How to regain control of Microsoft 365 permissions

Uncontrolled permissions can expose sensitive company data. Learn how to take control of Microsoft 365 permissions with a clear framework, practical tools, and governance best practices.
Microsoft 365 permissions can often spiral out of control faster than you can govern them. Hybrid work, external collaboration, and AI integrations surface sensitive data everywhere across apps, devices, and environments.
And before long, shadow IT creeps in, unapproved sharing links linger, and IT teams are stuck in cleanup mode. With all this going on, it’s easy to lose track of who has access to what.
In our webinar, Liam covered how to regain control of Microsoft 365 permissions. He broke down practical strategies, tools, and pitfalls to help you keep Microsoft 365 secure and efficient.
Watch the on-demand webinar, How to control Microsoft 365 permissions—before they control you, to see Liam’s demos and advice.
Or, keep reading for the key takeaways.
Microsoft 365 permissions grow faster than anyone can manually manage
With hybrid work now the norm, more people are connecting to their Microsoft 365 environment from more devices, networks, and locations than ever. There are employees working from home, contractors joining for short-term projects, and external collaborators hopping into Teams. Everyone is creating, sharing, and accessing data daily.
And it’s not just users. AI tools, integrations, and unmanaged connectors surface sensitive data across your environment, often bypassing established controls. Combine that with manual oversight that just can’t keep up, and things get out of hand fast.
“Access in Microsoft 365 evolves minute by minute.”
— Liam Cleary, Microsoft Certified Trainer, MVP Alumni, & CEO at SharePlicity
The problem? Lack of visibility
Think of a shared file that stays public months too long, or a guest account no one remembers to remove. That is everyday work, and it is normal for things to slip through.
Liam often sees it firsthand during Microsoft 365 security assessments. He finds guest users that are still lingering, shared links left public, and internal content drifting outside the organization’s boundaries without any protection.
It’s rarely done on purpose. The real issue is that no one has a clear line of sight into who has access to what.
Avoid the messy pitfalls that cause chaos in the first place
Access changes constantly: new teams, shared files, app connections, guest invites, etc. Without automated checks or a governance framework in place, it’s difficult to stay on top of it all.
And when there’s no clear ownership or visibility, the risks start to add up. Productivity slows, insider risk increases, and compliance concerns grow.
Many organizations wait until things get messy to step in. But cleanup alone isn’t enough. To stay secure and support productivity, you need to be proactive. That means building intentional access policies, automating reviews, and designing with scale in mind.
Microsoft 365 governance is about making sure the right people have the right access for the right reasons
Governance isn’t about locking things down; it’s about bringing clarity and control to how access is granted, used, and reviewed. Liam’s “four questions” model defines how every organization should evaluate access:
1. Who has access?
2. Why was it granted?
3. How long should it last?
4. How will it be reviewed?
Build a resilient governance model
Once you’ve anchored your thinking around those four questions, apply these foundational pillars to give structure and resilience to your permissions model:
- Least Privilege: Grant only what’s necessary, avoiding broad or default admin rights.
- Just‑in‑Time Access: Allow elevated permissions when needed and ensure they’re removed as soon as the need ends.
- Separation of Duties: No one person should control the entire process from request to approval to review.
- Role‑Based Access Control (RBAC): Align permissions to roles/functions rather than individuals so that scale and change are easier to manage.
- Clear ownership and accountability: Every resource (team, site, group) should have a named owner who reviews and maintains access over time.
Together, these pillars form what Liam calls the “balanced governance model”, a framework built not just for control but for clarity and accountability, too.
Access should follow a simple lifecycle
Access needs to be managed from start to finish, not just when someone joins a team. Here’s the 3-step lifecycle Liam recommends:
1. Request and approve
Someone asks for access, and it’s approved based on your policies.
2. Provision and monitor
Access is granted (ideally through automation) and tracked in case anything changes.
3. Review and revoke
Access is reviewed regularly. Anything outdated gets removed.
Even if parts of this process are manual, they should be clearly documented and assigned to someone.
People are a big part of governance
Don’t forget the human side of governance. The right tools are great, but they don’t run themselves. You still need people to keep governance, security, and permission management running smoothly:
- Business owners approve access and know who needs what.
- IT admins set up and enforce the rules.
- Security teams check that policies meet your standards.
- Auditors make sure what’s happening matches the rules.
- Executives give the program visibility and support.
- End users need to understand what responsible access looks like.
To control permissions and enforce accountability, combine Microsoft 365 built-in governance tools with organizational commitment
If manual access management doesn’t scale, what does that mean? How do I gain control?
Microsoft 365 offers built-in governance tools to help you control permissions.
Microsoft Entra ID Governance
Helps you control who has access to resources, why they have it, and for how long. It automates approvals, reviews, and removals to keep access up to date.
Conditional Access
Lets you decide when and how users can sign in. You can set rules based on things like location, device type, or risk level.
How to create a Conditional Access policy
1. In the Microsoft Entra admin center, go to Protection > Conditional Access > Policies > New policy.
2. Name your policy clearly (e.g., CA001_Require_MFA_for_Admins).
3. Under Assignments > Users, include Directory roles and pick the admin roles to cover (e.g., Global Administrator). Exclude your break-glass emergency accounts so a misconfigured policy can never lock every admin out.
4. Under Target resources, choose Microsoft Admin Portals.
5. Under Conditions, add only what this policy needs. Every condition narrows where the policy applies: adding User risk: Medium or high, for example, makes it fire only for admins whose accounts are already flagged as risky, which is not what a baseline “MFA for admins” rule should do. Put risk-based rules, device platform rules, and location rules (blocking or allowing specific countries or IP ranges) in their own policies.
6. Under Access controls > Grant, select Grant access and Require multifactor authentication.
7. Under Session, set Sign-in frequency (e.g., reauthenticate every 12 hours).
8. Create the policy in Report-only mode, check the sign-in logs for what it would have blocked, and only then switch it to On.
Pro Tip: Name and tag policies consistently so auditors can trace them to written governance rules.
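The same policy built with Microsoft Graph PowerShell, as an added example that is not from the webinar or from Microsoft’s documentation. It creates the policy in report-only mode, resolves the admin role IDs by name instead of hard-coding them, and deliberately leaves out risk and location conditions so the baseline rule covers every admin sign-in. The policy name and 12-hour interval come from the steps above; the role list, the break-glass account ID, and the Graph scopes are assumptions.

```powershell
# Added example (not from the webinar): create CA001_Require_MFA_for_Admins with
# Microsoft Graph PowerShell, in report-only mode. Requires the Microsoft.Graph module
# and an account allowed to manage Conditional Access.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "RoleManagement.Read.Directory"

# Resolve directory role template IDs by display name (role list is an assumption).
$adminRoleNames = @("Global Administrator", "Exchange Administrator", "SharePoint Administrator")
$roleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -in $adminRoleNames } |
    Select-Object -ExpandProperty Id

$policy = @{
    displayName = "CA001_Require_MFA_for_Admins"
    # Report-only: evaluated and logged, not enforced, until you have reviewed the results.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeRoles = $roleIds
            # Keep the break-glass account out of every CA policy (object ID is an assumption).
            excludeUsers = @("00000000-0000-0000-0000-000000000000")
        }
        applications = @{
            # Well-known target that covers all Microsoft admin portals.
            includeApplications = @("MicrosoftAdminPortals")
        }
        clientAppTypes = @("all")
        # No userRiskLevels or locations here on purpose: a baseline policy must apply
        # to every admin sign-in, not only to the risky ones.
    }
    grantControls = @{
        operator = "OR"
        builtInControls = @("mfa")
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled = $true
            type = "hours"
            value = 12
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.DisplayName) ($($created.Id)) in state $($created.State)"

# Once the report-only sign-in logs show no unexpected blocks, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

The policy object mirrors the portal fields one to one, which is what makes the Pro Tip practical: an auditor can read the exported JSON of CA001 and match it to the written rule without opening the portal.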
Privileged Identity Management (PIM)
Gives admin permissions only when they’re needed. It adds time limits and approval steps to reduce the risk of always‑on admin access.
How to set up an eligible role assignment in Privileged Identity Management
1. In the Microsoft Entra admin center, go to Identity governance > Privileged Identity Management > Microsoft Entra roles.
2. Select a role (e.g., Exchange Administrator).
3. Under Assignments, click Add assignments.
4. Choose the member (user or group).
5. Set the assignment type to Eligible rather than Active: the person gets no standing access and must activate the role each time they need it. Give the eligibility itself an end date instead of leaving it permanent.
6. Under Role settings for that role, set the activation maximum duration (e.g., 2 hours).
7. In the same role settings, require justification and MFA on activation (and approval for the most sensitive roles).
8. Enable notifications so the security team is alerted on activation events.
9. Review role settings regularly to ensure durations and approvals are current.
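The same setup with Microsoft Graph PowerShell, as an added example that is not from the webinar. Part 1 tightens the role’s activation settings (the role settings from steps 6 and 7), part 2 creates the eligible assignment from step 5, and part 3 is what the eligible user runs to activate. The user principal name, justifications, and durations are assumptions; the rule IDs Expiration_EndUser_Assignment and Enablement_EndUser_Assignment are the PIM policy rules that govern end-user activation.

```powershell
# Added example (not from the webinar): PIM for the Exchange Administrator role with
# Microsoft Graph PowerShell. Requires the Microsoft.Graph module.

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "RoleManagementPolicy.ReadWrite.Directory", "User.Read.All"

$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Exchange Administrator'"
$user = Get-MgUser -UserId "alex.mailadmin@contoso.example"   # assumed UPN

# --- 1. Role settings live in the PIM policy bound to this role at tenant ("/") scope ---
$policyId = (Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'").PolicyId

# Rules that apply when an eligible user activates (caller = EndUser, level = Assignment).
$endUserTarget = @{
    caller = "EndUser"; operations = @("All"); level = "Assignment"
    inheritableSettings = @(); enforcedSettings = @()
}

# Activation may last at most 2 hours.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" -BodyParameter @{
        "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
        id                   = "Expiration_EndUser_Assignment"
        isExpirationRequired = $true
        maximumDuration      = "PT2H"
        target               = $endUserTarget
    }

# Every activation needs MFA and a written justification.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
        id            = "Enablement_EndUser_Assignment"
        enabledRules  = @("MultiFactorAuthentication", "Justification")
        target        = $endUserTarget
    }

# --- 2. Eligible assignment: no standing access, and the eligibility itself ends after 180 days ---
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = "adminAssign"
    justification    = "On-call rotation for mailbox operations"
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "P180D" }
    }
}

# --- 3. Activation, run by the eligible user when needed; the role drops off after 2 hours ---
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
    action           = "selfActivate"
    justification    = "Ticket 4711: investigate a mail flow rule"   # constructed justification
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "PT2H" }
    }
}
```

The activation notifications from step 8 are rules on the same policy (the Notification_* rule IDs) and are updated with the same Update-MgPolicyRoleManagementPolicyRule pattern. The point of the split into three parts is the governance one: the admin configures the limits once, the user never holds the role between tasks, and every activation leaves a justification behind for the review step.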
Access Reviews
Helps you regularly check who still needs access to apps, groups, or roles. You can schedule reviews so outdated permissions are cleaned up automatically.
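A scheduled review of the kind described above, as an added example that is not from the webinar: a quarterly access review of every guest in every Microsoft 365 group, reviewed by each group’s owners (the named owner from the governance pillars), with auto-apply so that guests nobody vouches for are removed without an admin doing cleanup. The review name, descriptions, start date, and durations are assumptions.

```powershell
# Added example (not from the webinar): recurring guest access review with Microsoft
# Graph PowerShell. Requires the Microsoft.Graph module.

Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

$review = @{
    displayName             = "Quarterly review of guests in Microsoft 365 groups"
    descriptionForAdmins    = "Group owners confirm each guest still needs membership."
    descriptionForReviewers = "Deny any guest you cannot account for. Unreviewed guests are removed."
    # Who is reviewed: the guest users among each group's members.
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "./members/microsoft.graph.user/?`$count=true&`$filter=(userType eq 'Guest')"
        queryType     = "MicrosoftGraph"
    }
    # Which groups get their own review instance: every Microsoft 365 (Unified) group.
    instanceEnumerationScope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups?`$filter=(groupTypes/any(c:c eq 'Unified'))"
        queryType     = "MicrosoftGraph"
    }
    # Reviewers: the owners of each group, not IT.
    reviewers = @(
        @{ query = "./owners"; queryType = "MicrosoftGraph" }
    )
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        recommendationsEnabled          = $true   # flags guests with no recent sign-in
        instanceDurationInDays          = 14
        autoApplyDecisionsEnabled       = $true   # denied guests are removed automatically
        defaultDecisionEnabled          = $true
        defaultDecision                 = "Deny"  # no response within 14 days counts as a deny
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3; dayOfMonth = 1 }
            range   = @{ type = "noEnd"; startDate = "2025-01-01" }
        }
    }
}

$definition = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $review
"Created review '$($definition.DisplayName)' with id $($definition.Id)"
```

The two settings that turn a review into governance rather than a survey are defaultDecision = Deny and autoApplyDecisionsEnabled: an owner who ignores the review loses the guests, which is the right failure mode for external access.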
Security initiatives only succeed when they support, not hinder, productivity
If you can't lock everything down because end users need to do their jobs, how do you find middle ground?
The everyday challenge of governance is keeping data safe without slowing employees down.
According to Liam, security only works when it supports productivity—not when it blocks it.
It starts with the fundamentals:
- Enforce multi-factor authentication
- Block risky or suspicious sign-ins
- Use Conditional Access to adapt to real-world risk in real time
- Apply Privileged Identity Management so admin roles are temporary, not always on
On the productivity side, your goal is to remove friction where it’s safe to do so. Let users request access through self-service. Keep sign-ins simple for trusted, compliant users. And avoid bottlenecks where IT becomes the blocker.
To make collaboration and sharing feel easy, you need the right guardrails in place
Liam explains that while Microsoft 365 is built for openness, it’s up to you to make sure that openness doesn’t become overexposure. With platforms like SharePoint Online encouraging open, even anonymous sharing, it’s critical to put secure boundaries in place.
That means taking control of how external and guest access are handled from the moment a guest is invited to the moment their access should end.
- Have clear, secure policies for guest access
- Enable automatic expiration for external accounts
- Restrict which domains users can share with
- Review guest access regularly, so accounts don’t linger unnoticed
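One way to put those four guardrails into tenant settings, as an added example that is not from the webinar. Part 1 uses the SharePoint Online Management Shell to turn off anonymous links, restrict sharing to an allow list of partner domains, and make guest access expire automatically; part 2 uses Microsoft Graph PowerShell to list guests who have never signed in or have not signed in for 90 days, so the review step has something concrete to act on. The admin URL, partner domains, and thresholds are assumptions, and signInActivity requires a Microsoft Entra ID P1 or P2 license in the tenant.

```powershell
# Added example (not from the webinar): guest and sharing guardrails. Requires the
# Microsoft.Online.SharePoint.PowerShell and Microsoft.Graph modules.

# --- 1. Sharing policy: authenticated guests only, approved domains, automatic expiry ---
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # assumed tenant

# No anonymous "Anyone" links: external recipients must sign in as guests.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# Only the listed partner domains can receive shares or invitations (assumed domains).
Set-SPOTenant -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList "partner.example fabrikam.example"

# Guest access to SharePoint and OneDrive content ends after 60 days unless an owner renews it.
Set-SPOTenant -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 60

# New sharing links default to "People in your organization" rather than "Anyone".
Set-SPOTenant -DefaultSharingLinkType Internal

# --- 2. Find lingering guests: never signed in, or not within the last N days ---
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All"

function Get-StaleGuest {
    param([int]$Days = 90)
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$Days)
    Get-MgUser -Filter "userType eq 'Guest'" -All `
        -Property Id, DisplayName, Mail, CreatedDateTime, SignInActivity |
      Where-Object {
        $last = $_.SignInActivity.LastSignInDateTime
        if ($last) { $last -lt $cutoff }               # signed in, but too long ago
        else       { $_.CreatedDateTime -lt $cutoff }  # invited long ago, never signed in
      } |
      Select-Object DisplayName, Mail, CreatedDateTime,
        @{ Name = "LastSignIn"; Expression = { $_.SignInActivity.LastSignInDateTime } }
}

# Hand the list to the inviting owners before removing anyone; removal is Remove-MgUser -UserId <id>.
Get-StaleGuest -Days 90 | Export-Csv -Path ".\stale-guests.csv" -NoTypeInformation
```

The SharePoint settings only govern files and sites; the guest account itself lives in Entra ID, which is why the second part reports on the account rather than on links, and why an expired SharePoint guest still needs to be removed or reviewed at the directory level.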
“Sustainable governance thrives on a very fine balance between safety and efficiency.”
— Liam Cleary, Microsoft Certified Trainer, MVP Alumni, & CEO at SharePlicity
Key takeaways
If you’re just starting out, these four high-level points are a great place to start:
- Map your environment. Visibility is the foundation of control. Know who has access to what.
- Automate the lifecycle. Use Entra ID Governance, PIM, and Access Reviews to replace manual work with policy-driven automation.
- Balance protection and productivity. Apply Zero Trust adaptively so users can work freely while data stays secure.
- Evolve continuously. Governance is an ongoing discipline, not a one-time project—review, measure, and optimize often.