
SharePoint Audit Readiness: The Financial Services Use Case

Category: Compliance and Governance

Meet Dana, IT systems manager at Meridian Wealth Partners, a 400-person registered investment adviser operating across four regional offices. Dana received a 90-day notice that the firm's annual regulatory review would include a detailed inspection of its Microsoft 365 environment, with specific attention to how sensitive client documents were being accessed and shared in SharePoint Online.

The compliance challenge

Meridian had built its SharePoint Online environment over six years. Dozens of department sites, project libraries, and client folders had accumulated permissions as staff joined and left, contractors came and went, and teams restructured. No one had done a systematic permission review since the tenant was provisioned.

What the auditors required

Audit requirement (and what it meant in practice)

Permission matrix: A complete list of who can access each site and library, with group membership expanded to individual users and inherited versus unique permissions clearly distinguished.

External sharing evidence: Documentation of active sharing links accessible outside the organisation, with creation dates and recipients where available.

Remediation evidence: Confirmation that access for departed contractors and former staff had been revoked at the SharePoint level, not just disabled in Entra ID. Disabling the account blocks sign-in but leaves its SharePoint role assignments in place, so the account still appears in the permission matrix and regains access if it is ever re-enabled.

Governance statement: A written summary of the process used to review and tighten permissions before the audit date.

The 90-day window

Ninety days sounds generous. Two weeks were lost to scope negotiation with the auditors, and another week to getting legal sign-off on what would be shared externally. Dana had roughly ten working weeks to produce four deliverables for a tenant that had never had its permissions formally audited.

Why the native SharePoint admin center fell short

Dana's first instinct was to pull the required reports from the Microsoft 365 admin center and SharePoint admin center. The SharePoint admin center shows site-level access summaries, but it does not produce a cross-site permission matrix that shows every user, every group, and every site in a single export. Building that manually meant opening each site, navigating to Site permissions, documenting what was found, then repeating for every library with broken permission inheritance. Meridian had 47 sites and an unknown number of libraries that had diverged from their parent site's permission settings.

For external sharing, the admin center shows whether a site has sharing enabled - it does not enumerate active sharing links across the tenant. Drilling into individual links requires navigating into each library and reviewing each file. With thousands of files across 47 sites, this was not achievable within the available timeline through native tooling alone.

Step 1: Building the permission matrix with Report Master

Dana connected ShareMaster's Report Master to the tenant and generated a cross-site permission matrix exported to Excel. The report covered all 47 sites, flagged which libraries carried unique permissions that differed from the parent site, and expanded group membership so individual users appeared in the matrix rather than just group names.

The Excel output arrived formatted for direct submission: rows for users, columns for sites and libraries, cells showing the permission level applied. Dana spent less than a day generating the initial export and a further day reviewing it for unexpected entries before presenting it to the compliance team. The same exercise done manually would have taken one to two full weeks.

The matrix surfaced several findings immediately. Six contractors who had left the firm between six and eighteen months earlier still held active read or edit access to client project libraries. Two of those libraries contained documents classified as sensitive under the firm's data handling policy. These were the highest-priority items to remediate before the audit date.

Step 2: Auditing external sharing with Shared Links and Permissions

The external sharing requirement was more complex. Meridian routinely used sharing links to give clients temporary access to draft proposals and reports, but most had been created without expiry dates. Others pointed to contacts who had since left the client organisations.

Removing stale links before the audit

Dana used ShareMaster's Shared Links & Permissions tool to enumerate all active external sharing links across the tenant. The results listed each link, the file it pointed to, when it was created, and, where captured, the recipient; an Anyone link carries no named recipient at all, which is one reason a link without an expiry date is hard to justify to an auditor. Dana revoked links associated with the six former contractors immediately. Any link older than six months without a documented business justification was flagged for removal.

Tip: When removing stale sharing links before an audit, log each removal as you go: which link, which file, when it was created, and why it was removed. That log becomes part of your remediation evidence and answers the most common auditor follow-up questions without a separate data collection exercise.

The bulk removal capability in the tool meant Dana could act on dozens of links in a single operation rather than navigating into each file through the SharePoint interface. The full external sharing cleanup took one working day.

The result

Meridian entered the audit with four clean deliverables: the full permission matrix from Report Master, a sharing links remediation log, a record of the contractor access removals, and a one-page governance summary describing the process used. The auditors reviewed the Excel permission matrix, asked two clarifying questions about the timing of contractor access removal, and moved on.

The SharePoint component of the audit produced zero findings. Dana's total active working time across the ten-week preparation period was approximately fifteen hours - most of it reviewing and acting on the outputs from Report Master and the sharing links audit rather than collecting data manually.

The permission matrix is now maintained on a quarterly schedule. Each quarter's export is compared to the previous one to identify new unique permissions, new external sharing links, or group membership changes outside the expected pattern. For the permission level definitions that appear in those exports, see the SharePoint permission levels reference. The step-by-step process for auditing shared links on a recurring basis is in the shared links audit guide.

Note: The Report Master export is a point-in-time snapshot - it shows permissions as they exist when the scan runs, not the history of changes. If you need to demonstrate that a permission was removed by a specific date, save an export before and after each remediation action.
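The quarterly comparison and the before-and-after exports in the note above come down to the same operation: diffing two point-in-time snapshots. The script below is an added example, not ShareMaster's code and not part of Report Master. It assumes the export has been saved as CSV with the columns Site, Library, Principal, PermissionLevel and Inheritance (a real export's columns will differ and need mapping), and the two snapshots it reads are constructed sample rows embedded inline, not data from any tenant. It reports what changed, flags libraries that broke inheritance since the last export, checks that departed principals are genuinely absent at the SharePoint level, and emits one evidence row per revoked assignment.

```python
"""Diff two point-in-time SharePoint permission exports.

Added example, not ShareMaster's code. Assumes a simplified CSV export with
the columns Site, Library, Principal, PermissionLevel, Inheritance; the two
snapshots below are constructed sample data, not a real tenant.
"""
import csv
import io
from collections import defaultdict

# Constructed "before" snapshot: taken before the contractor clean-up.
BEFORE_CSV = """Site,Library,Principal,PermissionLevel,Inheritance
Client Projects,Proposals,dana@meridian.example,Full Control,Unique
Client Projects,Proposals,contractor.a@example.com,Edit,Unique
Client Projects,Reports,dana@meridian.example,Full Control,Unique
Client Projects,Reports,contractor.b@example.com,Read,Unique
Finance,Statements,dana@meridian.example,Full Control,Inherited
Finance,Statements,analyst@meridian.example,Read,Inherited
"""

# Constructed "after" snapshot: contractor.a was removed, contractor.b was
# missed (only disabled in Entra ID), and Finance/Statements broke inheritance.
AFTER_CSV = """Site,Library,Principal,PermissionLevel,Inheritance
Client Projects,Proposals,dana@meridian.example,Full Control,Unique
Client Projects,Reports,dana@meridian.example,Full Control,Unique
Client Projects,Reports,contractor.b@example.com,Read,Unique
Finance,Statements,dana@meridian.example,Full Control,Unique
Finance,Statements,analyst@meridian.example,Read,Unique
Finance,Statements,newhire@meridian.example,Edit,Unique
"""

# Constructed list of principals whose access should have been revoked.
DEPARTED = {"contractor.a@example.com", "contractor.b@example.com"}


def load_snapshot(csv_text):
    """Parse one export into {(site, library, principal): (level, inheritance)}.
    Principals are lower-cased so case differences between exports do not
    show up as spurious changes."""
    snapshot = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["Site"], row["Library"], row["Principal"].strip().lower())
        snapshot[key] = (row["PermissionLevel"], row["Inheritance"])
    return snapshot


def unique_libraries(snapshot):
    """Libraries that carry their own role assignments rather than the site's."""
    return {(site, lib) for (site, lib, _), (_, inh) in snapshot.items() if inh == "Unique"}


def diff_snapshots(before, after):
    """Assignments removed, added or changed between two exports, plus any
    library that broke inheritance since the previous export."""
    return {
        "removed": sorted(k for k in before if k not in after),
        "added": sorted(k for k in after if k not in before),
        "changed": sorted(k for k in before if k in after and before[k] != after[k]),
        "newly_unique": sorted(unique_libraries(after) - unique_libraries(before)),
    }


def verify_revocation(after, departed):
    """Departed principals that still hold any assignment in the after export.
    Disabling the account in Entra ID does not remove these rows, so an empty
    result is the SharePoint-level evidence the auditors asked for."""
    still_present = defaultdict(list)
    for (site, lib, principal), (level, _) in after.items():
        if principal in departed:
            still_present[principal].append((site, lib, level))
    return dict(still_present)


def remediation_evidence(before, after, departed, before_label, after_label):
    """One log row per revoked assignment of a departed principal, tied to the
    two dated exports that bracket the removal."""
    rows = []
    for key in sorted(before):
        site, lib, principal = key
        if principal in departed and key not in after:
            rows.append({"site": site, "library": lib, "principal": principal,
                         "level_removed": before[key][0],
                         "present_in": before_label, "absent_in": after_label})
    return rows


if __name__ == "__main__":
    before = load_snapshot(BEFORE_CSV)
    after = load_snapshot(AFTER_CSV)
    for section, items in diff_snapshots(before, after).items():
        print(f"{section}: {items}")
    print("departed principals still present:", verify_revocation(after, DEPARTED))
    for row in remediation_evidence(before, after, DEPARTED, "export-before", "export-after"):
        print("evidence:", row)
```

Run against the sample data, the diff shows contractor.a's Edit assignment removed, a new Edit assignment for a new hire, and Finance/Statements newly carrying unique permissions, while the revocation check reports that contractor.b still holds Read on Client Projects/Reports. That last result is the case the note warns about: the Entra ID account may be disabled, but the SharePoint role assignment is still there and would be a finding.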

Frequently Asked Questions

What do compliance auditors look for in a SharePoint environment?

Compliance auditors reviewing SharePoint Online typically want a full permissions matrix showing who has access to what, including inherited versus unique permissions; evidence that external sharing is governed and sharing links to departed users have been revoked; confirmation that sensitive content is restricted to appropriate groups; and documentation of the review process itself.

Can I export SharePoint permissions to Excel for auditors?

Yes. ShareMaster's Report Master produces an Excel export of the permission matrix across SharePoint sites, libraries, and folders, showing group memberships, individual user assignments, and inherited versus unique permissions. The output can be submitted directly to auditors without manual reformatting.

How long does a SharePoint permissions audit take?

Using the native SharePoint admin center, building a full cross-site permissions report is a multi-day manual process for any tenant with more than a handful of sites. Report Master automates the export and typically produces the full matrix in hours, depending on tenant size and the number of sites involved.

Try ShareMaster free for 14 days