Want to generate a SharePoint permissions report without using PowerShell? With ShareGate, it’s easy to audit your SharePoint Online permissions—we explain how and walk you through the steps to set up a permissions matrix report.
There is no single best way to manage your SharePoint permissions. Employing multiple strategies can help you ensure your data stays secure over time. And choosing the right combination for your organization depends on your individual needs and overarching governance plan.
Learn SharePoint Online: Best practices, tips, and tricks.
Data security should be a part of every organization’s governance plan.
A great way to maintain data security? Conduct regular SharePoint permission audits periodically.
You’ll find a variety of built-in and custom reports in ShareGate that can help you monitor security the way you want and simplify SharePoint management.
Here, we’ll walk you through the steps to set up and run our popular Permissions Matrix Report so you can get a complete overview of all the permissions given to users and groups in SharePoint and Microsoft 365 without the need for PowerShell.
Table of contents
- What SharePoint security means at ShareGate
- Why audit SharePoint Online permissions?
- What are the SharePoint permission levels that are available?
- SharePoint Online user permissions report—the ShareGate way
- How to create a SharePoint permissions matrix report with ShareGate
- Review your permissions matrix report results to maximize SharePoint security
What SharePoint security means at ShareGate
There’s the governance plan, rules, and processes to follow—and then comes the reality. Sometimes, you don’t have the time or total control to ensure every action taken inside your SharePoint complies with the initial plan.
SharePoint security might have different meanings depending on your business and your governance. For us, SharePoint security must answer these questions:
- Who has access to my site/content, and from where do they have access?
- What is my permissions structure like?
- What are the activities, and who takes them inside my SharePoint content?
- Am I taking any risks by allowing external sharing in Microsoft 365?
- Can I take action to correct security breaches quickly?
Why audit SharePoint Online permissions?
We can all agree that SharePoint and Microsoft 365 are powerful tools that enable unprecedented levels of collaboration and productivity. That being said, bringing all of your employees together within the same environment comes with its fair share of security concerns.
So how do you make sure everyone has access to the right things?
Placing unnecessary restrictions on end users can hinder productivity and cause them to turn to other, unapproved tools: the dreaded shadow IT.
On the other hand, excessive access rights can put the security of your organization’s data at risk—enabling users to view, edit, share, or even delete sensitive information they shouldn’t have access to in the first place.
That’s why, to minimize the risk of data leaks, it’s crucial that you regularly audit permissions in SharePoint Online.
Unfortunately, there’s no easy Microsoft out-of-the-box solution or built-in report inside SharePoint that allows you to do this. You would need to manually dive in and check individual user permissions—or list the current permissions for each SharePoint site by using complex Microsoft PowerShell scripts.
That’s where ShareGate’s centralized reporting comes in. 👍
SharePoint permission levels
There are three standard permission groups that enable you to manage SharePoint permissions within a site:
For IT admins, Groups is key for modern workplace governance because it has a sense of centralized management.
There are a variety of permission levels that allow users to access the resources they need.
- For Site collection owners
- Contains all available SharePoint permissions, meaning individuals and groups can carry out any activity – from creating sites to editing lists and libraries or deleting documents.
- For group members – typically heads of departments/the person running a department’s site.
- Lets users add, edit, and delete content (e.g., documents, pages, and announcements).
- Usually for someone invited to participate in work but not to make changes.
- It’s only possible to view pages and items in existing lists and download documents.
In short, permission levels tend to group actions and define what users can and can’t see within your enterprise IT solution. You may not want some users to be able to see a certain site at all. Or, in other cases, you might just want to let them see certain lists and libraries but not be able to change or contribute to them.
Knowing which permissions to apply and how to use them requires an intimate understanding of your organization’s needs.
SharePoint Online user permissions report—the ShareGate way
Trying to audit SharePoint site permissions manually is time-consuming, not to mention the risk of human error. And as soon as you’ve finished all the necessary steps to audit every site, you need to start the whole process over again—user permissions need to be audited regularly to keep data secure on an ongoing basis.
Instead, minimize the time you spend on SharePoint administration tasks by running a single report in ShareGate: the built-in permissions matrix report.
ShareGate’s permissions matrix report
ShareGate’s built-in permissions matrix report helps you uncover the permissions and access given to users and groups in your SharePoint and Microsoft 365.
The permissions matrix report enables you to quickly identify which users have access to what in one clean and comprehensible matrix—saving you valuable time that would otherwise be spent performing the repetitive tasks required to monitor and manage permissions regularly.
You can run the report on multiple site collections at once, and it will work the same whether you’re using SharePoint, Microsoft 365, or both in a hybrid scenario.
With the results from the permissions matrix report, you can see:
- All site owners, site members, user and group permissions, and each one’s permission level
- Objects that have inherited permissions
- Microsoft 365 external users (including pending invitations and anonymous guest links)
How to create a SharePoint permissions matrix report with ShareGate
Ready to run your first permissions matrix report in ShareGate? We’ll walk you through the steps!
Prerequisites: Before you get started, make sure you’ve connected ShareGate to an environment as a Global or SharePoint administrator, and that you have site collection administrator rights for the environments within the scope of the report.
In ShareGate, navigate to the Security screen by clicking on the Security tab on the left navigation. Then click on Run permissions matrix report under Security essentials.
Select the target of the report, then click Next.
On the next screen, set your desired report options from the options outlined below the image, then click Schedule or Run now.
Users and groups
Select All users and groups, External users, or Specific users and groups. If you selected Specific users and groups, begin typing the user’s name and select the appropriate user from the dropdown.
Select whether or not you would like lists and libraries and list contents to be included in the scope of the report.
If you choose to include your list contents, note that the report will only show you permissions on folders, documents, and list items that have custom permissions (permissions not inherited by the parent).
Setup automatic export
If you want ShareGate to export a copy of the completed report automatically when finished, click on Setup automatic export before running the report. Check out our support documentation on how to set up automatic export to SharePoint library for more info and detailed instructions.
Review your permissions matrix report results to maximize SharePoint security
Once ShareGate has finished running your permissions matrix report, you’ll be able to see which users and groups have access in your environment.
If any errors popped up, you can click on Error details for more info to help you fix the problem fast.
Permissions for SharePoint groups and Active Directory security groups are not initially expanded. You can click on the expand icon (the plus sign) to view the members, owners, or visitors of a given group.
To view the inherited permissions of an object, click on View (next to where it says Same as parent).
Guest links and external user invitations
You can also view sharing links that are currently being used to grant access to SharePoint Online documents to guests outside of your organization’s Microsoft 365.
By default, these links do not exist and need to be enabled manually. When this happens, SharePoint creates hidden user accounts for each link type depending on whether the external user was granted “View only” or “Edit” permissions.
These accounts are all listed as Anonymous Guest Link in your ShareGate permissions matrix report, with checkmarks indicating whether the external user has “Contribute” or “Read” access:
You will also see any pending external user invitations in your report. Invitations usually expire after a week, but since these invitations can be used to access certain resources on your SharePoint site, ShareGate displays them in your report as long as the invitation is not accepted and hasn’t expired yet.
External users can also be invited to join SharePoint groups. If you expand the associated SharePoint group, you’ll be able to see these invitations there.
Wondering about which reports you should run to stay on top of security? Check out our article on SharePoint reports to schedule regularly.