Broken permission inheritance is one of the most common hidden risks in any SharePoint Online tenant. Every time a user shares a single file directly, grants one-off access to a contractor, or clicks "Stop inheriting permissions" in a library, SharePoint carves out a separate permission set for that item. Multiply this across hundreds of sites and thousands of libraries and you end up with an access structure nobody can audit, let alone control systematically.
This guide shows you how to identify libraries and sites with unique permissions, restore inheritance through the SharePoint interface, scale the fix with PowerShell, and set up controls that stop the problem from returning.
What is broken permission inheritance in SharePoint?
Permission inheritance is SharePoint's default: a document library inherits from the site that contains it, and that site inherits from the site collection root. Breaking inheritance creates a separate, independent permission set on that object, which is then no longer managed as part of the parent hierarchy at all. "Broken inheritance" as an admin problem is the accumulation of many such breaks across a tenant, each one the result of a legitimate-sounding action at the time it was taken.
The common triggers:
| Action | What it breaks |
|---|---|
| Sharing a file with a specific person from within SharePoint | Item-level inheritance on that file |
| Granting a contractor access to a single document library | Library-level inheritance |
| Clicking "Stop Inheriting Permissions" in a library's Permission Settings | Library-level inheritance |
| Running a migration that applied source permissions directly to the destination library | Library-level inheritance on migrated libraries |
| Creating a site from a custom template that included unique permissions | Site-level inheritance from the site collection root |
How to identify lists and libraries with broken inheritance
In the SharePoint interface
For individual sites, open the site and go to Site Settings (gear icon) then Site permissions. At the top of the permissions page, SharePoint displays whether the site inherits from its parent or has unique permissions. Checking each library within a site requires navigating to Library Settings, then Permissions for this document library for each one separately. This approach is practical for a handful of sites but does not scale across a tenant.
With ShareMaster Report Master
Report Master generates exportable permission matrices across SharePoint sites. The export includes inheritance status per library, making it straightforward to filter for libraries with unique permissions in Excel without clicking through the SharePoint admin interface site by site. Run the report, filter the "Inherits Permissions" column for "No", and you have a prioritised list of libraries to fix.
Using PnP PowerShell
PnP PowerShell can enumerate all lists in a site and report their inheritance status. Connect to the site, retrieve the site's lists, and inspect the HasUniqueRoleAssignments property on each list object. Wrapping this in a loop across multiple site collections produces a tenant-wide inventory. The approach works well for tenants comfortable with PowerShell scripting; Report Master is the faster path for administrators who prefer a GUI output.
How to fix broken SharePoint permission inheritance on a single library
- Open the SharePoint site containing the library and navigate to the document library.
- Click the Settings gear in the top right and select Library settings. On the classic settings page, click Permissions for this document library.
- Review the banner at the top of the permissions page. If it reads "This library has unique permissions", unique permissions are in place. If it reads "This library inherits permissions from its parent", no action is required.
- Click Delete unique permissions in the ribbon. A confirmation dialog appears warning that the library's custom permissions will be replaced by the parent site's permissions.
- Click OK. The page refreshes. The banner should now read "This library inherits permissions from its parent."
- Verify by checking that the permission entries shown match the parent site's groups. If someone needed individual access to the library, add them to the appropriate SharePoint group on the parent site rather than granting direct access to the library again.
The same process applies to individual sites: go to Site Settings, click Site permissions, then use Delete unique permissions to reset the site to inherit from its parent.
Fixing broken inheritance across multiple sites
For large remediation projects covering dozens or hundreds of libraries, a manual click-through approach is not practical. Two options exist for bulk remediation.
PnP PowerShell can iterate through all lists in a site and call the SharePoint CSOM method to reset role inheritance on each list where HasUniqueRoleAssignments is true. Extending the script to loop across multiple site collection URLs makes it possible to cover an entire tenant in a single run. Before running any bulk operation, test on a non-production site and confirm the expected permission change is in place.
The Microsoft 365 admin centre does not provide a bulk permission inheritance reset. All bulk remediation for SharePoint permission inheritance requires either manual click-through or scripting.
For environments that need to track who had what access before the reset, export the permissions report from Report Master before running any bulk script. The Excel export serves as an audit trail and a reference for re-adding any access that needs to be restored post-remediation.
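The PnP PowerShell inventory from the identification section and the bulk reset described above, combined with a pre-reset snapshot of each library's role assignments, as an added example (not ShareMaster's or Microsoft's own script). The site URL, client ID and CSV path are placeholders, and skipping hidden lists is an assumption of this example.

```powershell
# Added example. Requires the PnP.PowerShell module. Placeholder values: site URL,
# client ID (your own Entra ID app registration) and snapshot path.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$SiteUrls     = @('https://contoso.sharepoint.com/sites/placeholder'),
    [string]  $ClientId     = '<app-registration-client-id>',
    [string]  $SnapshotPath = '.\unique-permissions-before-reset.csv',
    [switch]  $Reset        # omit to produce the inventory only
)

foreach ($url in $SiteUrls) {
    Connect-PnPOnline -Url $url -Interactive -ClientId $ClientId

    # HasUniqueRoleAssignments is not loaded by default, so request it explicitly.
    # Hidden (system) lists are skipped: an assumption of this example.
    $lists = Get-PnPList -Includes HasUniqueRoleAssignments, Hidden |
        Where-Object { $_.HasUniqueRoleAssignments -and -not $_.Hidden }

    foreach ($list in $lists) {
        # Snapshot every principal and permission level before touching the list.
        $assignments = Get-PnPProperty -ClientObject $list -Property RoleAssignments
        $rows = foreach ($ra in $assignments) {
            Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
            [pscustomobject]@{
                SiteUrl   = $url
                List      = $list.Title
                Principal = $ra.Member.LoginName
                Type      = $ra.Member.PrincipalType
                Levels    = ($ra.RoleDefinitionBindings.Name -join '; ')
            }
        }
        # Written per list, so the record exists even if a later reset fails.
        if ($rows) { $rows | Export-Csv -Path $SnapshotPath -Append -NoTypeInformation }

        if ($Reset -and $PSCmdlet.ShouldProcess("$url : $($list.Title)", 'Reset role inheritance')) {
            # CSOM call: discards the list's unique role assignments and
            # re-inherits from the parent site.
            $list.ResetRoleInheritance()
            Invoke-PnPQuery
        }
    }
}
```

Run it without `-Reset` first and review the CSV; with `-Reset`, adding `-WhatIf` lists the libraries that would be reset without changing them. The check is list-level only: files and folders are separate objects with their own `HasUniqueRoleAssignments` flag.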
After the fix: verifying inheritance is restored
After resetting inheritance on a library or site, confirm the change in three ways:
- Check the permissions banner. Return to the library's Permissions page and confirm the status reads "This library inherits permissions from its parent."
- Verify effective access. Use Site Settings > Check Permissions to look up a specific user's effective access. This confirms they see the correct permission level inherited from the parent site group, not a direct grant that survived the reset.
- Re-run the permissions export. If you used Report Master or PnP PowerShell to identify the libraries before the fix, re-run the same export after remediation. A clean run with no unique-permission libraries confirms the reset completed correctly.
Preventing broken permission inheritance from recurring
Restoring inheritance without addressing the root cause leaves you cleaning up the same problem again in six months. Three controls reduce how often inheritance breaks going forward:
- Restrict site-level sharing. In the SharePoint admin centre, set the site's external sharing level to Existing access or Only people in your organisation for sensitive sites. For internal sharing, restrict the site's members from sharing files directly by unchecking Allow members to share the site and individual files and folders in the site's sharing settings.
- Use SharePoint groups, not direct access. Train users and admins to add access at the site group level (Visitors, Members, Owners) rather than granting direct access to specific libraries or files. Direct grants break inheritance; group-based grants do not.
- Audit regularly. Use ShareMaster's permission audit workflow to export and review unique-permission libraries on a quarterly basis. Finding five new breaks early is far less work than remediation after three years of accumulation.
Frequently Asked Questions
What causes broken permission inheritance in SharePoint?
Inheritance breaks whenever someone grants direct access to a specific item, folder, library, or site rather than using the parent site's permission groups. Common triggers include sharing a file with an individual, granting a contractor access to a single library, or running a migration that applied source permissions directly to destination libraries.
Can you restore SharePoint permission inheritance without losing all custom access?
Restoring inheritance removes the unique permissions on the library or item and replaces them with the parent's permissions. There is no native option to merge the two sets. Record who has direct access before restoring, then re-add them through the parent site's SharePoint groups after the reset.
How do I find every list and library with unique permissions across a SharePoint site?
SharePoint's interface does not provide a tenant-wide view of unique permissions. At the site level, you can check each library individually. For an exportable permission matrix covering multiple sites, Report Master shows inheritance status per library, ready to filter and prioritise in Excel.