, navigate to the Security screen by clicking on the Security tab on the left navigation. Then click on Run permissions matrix report under Security essentials.

Select the target of the report, then click Next.

On the next screen, set your desired report options from the options outlined below, then click Schedule or Run now.

Users and groups
Select All users and groups, External users, or Specific users and groups. If you selected Specific users and groups, begin typing the user’s name and select the appropriate user from the dropdown.
Object types
Select whether or not you would like lists and libraries and list contents to be included in the scope of the report.
If you choose to include your list contents, note that the report will only show you permissions on folders, documents, and list items that have custom permissions (permissions not inherited from the parent).
Setup automatic export
If you want ShareGate to export a copy of the completed report automatically when finished, click on Setup automatic export before running the report. Check out our support documentation on how to set up automatic export to SharePoint library for more info and detailed instructions.
Review your permissions matrix report results to maximize SharePoint security
Once ShareGate has finished running your permissions matrix report, you’ll be able to see which users and groups have access in your environment.
If any errors popped up, you can click on Error details for more info to help you fix the problem fast.

Permission levels
Permissions for SharePoint groups and Active Directory security groups are not initially expanded. You can click on the expand icon (the plus sign) to view the members, owners, or visitors of a given group.

Inherited permissions
To view the inherited permissions of an object, click on View (next to where it says Same as parent).

Guest links and external user invitations
You can also view sharing links that are currently being used to grant guests outside of your organization’s Microsoft 365 access to SharePoint Online documents.
By default, these links do not exist and need to be enabled manually. When this happens, SharePoint creates hidden user accounts for each link type depending on whether the external user was granted “View only” or “Edit” permissions.
These accounts are all listed as Anonymous Guest Link in your ShareGate permissions matrix report, with checkmarks indicating whether the external user has “Contribute” or “Read” access:

You will also see any pending external user invitations in your report. Invitations usually expire after a week, but since these invitations can be used to access certain resources on your SharePoint site, ShareGate displays them in your report as long as the invitation is not accepted and hasn’t expired yet.
External users can also be invited to join SharePoint groups. If you expand the associated SharePoint group, you’ll be able to see these invitations there.
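The review described above can be applied to an exported CSV. The following is an added example, not ShareGate's code: it flags anonymous guest links, pending invitations, external users and direct Full Control grants. The column names (Object, Principal, PrincipalType, PermissionLevel, Inherited) and the sample rows are assumptions constructed for illustration, so map them to the headers in your actual export.

```python
import csv
import io

# Constructed sample export. Column names are assumptions, not ShareGate's schema.
SAMPLE_CSV = """Object,Principal,PrincipalType,PermissionLevel,Inherited
/sites/finance,Finance Owners,SharePointGroup,Full Control,No
/sites/finance/Docs/budget.xlsx,Anonymous Guest Link,GuestLink,Contribute,No
/sites/finance/Docs/budget.xlsx,alex_partner.example#EXT#@contoso.onmicrosoft.com,User,Edit,No
/sites/finance/Docs,Finance Members,SharePointGroup,Edit,Yes
/sites/hr,pat@partner.example,PendingInvitation,Read,No
/sites/hr,sam@contoso.example,User,Full Control,No
/sites/hr/Policies,lee_partner.example#EXT#@contoso.onmicrosoft.com,User,Read,No
"""

WRITE_LEVELS = {"full control", "edit", "contribute"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def classify(row):
    """Return (severity, reason) for one report row, or None if nothing to flag."""
    principal = row["Principal"].strip().lower()
    ptype = row["PrincipalType"].strip().lower()
    level = row["PermissionLevel"].strip().lower()
    can_write = level in WRITE_LEVELS
    if principal == "anonymous guest link":
        return ("high" if can_write else "medium", "anonymous guest link")
    if ptype == "pendinginvitation":
        return ("medium", "pending external invitation")
    if "#ext#" in principal:  # guest accounts carry #EXT# in their login name
        return ("high" if can_write else "low", "external user")
    if level == "full control" and ptype == "user":
        return ("medium", "Full Control granted directly to a user")
    return None


def triage(csv_text):
    """Flag rows worth a manual look, most severe first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Inherited"].strip().lower() == "yes":
            continue  # inherited grants are reviewed where they are defined
        hit = classify(row)
        if hit:
            findings.append({"object": row["Object"], "principal": row["Principal"],
                             "severity": hit[0], "reason": hit[1]})
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


if __name__ == "__main__":
    for f in triage(SAMPLE_CSV):
        print(f'{f["severity"]:<6} {f["reason"]:<40} {f["principal"]} on {f["object"]}')
```

Group rows are not expanded here, so external members or invitations inside a SharePoint group only surface if the export lists them as their own rows.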
Wondering about which reports you should run to stay on top of security? Check out our article on SharePoint reports to schedule regularly.