Visitors Can Edit Files Despite Read Permission: Causes and Workarounds

You set a SharePoint site visitor group to Read permission, but members can still edit files. This contradiction often stems from inheritance breaks, item-level permissions, or sharing links that grant higher access. The root cause is that SharePoint permission levels apply at the site level, but individual items like documents, folders, or lists can have separate permission settings. This article explains why visitors with Read permission can edit files and provides workarounds to enforce read-only access.

The problem occurs when a file or folder inherits permissions from a parent object that allows editing, or when a sharing link with Edit rights is sent to visitors. Additionally, if the site uses Microsoft 365 Groups, the group members might have Contributor access through the group, overriding the site-level Read permission. Understanding these causes helps you apply the correct fix.

This article covers the technical reasons behind this permission conflict, step-by-step methods to verify and correct permissions, and workarounds for common scenarios. You will learn how to check permission inheritance, remove unintended edit links, and use SharePoint admin center settings to prevent edits.

Key Takeaways: Fixing Edit Access for Read-Only Visitors

  • Site Permissions > Check Permission: Use this tool to see the effective permissions for a specific user on a site or item.
  • Library Settings > Permissions for This Document Library: Stop inheriting permissions and set unique Read permission on the library to block edits.
  • Sharing Links > Advanced Settings: Remove any sharing links with Edit rights sent to visitors and resend links with View only.

Why Visitors With Read Permission Can Still Edit Files

SharePoint permission levels are hierarchical. A site-level Read permission grants users the ability to view pages, list items, and documents. However, this permission can be overridden at the list, library, folder, or item level. If any of these child objects have unique permissions that include Edit or Contribute, visitors will be able to modify files.

Another common cause is the use of sharing links. When a user with Edit rights creates a sharing link for a file and sends it to a visitor, that link provides the visitor with Edit access regardless of the visitor’s site-level permission. The link permission is independent of site permissions.

Microsoft 365 Groups connected to a SharePoint site also affect permissions. If the site is group-connected, all group members automatically get Contributor access to the site. Even if you add those same users to a Visitors group with Read permission, the group membership overrides the site permission because the group’s Contributor role is applied at the site level.

Permission Inheritance and Breaking

By default, all items in a SharePoint site inherit permissions from the site. When an administrator or site owner breaks inheritance on a library or folder and assigns unique permissions, they might accidentally grant Edit access to the Visitors group. This is the most frequent technical reason for the problem.

Sharing Link Override

A sharing link with Edit permission bypasses all site-level restrictions. The link recipient can edit the file even if their user account has Read permission on the site. This happens because the link grants a separate token of access that does not check site permissions.

Steps to Diagnose and Fix Permission Conflicts

  1. Check effective permissions for a visitor
    Go to the site where the issue occurs. Select Settings > Site Permissions. Choose Check Permissions. Enter the visitor’s email address and select Check Now. The result shows the exact permission level the user has on the site. If it shows Edit or Contribute instead of Read, the user has higher access through a group or direct assignment.
  2. Review permission inheritance on the library
    Navigate to the library where files are being edited. Select the gear icon > Library Settings. Under Permissions and Management, select Permissions for This Document Library. If the ribbon shows Manage Parent, the library inherits permissions from the site. If it shows Delete Unique Permissions, the library has its own permission set. Click Delete Unique Permissions to revert to site inheritance, which will enforce the site-level Read permission.
  3. Remove unique permissions on affected folders or files
    If you want to keep unique permissions on the library, check individual folders and files. Select the file or folder, select the ellipsis menu, then Manage Access. Under Advanced Settings, select Stop Inheriting Permissions. Then remove any user or group that has Edit permission and add the Visitors group with Read permission. Ensure no other groups with Edit remain.
  4. Identify and revoke sharing links with Edit rights
    In the library, select the file that visitors can edit. Select the ellipsis menu > Manage Access. Under Links, review all sharing links. If any link shows Can Edit, select the link and choose Remove. Create a new link with Can View and send it to the visitors.
  5. Verify Microsoft 365 Group membership
    If the site is connected to a Microsoft 365 Group, go to the group in Outlook or the Microsoft 365 admin center. Check if the visitors are members of the group. If they are, remove them from the group or change the group’s SharePoint site permission to Read. In the SharePoint admin center, select Active sites, choose the site, and under Settings > Site permissions, set the group’s permission level to Read.
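
The diagnostic steps above can be expressed as one check over a permissions inventory. The following is an added example, not part of the original article and not SharePoint's API: a simplified Python model that finds the object an item takes its permissions from, then lists every role assignment or sharing link that gives a user edit rights. The site structure, group names, and email addresses are constructed for illustration.

```python
# Added illustration: a simplified model, not SharePoint's API. All data is constructed.
from dataclasses import dataclass, field
from typing import Optional

EDIT_LEVELS = {"Contribute", "Edit", "Design", "Full Control"}

@dataclass
class Node:
    name: str
    parent: Optional["Node"] = None
    unique: Optional[dict] = None              # principal -> level; None = inherits
    links: list = field(default_factory=list)  # (link type, set of recipients)

def permission_scope(node):
    """Walk up to the nearest object that holds its own permissions."""
    while node.unique is None:
        node = node.parent
    return node

def edit_paths(user, groups, node):
    """Return every reason `user` can edit `node` as (source, detail) tuples."""
    findings = []
    scope = permission_scope(node)
    principals = {user} | {g for g, members in groups.items() if user in members}
    for principal, level in scope.unique.items():
        if principal in principals and level in EDIT_LEVELS:
            findings.append(("permission", f"{principal}={level} on {scope.name}"))
    cur = node  # a link on a folder also covers the files inside it
    while cur is not None:
        for link_type, recipients in cur.links:
            if link_type == "Can Edit" and (user in recipients or "Anyone" in recipients):
                findings.append(("sharing link", f"Can Edit link on {cur.name}"))
        cur = cur.parent
    return findings

# Constructed hierarchy: site -> library -> folder/files
site = Node("Site", unique={"Visitors": "Read", "Members": "Edit", "M365 Group": "Edit"})
library = Node("Documents", parent=site)  # inherits from site
drafts = Node("Drafts", parent=library, unique={"Visitors": "Contribute"})  # broken inheritance
report = Node("report.docx", parent=drafts)
policy = Node("policy.docx", parent=library, links=[("Can Edit", {"vera@example.com"})])
handbook = Node("handbook.docx", parent=library)
groups = {"Visitors": {"vera@example.com", "gus@example.com"},
          "M365 Group": {"gus@example.com"}}

if __name__ == "__main__":
    for user in ("vera@example.com", "gus@example.com"):
        for item in (report, policy, handbook):
            print(user, item.name, edit_paths(user, groups, item) or "read-only")
```

An empty result means the user is read-only on that item; each tuple otherwise names the object where the fix has to be applied.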

If Visitors Still Have Edit Access After the Main Fix

Visitor Account Has Direct Edit Permission on a Subsite

If your site has subsites, each subsite can have its own permission settings. A visitor might have Read permission on the root site but Edit permission on a subsite. Check permissions on each subsite using Check Permissions. Remove the visitor from any subsite group that grants Edit, or ensure the subsite inherits permissions from the parent site.

File Versioning Allows Edits Through Check Out

Even with Read permission, a user can check out a file if the library allows it. Check out is an edit operation. In Library Settings > Versioning Settings, set Require Check Out to No. This prevents check-out actions for read-only users.

Anonymous Access or External Sharing Links

If the site allows anonymous access, any user with the link can edit if the link type is Edit. Review external sharing settings in the SharePoint admin center. Under Policies > Sharing, set external sharing to Only people in your organization or to Specific people. Remove any anonymous Edit links from the library.

| Item | Site-Level Read Permission | Item-Level Edit via Link |
|---|---|---|
| Description | Applied to the entire site via a SharePoint group | Applied to a single file or folder via a sharing link |
| Scope | All items in the site | Only the specific item shared |
| Override behavior | Can be overridden by unique permissions on child objects | Overrides site-level Read permission for that item |
| Management location | Site Settings > Site Permissions | File or folder > Manage Access > Links |
| Fix method | Delete unique permissions or adjust group membership | Remove the Edit link and create a View link |

You can now identify why visitors with Read permission can edit files and apply the correct workaround. Start by checking effective permissions and reviewing sharing links. If the issue persists, examine permission inheritance on libraries and folders. As an advanced tip, use SharePoint admin center > Active sites > Policies > Sharing to disable Anyone links entirely, which prevents external users from receiving Edit links that bypass site permissions.
