When a SharePoint site, library, or list breaks permission inheritance and you later restore it, the default action removes all unique permissions, including those assigned to site owners. This can leave site owners without access if they were added only through unique permissions. This article explains why this happens and provides the exact steps to restore inheritance while preserving owner access. You will learn how to use PowerShell and the SharePoint admin center to keep site owners in place.
Key Takeaways: Restoring Inheritance Without Losing Owners
- SharePoint admin center > Active sites > Permissions: Use this to check which sites have broken inheritance before making changes.
- SharePoint Online Management Shell (PowerShell): Run `Set-SPOSite -Identity $url -DenyAddAndCustomizePages 0` to temporarily allow permission adjustments.
- PnP PowerShell cmdlet `Set-PnPWebPermission`: Re-add owners after restoring inheritance without affecting inherited permissions.
Why Restoring Inheritance Removes Owners
When a SharePoint site inherits permissions from its parent, it uses the parent’s permission set. If you break inheritance, the site gets its own unique permission set. Restoring inheritance removes the unique permission set and forces the site to use the parent’s permissions again. Any users or groups that were added only at the site level through unique permissions are removed. This includes site owners if they were not already in the parent’s permission set.
The root cause is that SharePoint treats the restore operation as a full reset. It does not merge unique permissions into the parent set. It simply deletes the unique set. If you have site owners who were added only after breaking inheritance, they lose access when inheritance is restored.
The Role of the Primary Site Collection Administrator
The primary site collection administrator is always able to access the site, even after inheritance is restored. This user is stored at the site collection level, not in the permission set. If you are the primary admin, you will not lose access. But any additional owners added through unique permissions will be removed.
What Happens to SharePoint Groups
SharePoint groups like Members and Visitors are also affected. If you added custom groups or changed group membership after breaking inheritance, those changes are lost. The site reverts to the parent’s default groups and membership.
Steps to Restore Inheritance While Keeping Owners
Follow these steps in order. You will need SharePoint admin permissions and the SharePoint Online Management Shell installed.
- Check current permission inheritance
Go to the SharePoint admin center. Select Active sites. Find the site you want to modify. Click the site name to open the details panel. Under Permissions, look for Permission inheritance. If it says Unique permissions, inheritance is broken. Write down the current owners from the Site owners section.
- Back up current unique permissions
Open SharePoint Online Management Shell as an administrator. Run `Connect-SPOService -Url https://[tenant]-admin.sharepoint.com`. Replace `[tenant]` with your tenant name. Then run `Get-SPOSite -Identity https://[tenant].sharepoint.com/sites/[sitename] | Select -ExpandProperty Owner` to see the primary owner. For a full list of owners, use the PnP PowerShell cmdlet: `Connect-PnPOnline -Url https://[tenant].sharepoint.com/sites/[sitename] -Interactive`. Then run `Get-PnPWebPermission -Identity $web` to list all unique permissions. Save the output to a text file.
- Temporarily disable the deny add and customize pages setting
Some sites block permission changes through the DenyAddAndCustomizePages setting. Run `Set-SPOSite -Identity https://[tenant].sharepoint.com/sites/[sitename] -DenyAddAndCustomizePages 0` to allow permission modifications. You can re-enable this after the restore.
- Restore inheritance using the browser
Go to the site where inheritance is broken. Navigate to Settings (gear icon) > Site permissions. Click Delete unique permissions. Confirm the action. This restores inheritance. The site now uses the parent’s permissions. All unique permissions are removed.
- Add owners back using PowerShell
After restoring inheritance, the parent site’s owners are the only ones with owner access. To add the original owners back, use PnP PowerShell. Run `Connect-PnPOnline -Url https://[tenant].sharepoint.com/sites/[sitename] -Interactive`. Then run `Set-PnPWebPermission -User 'user@domain.com' -AddRole 'Full Control'` for each owner you need to restore. Replace `user@domain.com` with the actual email. The Full Control role gives owner-level access. Repeat for each owner.
- Re-enable the deny add and customize pages setting
Run `Set-SPOSite -Identity https://[tenant].sharepoint.com/sites/[sitename] -DenyAddAndCustomizePages 1` to re-enable the setting. This prevents unintended permission changes.
- Verify permissions
Go to the site. Click Settings > Site permissions. Confirm that inheritance shows Inherited. Check the Site owners section to ensure the restored owners appear. Test access by signing in as one of the restored owners.
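The backup and verify steps above can be scripted so that the comparison does not rely on handwritten notes. The following is an added example, not code from the original article: it assumes the PnP.PowerShell module and an active `Connect-PnPOnline` session against the site, and the function names, the `-Phase` parameter and the CSV path are hypothetical.

```powershell
# Added example: snapshot Full Control holders before the restore, then report
# which of them are missing afterwards. Requires an active Connect-PnPOnline session.
param(
    [Parameter(Mandatory)][ValidateSet('Backup', 'Verify')][string]$Phase,
    [string]$SnapshotPath = '.\fullcontrol-before.csv'   # hypothetical path
)

function Get-FullControlPrincipal {
    # Every principal holding Full Control on the current web, whether the
    # role assignment is unique or inherited from the parent.
    $web = Get-PnPWeb -Includes RoleAssignments, HasUniqueRoleAssignments
    foreach ($ra in $web.RoleAssignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        $roles = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })
        if ($roles -contains 'Full Control') {
            [pscustomobject]@{
                LoginName     = $ra.Member.LoginName
                Title         = $ra.Member.Title
                PrincipalType = $ra.Member.PrincipalType.ToString()
                UniqueScope   = $web.HasUniqueRoleAssignments
            }
        }
    }
}

function Compare-OwnerSnapshot {
    # Returns the principals in $Before whose login name no longer appears in $After.
    param([object[]]$Before, [object[]]$After)
    $stillPresent = @($After | ForEach-Object { $_.LoginName })
    $Before | Where-Object { $_.LoginName -notin $stillPresent }
}

if ($Phase -eq 'Backup') {
    # Run before clicking "Delete unique permissions".
    Get-FullControlPrincipal | Export-Csv -Path $SnapshotPath -NoTypeInformation
}
else {
    # Run after inheritance is restored and the owners have been re-added.
    $before  = @(Import-Csv -Path $SnapshotPath)
    $missing = @(Compare-OwnerSnapshot -Before $before -After @(Get-FullControlPrincipal))
    if ($missing.Count -eq 0) { 'All Full Control principals from the snapshot are present.' }
    else { $missing | Format-Table Title, LoginName, PrincipalType -AutoSize }
}
```

Rows with a `PrincipalType` of `SharePointGroup` in the report are groups rather than individual users and need to be handled separately from the per-user re-add step.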
If SharePoint Still Has Issues After the Main Fix
Restored Owners Cannot Access the Site Immediately
If a restored owner still sees a permission denied error, wait 15 minutes for permission changes to propagate across SharePoint. If the issue persists, check that the user was added to the site collection and not just the parent site. Run `Get-PnPSiteCollectionAdmin` in PnP PowerShell to see site collection admins. Add the user as a site collection admin if needed: `Add-PnPSiteCollectionAdmin -Owners 'user@domain.com'`.
Inheritance Reverts to Unique After Adding Owners
If, after adding owners, the site shows unique permissions again, you likely used the Share button or the Advanced permissions settings incorrectly. The Share button can break inheritance if the user is not already in the parent permission set. Always use PowerShell to add owners after restoring inheritance. The `Set-PnPWebPermission` cmdlet adds the user to the inherited permission set without breaking inheritance.
PowerShell Connection Fails
If `Connect-PnPOnline` fails, ensure you have the latest PnP PowerShell module. Run `Install-Module PnP.PowerShell -Force` in an elevated PowerShell window. If you still get errors, check that your account has SharePoint admin or global admin permissions. You can also use `Connect-PnPOnline -Url $url -UseWebLogin` to authenticate through the browser.
| Item | Before Restore | After Restore (Without This Guide) | After Restore (With This Guide) |
|---|---|---|---|
| Permission inheritance | Unique | Inherited | Inherited |
| Site owners from unique permissions | Present | Removed | Restored via PowerShell |
| Primary site collection admin | Present | Present | Present |
| Custom SharePoint groups | Present | Removed | Removed (must be recreated) |
| Access for restored owners | Full access | No access | Full access |
Restoring permission inheritance does not have to remove your site owners. By following the steps in this guide, you can use PowerShell to re-add owners after the restore without breaking inheritance again. Start by backing up your current permissions. Then use the browser to restore inheritance and PowerShell to add owners back. Always verify access after the process. For sites with many custom permissions, consider documenting the unique permission set before making any changes.