When you migrate a document library from one SharePoint environment to another, the library often retains permission inheritance from the old site or library structure. This means users who should not have access can still see or edit files, creating security gaps. The cause is that migration tools copy the library with its unique permissions or inherited settings from the source intact. This article explains how to break permission inheritance on the migrated library and apply fresh, correct permissions.
Key Takeaways: How to Reset Permissions on a Migrated Library
- SharePoint library settings > Permissions for this document library: Use this path to break inheritance and manage unique permissions.
- Stop Inheriting Permissions button: Click this to disconnect the library from its parent site or library permissions.
- Remove unique permissions after migration: Use PowerShell or the SharePoint admin center to bulk-remove inherited permissions from migrated libraries.
Why Migrated Libraries Keep Old Permission Inheritance
When you migrate a SharePoint document library using tools like ShareGate, Metalogix, or the native SharePoint Migration Tool, the tool copies the library along with its permission settings. If the source library had unique permissions not inherited from the parent, the migrated copy retains those unique permissions. If the source library inherited permissions from its parent site, the migrated copy will try to inherit from the new parent site, which may have a different permission set. This mismatch causes the library to appear with old permission inheritance, often allowing unintended access.
The root technical behavior is that SharePoint stores permission inheritance as a property on each securable object (site, library, folder, item). Migration tools replicate this property exactly. After migration, you must manually break or restore inheritance to match your target environment. The migration process itself does not automatically reset permissions to target defaults.
Inherited vs Unique Permissions in SharePoint
In SharePoint, every library starts by inheriting permissions from its parent site. When you break inheritance, the library gets its own Access Control List (ACL) separate from the parent. After migration, the library may show as inheriting from the new parent site, but the actual user access may still reflect the old source settings. This is because the migration tool may copy the ACL but mark it as inherited, causing confusion. Always check the permission mode after migration.
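The post-migration check described above can be scripted. The following is an added example, not part of the original article: it assumes the PnP.PowerShell module and an existing `Connect-PnPOnline` session to the target site, and the group names in `$expected` are hypothetical. It goes beyond a single library by listing the permission mode and ACL of every document library in the site.

```powershell
# Added example: audit inheritance mode and ACL entries for all document libraries.
# Assumes PnP.PowerShell and an existing Connect-PnPOnline session to the target site.
$expected = @('Target Site Owners', 'Target Site Members', 'Target Site Visitors')  # hypothetical names

$report = foreach ($list in Get-PnPList -Includes HasUniqueRoleAssignments, RoleAssignments) {
    # BaseTemplate 101 = document library; skip hidden system libraries
    if ($list.BaseTemplate -ne 101 -or $list.Hidden) { continue }

    foreach ($ra in $list.RoleAssignments) {
        # Member and RoleDefinitionBindings are not loaded by default
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        [pscustomobject]@{
            Library   = $list.Title
            Mode      = if ($list.HasUniqueRoleAssignments) { 'Unique' } else { 'Inherited' }
            Principal = $ra.Member.Title
            LoginName = $ra.Member.LoginName
            Type      = $ra.Member.PrincipalType
            Roles     = ($ra.RoleDefinitionBindings | ForEach-Object Name) -join ', '
        }
    }
}

# Entries that are not in the expected set are candidates for review or removal
$report | Where-Object { $_.Principal -notin $expected } |
    Sort-Object Library, Principal | Format-Table -AutoSize
```

For an inheriting library the entries shown are those of the parent it inherits from, so unexpected principals there point to the parent site rather than the library itself.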
Steps to Break Permission Inheritance on a Migrated Library
Follow these steps to ensure the migrated library uses the correct permission inheritance. You will need at least Edit permissions on the library or Full Control on the site.
- Open the library settings
Navigate to the migrated library in the target SharePoint site. Click the gear icon (Settings) in the top-right corner, then select Library settings. If you are on a modern SharePoint page, click the ribbon menu and choose Settings > Library settings.
- Check current permission inheritance
In the left navigation pane of Library settings, click Permissions for this document library. You will see a banner stating either “This library inherits permissions from its parent” or “This library has unique permissions.” If it says inheriting, proceed to the next step. If it says unique, you can either keep the unique permissions or restore inheritance to the parent.
- Stop inheriting permissions
Click the Stop Inheriting Permissions button on the ribbon. A confirmation dialog appears. Click OK. The library now has unique permissions, but the old ACL from migration is still present. You must now remove unwanted users or groups.
- Remove migrated users and groups
In the Permissions page, you will see a list of users and groups. Check the boxes next to any that came from the old source and should not have access. Click Remove User Permissions from the ribbon. Confirm the removal. Repeat until only the correct users remain.
- Add correct permissions
Click Grant Permissions on the ribbon. Enter the users or groups that should have access to this library. Select the permission level (Read, Contribute, Edit, etc.) and click Share. The library now has fresh permissions not tied to the old environment.
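The same steps can be scripted. This is an added example, not part of the original article: it assumes the PnP.PowerShell module and an existing `Connect-PnPOnline` session, and the library name and the groups in `$keep` are placeholders. It runs as a dry run until `$apply` is set to `$true`.

```powershell
# Added example: break inheritance, remove principals that are not in $keep, grant the intended groups.
# Assumes PnP.PowerShell and an existing Connect-PnPOnline session to the target site.
$libraries = @('Your Library Name')           # libraries to fix (placeholder)
$keep = @{                                    # hypothetical target groups -> permission level
    'Target Site Owners'  = 'Full Control'
    'Target Site Members' = 'Edit'
}
$apply = $false                               # dry run; set to $true to change permissions

foreach ($name in $libraries) {
    $list = Get-PnPList -Identity $name -Includes HasUniqueRoleAssignments
    if (-not $list.HasUniqueRoleAssignments) {
        Write-Host "[$name] stop inheriting (copies the parent ACL, like the ribbon button)"
        if ($apply) { Set-PnPList -Identity $name -BreakRoleInheritance -CopyRoleAssignments | Out-Null }
    }

    # Reload so the ACL reflects the break above
    $list = Get-PnPList -Identity $name -Includes RoleAssignments
    foreach ($ra in @($list.RoleAssignments)) {   # @() copies the collection: entries are deleted while looping
        Get-PnPProperty -ClientObject $ra -Property Member | Out-Null
        if ($keep.ContainsKey($ra.Member.Title)) { continue }
        Write-Host "[$name] remove $($ra.Member.LoginName)"
        if ($apply) { $ra.DeleteObject() }
    }
    if ($apply) { Invoke-PnPQuery }               # send the queued deletions to the server

    foreach ($group in $keep.Keys) {
        Write-Host "[$name] grant $($keep[$group]) to $group"
        if ($apply) { Set-PnPListPermission -Identity $name -Group $group -AddRole $keep[$group] }
    }
}
```

Review the dry-run output before applying, and make sure `$keep` contains a group that the account running the script belongs to.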
Restoring Inheritance Instead of Unique Permissions
If you want the migrated library to inherit permissions from its new parent site, you can restore inheritance. This removes the old ACL entirely.
- Navigate to Permissions for this document library
Same path as above: Library settings > Permissions for this document library.
- Click Delete Unique Permissions
On the ribbon, click Delete Unique Permissions. A warning tells you that unique permissions will be lost. Click OK. The library now inherits permissions from its parent site. All old migrated users are removed.
- Verify inheritance
Refresh the Permissions page. The banner should now say “This library inherits permissions from its parent.” Check the parent site permissions to confirm the correct users have access.
Common Issues After Migrating a Library with Old Permissions
Even after breaking or restoring inheritance, you may encounter problems. Here are the most frequent ones and how to resolve them.
Users Still Have Access After Breaking Inheritance
This happens if you did not remove the old users after breaking inheritance. The ACL from the source is still present. Go back to Permissions for this document library, select all users from the old environment, and click Remove User Permissions. Also check if any SharePoint groups from the old site are present and remove them.
Permission Inheritance Shows as Broken but Old Groups Remain
The migration tool may have copied the old site groups (e.g., “Old Site Members”) as unique permissions. These groups no longer exist in the target environment, but they appear as unresolved entries. You cannot remove them via the browser. Use PowerShell to remove them. Run the following script in SharePoint Online Management Shell:
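```powershell
# These cmdlets come from the PnP.PowerShell module and need an existing Connect-PnPOnline session.
$web = Get-PnPWeb
$list = $web.Lists.GetByTitle("Your Library Name")
# Restore inheritance first so the migrated ACL is dropped even if the library is already unique,
# then break it again without copying the parent's role assignments ($false, $false).
$list.ResetRoleInheritance()
$list.BreakRoleInheritance($false, $false)
$list.Update()
Invoke-PnPQuery
```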
This script breaks inheritance again and removes all existing role assignments. Then you can add fresh permissions.
Library Shows Inherited Permissions but Access Is Wrong
If the library inherits from the parent site but users from the old source still have access, the parent site may have inherited old permissions from a higher level. Check the parent site’s permission inheritance. If the parent site itself has unique permissions from migration, you must break or restore inheritance at the site level first. Then the library will inherit correctly.
Migrated Library Permission Modes: Before and After Fix
| Item | Before Fix | After Fix |
|---|---|---|
| Permission inheritance | Inherited from parent (with old ACL) | Unique or correctly inherited from new parent |
| User access | Old users from source environment | Only intended users from target environment |
| Permission management | Cannot edit or remove old users easily | Full control to add/remove users |
| Security risk | High — unintended access persists | Low — permissions match current needs |
By following the steps above, you can ensure your migrated library has the correct permission inheritance. Always verify permissions immediately after migration. Use the library settings to break or restore inheritance, and remove any old users. For bulk migrations, consider using PowerShell to automate permission reset across multiple libraries.