Check Effective Permissions for an External Guest: Governance Checklist

When you invite an external guest to a SharePoint site, you need to confirm exactly what that guest can access. A guest might have permissions from multiple sources such as a Microsoft 365 Group, a SharePoint site group, or direct item-level sharing. Without checking effective permissions, you risk giving a guest access to sensitive content you did not intend. This article explains the technical root cause of permission stacking and provides a step-by-step checklist to verify effective permissions for any external guest. By following this checklist, you can enforce your governance policies and prevent data leaks.

Key Takeaways: Governance Checklist for External Guest Permissions

  • SharePoint site > Settings > Site permissions > Check permissions: Use this tool to view the effective permissions of any guest user across the site, lists, and items.
  • Microsoft Entra admin center > External Identities > External collaboration settings: Configure guest access policies that limit external sharing and guest permissions at the tenant level.
  • Microsoft 365 admin center > Groups > Active groups > Group settings: Review group-level permissions that grant guests access to associated SharePoint sites, Teams, and Planner plans.

Why Effective Permissions Differ from Explicit Permissions for Guests

SharePoint uses a permission model where a user’s final access is the combination of all permissions they receive from every source. An external guest may be added directly to a site as a member, added to a Microsoft 365 Group that owns the site, or granted access to a specific document through a sharing link. Each permission source contributes its own grant. The effective permission is the union of these grants, not just the most restrictive one. SharePoint does not automatically show this combined view in the standard permission lists. You must use the Check Permissions tool to see the actual result.

The Role of Microsoft 365 Group Membership

When a guest is added to a Microsoft 365 Group, they receive the group’s access to all connected services including the SharePoint site, the shared mailbox, the calendar, and Planner. If the group is set to Private, the guest gets the Member permission level on the site. If the group is Public, the guest gets the Visitor permission level. This group membership is often invisible from the site’s direct permission pages. You must check the group’s membership in the Microsoft 365 admin center to understand this source of permissions.

Direct Sharing and Link Sharing

A guest can also receive permissions through a direct sharing invitation sent from a document or folder. SharePoint creates a unique sharing link that grants the guest a specific role such as Edit or View. These links are not displayed in the site’s standard permission list. They appear only in the Sharing report or in the item’s sharing settings. The Check Permissions tool accounts for these links when computing effective permissions.

Steps to Check Effective Permissions for an External Guest

Follow these steps to verify what an external guest can actually access on a SharePoint site. Perform these checks before granting final access and repeat them periodically as part of your governance review.

  1. Open the SharePoint site and navigate to Site permissions
    Go to the SharePoint site where the guest has or will have access. Select the gear icon in the top-right corner and choose Site permissions. This opens the permissions panel for the site.
  2. Click the Check permissions button
    In the Site permissions panel, find and click Check permissions. A dialog box appears where you can enter a user name or email address.
  3. Enter the guest’s email address
    Type the full email address of the external guest into the User/Group field. Click Check Now. SharePoint resolves the guest identity and displays a list of all permission sources that apply to that guest.
  4. Review the permission sources and effective permission level
    The results page shows each permission source such as a SharePoint group, a Microsoft 365 Group, or a direct sharing link. The Effective Permission Level at the top of the page shows the highest permission the guest has on the site. For example, if the guest is a Member of the site but also has a direct Edit link on a document, the effective level is Edit.
  5. Check permissions on specific items such as libraries and lists
    To check permissions on a specific library or list, navigate to that library or list. Select the gear icon and choose Library settings or List settings. Under Permissions and Management, click Permissions for this document library or Permissions for this list. Then click Check permissions and enter the guest’s email again. This shows item-level effective permissions.
  6. Verify Microsoft 365 Group membership in the admin center
    Open the Microsoft 365 admin center. Go to Teams & groups > Active teams & groups. Select the group associated with the SharePoint site. Click the Membership tab and look for the guest in the list. If the guest is a member, they inherit the group’s permissions on the site.
  7. Review external sharing settings in SharePoint admin center
    Open the SharePoint admin center. Go to Policies > Sharing. Review the external sharing settings at the tenant level and the site level. Ensure that guest access is limited to the intended scope such as Existing guests or New and existing guests. If the tenant allows Anyone links, a guest could potentially access content without being explicitly invited.
  8. Generate a sharing report for the site
    In the SharePoint admin center, go to Reports > Sharing. Select the site and click Export. Download the CSV file. This report lists every sharing link and invitation for the site, including those sent to external guests. Review the report to confirm that no unintended links exist.

Common Governance Gaps and How to Fix Them

Guest Has More Access Than Expected

If the Check Permissions tool shows a higher permission level than you intended, the guest likely belongs to a Microsoft 365 Group that grants Member access to the site. Remove the guest from the group in the Microsoft 365 admin center. Then re-invite them with a direct sharing link that uses the desired permission level such as View only.

Guest Can Access Content After Removal from Site Permissions

A guest removed from the site’s direct permissions may still have access through a sharing link. Run the Check Permissions tool again after removal. If the tool still shows access, locate the sharing link in the Sharing report and delete it. Alternatively, use the Manage Access option on the specific item to remove the guest’s link.

Sharing Links Are Not Visible in Site Permissions

Sharing links are stored at the item level, not the site level. To see all links for a document, open the document’s sharing dialog by clicking the share icon. Click Manage access. A list of all users and links with access to that item appears. Remove any link that grants unintended guest access.

Site Permission Sources vs Guest Access Methods

| Item | Direct Site Permission | Microsoft 365 Group | Sharing Link |
| --- | --- | --- | --- |
| Where to check | Site permissions > Check permissions | Microsoft 365 admin center > Groups | Item sharing dialog > Manage access |
| Permission level examples | Full Control, Design, Edit, Contribute, Read | Member (Edit) or Visitor (Read) depending on group privacy | Edit, View, or View and Comment |
| How to revoke | Remove user from SharePoint group | Remove guest from the Microsoft 365 Group | Delete the specific sharing link |
| Visibility in Check Permissions | Shown as a direct permission source | Shown as a group membership source | Shown only if the link was created for the guest directly |
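
The stacking rule and the revocation paths above can be checked offline once you have collected a guest's grants from the three sources. The following Python script is an added example, not part of the original checklist or any Microsoft tool. The CSV column names, the sample rows, and the ordering of permission levels are assumptions made for illustration; the revocation actions are the ones listed in the comparison above.

```python
import csv
import io

# Assumed ordering of the levels named on this page (higher = more access).
RANK = {"View": 1, "Read": 1, "Contribute": 2, "Edit": 3, "Design": 4, "Full Control": 5}

# Revocation action per source, taken from the page's comparison of sources.
REVOKE = {
    "site_group": "Remove user from SharePoint group",
    "m365_group": "Remove guest from the Microsoft 365 Group",
    "sharing_link": "Delete the specific sharing link",
}

# Constructed inventory, one row per grant; column names are hypothetical.
SAMPLE = """guest,resource,source,level
alex@partner.example,/sites/finance,m365_group,Edit
alex@partner.example,/sites/finance/Budget.xlsx,sharing_link,View
sam@vendor.example,/sites/finance,site_group,Read
sam@vendor.example,/sites/finance/Contracts,sharing_link,Edit
"""

def load(text):
    """Parse the inventory CSV into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def effective_levels(rows):
    """Map each guest to the highest level granted by any source."""
    best = {}
    for row in rows:
        current = best.get(row["guest"])
        if current is None or RANK[row["level"]] > RANK[current]:
            best[row["guest"]] = row["level"]
    return best

def findings(rows, intended, default="Read"):
    """Return (guest, resource, source, level, action) for every grant above the intended level."""
    out = []
    for row in rows:
        limit = RANK[intended.get(row["guest"], default)]
        if RANK[row["level"]] > limit:
            out.append((row["guest"], row["resource"], row["source"],
                        row["level"], REVOKE[row["source"]]))
    return out

if __name__ == "__main__":
    rows = load(SAMPLE)
    print(effective_levels(rows))
    for finding in findings(rows, {"alex@partner.example": "Read"}):
        print(finding)
```

Dropping the `site_group` row for the second guest and re-running `effective_levels` still reports Edit, which is the "access after removal from site permissions" gap described earlier.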

You can now audit external guest permissions using the Check Permissions tool, the Microsoft 365 admin center, and the Sharing report. Run this checklist quarterly for sites that contain sensitive data. For advanced governance, create a Power Automate flow that automatically runs the Check Permissions tool and emails the results to the site owner. This automation ensures continuous compliance without manual effort.
