You are listed as a site owner in SharePoint, but you see an Access Denied message when you try to open the site or perform specific actions. This happens because SharePoint permission inheritance is broken or because the site owner lacks permissions at a higher level, such as the site collection or tenant. This article explains the root causes of this behavior and provides step-by-step instructions to restore full access.
Key Takeaways: Resolving Access Denied for Site Owners
- SharePoint admin center > Active sites > Permissions: Check if the user is in the site owners group at the site collection level, not just a subsite.
- Site Permissions > Check Permissions: Use this tool to see exactly which permissions the user has and where they come from.
- Site collection > Site Permissions > Permission Levels: Verify the user’s permission level includes the rights needed for the action they are trying to perform.
Why a Site Owner Sees Access Denied in SharePoint
SharePoint permissions are hierarchical. A user can be an owner of one subsite but not have access to the parent site collection or to specific resources like lists, libraries, or pages that have unique permissions. The most common cause is that the site owner is assigned to a SharePoint group at the subsite level, but the action they are trying to perform requires permissions at the site collection level or on a specific item that has broken inheritance.
Another cause is that the site owner’s Microsoft Entra ID account is disabled, deleted, or has a license issue. If the user account is blocked or the SharePoint license is not assigned, the user will see Access Denied even if they are in the correct SharePoint group. Additionally, security groups or Azure AD groups used for site permissions may have been changed or removed.
Broken Permission Inheritance
When a site owner tries to access a subsite that has unique permissions, the owner role on the parent site does not automatically grant access. Each subsite or item with unique permissions requires its own permission assignment. If the site owner was not explicitly added to the permissions of that subsite or item, Access Denied appears.
Missing Site Collection Permissions
Some operations, such as changing site themes, enabling features, or managing site policies, require site collection administrator rights. A site owner who is only a member of the Owners group on a subsite does not have these elevated rights. The Access Denied message appears when the user attempts an action that requires site collection admin privileges.
Account or License Problems
If the user account is suspended, deleted, or the SharePoint license is removed, SharePoint blocks access. Even if the user appears in the site owners group, the underlying account status overrides the permission assignment. Check the Microsoft 365 admin center for account status and license assignment.
Steps to Diagnose and Fix Access Denied for a Site Owner
- Verify the user account is active and licensed
Go to the Microsoft 365 admin center at admin.microsoft.com. Select Users > Active users. Find the user and check the account status. It must say Active. Then select the user and click the Licenses and Apps tab. Ensure SharePoint Online (or Office 365) is assigned. If the account is blocked or the license is missing, reactivate the account or assign the license. - Check site collection ownership
Open the SharePoint admin center at admin.microsoft.com/SharePoint. Select Active sites. Find the site where the issue occurs. Click the site name, then select the Permissions tab. Check if the user is listed as a site collection administrator. If not, add them by clicking Add site collection admin and entering the user’s email address. - Test permissions with the Check Permissions tool
Navigate to the site where Access Denied appears. Click Settings (gear icon) > Site Permissions. On the ribbon, click Check Permissions. Enter the user’s email address and click Check Now. The tool shows exactly which permissions the user has and from which group or direct assignment. If the result shows only Limited Access or no access, the user is missing the necessary permissions. - Add the user to the site owners group at the correct level
If the user is only an owner of a subsite but needs access to the parent site, go to the parent site. Click Settings > Site Permissions. Click Advanced Permissions Settings. In the ribbon, click Grant Permissions. Add the user and select the Full Control permission level or add them to the Owners group for that site collection. - Restore broken permission inheritance
If the issue is on a specific list, library, or item, navigate to that resource. Click Settings > List Settings or Library Settings. Click Permissions for this document library (or list). If you see the message This library has unique permissions, break inheritance and add the site owner explicitly. Alternatively, click Delete unique permissions to inherit permissions from the parent site again. - Clear the browser cache and reauthenticate
Even after fixing permissions, cached credentials or stale cookies can still show Access Denied. Have the user clear their browser cache and cookies, then sign out and sign back in to Microsoft 365. Use a private browsing session to test the access after the permissions change.
If Access Denied Persists After the Main Fix
The user is a site owner but cannot access the site’s home page
This usually indicates that the user is not in the site collection administrators group. Even if they are in the Owners group of a subsite, the home page may be at the root site collection level. Add the user as a site collection administrator in the SharePoint admin center as described in step 2 above.
The user can browse the site but sees Access Denied when opening a document library
The library likely has unique permissions that do not include the user. Use the Check Permissions tool on that library. If the user has no access, go to Library Settings > Permissions for this document library and either grant the user permissions or delete unique permissions to inherit.
The user sees Access Denied only when using the SharePoint mobile app
The mobile app caches credentials separately. Clear the app cache or reinstall the app. Also ensure the user is not using an expired token. Sign out and sign back in within the app.
The site owner cannot share the site with external users
External sharing is controlled at the tenant level and site level. Even a site owner cannot enable external sharing if the tenant admin has disabled it. Check the SharePoint admin center > Policies > Sharing. If external sharing is allowed, go to the site settings > Site permissions > Access requests and sharing settings to verify the site-level sharing setting.
| Item | Site Owner (Subsite) | Site Collection Administrator |
|---|---|---|
| Permission scope | Limited to the subsite and its content | Entire site collection including root site and all subsites |
| Can change site theme | Yes, on the subsite only | Yes, on any site in the collection |
| Can manage site policies | No | Yes |
| Can add site collection admins | No | Yes |
| Can enable or disable features | Limited to site-scoped features | All site collection scoped features |
After applying the steps above, the site owner should have full access. If the problem continues, check the SharePoint audit log in the compliance center for any permission changes or unusual activity on the site. You can also use the Microsoft 365 Support and Recovery Assistant to diagnose account and license issues automatically.