Your input shapes our product. Suggest a feature now →
Features Pricing Demos Add-ons Blog Guides Use cases Compare Tools Alerts FAQ Contact Sign in Start free trial
  1. Home
  2. Use Cases
  3. Contractor Offboarding

How to Remove Contractor Access from SharePoint Online

Contractor access left open after an engagement ends is one of the most common permission gaps in SharePoint Online tenants. Unlike full-time employees, contractors often accumulate permissions across multiple project sites over the course of their work, and the standard offboarding checklist rarely captures all of it.

Why Contractor Offboarding in SharePoint Is Harder Than It Looks

When should you treat contractor permission removal as a priority rather than a routine admin task? The answer depends on the type of access granted during the engagement:

  • Direct site member access: The contractor was added as a member to one or more SharePoint sites. Removing them from each site's Members group is straightforward if you know which sites they accessed.
  • Unique item or folder permissions: Someone granted the contractor access to a specific folder or document, breaking permission inheritance. These entries persist independently of group membership and are harder to find without scanning each library.
  • Shared links pointed at contractor email: Anyone-with-the-link or specific-people sharing links sent to the contractor's address remain active even after the contractor stops responding. The link does not expire automatically.
  • Guest account in Entra ID: If the contractor was invited as a Microsoft 365 guest, disabling or deleting the account removes most access, but does not clean up shared links or unique permissions already in place.

Most tenants handle the first case well. The last three are where gaps appear.

The Scenario: Bridgeford Consulting Faces a Busy Month-End

Meet Marcus, IT admin at Bridgeford Consulting, a 150-person professional services firm. Three external contractors are finishing their engagements on the same Friday: a design agency wrapping up a brand project, a developer who spent four months on a client portal build, and an independent consultant who had been embedded with the finance team for six months.

Each of these contractors had been working directly in SharePoint. The design agency accessed a dedicated project site and two shared document libraries. The developer had access to the dev team's SharePoint site, a staging environment site, and had been granted direct access to several folders in the IT library by a colleague. The finance consultant had broad read access to the finance team site and had received several specific-people sharing links to budget files.

Marcus has until end of business Friday. His HR system generates an offboarding ticket, but the ticket just says "remove Microsoft 365 access" - it doesn't enumerate the SharePoint sites. Marcus has to find them all himself.

What the Microsoft 365 Admin Centre Can and Cannot Do

The Microsoft 365 admin centre lets Marcus disable or delete accounts, which removes the users from security group memberships and, by extension, SharePoint group memberships inherited from those groups. That handles the surface-level access.

What it does not provide: a list of all SharePoint sites a user has direct access to, a view of unique permissions granted at the folder or item level, or a report of active sharing links associated with a specific user. To find those, an admin must either visit each site individually, run PowerShell against each site collection, or use a third-party tool.

In a 150-person firm with dozens of SharePoint sites, the manual approach takes hours per contractor. With three contractors and a Friday deadline, Marcus needed something faster.

Using ShareMaster to Audit Contractor Permissions

ShareMaster's Report Master and Shared Links and Permissions tool give Marcus a cross-site view of each contractor's permissions without manually visiting every site. From a single interface he can see which sites each account has access to, whether access is via group membership or a unique direct permission, and which sharing links reference each contractor's email address.

The output is an exportable report he can attach to the offboarding ticket, giving the security team a documented before-and-after record.

See Report Master features

Step by Step: What Marcus Did Over Two Hours

  1. Disabled the three Microsoft 365 guest accounts immediately. This blocked active sign-ins while Marcus continued the audit in the background. Disabling rather than deleting gave him 30 days to verify the cleanup before the accounts were gone.
  2. Ran a cross-site permission export using ShareMaster. The report listed every site where each contractor appeared, along with the access path (direct member, unique permission, or via a security group) and the permission level assigned.
  3. Identified three sites where the developer had direct folder permissions not visible from the Sites list in admin centre. These had been granted by a colleague during the project. Marcus removed these unique permissions directly from the ShareMaster interface.
  4. Ran a sharing link audit for each contractor's email address. The finance consultant had 11 active specific-people sharing links pointing to their work email. Marcus bulk-revoked all 11 from the audit view without navigating to each file individually.
  5. Removed group memberships. ShareMaster confirmed that group-based access for the design agency and developer had already been removed when the accounts were disabled. No additional action was needed on those.
  6. Exported the final permission state for each contractor to an Excel file and attached it to the offboarding ticket as a completion record.
Tip: Run the permission audit before disabling the account if you want to see the full picture. Some tooling reports fewer permissions for disabled accounts. Marcus disabled accounts first because speed of lockout was the priority, then audited immediately after.

The Result: Three Contractors Fully Offboarded in Two Hours

Marcus completed all three offboardings in the same afternoon. The combination of cross-site permission reporting and bulk sharing link revocation cut what would have been a half-day task into a two-hour one. He had a documented audit trail for each contractor and zero open sharing links by the end of business Friday.

Contractor offboarding is one of the tasks that looks simple on a checklist but hides significant complexity in a real SharePoint environment. The hidden permission entries and lingering sharing links are what create ongoing risk, and they require a tool that can surface them quickly.

For a broader look at auditing permissions across your tenant, see the guide on how to audit SharePoint permissions.

Frequently Asked Questions

Does deleting a contractor's Microsoft 365 account remove their SharePoint permissions?

Deleting an account removes the user from SharePoint group memberships, but unique item-level permissions granted directly to that user may persist as orphaned entries. Audit and revoke those unique permissions before or immediately after deleting the account to prevent these orphaned entries from lingering.

How do I see all the SharePoint sites a specific user has access to?

The Microsoft 365 admin centre does not provide a single view of all sites a user can access. You can run SharePoint admin centre reports per site, use PowerShell (Get-SPOUser across each site collection), or use ShareMaster's Shared Links and Permissions feature to export a cross-site permission report in a single run.

What happens to files a contractor uploaded to SharePoint when you remove their access?

Files uploaded to a SharePoint library stay in the library after a user's permissions are removed - they are not deleted. Everyone else who had access to the library can still reach the content. Only the removed user's access changes.

Try ShareMaster free for 14 days