Site owners sometimes open the Advanced Permissions page in a SharePoint site and find that the standard permission levels — Full Control, Edit, Contribute, Read — are missing or only a subset appears. This problem usually occurs because the site is connected to a Microsoft 365 group, which changes how permissions are managed. Instead of using classic permission levels, the site relies on group membership roles. This article explains why the permission levels disappear and shows exactly what site owners should check in SharePoint admin center and site settings to restore or understand the behavior.
Key Takeaways: What to Check When SharePoint Permission Levels Are Missing
- Site Settings > Site Permissions > Advanced Permissions Settings: Opens the classic permissions page where permission levels are listed; missing levels indicate group-connected site behavior.
- SharePoint admin center > Active sites > site properties > Group-connected: Shows whether the site is connected to a Microsoft 365 group, which hides most permission levels by design.
- SharePoint admin center > Permission levels: Custom permission levels can be created here and assigned to groups even for group-connected sites, restoring granular control.
Why SharePoint Permission Levels Are Missing From Advanced Permissions
When a SharePoint site is connected to a Microsoft 365 group, the site uses group roles — Owner, Member, and Visitor — instead of the classic SharePoint permission levels. The Advanced Permissions page in Site Settings still exists, but it shows only a limited set of permission levels. Specifically, you may see only Limited Access, and the standard levels like Full Control, Edit, Contribute, and Read are absent. This is by design. Microsoft 365 group-connected sites do not allow direct assignment of classic permission levels to users. Instead, permissions are managed through the group’s membership. The group Owner role maps to Full Control, Member maps to Edit, and Visitor maps to Read. If you attempt to add a user directly via the Advanced Permissions page, the system may block the action or show an error. The root cause is the site’s connection to the Microsoft 365 group, not a configuration error or a bug.
Group-Connected Sites vs Classic Sites
A classic SharePoint site — one not connected to a Microsoft 365 group — displays all standard permission levels in the Advanced Permissions page. Site owners can assign any level to any user or group. In a group-connected site, the Advanced Permissions page is still accessible, but the permission levels dropdown is restricted. This difference confuses many site owners who expect to see the full list. The missing levels are not a sign of corruption or misconfiguration. They are a deliberate limitation enforced by the Microsoft 365 group architecture.
How the Permission Inheritance Chain Works
SharePoint sites can inherit permissions from the parent site or break inheritance. In a group-connected site, the top-level site always inherits permissions from the Microsoft 365 group. If you break inheritance on a subsite, you can assign custom permission levels, but the top-level site remains tied to the group. This means that even if you create custom permission levels for a subsite, the top-level site will still show limited levels in the Advanced Permissions page. Understanding this inheritance chain helps site owners know where to look when levels appear missing.
Steps to Check and Resolve Missing Permission Levels
Follow these steps to verify the site type, review current permission levels, and, if needed, create custom permission levels for group-connected sites.
- Check if the site is group-connected
Open the SharePoint admin center. Go to Active sites. Find your site in the list. Click the site name to open the properties panel. Look for the Group-connected field. If it shows Yes, the site is connected to a Microsoft 365 group. This confirms that the missing permission levels are by design. - Open Advanced Permissions Settings
Navigate to your SharePoint site. Click the gear icon and select Site Permissions. On the Permissions page, click Advanced Permissions Settings in the ribbon. This opens the classic permissions page. On the ribbon, click Permission Levels. Here you will see a list of available permission levels. If only Limited Access appears, the site is group-connected and classic levels are hidden. - Review the Microsoft 365 group membership
In the SharePoint admin center, go to Active teams and groups > Microsoft 365 groups. Find the group associated with your site. Click the group name to see Owners and Members. Owners have Full Control, Members have Edit, and guests or external users have Read. Adjust group membership here instead of using classic permission levels. - Create custom permission levels for the site
Even for group-connected sites, you can create custom permission levels. In the Advanced Permissions page, click Permission Levels. Click Add a Permission Level. Give the level a name, such as Custom Contribute. Select the permissions you want to include. Click Create. The new level will now appear in the permission levels list and can be assigned to SharePoint groups, though it will not override the Microsoft 365 group roles for the top-level site. - Assign custom permission levels to a SharePoint group
In the Advanced Permissions page, click Create Group. Name the group, set the group owner, and select the custom permission level from the dropdown. Add members to the group. This group can be used on subsites or libraries where you have broken inheritance. The custom level will apply to those items.
If SharePoint Still Has Issues After the Main Fix
Even after checking the group connection and creating custom levels, you may encounter scenarios where permission levels remain missing or behave unexpectedly. Below are common issues and their solutions.
Permission Levels Missing on a Subsites After Breaking Inheritance
If you break inheritance on a subsite, the Advanced Permissions page should show all standard permission levels. If they are still missing, the subsite may be inheriting from a parent that is group-connected. To fix this, go to the subsite, click Site Permissions, and click Break Permissions Inheritance. Then check the Permission Levels page again. The full list should appear.
Cannot Assign Custom Permission Level to a User
If you try to assign a custom permission level to a user directly on a group-connected site, SharePoint may block the action. This is because the user must be added to the Microsoft 365 group first. Add the user to the appropriate group role (Owner, Member, Visitor) instead. For subsites with broken inheritance, you can add users directly and assign the custom level.
Permission Levels Show but Are Grayed Out
Grayed-out permission levels indicate that the current user does not have permission to assign them. Only site owners and users with Full Control can assign permission levels. If you are a site owner and levels are grayed out, check that your account has Full Control in the Microsoft 365 group. You may need to ask a global admin to promote you to Owner in the group.
| Item | Group-Connected Site | Classic Site |
|---|---|---|
| Default permission levels shown | Limited Access only | Full Control, Edit, Contribute, Read, Limited Access |
| How users get permissions | Through Microsoft 365 group membership | Direct assignment or SharePoint groups |
| Custom permission levels supported | Yes, on subsites with broken inheritance | Yes, on any site |
| Advanced Permissions page accessible | Yes, but limited functionality | Yes, full functionality |
| Best for | Teams, project collaboration | Document management, intranet publishing |
Site owners now understand that missing permission levels on the Advanced Permissions page are a normal behavior for group-connected sites. Check the site’s group connection status in SharePoint admin center as the first step. If you need granular control, create custom permission levels for subsites or libraries where inheritance is broken. For top-level permissions, manage users through the Microsoft 365 group membership. An advanced tip: use the SharePoint admin center Permission levels page to create a custom level named Restricted Read that removes the ability to view version history, and assign it to a SharePoint group on a document library with broken inheritance. This gives you fine-grained control without affecting the group’s default roles.