Meet Claire. She is a principal consultant at a 12-person MSP that manages Microsoft 365 environments for 23 clients. Every quarter, three or four of those clients ask for a SharePoint permissions report: who has access to what, which external users are still active, and whether any contractors retained access after offboarding. Until recently, Claire handled each request by requesting delegated admin access, opening the SharePoint admin centre, exporting what she could, and filling the gaps with PnP PowerShell scripts that needed updating every few months. Each audit took half a day of billable time she could not charge at full rate because the process was slow and inconsistent.
This is a use case about how Claire standardised that process using ShareMaster's Report Master, cut the per-audit time down to under an hour, and turned a reactive, difficult-to-price service into a repeatable offering her clients now ask for proactively.
The challenge: 23 tenants, 23 separate audit requirements
Every client Claire manages has a different SharePoint structure. One runs a flat site collection with a single document library used by 15 staff. Another has 40 site collections, a mix of Teams-connected sites and classic team sites, and a growing number of external partners with guest access. A third is a professional services firm with strict compliance requirements that mandate a documented permissions review twice a year.
The common thread across all of them is that SharePoint permissions drift over time. Users get added to groups that are too broad. Contractors are given member access instead of read access. External partners retain access to project sites long after the project closes. Nobody notices until either a compliance audit flags it or a departing employee's access review reveals something unexpected.
Claire's clients do not have the internal IT capacity to run these audits themselves. They rely on her to surface the issues before they become problems. That reliance is the service value, but it only works if the audit is fast enough to be economically viable and thorough enough to be defensible.
What MSPs need from a SharePoint permissions audit tool
When Claire evaluated her options, the native SharePoint admin centre fell short on two counts. First, the built-in reports give site-level summaries: the number of external users per site, sharing settings, overall activity. They do not produce a row-per-user, library-level breakdown that shows exactly what each person can do and where. Second, the admin centre UI is designed for a tenant's own admin team, not for an MSP cycling through multiple client environments.
PowerShell is more capable but requires scripting maintenance. PnP PowerShell scripts for permissions audits are well documented in the community but need updating as Microsoft changes API surfaces. For a team of 12 people managing 23 tenants, maintaining a reliable PowerShell audit toolkit is a full-time job in itself.
The requirements Claire settled on were straightforward:
- Connect to any Microsoft 365 tenant with standard admin credentials
- Export a permissions matrix at the library and list level, not just the site level
- Include external and guest users with their Entra ID account type flagged clearly
- Produce an Excel file that a client stakeholder can read without needing a guide
- Run without requiring PowerShell or developer tooling
How Claire runs a permissions audit with Report Master
Connecting to the client tenant
Claire opens ShareMaster and navigates to Report Master. She enters the client's SharePoint Online URL and signs in using the delegated admin account the client provisioned for her. The connection uses standard Microsoft 365 authentication, including multi-factor authentication, so there is no separate credential management outside of the client's own Entra ID setup.
For clients where she does not have persistent admin access, the client's IT contact signs into the ShareMaster session briefly to authorise the connection, then steps away while Claire runs the report. The process takes under two minutes to establish.
Running the permissions matrix
Once connected, Claire selects the site collection to audit, chooses the Permissions Matrix report type, and includes all subsites and document libraries in scope. She runs the report.
Report Master queries the site's permission groups, individual user assignments, and any unique permissions set at the library or list level. For a mid-sized client site with 80 users and 12 document libraries, the export is ready in around four minutes. The resulting Excel file has one row per user-permission pair: the user's display name, login name, account type, the permission level assigned, and the library or list where it applies.
The library-level breakdown is the detail that catches the issues the admin centre misses. It is common to find external guests who were added directly to a library by a team member using the share button rather than through a formal guest invitation. These assignments do not appear in site membership lists but do appear in the permissions matrix.
Reviewing shared links and external access
After the permissions matrix, Claire runs a second report focused on shared links. This captures "Anyone with the link" and organisation-wide links active in the site, flagged by library and by item where unique sharing was applied. She cross-references this with the permissions matrix to build a complete picture of external exposure. The full guide on auditing SharePoint shared links describes this process in detail.
Delivering the report
The Excel export goes to the client with a one-page summary Claire adds manually: total users in scope, number of external and guest accounts found, any permission assignments that look anomalous, and recommended actions ranked by risk. The raw export goes as an appendix. Most clients forward the summary to their management team and file the appendix for compliance records.
For clients with formal compliance requirements, Claire logs the audit date and attaches the summary to the client's governance document. The twice-yearly audit cadence those clients require is met without any custom tooling on her side.
The result: a repeatable, billable process
What took Claire half a day now takes between 45 minutes and two hours depending on the size of the site collection and how much review work the findings require. The time reduction comes entirely from eliminating the manual scripting and the patchy admin centre navigation that the old approach involved.
The consistency also changed the service dynamic. Because Claire can deliver a report in a predictable format every time, the audit is now a packaged offering in her MSP's service catalogue with a fixed price. Clients know what they are getting, and Claire knows what it costs to deliver. Three clients who previously asked for an ad-hoc permissions review once a year now subscribe to a quarterly audit.
The guide on exporting SharePoint permissions to Excel walks through the full Report Master export process for those who want the step-by-step detail behind what Claire's workflow covers at a high level.
Frequently Asked Questions
Can ShareMaster connect to multiple Microsoft 365 tenants?
Yes. ShareMaster connects to any SharePoint Online tenant using standard Microsoft 365 credentials. MSPs can switch between client tenants by signing in with the appropriate admin account for each engagement. There is no limit on the number of tenants you can work with across separate sessions.
What permission level does an MSP engineer need to run a permissions audit?
The account used with Report Master needs SharePoint admin rights in the target tenant, or at minimum Site Collection Administrator rights on the sites being audited. A dedicated SharePoint admin account with delegated access from the client is the preferred approach. Global admin accounts work but carry broader rights than needed for a read-only audit.
How long does a Report Master permissions export take to generate?
A small site with standard permission inheritance and a few dozen users typically completes in under two minutes. A large site collection with many libraries, unique permissions, and hundreds of users may take ten to fifteen minutes. The export runs in the background and produces an Excel file when complete.
Can MSPs deliver the Report Master output directly to clients?
Yes. The Excel export is a standard .xlsx file. MSPs can deliver it as-is, add branding in a cover sheet, or filter and summarise it before presenting to the client. The column structure is consistent across exports, which makes it straightforward to compare reports across audit periods.