
3 Ways to Clean Up SharePoint Permissions: An Admin Guide

The table below shows how three approaches to SharePoint permissions cleanup compare across the dimensions that matter most to admins managing more than a handful of sites.

| Capability | Native Admin Center | PnP PowerShell | ShareMaster |
| --- | --- | --- | --- |
| Bulk remove unique permissions | No (item by item) | Yes (scripted) | Yes (GUI) |
| Shared link audit and bulk removal | Partial (site-level report only) | Yes (scripted) | Yes (GUI) |
| Tenant-wide scope | Partial | Yes | Yes |
| Export audit report to Excel | No | Possible (custom script) | Yes (built-in) |
| Skill level required | Basic | Advanced | Basic |
| Preview before deletion | No | Possible (audit mode) | Yes |
| Cost | Included in Microsoft 365 | Included in Microsoft 365 | Paid (trial available) |

Approach 1: SharePoint Admin Center and Native UI

The Microsoft 365 admin center and the SharePoint admin center provide some visibility into permissions, but bulk cleanup tools are limited.

What you can do natively:

  • View permission levels at the site collection level
  • See a list of sharing links for a specific site from the admin center's Sharing report
  • Change external sharing settings at the site or organisation level
  • Remove individual users from individual items from within each library

What you cannot do natively:

  • Identify all items with broken inheritance across a tenant in one view
  • Bulk-restore inheritance on a folder tree without navigating each item
  • Remove all shared links of a given type (Anyone, Specific People, Organisation) across a library in one action
  • Export a full permission matrix to Excel directly from the admin center

For a site with a clean permission structure and a few dozen items, native tools are sufficient. For anything larger, you quickly reach the limits of what the UI was designed to support.

Microsoft Entra ID (formerly Azure AD) does give admins a view of external user access tokens and lets you revoke access at the identity level, but this approach affects all services, not just SharePoint, and does not address intra-tenant unique permissions.

Approach 2: PnP PowerShell

PnP PowerShell exposes the full SharePoint permissions API and can automate almost any cleanup task. Common operations include:

  • Enumerating all lists and libraries in a site with broken inheritance: Get-PnPList -Includes HasUniqueRoleAssignments
  • Restoring inheritance on a specific item: Set-PnPListItemPermission -InheritPermissions
  • Listing sharing links on a file: Get-PnPFileSharingLink
  • Removing a specific sharing link: Remove-PnPFileSharingLink

Note: PnP PowerShell's sharing link cmdlets require a delegated or application permission with at least Sites.ReadWrite.All. Removing organisation-wide sharing links may require GlobalAdmin or SharePoint admin roles depending on your tenant configuration. Test in a non-production site first and run any deletion loop with a dry-run flag before committing.

The case for PnP PowerShell is strongest when you need a repeatable, schedulable cleanup job. A well-written script runs on a nightly schedule, keeps permissions tidy without manual intervention, and logs every change to the Microsoft 365 audit trail.

The case against: writing a reliable, tenant-wide permissions cleanup script takes significant time. Handling pagination, throttling, error recovery, and the edge cases around items with deeply nested unique permissions can turn a weekend script into a multi-week project. If you need to run a cleanup once or quarterly rather than nightly, the scripting overhead is hard to justify.
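
The audit-first pattern described above, as an added example that is not part of the original page or any vendor's code: it writes a baseline CSV of every item-level unique permission in one site and restores inheritance only when run with -Apply. The script parameters ($SiteUrl, $ClientId, $BaselineCsv, $Apply) are assumptions; supply your own site URL and Entra ID app registration.

```powershell
# Added example. Read-only unless -Apply is given; parameter names are illustrative.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $SiteUrl,   # placeholder: your site collection URL
    [Parameter(Mandatory)] [string] $ClientId,  # placeholder: your Entra ID app registration
    [string] $BaselineCsv = '.\unique-permissions-baseline.csv',
    [switch] $Apply                             # dry run by default
)

Connect-PnPOnline -Url $SiteUrl -Interactive -ClientId $ClientId

$findings = @(foreach ($list in Get-PnPList -Includes HasUniqueRoleAssignments) {
    if ($list.Hidden) { continue }              # skip system lists
    # -PageSize pages through large lists instead of issuing one oversized query
    foreach ($item in Get-PnPListItem -List $list -PageSize 500) {
        $unique = Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments
        if (-not $unique) { continue }
        # Record every principal and role before anything is changed
        $assignments = Get-PnPProperty -ClientObject $item -Property RoleAssignments
        foreach ($ra in $assignments) {
            Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
            [pscustomobject]@{
                List         = $list.Title
                ListIsUnique = $list.HasUniqueRoleAssignments
                ItemId       = $item.Id
                Path         = $item.FieldValues['FileRef']
                Principal    = $ra.Member.LoginName
                Roles        = (($ra.RoleDefinitionBindings | ForEach-Object Name) -join '; ')
            }
        }
    }
})

# Baseline first: restoring inheritance discards these assignments
$findings | Export-Csv -Path $BaselineCsv -NoTypeInformation -Encoding UTF8

foreach ($t in ($findings | Select-Object List, ItemId, Path -Unique)) {
    if (-not $Apply) {
        Write-Host "DRY RUN: would restore inheritance on $($t.Path)"
        continue
    }
    try {
        Set-PnPListItemPermission -List $t.List -Identity $t.ItemId -InheritPermissions -ErrorAction Stop
        Write-Host "Restored inheritance on $($t.Path)"
    } catch {
        Write-Warning "Failed on $($t.Path): $($_.Exception.Message)"
    }
}
```

Review the CSV and the dry-run output before re-running with -Apply; the CSV is also what you would use to re-apply any assignment that turns out to have been intentional.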

Approach 3: ShareMaster Shared Links and Permissions

ShareMaster's Shared Links and Permissions tool targets the two most common permission sprawl problems: orphaned sharing links (Anyone links, expired guest invitations, broad organisation links) and items with unique permissions that should inherit from their parent.

The workflow in ShareMaster:

  1. Connect to your Microsoft 365 tenant with an admin account.
  2. Select the site collection or library to audit.
  3. Run the Shared Links scan to see all active sharing links, sorted by link type, creation date, and scope.
  4. Filter to Anyone links, links with no expiry, or links shared with external users.
  5. Select the links to remove and click Delete. ShareMaster confirms before taking action.
  6. Optionally run the Unique Permissions scan to identify items with broken inheritance. Review the list, then restore inheritance in bulk on selected items.

Report Master's permission export complements this workflow. Before removing any permissions, export the current permission matrix to Excel as a baseline record. This gives you evidence of the pre-cleanup state and simplifies any subsequent compliance or audit query.

How to Choose the Right Approach for Permissions Cleanup

The right choice depends on your team's skills, the size of your tenant, and how often you need to run the cleanup:

  • Use the native admin center if you are cleaning up a single site, your team does not use PowerShell, and the permission structure is straightforward with fewer than a hundred unique assignments.
  • Use PnP PowerShell if you need a fully automated, scheduled cleanup that integrates with your existing scripts, you are comfortable with API throttling and error handling, and you have the development time to build and test the script properly.
  • Use ShareMaster if you need to clean up permissions across multiple sites without scripting, you want a preview of changes before committing, you need an Excel export for compliance, or you are running a one-off or quarterly cleanup where building a PowerShell script is not cost-effective.

For most SharePoint admins managing between 20 and 500 sites, ShareMaster's approach offers the best balance of scope, safety, and speed. The built-in audit export and preview step reduce the risk of accidental over-removal, which is the most common pitfall of scripted approaches.

See also: how to audit SharePoint shared links step by step, which covers the audit workflow in more detail before you start removing anything.

Frequently Asked Questions

What is a unique permission in SharePoint Online?

A unique permission is a permission assignment on a list, library, folder, or item that has been broken from its parent site's inherited permission chain. Once inheritance is broken, that object has its own permission list managed independently. Unique permissions accumulate over time and are the primary driver of SharePoint permission sprawl.

How do I know if my SharePoint tenant has a permissions sprawl problem?

Key indicators include: permission reports that take many minutes to generate, users regularly accessing content they should not see, a high count of unique permission entries in any report you run, and many active Anyone sharing links with no expiry date.

Can I remove SharePoint shared links in bulk?

Not through the native admin center UI. The admin center shows sharing link reports at the site level but does not offer bulk removal. PnP PowerShell can enumerate and revoke links via the API. ShareMaster's Shared Links and Permissions tool provides a GUI for filtering links by type or age and removing them in bulk across multiple libraries.

Does restoring inheritance delete custom permissions I set intentionally?

Yes. Restoring inheritance on an item replaces its unique permission list with the parent's inherited permissions. Any custom assignments made after inheritance was broken are removed. Always export a permission report first so you can re-apply intentional custom permissions if needed.
