Document SharePoint Permissions for an Audit: SharePoint Admin Guide

When an auditor requests a complete map of who has access to what in your SharePoint environment, manually checking each site is slow and error-prone. The core challenge is that SharePoint permissions can be inherited, unique, and layered through Microsoft 365 groups, security groups, and direct user assignments. This guide explains how to use built-in SharePoint admin tools and PowerShell to generate a permissions report that meets audit requirements. You will learn the exact steps to export permission data for all sites, document external sharing settings, and verify access levels for compliance.

Key Takeaways: Generate a SharePoint Permissions Audit Report

  • SharePoint admin center > Active sites > Export: Exports a CSV with site URL, owner, and external sharing status for all sites.
  • Get-SPOSite and Get-SPOSiteGroup PowerShell cmdlets: Retrieve detailed permission data including users, groups, and role definitions for each site.
  • SharePoint admin center > Policies > Sharing: Shows organization-level and site-level external sharing settings that auditors commonly review.


Why SharePoint Permissions Are Hard to Audit

SharePoint permissions are not stored in a single flat table. A user might have access through a direct permission on a site, membership in a Microsoft 365 group, inclusion in a SharePoint group, or inheritance from a parent site. The permission model includes three layers: the site level, the list or library level, and the item level. Auditors need to see all paths of access, not just direct assignments.

Another complication is that external sharing settings differ between the organization level and each site. A site may allow sharing with anyone, while the tenant default is more restrictive. The audit report must capture both the effective sharing policy and the actual permissions granted to external users.

SharePoint does not have a single built-in report that combines all this data. You must use the SharePoint admin center for a high-level site inventory and PowerShell for detailed permission dumps. This guide covers both methods so you can produce a complete audit package.

Steps to Export SharePoint Permissions for an Audit

Method 1: Export Site Inventory from SharePoint Admin Center

  1. Open the SharePoint admin center
    Sign in to Microsoft 365 as a SharePoint admin or global admin. Go to the Microsoft 365 admin center, select Admin centers, then choose SharePoint. Alternatively, navigate directly to https://admin.microsoft.com/SharePoint.
  2. Navigate to Active sites
    In the left navigation menu, select Active sites. This page lists every SharePoint site in your tenant, including team sites, communication sites, and hub sites.
  3. Apply filters to narrow the scope
    If the auditor only needs a subset of sites (for example, all sites in a specific hub or with a certain template), use the filter bar at the top. You can filter by site type, hub association, or URL.
  4. Export the site list
    Click the Export button on the toolbar. The export generates a CSV file that contains the site URL, title, template, owner, storage used, and the External sharing status. The sharing status column shows the site-level external sharing setting (Anyone, New and existing guests, Existing guests, or Only people in your organization).
  5. Save and review the CSV
    Download the CSV file and open it in Excel. Verify that the External sharing column matches the auditor’s requirements. This file serves as the site inventory part of the audit report.

Method 2: Use PowerShell to Extract Detailed Permissions

The admin center export does not include individual user permissions or group memberships. For that, you need the SharePoint Online Management Shell. Install the module if you have not already:

Install-Module -Name Microsoft.Online.SharePoint.PowerShell

  1. Connect to SharePoint Online
    Run Connect-SPOService -Url https://yourtenant-admin.sharepoint.com. Replace yourtenant with your tenant name. Enter your admin credentials when prompted.
  2. Get all site collections
    Use Get-SPOSite -Limit All to retrieve every site collection. Store the output in a variable, for example $sites = Get-SPOSite -Limit All. The -Limit All parameter ensures no site is missed.
  3. Export site-level permission groups
    Run Get-SPOSiteGroup -Site $site.Url for each site. This cmdlet returns the SharePoint groups (Visitors, Members, Owners) and their members. Pipe the output to Export-Csv to save it. Example script:
    $sites | ForEach-Object {
        # Capture the site URL here: inside Select-Object, $_ is the group object, which has no Url property
        $siteUrl = $_.Url
        Get-SPOSiteGroup -Site $siteUrl |
            Select-Object Title,
                @{N='Users';   E={ $_.Users -join ';' }},   # flatten the member array so the CSV shows names, not System.Object[]
                @{N='Roles';   E={ $_.Roles -join ';' }},
                @{N='SiteUrl'; E={ $siteUrl }} |
            Export-Csv -Path 'C:\audit\sitegroups.csv' -NoTypeInformation -Append
    }
  4. Document external users and sharing links
    Use Get-SPOExternalUser to list all external users in the tenant. For sharing links, run Get-SPOSite -IncludePersonalSite:$false | Get-SPOSharingLink to retrieve all sharing links across sites (a switch parameter takes the colon form, not a space-separated $false). This data is critical for auditors who need to see who has anonymous access.
  5. Check unique permissions on subsites and lists
    Unique permissions break inheritance. Use Get-SPOSite -Detail to see which sites have unique permissions. For deeper inspection, use CSOM (Client Side Object Model) scripts or third-party tools, as the built-in cmdlets do not list item-level permissions. A simple check: Get-SPOSite -Limit All | Where-Object {$_.HasUniqueRoleAssignments -eq $true} lists sites with broken inheritance.

Method 3: Verify External Sharing Settings

  1. Check organization-level sharing
    In the SharePoint admin center, select Policies from the left menu, then choose Sharing. The External sharing section shows the tenant-level default. Note the setting and any domain allowlists or blocklists.
  2. Compare site-level sharing to the tenant default
    From the Active sites page, select a site, then click Settings and find the External sharing section. Document any sites where the site-level sharing is more permissive than the tenant default. Auditors flag these as potential security gaps.
  3. Export sharing settings for all sites
    Run Get-SPOSite -Limit All | Select-Object Url, SharingCapability and export to CSV. The SharingCapability property shows the exact sharing level for each site.


Common Gaps in SharePoint Permission Audits

PowerShell script fails with access denied

The account running the script must have SharePoint admin or global admin role. If you receive an access denied error, confirm the role assignment in the Microsoft 365 admin center under Roles > Role assignments. Also verify that the SharePoint Online Management Shell is connected to the correct tenant URL.

Export CSV does not include all users

The Get-SPOSiteGroup cmdlet only returns users who are direct members of SharePoint groups. Users who gain access through a Microsoft 365 group membership are not listed. To capture those, run Get-UnifiedGroupLinks -Identity "GroupName" -LinkType Members from Exchange Online PowerShell. Then cross-reference the group members with the site permissions.
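The cross-reference described above can be automated for every group-connected site at once. This is an added example, not code from the original guide; it assumes the ExchangeOnlineManagement module is installed, that both Connect-SPOService and Connect-ExchangeOnline have been run, and (an assumption) that Get-UnifiedGroupLinks accepts the group's object id, which Get-SPOSite -Detailed exposes as GroupId, as its -Identity. If a tenant rejects the id, pass the group alias instead.

```powershell
# Added example (not from the original article): list Microsoft 365 group owners and
# members for every group-connected site, since Get-SPOSiteGroup does not show them.
# Assumptions: ExchangeOnlineManagement installed; Connect-SPOService and
# Connect-ExchangeOnline already run; Get-UnifiedGroupLinks accepts the group id.
$ErrorActionPreference = 'Stop'

# Classic sites report the empty GUID as GroupId; only group-connected sites matter here
$groupSites = Get-SPOSite -Limit All -Detailed |
    Where-Object { $_.GroupId -ne [guid]::Empty }

$rows = foreach ($site in $groupSites) {
    foreach ($linkType in 'Owners', 'Members') {
        try {
            $links = Get-UnifiedGroupLinks -Identity $site.GroupId.ToString() -LinkType $linkType
        } catch {
            Write-Warning "Cannot read $linkType of group $($site.GroupId) for $($site.Url): $($_.Exception.Message)"
            continue
        }
        foreach ($member in $links) {
            [pscustomobject]@{
                SiteUrl  = $site.Url
                GroupId  = $site.GroupId
                LinkType = $linkType
                Member   = $member.PrimarySmtpAddress
                # Guests invited into a Microsoft 365 group are GuestMailUser recipients
                IsGuest  = ($member.RecipientTypeDetails -eq 'GuestMailUser')
            }
        }
    }
}

$rows | Export-Csv -Path 'C:\audit\m365-group-members.csv' -NoTypeInformation

# Per-site summary so the auditor can line this up with sitegroups.csv from Method 2:
# the SharePoint group export shows the direct path, this shows the group path.
$rows | Group-Object SiteUrl | ForEach-Object {
    $members = @($_.Group | Where-Object LinkType -eq 'Members')
    $owners  = @($_.Group | Where-Object LinkType -eq 'Owners')
    [pscustomobject]@{
        SiteUrl      = $_.Name
        GroupOwners  = $owners.Count
        GroupMembers = $members.Count
        GuestMembers = @($members | Where-Object IsGuest).Count
    }
} | Sort-Object GuestMembers -Descending | Format-Table -AutoSize
```

Owners are collected as well as members because a Microsoft 365 group owner lands in the site's Owners SharePoint group with Full Control, which is the access path auditors care about most.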

Unique permissions on subsites or items are missing

The built-in cmdlets do not drill into subsite, list, or item-level permissions. If the auditor requires this depth, consider using a third-party governance tool or writing a CSOM script that enumerates all securable objects. A simpler workaround is to export a list of sites with unique permissions and note that manual inspection is needed.

SharePoint Permission Audit Methods: Admin Center vs PowerShell

| Item | SharePoint Admin Center Export | PowerShell (SPO Management Shell) |
| --- | --- | --- |
| Data coverage | Site URL, owner, template, storage, external sharing status | All of the admin center data plus group members, roles, external users, sharing links |
| Permission detail level | None (no user or group permissions) | Site-level groups and their members; does not include Microsoft 365 group memberships or item-level permissions |
| Ease of use | No coding required; export via browser | Requires PowerShell knowledge and module installation |
| Automation | Manual export each time | Can be scripted and scheduled |
| External sharing detail | Shows site-level sharing setting only | Shows sharing setting and can list external users and sharing links |

Now you can generate a comprehensive SharePoint permissions report using the admin center export for the site inventory and PowerShell for detailed permission data. Start by running the admin center export to get the high-level view, then complement it with the PowerShell scripts to capture group memberships and external sharing links. For a complete audit, also document any Microsoft 365 group memberships that grant site access, and flag sites with unique permissions for manual review. Save all CSV outputs in a dated folder and label them clearly for the auditor.
