SharePoint Permissions Remediation After an Audit

Published: 23 June 2026  |  Category: Permissions and Governance

847. That was the number of unique permission scopes flagged in the report David's internal audit team handed him in March. He manages Microsoft 365 for the Western District Water Authority, a government agency with 620 staff and a SharePoint environment that had been growing for seven years without a formal governance policy.

The audit itself took three weeks. Every scope was catalogued, every external account listed, every anomalous sharing link noted in a spreadsheet. Now David had to fix it. How to remediate was left entirely to him.

What the audit uncovered

What is a unique permission scope in SharePoint Online?

When an item, folder, or subsite in SharePoint has its permissions disconnected from its parent, it creates a unique permission scope. That item no longer inherits the access rules of the library or site above it. Each such break is one scope. SharePoint tracks them per site collection, and as the count rises, audits become more complex and platform performance degrades.

David's 847 scopes were spread across 38 SharePoint sites. Most had accumulated from well-intentioned file shares during project delivery: someone sent a specific document to an external contractor without wanting to expose the whole site. Others were subfolders that a team lead had locked down for sensitive HR content years ago and never reviewed. A handful were the result of errors from a previous migration.

Beyond the scopes, the audit found:

  • 1,247 active sharing links across those 38 sites, including 41 set to "Anyone with the link" (fully anonymous, no sign-in required).
  • 68 external user accounts still holding permissions, 29 of whom had not accessed any agency resource in over 90 days.
  • 12 subsites where permission inheritance had been broken at creation and never subsequently reviewed.

Mapping remediation priorities

Not all findings carry the same risk. David worked through the audit spreadsheet with the compliance team and categorised each issue into one of three tiers before touching anything.

| Issue type | Count | Priority | Reason |
|---|---|---|---|
| Anonymous sharing links ("Anyone with the link") | 41 | High | No authentication required; anyone with the URL can access content without signing in |
| External accounts with no activity in 90+ days | 29 | High | Likely stale; may belong to former contractors whose engagement ended without offboarding |
| Remaining sharing links (org or specific-person) | 1,206 | Medium | Require authentication; lower immediate risk, but many were created without oversight and never reviewed |
| Broken inheritance at subsite level | 12 | Medium | Subsites can hide access grants from site-level permission views; harder to audit without tooling |
| Item and folder-level unique permission scopes | 835 | Lower | Numerous but many are legitimate; require individual review before bulk remediation |

Fixing broken permission inheritance across the tenant

The quickest wins were the 12 subsites with broken inheritance at the subsite level. David used ShareMaster's Report Master to pull a permissions matrix for each site, then exported each subsite's current permission set to Excel before making any changes. That record was required by the compliance team for the audit trail: every access grant in place before remediation needed to be documented.

For the 835 item and folder scopes, he worked site by site. The goal was not to eliminate every unique scope (some legitimate file-level grants needed to stay) but to reduce the count by restoring inheritance where permissions had been set unnecessarily. The guide to fixing broken SharePoint permission inheritance covers this process step by step.

Tip: Export a full permission report before restoring inheritance on any scope. Restoring inheritance immediately overwrites the existing item-level grants with no undo. A saved Excel export is your only record of what was in place before the change.

Revoking shared links and removing external accounts

The 41 anonymous links were cleared within two hours. David used ShareMaster's Shared Links and Permissions tool to list all sharing links across each site, filter to the "Anyone with the link" type, select all, and revoke in a single operation per site. No file-by-file navigation required.

The remaining 1,206 organisational and specific-person links took longer to triage. Some were recent and deliberate; others dated back several years and predated any sharing governance policy. David's rule: links created more than 18 months ago and not accessed in the last 90 days were revoked without further case-by-case review. Links under 18 months old were checked against the audit categorisation before removal.

Note: Age-based link removal works well when no document retention obligations are tied to those files. If records management policy requires specific documents to remain accessible for a defined period, base revocation decisions on the retention schedule rather than link age alone.
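The age rule and the retention caveat above, applied to an exported link list, as an added example that is not ShareMaster's or the agency's own code. The CSV columns, the link-type labels and the "review" outcome for old links that were recently used are assumptions; the page does not say how that last case was handled.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export; column names and link-type labels are assumptions,
# not the schema of any real report.
SAMPLE_CSV = """url,link_type,created,last_accessed,retention_hold
/sites/ops/a.docx,Anonymous,2025-11-02,2026-05-30,no
/sites/ops/b.xlsx,Organization,2023-04-11,2024-01-15,no
/sites/hr/c.pdf,SpecificPeople,2022-09-01,,yes
/sites/eng/d.dwg,SpecificPeople,2023-06-20,2026-06-01,no
/sites/eng/e.docx,Organization,2025-10-05,2025-10-06,no
"""

def months_before(day, months):
    """Return the date `months` calendar months before `day` (day clamped to 28)."""
    total = day.year * 12 + (day.month - 1) - months
    return date(total // 12, total % 12 + 1, min(day.day, 28))

def triage_link(row, today):
    """Map one exported link row to 'revoke', 'hold' or 'review'."""
    if row["link_type"] == "Anonymous":
        return "revoke"   # High tier: no sign-in required, revoked in every case
    if row["retention_hold"].strip().lower() == "yes":
        return "hold"     # retention schedule decides, not link age
    created = date.fromisoformat(row["created"])
    last = row["last_accessed"].strip()
    # A link with no recorded access counts as not accessed in the 90-day window.
    idle = not last or date.fromisoformat(last) < today - timedelta(days=90)
    if created < months_before(today, 18) and idle:
        return "revoke"   # older than 18 months and unused for 90 days
    return "review"       # check against the audit categorisation first

def triage_export(csv_text, today):
    """Return {url: decision} for every row in the export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["url"]: triage_link(row, today) for row in reader}

if __name__ == "__main__":
    for url, decision in triage_export(SAMPLE_CSV, date(2026, 6, 23)).items():
        print(f"{decision:7} {url}")
```

The "hold" and "review" rows are the ones to take back to records management and project owners before anything is revoked.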

The 68 external accounts required individual review, since each represented a real person whose relationship with the agency needed to be confirmed before access was removed. Of those, 29 had not accessed any agency resource in over 90 days and were removed outright. The remaining 39 were verified with relevant project owners and either retained, downgraded to visitor access, or removed depending on whether the working relationship was still active.

The result: from 847 scopes to 94

The remediation ran over two working days. At the end:

  • All 41 anonymous sharing links were revoked.
  • 29 stale external accounts were removed; 39 were confirmed as current and adjusted where needed.
  • 1,147 of the 1,247 sharing links were revoked; the remaining 100 were confirmed as intentional and documented.
  • The 12 subsite broken-inheritance cases were resolved: 8 had inheritance restored, 4 retained unique permissions that were documented and signed off by the compliance team.
  • Total unique permission scopes across the 38 sites dropped from 847 to 94.

For a 620-person government tenant, 94 remaining scopes is still not zero. But every one of them is now documented and intentional. That is the goal of a SharePoint permissions remediation: not perfection, but defensible governance.

Building a process to prevent the next backlog

One-off remediation solves the present problem without stopping the same patterns from accumulating again. David's agency put two measures in place after the project concluded.

First, a quarterly permissions export using Report Master now runs automatically and lands in David's inbox as an Excel file. It covers all 38 sites and highlights any increase in unique scope counts from the previous quarter. A rising count is the earliest signal that ad-hoc file sharing is creating governance debt before it becomes an audit finding.

Second, the IT team added a SharePoint access step to the contractor offboarding checklist. When an engagement ends, removing SharePoint access is now a named task in the offboarding ticket rather than an afterthought. That single change would have prevented the majority of the 29 stale external accounts the original audit found.

For a structured approach to auditing external users before they become a problem, see the guide to auditing external users in SharePoint Online.

Frequently Asked Questions

What is broken permission inheritance in SharePoint Online?

Broken permission inheritance occurs when an item, folder, or subsite in SharePoint has its permissions disconnected from its parent. Instead of inheriting the parent site's or library's access rules, the item holds its own separate permission set. Each break creates a unique permission scope, which complicates audits, inflates the unique permissions count, and makes consistent access management significantly harder across a large tenant.

How do I bulk-remove sharing links across multiple SharePoint sites?

ShareMaster's Shared Links and Permissions tool lists all active sharing links across a site or library and lets you select and revoke multiple links in a single operation. Working through sites in batches, you can remove hundreds of links far faster than navigating to each file's sharing settings individually in the SharePoint interface.

How long does it take to remediate SharePoint permissions after a full tenant audit?

Editing permissions manually through the SharePoint admin centre can take days or weeks for a large tenant. With ShareMaster's bulk tools, the active work time is substantially shorter. The Western District Water Authority resolved 847 unique permission scopes and over 1,200 sharing links across 38 sites in two working days.
