When you upload a new file into a SharePoint document library folder, the file may not inherit the folder’s unique permissions. Instead, the file inherits permissions from the parent library or site. This breaks your intended access control and can expose sensitive data to the wrong users. The root cause is how SharePoint handles permission inheritance at the folder and item level. This article explains why this happens and provides a reliable fix using Power Automate.
Key Takeaways: Breaking Permission Inheritance for New Files
- SharePoint permission inheritance model: Files inherit permissions from the parent library, not from the folder, unless the folder has unique permissions.
- Power Automate flow trigger: Use the “When a file is created in a folder” trigger to detect new uploads in a specific folder.
- Send HTTP request to SharePoint action: Use this action to break permission inheritance on the new file and apply folder-level permissions.
Why Folder Permissions Do Not Apply to Newly Uploaded Files
SharePoint uses a hierarchical permission inheritance model. By default, every item in a document library inherits permissions from the library itself. When you break permission inheritance on a folder and assign unique permissions to that folder, those permissions apply only to the folder object. Any new file uploaded into that folder does not automatically inherit the folder’s unique permissions. Instead, the new file inherits permissions from the parent library. This is by design. SharePoint does not propagate folder-level permissions to child items unless you explicitly break inheritance on each item.
The technical term for this behavior is “broken inheritance at the item level.” The folder has unique permissions, but newly created files within it do not. To enforce folder permissions on new files, you must break permission inheritance on each file and then copy the folder’s permission assignments to the file. This is not possible through the SharePoint user interface in bulk. You must use a Power Automate flow or a PowerShell script to automate the process.
How to Fix New Files Not Inheriting Folder Permissions
The following steps create a Power Automate flow that triggers when a file is added to a specific folder. The flow breaks permission inheritance on the new file and applies the same permissions that exist on the folder.
- Go to Power Automate and create an automated cloud flow
Sign in to Power Automate at make.powerautomate.com. Select Create from the left menu, then choose Automated cloud flow. Give your flow a name such as “Apply Folder Permissions to New Files.”
- Add the SharePoint trigger “When a file is created in a folder”
Search for the trigger When a file is created in a folder and select it. Set the Site Address to your SharePoint site. Set the Folder to the specific folder that has unique permissions. This trigger runs each time a file is added to that folder.
- Add a step to get the folder’s permission assignments
Click New step and search for the action Send an HTTP request to SharePoint. Set the Site Address to your site. Set the Method to GET. In the Uri field, enter: `_api/web/lists/getbytitle('Documents')/items({Folder_ID})/roleassignments`
Replace `{Folder_ID}` with the folder’s ID. Use the ID dynamic content from the trigger if available. If not, use a separate action to retrieve the folder’s ID by its path.
- Parse the JSON response from the folder permissions request
Add a Parse JSON action. Set the Content to the body of the HTTP request response. Use this schema to extract the role assignments:
```json
{
  "type": "object",
  "properties": {
    "value": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "PrincipalId": { "type": "integer" },
          "RoleDefinitionBinding": { "type": "string" }
        }
      }
    }
  }
}
```
This schema may need adjustment based on your environment. The goal is to capture each principal ID and role definition.
- Break permission inheritance on the new file
Add another Send an HTTP request to SharePoint action. Set the Method to POST. In the Uri field, enter: `_api/web/lists/getbytitle('Documents')/items({Item_ID})/breakroleinheritance(copyRoleAssignments=false, clearSubscopes=true)`
Replace `{Item_ID}` with the ID dynamic content from the trigger. Set the Headers to include `Content-Type: application/json;odata=verbose`. Set Body to empty or `{}`.
- Apply the folder’s permissions to the new file
Add an Apply to each control. In the Select an output from previous steps field, choose the value array from the parsed JSON. Inside the loop, add a third Send an HTTP request to SharePoint action. Set the Method to POST. In the Uri field, enter: `_api/web/lists/getbytitle('Documents')/items({Item_ID})/roleassignments/addroleassignment(principalid={PrincipalId}, roledefid={RoleDefinitionId})`
Replace `{Item_ID}` with the file’s ID, `{PrincipalId}` with the current item’s PrincipalId, and `{RoleDefinitionId}` with the role definition ID from the parsed JSON.
- Save and test the flow
Click Save at the top. Upload a test file to the target folder. Check the flow run history to confirm it ran successfully. Verify the new file’s permissions in SharePoint by selecting the file, clicking the information icon, then Manage access.
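The request sequence the flow sends for one file, and a check of the result, as an added example that is not part of the original article. It assumes the folder GET is issued with `?$expand=RoleDefinitionBindings` so each assignment carries its role definition IDs; the function names and the sample principal IDs are hypothetical.

```python
import json

# Built-in "Limited Access" role; SharePoint manages it itself and rejects direct grants.
LIMITED_ACCESS = 1073741825

def bindings(response_body):
    """(PrincipalId, role definition Id) pairs from a roleassignments response
    fetched with ?$expand=RoleDefinitionBindings (assumed odata=nometadata shape)."""
    pairs = set()
    for ra in json.loads(response_body).get("value", []):
        for rd in ra.get("RoleDefinitionBindings", []):
            if rd["Id"] != LIMITED_ACCESS:
                pairs.add((int(ra["PrincipalId"]), int(rd["Id"])))
    return pairs

def plan_requests(folder_body, item_id, list_title="Documents"):
    """Ordered REST calls the flow sends for one new file."""
    wanted = bindings(folder_body)
    if not wanted:  # empty folder assignments: nothing would be copied to the file
        raise ValueError("folder has no role assignments to copy")
    base = f"_api/web/lists/getbytitle('{list_title}')/items({item_id})"
    calls = [("POST", f"{base}/breakroleinheritance(copyRoleAssignments=false, clearSubscopes=true)")]
    for principal, role in sorted(wanted):
        calls.append(("POST", f"{base}/roleassignments/addroleassignment"
                              f"(principalid={principal}, roledefid={role})"))
    return calls

def drift(folder_body, file_body):
    """Compare a file's assignments with the folder's after a flow run."""
    want, have = bindings(folder_body), bindings(file_body)
    return {"missing": sorted(want - have), "extra": sorted(have - want)}

# Constructed sample responses (principal IDs are made up; 1073741826/27/29 are
# the built-in Read / Contribute / Full Control role definition IDs).
FOLDER = json.dumps({"value": [
    {"PrincipalId": 12, "RoleDefinitionBindings": [{"Id": 1073741827, "Name": "Contribute"}]},
    {"PrincipalId": 15, "RoleDefinitionBindings": [{"Id": 1073741826, "Name": "Read"},
                                                   {"Id": LIMITED_ACCESS, "Name": "Limited Access"}]},
]})
FILE_AFTER = json.dumps({"value": [
    {"PrincipalId": 12, "RoleDefinitionBindings": [{"Id": 1073741827, "Name": "Contribute"}]},
    {"PrincipalId": 7, "RoleDefinitionBindings": [{"Id": 1073741829, "Name": "Full Control"}]},
]})

if __name__ == "__main__":
    for method, uri in plan_requests(FOLDER, 42):
        print(method, uri)
    print(drift(FOLDER, FILE_AFTER))
```

A non-empty `missing` list means a folder principal never received access to the file; `extra` lists grants on the file that the folder does not have and that should be reviewed.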
If the Flow Does Not Work or You Need an Alternative
Power Automate flow fails with 403 Forbidden
The flow account must have at least Edit permissions on the document library and the target folder. If the account lacks permissions to break inheritance on items, the HTTP request returns a 403 error. Grant the flow owner full control on the library or use a service account with appropriate permissions.
Permission inheritance breaks but permissions are empty
If the folder itself has no explicit role assignments after breaking inheritance, the folder may still inherit from the parent. Verify the folder has unique permissions with at least one user or group assigned. If the folder’s role assignments array is empty, the flow copies nothing. Assign at least one permission to the folder first.
You need to apply permissions to files in all subfolders
The trigger in this flow watches a single folder. To cover all subfolders, create a separate flow for each subfolder or use a PowerShell script with PnP PowerShell. The script can iterate through all folders with broken inheritance and apply permissions to new files recursively.
Manual Fix vs Automated Fix: Comparison
| Item | Manual Fix | Power Automate Flow |
|---|---|---|
| Effort per file | High — requires clicking through permissions for each file | None after flow is created |
| Scalability | Not scalable beyond a few files | Handles hundreds of files automatically |
| Error risk | High — easy to miss a file or misassign permissions | Low — flow applies exact same permissions as folder |
| Maintenance | None | Requires monitoring flow runs and updating if folder permissions change |
You now understand why folder permissions do not apply to newly uploaded files in SharePoint. The fix requires breaking permission inheritance on each new file and copying the folder’s role assignments. Use the Power Automate flow in this article to automate this process. For a faster alternative, consider using PnP PowerShell with a scheduled Azure Automation runbook to scan and fix permissions daily.