When you share a SharePoint library directly with specific users, those permissions can override broader site-level access settings. This creates confusion when users gain access to documents they should not see or when changes to a Microsoft 365 group do not revoke access as expected. Direct permissions also make audits and permission management more difficult because each unique permission entry must be tracked individually. This article explains why direct permissions cause problems, shows you how to remove them from a library, and provides the best settings to prevent them from being added again.
Key Takeaways: Remove Direct Permissions From a SharePoint Library
- Library Settings > Permissions for this document library: Lists all users and groups with direct access to the library separate from site-level permissions.
- Stop Inheriting Permissions > Remove User Permissions: Breaks permission inheritance so you can selectively delete direct user entries without affecting the site.
- SharePoint admin center > Sharing > External sharing: Disables external sharing at the tenant level to prevent new direct sharing links from being created.
Why Direct Permissions in a Library Cause Management Problems
SharePoint libraries inherit permissions from the parent site by default. When you add a user or group directly to a library, you break that inheritance. The library now has its own unique permission set. This means a user who does not have site access can still open files in that library if they were added directly. Conversely, removing a user from the Microsoft 365 group does not remove their direct access to the library. You must track and manage these direct entries separately.
Direct permissions are often created unintentionally. A user shares a file or folder using the Share button in the document library. SharePoint creates a sharing link that grants access to specific people. This adds a direct permission entry on the library. Over time, a library can accumulate dozens of unique permission entries. Each entry must be reviewed during audits. If someone leaves the organization, their direct permissions remain unless manually removed.
The best practice for Microsoft 365 is to manage access through Microsoft 365 groups or SharePoint groups at the site level. Libraries should inherit permissions from the site. This keeps permission management centralized and reduces the risk of orphaned access. If you must grant unique access to a library, limit it to a small number of SharePoint groups, never individual users.
Steps to Remove Direct User Permissions From a Library
Follow these steps to identify and remove any direct permission entries on a SharePoint library. You must have Full Control or Manage Permissions permission on the site.
- Open the library in SharePoint
  Navigate to the site that contains the library. Click the library name in the left navigation or go to Site contents and click the library.
- Access library settings
  Click the gear icon (Settings) in the upper right corner. Select Library settings from the menu. If you do not see Library settings, you may need to click the library name first, then click the gear icon.
- Open permissions for the library
  On the Library Settings page, click Permissions for this document library under the Permissions and Management section. This shows the current permission inheritance status.
- Check inheritance status
  Look at the ribbon at the top of the page. If you see a button labeled Inherit Permissions, the library is currently unique (broken inheritance). If you see Stop Inheriting Permissions, the library is still using site permissions. If inheritance is broken, proceed to the next step. If not, there are no direct permissions to remove.
- Remove direct user entries
  Select the check box next to each user or group that was added directly to the library. These are entries that do not match the site-level groups. Click Remove User Permissions on the ribbon. Confirm the removal.
- Restore inheritance (optional but recommended)
  If you want the library to use site permissions again, click Delete Unique Permissions on the ribbon. This removes all direct entries and restores inheritance. Confirm the action.
Alternative Method: Remove Permissions Using SharePoint Designer
- Open the site in SharePoint Designer
  Launch SharePoint Designer 2013. Click Open Site and enter the site URL. Sign in with your credentials.
- Navigate to the library
  In the left navigation, click Lists and Libraries. Find your library in the list and click its name.
- Manage permissions
  Click Permissions on the ribbon. You will see the same permission interface as in the browser. Follow the same steps to remove users or restore inheritance.
Best Settings to Prevent Direct Permissions in Libraries
After removing existing direct permissions, configure these settings to stop new ones from being added in the future.
1. Disable External Sharing at the Library Level
- Open library settings
  Go to Library settings as described above.
- Click Permissions for this document library
  On the permissions page, click Access Request Settings on the ribbon.
- Disable external sharing
  Uncheck Allow access requests. Uncheck Allow members to share the site and individual documents and folders. Click OK.
2. Restrict Sharing to Site Members Only
- Go to site settings
  Click the gear icon and select Site permissions.
- Click Sharing settings
  Under the Sharing section, click Change how members can share.
- Select the most restrictive option
  Choose Only site owners can share files, folders, and the site. This prevents members from creating direct sharing links.
3. Use a SharePoint Group for Unique Permissions
If a library truly needs unique permissions, create a SharePoint group and add users to that group. Then grant the group permissions on the library. This keeps the number of direct entries low. When a user leaves, you remove them from the group, not from 50 individual library permissions.
Common Issues When Removing Direct Permissions
Users Lose Access to Files They Still Need
If you delete unique permissions and restore inheritance, users who only had direct access to the library will lose access. Before doing this, check which users have direct permissions and verify they have site-level access through a Microsoft 365 group or SharePoint group. Add them to the appropriate group first if needed.
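The pre-check described above, together with the "Remove direct user entries" step, as an added example that is not part of the original article: a read-only PnP PowerShell audit that lists every direct entry on a library and notes whether that login is also a direct member of a site-level SharePoint group. It assumes the PnP.PowerShell module is installed; the site URL and library name are placeholders.

```powershell
# Added example (read-only). Assumes the PnP.PowerShell module.
# $SiteUrl and $LibraryName are placeholders; replace them with your own values.
$SiteUrl     = 'https://contoso.sharepoint.com/sites/ExampleSite'
$LibraryName = 'Documents'

# Newer PnP.PowerShell versions also need -ClientId for your own app registration.
Connect-PnPOnline -Url $SiteUrl -Interactive

$list = Get-PnPList -Identity $LibraryName
Get-PnPProperty -ClientObject $list -Property HasUniqueRoleAssignments, RoleAssignments | Out-Null

if (-not $list.HasUniqueRoleAssignments) {
    Write-Output "'$LibraryName' inherits from the site; there are no direct entries to remove."
    return
}

# Map each login that is a direct member of a site-level SharePoint group
# to that group's title, so direct library entries can be compared against it.
$siteGroupLogins = @{}
foreach ($group in Get-PnPGroup) {
    foreach ($member in Get-PnPGroupMember -Group $group) {
        $siteGroupLogins[$member.LoginName] = $group.Title
    }
}

$report = foreach ($ra in $list.RoleAssignments) {
    Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null

    # 'Limited Access' entries are created automatically and grant nothing on their own.
    $roles = ($ra.RoleDefinitionBindings | Where-Object Name -ne 'Limited Access').Name -join ', '
    if (-not $roles) { continue }

    [pscustomobject]@{
        Principal  = $ra.Member.Title
        LoginName  = $ra.Member.LoginName
        Type       = $ra.Member.PrincipalType      # User, SharePointGroup, SecurityGroup
        Roles      = $roles
        DirectUser = $ra.Member.PrincipalType -eq 'User'
        SiteGroup  = $siteGroupLogins[$ra.Member.LoginName]   # blank = not a direct group member
    }
}

# Individual users first: these are the entries to review before restoring inheritance.
$report | Sort-Object DirectUser -Descending | Format-Table -AutoSize
```

Users who reach the site only through a Microsoft 365 group appear in site groups as a group claim rather than by their own login, so a blank SiteGroup value means the user still needs a manual check, not that they have no site access.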
Stop Inheriting Permissions Button Is Grayed Out
This means the library already has unique permissions. You cannot stop inheritance again because it is already broken. Instead, use the Remove User Permissions button to delete individual entries or click Delete Unique Permissions to restore inheritance entirely.
Share Button Still Appears After Changes
The Share button is controlled by site-level sharing settings, not library permissions. Even after removing direct permissions, users with edit access can still share files using the Share button. To disable this, change the site sharing setting to Only site owners can share as described in the best settings section above.
Site Permissions vs Library Permissions: Key Differences
| Item | Site Permissions | Library Permissions |
|---|---|---|
| Scope | Applies to all content in the site | Applies only to the specific library |
| Inheritance | Default for all child objects | Can be broken to be unique |
| Management | Centralized via Microsoft 365 groups | Must be managed per library |
| Audit complexity | Low – one group per role | High – many individual entries |
| Best practice | Use for most access | Only for exceptions, use groups |
By keeping permissions at the site level and using Microsoft 365 groups, you reduce management overhead and improve security. Direct library permissions should be the exception, not the default. After removing existing direct entries and applying the best settings, you will have a cleaner permission structure that is easier to audit and maintain.