As a SharePoint site owner, you share content with external guests and need to confirm they can access only the files and folders you intend. Without a direct check, a guest may see content from a parent site or a connected Microsoft 365 Group that you did not explicitly share. This article explains how to use the Effective Permissions feature in SharePoint to verify a guest user’s exact access rights. You will learn a step-by-step checklist to run this check, understand common permission pitfalls, and see a comparison of permission types that affect guest access.
Key Takeaways: Check Guest Effective Permissions in SharePoint
- Site Settings > Site Permissions > Check Permissions: Run the Effective Permissions tool for any guest user by entering their email address.
- Microsoft 365 Group membership: Guests added to the connected group inherit group-level permissions on the site, which may be broader than intended.
- Unique permissions on items: Break inheritance on subfolders or documents to limit guest access without affecting the rest of the site.
Why Effective Permissions Matter for External Guests
SharePoint uses a permission inheritance model by default. When you add an external guest to a site, that guest receives the permission level assigned to the group they join — typically Members, Visitors, or Owners. If the site uses unique permissions on specific items, the guest’s effective access may be a combination of inherited and directly assigned rights. The Check Permissions tool calculates the final permission set for a user by evaluating all security groups, sharing links, and direct assignments. This calculation is critical for external guests because they may belong to an Azure AD guest group or a Microsoft 365 Group that grants access to multiple SharePoint sites, lists, or libraries without your direct knowledge.
The root cause of unexpected guest access is often permission inheritance from a parent object or group membership that grants a higher permission level than the guest needs. For example, adding a guest to the Members group gives them Edit rights to the entire site, including all document libraries and lists that inherit permissions. If you later break inheritance on a sensitive folder and deny the Members group, the guest might still retain access through a direct sharing link or a different group. The Effective Permissions tool resolves this uncertainty by showing the exact permissions the guest has on the specific item you select.
What Effective Permissions Does Not Show
The Check Permissions tool evaluates SharePoint permissions only. It does not check OneDrive sharing links, Azure AD Conditional Access policies, or sensitivity labels. These external controls can further restrict or allow access after SharePoint grants permission. For a complete security review, you must combine the Effective Permissions result with your organization’s identity and compliance policies.
Step-by-Step Checklist to Check Effective Permissions for a Guest
Follow these steps on a SharePoint Online site that you own. You must have Full Control or Manage Permissions permission on the site.
1. Navigate to Site Settings
   Open your SharePoint site in a browser. Select the gear icon in the upper right corner and choose Site Settings. If you do not see Site Settings, select Site Information then View All Site Settings.
2. Open Site Permissions
   Under Users and Permissions, select Site Permissions. This page shows all groups and users who have direct access to the site.
3. Launch the Check Permissions Tool
   On the ribbon, select Check Permissions. A dialog box appears with a single text field labeled User or Group.
4. Enter the Guest Email Address
   Type the full email address of the external guest. Select Check Now. SharePoint resolves the user and displays a list of all permission levels the guest has on the current site.
5. Review the Permission Summary
   The results show each permission level (Read, Contribute, Edit, Full Control, etc.) and the source of that permission — for example, via a SharePoint group, a direct assignment, or a sharing link. If the guest has multiple sources, the highest permission level applies.
6. Check a Specific Item or Folder
   To verify access on a particular document or folder, navigate to that item first. Open the item’s context menu, select Manage Access, then choose Advanced Permissions Settings. From the Permissions tab, select Check Permissions on the ribbon and enter the guest email again. This method shows permissions for that specific item only, not the entire site.
7. Document the Result
   Record the effective permission level and its source. If the guest has more access than intended, proceed to step 8.
8. Remove or Modify Unwanted Access
   Go back to the Site Permissions page. Select the group or user that grants the excessive permission. Remove the guest from that group or change the group’s permission level. Alternatively, break permission inheritance on the specific item and assign a more restrictive permission level directly.
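The same effective-permission result can be read outside the browser: SharePoint's REST `getusereffectivepermissions` call returns a 64-bit mask split into `High` and `Low` values. The following is an added example, not part of the original article, that decodes such a mask into named rights and lists everything a guest holds beyond an intended baseline. The function names are illustrative and the two sample masks are constructed for the example.

```python
# Added example: function names are illustrative, sample masks are constructed.
# PermissionKind value n corresponds to bit n-1 of the 64-bit permission mask.
PERMISSION_KIND = {
    "ViewListItems": 1, "AddListItems": 2, "EditListItems": 3,
    "DeleteListItems": 4, "ApproveItems": 5, "OpenItems": 6,
    "ViewVersions": 7, "DeleteVersions": 8, "CancelCheckout": 9,
    "ManagePersonalViews": 10, "ManageLists": 12, "ViewFormPages": 13,
    "Open": 17, "ViewPages": 18, "AddAndCustomizePages": 19,
    "ApplyThemeAndBorder": 20, "ApplyStyleSheets": 21, "ViewUsageData": 22,
    "CreateSSCSite": 23, "ManageSubwebs": 24, "CreateGroups": 25,
    "ManagePermissions": 26, "BrowseDirectories": 27, "BrowseUserInfo": 28,
    "AddDelPrivateWebParts": 29, "UpdatePersonalWebParts": 30, "ManageWeb": 31,
    "UseClientIntegration": 37, "UseRemoteAPIs": 38, "ManageAlerts": 39,
    "CreateAlerts": 40, "EditMyUserInfo": 41, "EnumeratePermissions": 63,
}


def decode_mask(perm):
    """Turn a {'High': ..., 'Low': ...} result into a set of right names."""
    mask = (int(perm["High"]) << 32) | int(perm["Low"])
    return {name for name, kind in PERMISSION_KIND.items()
            if (mask >> (kind - 1)) & 1}


def excess_rights(actual, intended):
    """Rights the guest holds that the intended level does not include."""
    return sorted(decode_mask(actual) - decode_mask(intended))


# Constructed sample masks: a read-style baseline and an edit-style result.
INTENDED_READ = {"High": "176", "Low": "138612833"}
GUEST_ACTUAL = {"High": "432", "Low": "1011030767"}

if __name__ == "__main__":
    for right in excess_rights(GUEST_ACTUAL, INTENDED_READ):
        print("guest holds unintended right:", right)
```

An empty result means the guest's effective rights stay within the baseline; any listed right points to a source (group, direct assignment, or sharing link) to trace in step 8.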
Common Issues When Checking Guest Permissions
Guest Email Does Not Resolve in Check Permissions
If the guest email returns no results, the user has not been added to the SharePoint site or the Microsoft 365 Group connected to the site. The guest must first be invited and accept the invitation. After acceptance, the user appears in the site’s People Picker. You can verify the guest’s presence by going to Site Permissions and looking under the Members or Visitors group. If the guest is not listed, send a new sharing invitation from the site.
Effective Permissions Shows Read but Guest Can Edit
This discrepancy usually occurs because the guest belongs to a Microsoft 365 Group that grants Edit permissions on a different site or a hub site that the current site inherits from. Check the guest’s membership in the Microsoft 365 admin center under Groups > Active groups. If the guest is a member of the connected group, they inherit the group’s permission level on all sites associated with that group. Remove the guest from the group or change the group’s SharePoint permission level in the site settings.
Guest Has Access to a Folder That Was Not Shared
The folder may inherit permissions from the parent library or site. Even if you did not share the folder directly, the guest may have received a sharing link from another user with Edit or Contribute rights. Use the Check Permissions tool on the specific folder as described in step 6. If the source is a sharing link, go to the library settings and select Manage Access to revoke the link. If the source is group membership, remove the guest from that group.
Site Permission vs Item Permission vs Group Membership: Key Differences
| Item | Site Permission | Item Permission | Group Membership |
|---|---|---|---|
| Scope | Entire site, all lists and libraries | Single file, folder, or list item | All sites and resources connected to the Microsoft 365 Group |
| Assignment method | Add user or group to site Visitors/Members/Owners | Break inheritance on item and assign directly | Add guest to the Group in Outlook or Teams |
| Permission levels | Read, Edit, Contribute, Full Control | Same levels but can be more restrictive | Same levels as site permission for the group |
| Inheritance | Child items inherit by default | Does not affect parent or sibling items | Applies to all group-connected SharePoint sites |
| Management location | Site Settings > Site Permissions | Item context menu > Manage Access > Advanced Permissions | Microsoft 365 admin center > Groups > Active groups |
| Impact on guest | Guest sees everything on the site | Guest sees only the specific item | Guest may see multiple sites without separate invitations |
Understanding these three permission scopes helps you predict what the Effective Permissions tool will show. If a guest has site-level Edit permission, they can read and edit all documents unless an item permission explicitly denies them. Group membership can grant access to sites you did not directly share, so always check the guest’s group memberships in Azure AD when the Effective Permissions result seems incorrect.
You now have a repeatable checklist to verify an external guest’s effective permissions on any SharePoint site or item. Run the Check Permissions tool after every guest invitation and after any permission change on a site or library. For ongoing audits, use SharePoint’s Access Reviews in the compliance center to automatically review and remove stale guest access.