Uncover the access your users and groups have in your environments with a Permissions matrix report.
Index
Prerequisites
You have site collection admin permissions on your targeted site collection(s).
โNote: To avoid any possible error messages while running the report, it is best practice to have site collection admin permissions even if you have higher privileges like SharePoint admin or global admin permissions. When running the report on a OneDrive for Business, it is essential to have site collection admin permissions. For more information, see Administrative permissions and Security settings - Auto-assign as a site collection administrator.
Tip: To manage all your site collections, you can connect to your central admin or admin center with SharePoint admin, farm admin, or global admin permissions.
How-to
Click Security.
Click Run permissions matrix report under Security essentials.
Select the target of the report.
Click Next.
Set your options (see below for details).
Click Schedule or Run now.
Tip: Alternatively, you can run the report from Explorer. Select the target first, then click Permissions matrix report from the Quick actions menu.
Note: The Permissions matrix report scans all the objects in your target to find your permissions. If you run into issues while running the report on a whole tenant or a lot of sites, try running the report in batches of smaller targets (i.e. a few sites at a time instead of the whole tenant).
Report options
Users and groups
Select All users and groups, External users, or Specific users and groups. If you select Specific users and groups, begin typing the user's name, and select the appropriate user from the dropdown.
Object types
Select whether or not you wish to include lists and list content in the scope of the report.
Note: For your list content the report will only show you permissions on folders, documents, and list items that have custom permissions (i.e. permissions not inherited by the parent).
Setup automatic export for this report's results
For more information, see Setup automatic export to a SharePoint library.
Results
Inherited Permissions
View the inherited permissions on any item by clicking on View next to it.
Levels
Permissions for SharePoint groups and Active Directory security groups are not initially expanded. To view the members of a given group, you can expand the group by clicking on the
expand button.
Expanding a group will add all the group's members to the permissions matrix so you can see the unique permissions each member has.
To expand or collapse all groups, use the Expand all groups and Collapse all groups buttons at the top right of the report.
You can find how a permission is granted to a user in the Given Through column. There you can see if that permission is granted explicitly to a user or group, or if it is granted through a group.
Note: If you are exporting your results to Excel, you should expand all groups so that you have access to the permissions matrix information of all members.
Guest Links and External User Invitations
Guest Links: SharePoint in Microsoft 365 has a feature called Guest Links which allows you to easily share documents with external, anonymous users. There are 2 types of links depending on the permissions that should be given out to anyone with the link: View Only and Edit. By default, these links do not exist and must be enabled manually. When this happens, SharePoint creates hidden user accounts, one for each link type: Guest Reader and Guest Contributor. ShareGate Migrate represents these accounts in the Permissions matrix report as a single user account, Anonymous Guest Link with Contribute and/or Read access, allowing you to quickly gather the documents that are accessible from outside your enterprise.
External User Invitations: Sites, lists, libraries, and documents can be shared with external users in Microsoft 365, through the means of an invitation. Invitations usually expire after a week. Since these invitations can be used to access certain resources in your site, ShareGate Migrate displays them in the Permissions matrix report. As long as the invitation is not accepted and doesn't expire, an entry will be added in the Permissions matrix report displaying the email address associated with the invitation, along with a special icon.
External users can also be invited to SharePoint groups. These invitations are displayed in the Permissions matrix report upon expanding their associated SharePoint group.
Export
Click the Export button to export the report to Excel.
If a group is expanded, its users will be visible in the Excel spreadsheet, but if it is collapsed, only the group will be included. The same applies to the permissions matrices, which will not be included in the spreadsheet when they are collapsed.
The Permissions matrix report will not display Limited Access permission levels; however, you can run a Clean Limited Access action to get rid of unused Limited Access permission levels that no longer relate to any existing permissions on-site elements.