When you invite an external guest to a SharePoint site, you need to confirm exactly what that guest can see and do. The permissions a guest receives may come from a SharePoint group, a Microsoft 365 group, a sharing link, or direct item-level access. Checking only the site-level permissions often misses folder or file-level restrictions.
This article explains why effective permissions for external guests can differ from what you expect. It covers the step-by-step workflow to check effective permissions for a guest user in SharePoint. You will learn how to verify access at the site, folder, and document level so you can confirm the guest has exactly the access you intend.
By the end, you will know how to use the Check Permissions tool and how to read the results correctly for external guests.
Key Takeaways: Check Guest Effective Permissions in SharePoint
- SharePoint site settings > Site permissions > Check Permissions: The primary tool to view what a specific guest user can access at the site level.
- Folder or file sharing dialog > Manage Access: Shows direct permissions granted to the guest on a specific item, including sharing links.
- SharePoint admin center > Active sites > Site permissions: Lets you audit all external users and their access for a site collection.
Why Effective Permissions for a Guest Can Be Misleading
A guest user in SharePoint is an external person who authenticates with a Microsoft account or a Microsoft Entra ID credential. Their effective permissions are the sum of all permissions they inherit or receive directly. This includes:
Membership in a SharePoint group such as Visitors, Members, or Owners. Membership in the associated Microsoft 365 group if the site is group-connected. Access through a sharing link that grants view or edit rights on a specific file or folder. Direct permission added on a folder or document that overrides site-level restrictions.
Because permissions can be granted at multiple levels, a guest who appears to have only Read access at the site level might have Edit access on a specific document library through a sharing link. Conversely, a guest who is a site visitor might be blocked from a folder that has unique permissions. The Check Permissions tool in SharePoint resolves this by calculating the exact permission set for that user on that object.
Prerequisites Before You Check Permissions
Before you run the Check Permissions tool, confirm the following:
- You have at least Site Owner permissions on the SharePoint site. The Check Permissions option is only visible to users with Full Control or Site Owner access.
- You have the guest user’s email address or display name as it appears in the Microsoft 365 People Picker.
- The guest user has accepted the invitation and has a valid Microsoft Entra ID guest account in your tenant. If the guest has not accepted, the Check Permissions tool will not find them.
Step-by-Step Workflow to Check Effective Permissions for an External Guest
Method 1: Use the Check Permissions Tool at the Site Level
- Open the site where the guest has access
Navigate to the SharePoint site. Click the gear icon on the top right and select Site permissions from the dropdown menu. - Access the Check Permissions dialog
On the Site permissions page, click the Check Permissions button on the command bar. A dialog box opens. - Enter the guest user’s name or email
Type the full email address of the external guest in the text box. Click Check Now. The tool searches for the user in your tenant. - Review the results
SharePoint displays all permission levels the guest has on the site. The result shows the source of each permission, such as a SharePoint group name or a direct assignment. If the guest has no access, the tool shows No permissions.
Method 2: Check Permissions on a Specific Folder or Document
- Navigate to the item
Browse to the document library and locate the folder or file you want to check. - Open the Manage Access pane
Click the three dots (ellipsis) next to the item and select Manage Access from the menu. A panel opens on the right side. - View direct permissions for the guest
The Manage Access panel lists all users and groups with direct permissions on that item. If the guest has a sharing link, it appears here. You can see the permission level, such as Can edit or Can view. - Click Advanced Settings to see inherited permissions
At the bottom of the Manage Access panel, click Advanced Settings. This opens the full permissions page for the item. Use the Check Permissions button again to run the tool for that specific item.
Method 3: Audit All External Users for a Site Using the SharePoint Admin Center
- Open the SharePoint admin center
Go to admin.microsoft.com. In the left navigation, select Admin centers and then SharePoint. - Locate the site
Under Sites, select Active sites. Find the site that contains the guest user. Click the site name to open its details panel. - Go to Site permissions
In the details panel, scroll to the Site permissions section. Click Manage or View permissions. This shows all users with access, including external guests. - Filter to see only guests
Use the filter drop-down to select External users. You can see each guest’s permission level. Click a guest name to view their exact permissions on the site.
Common Mistakes When Interpreting Guest Permissions
The Check Permissions tool returns no results for a guest
This happens when the guest has not accepted the invitation or their account has been deleted from Microsoft Entra ID. Resend the sharing invitation and ask the guest to accept. If the guest account is deleted, remove the old guest and add them again.
A guest can access a file but the Check Permissions tool shows no access
This occurs when the guest has access through a sharing link that grants them permission only to that specific file. The Check Permissions tool at the site level does not evaluate sharing links. Use Method 2 and check the Manage Access panel on the specific file to see the link-based permission.
Permission level shown is different from what the guest actually experiences
If a guest is a member of both a SharePoint group and a Microsoft 365 group, the effective permission is the combination of both. For example, if the SharePoint Visitors group grants Read access but the Microsoft 365 group grants Edit access, the guest will have Edit access. Always check both group memberships in the Check Permissions results.
| Item | Check Permissions Tool | Manage Access Panel |
|---|---|---|
| Scope | Entire site, folder, or file | Specific item only |
| Sharing links included | No | Yes |
| Inherited permissions shown | Yes | Yes, via Advanced Settings |
| Best for | Confirming site-level access | Confirming item-level access |
You can now verify effective permissions for any external guest in SharePoint using the Check Permissions tool, the Manage Access panel, or the SharePoint admin center. Always start at the site level and then drill into specific items if the guest reports access issues. As an advanced tip, use the SharePoint admin center to generate a report of all external users across your sites for a quarterly access review. This workflow helps you maintain security and compliance when collaborating with external guests.