How to Audit Unique Permissions Across a SharePoint Site
🔍 WiseChecker

When you break permission inheritance on a SharePoint site, library, list, folder, or item, you create unique permissions that are no longer managed by the parent. Over time, these broken inheritance points accumulate and become hard to track, which leads to two kinds of security gap: users keep access they should no longer have, or lose access they still need. This article explains how to find every location with unique permissions across a SharePoint site using the browser and free PowerShell modules, without a paid third-party product.

Key Takeaways: Auditing Unique Permissions in SharePoint

  • Site Settings > Site Permissions: Shows the current permission inheritance status for the root site and lets you check subsites.
  • PowerShell: The most efficient way to scan all subsites, lists, and libraries for broken inheritance, and the only practical way to extend the scan to folders and items.
  • CSV export of results: Enables you to review and archive the full permission audit in a readable spreadsheet.

What Causes Unique Permissions and Why Audit Them

SharePoint uses permission inheritance by default. A new subsite inherits permissions from its parent site collection. A library inherits from the site, and a folder or item inherits from the library. When you break this inheritance, you create unique permissions for that specific object. This is often done to grant a specific group access to a single document library without affecting the rest of the site.

The problem is that unique permissions are not automatically visible in the default site permissions page. You must check each subsite, library, list, and item individually. Over time, orphaned unique permissions can remain after a project ends or a user leaves the organization. Auditing unique permissions helps you find these objects, review who has access, and decide whether to restore inheritance or update the permissions.

Steps to Audit Unique Permissions Using the Browser Interface

The browser method works for small sites with few subsites and libraries. For large sites, use the PowerShell method in the next section.

  1. Open Site Permissions
    Go to your SharePoint site. Select Settings gear > Site permissions. On a modern site this opens a panel; select Advanced permissions settings to reach the classic Permissions page with the ribbon. If the ribbon shows Manage parent, the site inherits permissions from its parent. If it shows Delete unique permissions, the site has unique permissions.
  2. Check Each Subsite
    Navigate to each subsite. Repeat step 1. Write down the subsite name and whether it has unique permissions. You must do this for every subsite manually.
  3. Check Lists and Libraries
    Open a library. Select Settings gear > Library settings (on a modern library, then More library settings). Under Permissions and Management, select Permissions for this document library. The ribbon shows either Manage parent (inherited) or Delete unique permissions (unique). Repeat for every list and library, including those only visible under Site contents.
  4. Check Folders and Items
    Open a library. Select a folder or item, then the three dots > Manage access. The panel lists who has access; select Advanced at the bottom of the panel to open the classic permissions page, where the ribbon shows Manage parent or Delete unique permissions exactly as it does for sites and libraries. Repeat for each folder and item you suspect has broken inheritance. A file that has been shared with a link has unique permissions, even if nobody broke inheritance on it deliberately.

Steps to Audit Unique Permissions Using PowerShell

PowerShell scans all objects in a site collection and exports the results to a CSV file. This method works for sites with many subsites, libraries, and items.

  1. Install the PowerShell modules
    Open PowerShell. Run Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Scope CurrentUser and Install-Module -Name PnP.PowerShell -Scope CurrentUser. If you are prompted about NuGet or an untrusted repository, select Yes. The SharePoint Online Management Shell works at the tenant level (site collections and their administrators) and has no cmdlets for webs, lists, or items, so the scan itself uses PnP.PowerShell, the Microsoft-maintained open-source module.
  2. Connect to SharePoint Online
    Run Connect-SPOService -Url https://yourtenant-admin.sharepoint.com. Enter your global admin or SharePoint admin credentials. Use this connection to confirm the site exists (Get-SPOSite -Identity $SiteUrl) and, if needed, to make yourself a site collection administrator (Set-SPOUser -Site $SiteUrl -LoginName you@yourtenant.com -IsSiteCollectionAdmin $true). The scan script signs in to the site itself in the next step.
  3. Run the Permission Scan Script
    Copy and paste the following script into PowerShell. Replace https://yourtenant.sharepoint.com/sites/yoursite with your site collection URL and the client ID with the ID of an Entra ID app registration that permits interactive PnP sign-in. The script checks the root web, every subsite at any depth, and every list and library for broken inheritance and exports the results to a CSV file on your desktop.
# Requires the PnP.PowerShell module: Install-Module -Name PnP.PowerShell -Scope CurrentUser
# Recent PnP.PowerShell releases require the client ID of an app registration in your tenant
# for interactive sign-in; Register-PnPEntraIDAppForInteractiveLogin can create one.
$SiteUrl    = "https://yourtenant.sharepoint.com/sites/yoursite"
$ClientId   = "00000000-0000-0000-0000-000000000000"   # replace with your app registration's client ID
$OutputFile = "$env:USERPROFILE\Desktop\UniquePermissionsAudit.csv"

# Sign in to the site being audited (not the admin centre); -Interactive supports MFA
Connect-PnPOnline -Url $SiteUrl -Interactive -ClientId $ClientId

$Results = [System.Collections.Generic.List[object]]::new()

# Root web plus every subsite at any depth
$Webs = @(Get-PnPWeb) + @(Get-PnPSubWeb -Recurse)

foreach ($Web in $Webs) {
    # Neither HasUniqueRoleAssignments nor the Lists collection is loaded on a Web by default;
    # reading them without loading throws PropertyOrFieldNotInitializedException
    Get-PnPProperty -ClientObject $Web -Property HasUniqueRoleAssignments, Lists | Out-Null

    $Results.Add([PSCustomObject]@{
        ObjectType           = "Web"
        Title                = $Web.Title
        Url                  = $Web.Url
        Hidden               = $false
        HasUniquePermissions = $Web.HasUniqueRoleAssignments
    })

    foreach ($List in $Web.Lists) {
        # Same for each list; RootFolder gives the real URL instead of guessing it from the title
        Get-PnPProperty -ClientObject $List -Property HasUniqueRoleAssignments, RootFolder | Out-Null

        $Type = if ($List.BaseType -eq "DocumentLibrary") { "Library" } else { "List" }
        $Results.Add([PSCustomObject]@{
            ObjectType           = $Type
            Title                = $List.Title
            Url                  = $List.RootFolder.ServerRelativeUrl
            Hidden               = $List.Hidden   # hidden system lists are included; filter on this column
            HasUniquePermissions = $List.HasUniqueRoleAssignments
        })
    }
}

$Results | Export-Csv -Path $OutputFile -NoTypeInformation
Write-Host "Audit complete. $($Results.Count) objects scanned. File saved to $OutputFile"

The script records the root web, every subsite at any depth, and every list and library on each of them, including hidden system lists (the Hidden column lets you filter those out). It does not descend into folders and items; each of those is a separate securable object with its own HasUniqueRoleAssignments flag and needs its own check. The output CSV contains five columns: ObjectType (Web, List, or Library), Title, Url, Hidden, and HasUniquePermissions (True or False).
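The folder and item level is where sharing links and one-off grants accumulate, so the site-level scan above is only half the audit. The following script is an added example, not code from the original article: it walks the same webs and lists and reports every folder and item whose inheritance is broken. It assumes an open Connect-PnPOnline session to the site collection being audited (as in the scan script); the output path and the decision to skip hidden lists are assumptions you can change.

```powershell
# Added example (not from the original article): extend the audit to folders and items.
# Assumes an existing Connect-PnPOnline session to the site collection being audited.
$ItemOutputFile = "$env:USERPROFILE\Desktop\UniqueItemPermissionsAudit.csv"   # assumed path
$ItemResults    = [System.Collections.Generic.List[object]]::new()

# Root web plus every subsite at any depth, the same traversal as the site-level scan
$Webs = @(Get-PnPWeb) + @(Get-PnPSubWeb -Recurse)

foreach ($Web in $Webs) {
    # The Lists collection is not loaded on a Web object by default
    Get-PnPProperty -ClientObject $Web -Property Lists | Out-Null

    foreach ($List in $Web.Lists) {
        # Hidden system lists (Master Page Gallery, app-related lists) are skipped here by assumption
        if ($List.Hidden) { continue }

        # Page through the list so libraries above the 5,000-item view threshold still enumerate.
        # The default query is recursive, so folders and files in subfolders are all returned.
        $Items = Get-PnPListItem -List $List -PageSize 500 -Fields "FileRef", "FSObjType"

        foreach ($Item in $Items) {
            # HasUniqueRoleAssignments is not part of the item field data: one round trip per item
            Get-PnPProperty -ClientObject $Item -Property HasUniqueRoleAssignments | Out-Null
            if (-not $Item.HasUniqueRoleAssignments) { continue }   # inherits from folder or list

            # FSObjType is 1 for a folder, 0 for a file or list item
            $Type = if ([int]$Item["FSObjType"] -eq 1) { "Folder" } else { "Item" }
            $ItemResults.Add([PSCustomObject]@{
                ObjectType           = $Type
                Title                = [System.IO.Path]::GetFileName($Item["FileRef"])
                Url                  = $Item["FileRef"]
                List                 = $List.Title
                Web                  = $Web.Url
                HasUniquePermissions = $true
            })
        }
    }
}

$ItemResults | Export-Csv -Path $ItemOutputFile -NoTypeInformation
Write-Host "Item-level audit complete. $($ItemResults.Count) folders and items have unique permissions. File saved to $ItemOutputFile"
```

Only objects with broken inheritance are written, because on a large site the inheriting items vastly outnumber them and add nothing to the review. The per-item property load is one HTTP request per item, so on a library with tens of thousands of files expect the run to take a while; if you only care about one library, set $Webs to the web that holds it and add a condition on $List.Title before the item loop.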

Common Issues When Auditing Unique Permissions

PowerShell script returns no results for lists or libraries

If the scan produces no lists or libraries at all, confirm that the site collection URL is correct, that the scan signed in to the site URL rather than the admin centre URL, and that your account is a site collection administrator. From the admin connection, run Get-SPOSite -Identity $SiteUrl to confirm the site exists. Hidden lists and libraries, such as the Master Page Gallery, do appear in the results: the scan reads every list on the web, not only those shown under Site contents.

Browser interface shows no unique permissions but PowerShell shows many

The browser interface only checks the web, list, or item you are looking at; PowerShell walks every object, so it is normal for it to surface unique permissions you never saw in the browser. If the report shows no broken inheritance but users still report unexpected access, look at the two things that grant access outside the inheritance chain. The first is site collection administrators, who are managed separately from role assignments: check Site settings > Site collection administrators, or run Get-SPOUser -Site $SiteUrl and look at the IsSiteAdmin column. The second is sharing links: sharing a file breaks inheritance on that file, not on the site, so it shows up in an item-level scan and in Manage access for that file, never on the site permissions page. Site collections do not inherit permissions from the tenant; each one is the top of its own inheritance chain.

Restoring inheritance after auditing

To restore inheritance, open the object that has unique permissions. For a site, select Settings > Site permissions > Advanced permissions settings; for a library, Library settings > Permissions for this document library. In the ribbon, select Delete unique permissions. The object inherits from its parent again, and every role assignment that was unique to it is discarded, including the Limited Access entries SharePoint added automatically. There is no undo, so record the current permissions before deleting them.
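The record-then-restore step above, and the permission details the comparison below says can be added to the scan, are both covered by the following added example (not code from the original article). It defines a function that snapshots an object's role assignments to JSON and only then calls the same operation the Delete unique permissions button performs. It assumes an open Connect-PnPOnline session to the site; the library name "Project Documents" and the backup path in the usage lines are assumptions.

```powershell
# Added example (not from the original article): snapshot role assignments, then restore inheritance.
# Assumes an existing Connect-PnPOnline session to the site that holds the object.
function Restore-InheritanceWithSnapshot {
    param(
        # Any securable object: a web from Get-PnPWeb, a list from Get-PnPList, or an item from Get-PnPListItem
        [Parameter(Mandatory)] $Object,
        [Parameter(Mandatory)] [string] $BackupPath
    )

    # Neither property is loaded by default
    Get-PnPProperty -ClientObject $Object -Property HasUniqueRoleAssignments, RoleAssignments | Out-Null

    if (-not $Object.HasUniqueRoleAssignments) {
        Write-Host "Object already inherits permissions; nothing to do."
        return
    }

    # Capture who has what before anything is deleted
    $Snapshot = foreach ($RA in $Object.RoleAssignments) {
        # Member (user or group) and the bound role definitions are nested objects; load both
        Get-PnPProperty -ClientObject $RA -Property Member, RoleDefinitionBindings | Out-Null
        [PSCustomObject]@{
            Principal     = $RA.Member.Title
            LoginName     = $RA.Member.LoginName
            PrincipalType = $RA.Member.PrincipalType.ToString()   # User, SecurityGroup, SharePointGroup
            Roles         = @($RA.RoleDefinitionBindings | ForEach-Object { $_.Name })
        }
    }
    $Snapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $BackupPath
    Write-Host "Saved $(@($Snapshot).Count) role assignments to $BackupPath"

    # Same effect as the ribbon's Delete unique permissions: drop the unique assignments and inherit again
    $Object.ResetRoleInheritance()
    Invoke-PnPQuery
    Write-Host "Inheritance restored."
}

# Usage (assumed library name and backup path)
$List = Get-PnPList -Identity "Project Documents"
Restore-InheritanceWithSnapshot -Object $List -BackupPath "$env:USERPROFILE\Desktop\ProjectDocuments-permissions.json"
```

Run the snapshot part on its own (comment out the two lines after it) if you only want the permission details for the audit report; the JSON lists Limited Access entries as well, which SharePoint creates on parents whenever a child has unique permissions, so do not treat those as deliberate grants.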

Browser Method vs PowerShell Method: Key Differences

Item | Browser interface | PowerShell
Setup required | None | Install the PowerShell modules from the PowerShell Gallery and sign in once
Scan scope | One web, list, folder, or item at a time | Root web, all subsites, and all lists and libraries in one run; folders and items with an item-level loop
Output format | Ribbon buttons (Manage parent or Delete unique permissions) | CSV file export
Best for | Sites with fewer than about 5 subsites and 10 libraries | Sites with many subsites, libraries, or items
Permission details included | No, inheritance status only | No by default; role assignments can be exported with additional code

After you complete the audit, review the CSV file and decide which objects need permission changes. For objects that no longer require unique access, restore inheritance. For objects that need different permissions, update the role assignments directly. Use the Check Permissions button in the ribbon to verify a specific user’s effective permissions before making changes.
