Your input shapes our product. Suggest a feature now →
Features Pricing Demos Add-ons Blog Guides Use cases Compare Tools Alerts FAQ Contact Sign in Start free trial
  1. Home
  2. Guides
  3. Export Permissions to Excel

How to Export SharePoint Permissions to Excel

A SharePoint Online tenant with 50 site collections and typical inheritance breaks contains hundreds of unique permission configurations spread across libraries, folders, and individual list items. Documenting that by hand takes days. This guide shows how to get a complete permission matrix into Excel in a single operation using ShareMaster's Report Master.

What SharePoint Online does not give you natively

The SharePoint admin centre shows site-level membership for each site collection. It does not surface library-level or item-level unique permissions, does not export to Excel, and has no cross-site query capability. The classic workaround is PnP PowerShell: enumerate every web, list, library, folder, and item, collect each access control list, write a CSV. That approach works, but it takes time to author, test, and maintain. It also calls the same throttled SharePoint REST API, so a full tenant scan can run for hours in a script versus minutes in a tool built to batch and retry efficiently.

For a reference on what each permission level actually grants, see the SharePoint Permission Levels Reference.

What does a permission matrix export contain?

A well-structured export has one row per permission assignment. Each row answers four questions:

  • Who: a user (display name and email) or a SharePoint group (name, plus its resolved members).
  • What: the site, library, folder, or item, identified by its full URL.
  • How much: the permission level (Full Control, Design, Edit, Contribute, Read, or a custom level).
  • Inherited or unique: whether the permission follows the parent hierarchy or breaks from it.

For governance reviews, the inherited/unique column matters most. Every "Unique" row is a place where someone clicked "Stop inheriting permissions" and manually assigned access. Most of those decisions outlive the reason they were made.

Step 1: Connect with a SharePoint admin account

Open ShareMaster and sign in with a SharePoint Administrator or Global Administrator account. Report Master uses delegated authentication. If you are running this for a client, use an admin account within their tenant.

You need site collection administrator access to read library-level and item-level permissions on any given site. If you are not a site collection admin on all sites, Report Master will still return site-level data and flag sites where deeper access was unavailable.

Step 2: Choose scope and depth

  1. In Report Master, select Permission Matrix from the report menu.
  2. Tick the site collections to include. You can select all sites or pick a specific subset.
  3. Set the scan depth:
    • Site level: shows site membership only. Fast. Good for an initial tenant-wide overview.
    • Library level: adds unique permissions on each document library and list. Covers the majority of access sprawl in most tenants.
    • Full depth: includes folders and individual items with unique permissions. The most complete picture, and the longest to run on large sites.
Tip: run a library-level scan first to identify which sites have the most unique permission breaks. Then target a full-depth scan on just those sites. This surfaces 90% of the risk at a fraction of the total scan time.

Step 3: Export to Excel and read the output

Click Export to Excel. Report Master scans the selected scope, resolves group memberships, handles API throttling, and writes the workbook when complete. The key columns to work with:

Column What it contains Recommended use
Object URL Full URL of the site, library, folder, or item Navigate directly to the object needing review
Object Type Site / Library / Folder / Item Filter to Item to surface item-level unique permissions, which are the noisiest in most tenants
Principal User display name and email, or SharePoint group name Filter by one person's name to see all their access across the tenant
Permission Level Full Control, Design, Edit, Contribute, Read, or custom Filter to Full Control to find highest-privilege assignments outside standard owner groups
Inheritance Inherited or Unique Filter to Unique to isolate all non-standard permission breaks in the tenant
Group Members Individual users inside a SharePoint group (when principal is a group) Expand group membership without opening the SharePoint admin centre

The highest-signal starting filter is Inheritance = Unique combined with Permission Level = Full Control. This surfaces every place where someone has been given site-owner-equivalent access outside the normal group structure. Each of those rows deserves a quick review.

Learn more about Report Master's export capabilities

Step 4: Taking action on the results

A permission export becomes valuable when it drives a specific action rather than sitting in a folder. Three practical follow-up tasks:

Remove stale unique permissions

Filter for users who have left the organisation, changed roles, or no longer need access. Cross-reference with your Entra ID directory to confirm current status. Then use ShareMaster's Shared Links and Permissions tool to bulk-remove the identified assignments without navigating each site individually.

Flatten permission breaks before a migration

Sites with hundreds of unique permission breaks are significantly harder to migrate cleanly. Running a permission cleanup before a migration means that Clone Master carries a simpler, more intentional permission structure to the destination tenant. For a full picture of what a permission audit involves before migration, see the SharePoint permissions audit guide.

Produce a compliance snapshot

Save the exported workbook with a datestamp, filter to Full Control and Edit assignments, and share it with your security or compliance team. The output is self-explanatory and requires no SharePoint access to read. It works well as evidence for internal audits, SOC 2 reviews, or pre-acquisition due diligence where an acquirer needs to understand data access scope across the Microsoft 365 tenant.

Frequently Asked Questions

Can SharePoint Online export permissions to Excel natively?

No. SharePoint Online has no built-in permission export. You can view assignments through Site Settings one object at a time, but there is no export-to-Excel option across a site or tenant. PnP PowerShell provides the raw scripting capability; Report Master automates the same result without requiring any code.

What permission levels appear in the export?

The Report Master export includes all SharePoint permission levels: Full Control, Design, Edit, Contribute, Read, and any custom permission levels defined in the site collection. It also resolves SharePoint group membership so individual users inside groups are visible in the output.

How long does a full export take?

A single site at library depth typically completes in under two minutes. A full tenant scan across hundreds of sites at full depth may take 15 to 30 minutes, depending on how many uniquely-permissioned objects exist. Report Master handles SharePoint API throttling automatically, so the scan runs unattended to completion.

What admin role is required?

A SharePoint Administrator or Global Administrator role in Microsoft 365. You also need site collection administrator access for library-level and item-level depth on a given site. Global Administrators have the necessary permissions automatically.

Try ShareMaster free for 14 days