SharePoint Online

How to Audit SharePoint Online Permission Changes

Ever wondered what happens if SharePoint Online site permission levels are changed without your knowledge? It could grant unauthorized access to users inside and outside your organization. But don't worry! This guide will show you how to audit site permission level changes in SharePoint Online. By doing so, you can ensure that your data remains secure and accessible only to the right users.

Using Microsoft Purview Compliance Portal

Microsoft 365 Permission Required

Audit Reader Least Privilege

Global Admin Most Privilege

Sign in to the Microsoft Purview Compliance Portal.
Navigate to Solutions»Audit»Search.
Choose the Date and time range for your audit (start date and end date).
In the Activities - friendly names, search and select the following operations.
Added permission level to site collection, Modified permission level on site collection, Removed permission level from site collection.
Click Search to start the search.
You can also export the SPO site permission level changes report using the 'Export' option after the search is completed.

Using Microsoft Purview Compliance Portal

Note: You need a license for long-term audit log retention to access audit logs older than the default period of 180 days.

Using Windows PowerShell

Microsoft 365 Permission Required

Audit Reader Least Privilege

Global Admin Most Privilege

Connect to the Exchange Online PowerShell using the below cmdlet.
Windows PowerShell
```
 Connect-ExchangeOnline
```
Run the below cmdlet to get the SharePoint Online permission level changes report.

Windows PowerShell

 Search-UnifiedAuditLog -StartDate MM/DD/YYYY -EndDate MM/DD/YYYY -Operations PermissionLevelAdded, PermissionLevelModified, PermissionLevelRemoved | Format-Table -Property RecordType, CreationDate, UserIds, Operations

Using AdminDroid
Simple & Quick

AdminDroid Permission Required Delegated

Any user with report access delegated by the Super Admin.

Log in to the AdminDroid Office 365 reporter.
Navigate to the Site Permission Level Changes report under Audit»General»Sharing and Access»Sensitivity Labels & Permission Changes.

This report offers comprehensive details about the SharePoint Online permission level changes such as the user who made the change, when it was changed, and more.

AdminDroid SharePoint Online Auditing tool

Identify and address gaps in SharePoint Online permissions with AdminDroid’s advanced reporting!

AdminDroid's SharePoint Online reporting tool keeps you updated on all SPO permission changes within your organization by generating dedicated reports for permissions added, removed, and modified. By continuously tracking these modifications, you can swiftly address any unauthorized changes and safeguard your sensitive data.

Make Informed Decisions on SPO File Access Requests

Gain full visibility into SPO file access requests with AdminDroid’s reports to evaluate file confidentiality and grant the necessary permissions.

Ensure Data Security of SharePoint Online Shared Items

Track SharePoint Online shared items report to verify the permission levels of all shared files and ensure sensitive information remains protected.

Stay Alert to Unauthorized Permission Changes in SPO

Use AdminDroid’s pre-built default alert policy template to stay updated on every permission level change in SharePoint Online.

Analyze SPO Site-Sharing Settings to Ensure Proper User Access

Monitor SharePoint site sharing configurations report to identify any unnecessary site-sharing permissions or unique role assignments assigned to users.

Review External Sharing Capability of SPO Sites to Prevent Risks

Audit SPO site external sharing report to get insights into external sharing permissions for all site collections and proactively identify potential data leaks.

Export All SPO Permission Reports in Multiple Formats

AdminDroid empowers you to seamlessly export SharePoint Online permissions report in various formats such as CSV, HTML, XLS, XLSX, PDF, and RAW.

Ensuring proper permissions is critical for maintaining security and compliance in your SPO environment. AdminDroid’s
SharePoint Online management tool simplifies the process by making it effortless to monitor and control access rights.

Explore a full range of reporting options

Download Live Demo

Important Tips

Group users with similar permission needs into a SharePoint group for easier SPO permission management down the line.

Regularly audit and clean up the
unique permissions of lists within SharePoint Online to simplify the administration and permission structure.

Use SharePoint Online sync hub permissions to centrally control visitor access across all hub-associated sites without manually adding them to each site.

Common Errors and Resolution Steps

The following are the possible errors and troubleshooting hints when auditing permission level changes in SharePoint Online.

Error Search-UnifiedAuditLog : The term 'Search-UnifiedAuditLog' is not recognized as the name of a cmdlet, function, script file, or operable program.

This error occurs in PowerShell when you execute the 'Search-UnifiedAuditLog' cmdlet before connecting to the Exchange Online module.

Fix Install and connect to the Exchange Online PowerShell module before running this cmdlet.

//Execute the below cmdlet to install the Exchange Online module.
Install-Module ExchangeOnlineManagement
//Run the below command to connect to the Exchange Online PowerShell.
Connect-ExchangeOnline

Error Cannot process argument transformation on parameter 'StartDate'. Cannot convert value "DD/MM/YYYY" to type "Microsoft.Exchange.ExchangeSystem.ExDateTime".

This issue occurs in Microsoft PowerShell when you provide the date in a different format like "DD/MM/YYYY".

Fix Ensure the date format ("MM/DD/YYYY") when using audit search cmdlets in PowerShell.

Error Error with the inputs provided. RequestId:5727707a-909d-402e-b23f-447547946026; Search duration is too long.

This issue occurs in the Microsoft Defender portal during an audit when the search duration exceeds the allowed limit.

Fix Select a date range that is less than 6 months. This ensures that the search query remains within the allowable timeframe.

Error Sorry, you don't have access.

This error might occur in SPO when you try to manage the permissions or settings of site contents.

Fix Verify whether you have the necessary permissions (site owner or admin) to manage the site contents. If you have the required permissions at the site level, check for any unique permissions applied to the file or folder that might also restrict you.

Error You need Permission to access this site.

This error occurs in SharePoint Online when you try to access a site without necessary permission.

Fix Verify whether you have the appropriate permissions like site owner, member, etc., to access the site.

SharePoint Online

Frequently Asked Questions

Monitor SPO Site Permission Level Changes to Prevent Unauthorized Access

What are the default site permission levels in SharePoint Online?

How to create custom permission levels in SharePoint Online?

How to create a custom permission level from a default permission level in SPO?

How to assign permission levels to users in a SharePoint site?

How to manage the permission level of users on a SharePoint group?

How to create unique permissions for a folder?

What are the best practices for managing permissions in SharePoint Online?

1. What are the default site permission levels in SharePoint Online?

Imagine you have created a new SharePoint site in your organization and want to assign user access to the site. SharePoint Online simplifies this process with default permission levels designed to manage access efficiently. These permission levels let users securely and quickly access the resources they need by assigning rights like read, edit, and more.

The default site permission levels of SharePoint Online are mentioned below.

Full Control: Grants all available access to the site with permissions, settings, and content. This permission level is typically reserved for site administrators and site owners.
Design: Includes permissions for users to view, add, update, delete, approve, and customize the layout of site pages. This is ideal for users who manage site design and structure.
Read: Grants permission to view items on site pages without making any changes. Users can download documents stored on the SharePoint site but are restricted from uploading or deleting documents. This permission is recommended for clients who only need to view the pages and list items.
Edit: Provides users with full control over lists and their associated content. This allows them to add, edit, and delete lists. It also grants access to view, create, update, and delete list items and documents. Suitable for users who need to manage content and lists actively.
Contribute: Enables users to view, add, modify, and delete list items and documents on the site.

You can view the default permission levels for the SharePoint sites by navigating to the site's Permission Levels page.

2. How to create custom permission levels in SharePoint Online?

Not every employee requires the same level of permissions as those provided by default permission levels. Some employees may only need access to view and manage sites without the permission of deletion. To accommodate these requirements, you can create custom permission levels and assign them to users.

Follow the below steps to create a new custom permission level in SharePoint Online.

Open the SharePoint Online site where you want to create a permission level.
Navigate to the Settings (gear icon)»Site permissions»Advanced permission settings.
Click on Permission Levels to create a custom permission level in SharePoint Online.
Select Add a Permission Level and provide a suitable name & description for your new custom permission level.
Select the permissions under the List Permissions, Site Permissions, and Personal Permissions based on your requirements.
Finally, click Create to set a custom permission level.

Stay informed on the addition of custom permission levels in SPO with AdminDroid’s real-time reports!

The Permission Level Added report provides comprehensive details such as the site where the permission level was added, who added it, when it was added, and more.

Handy Tip: Utilize the Permission Level Added To filter to find the permission level added to a specific confidential site and ensure precise tracking and enhanced security.

3. How to create a custom permission level from a default permission level in SPO?

If you only need slight changes to default permissions, why bother creating a custom permission level from scratch?

You can create a custom permission level by simply modifying the default permissions using the below steps.

Log in to the desired SharePoint Online site.
Navigate to the Settings»Site permissions»Advanced permissions settings.
Click on the existing permission level under Permission Levels.
Select Copy Permission Level at the bottom of the page.
Provide a unique name and description for the new permission level.
Customize the base permissions such as List Permissions, Site Permissions, and Personal Permissions.
Scroll down and click Create to save the custom permission level.

You can also modify an existing permission level other than Full Control and Limited Access. Click on the permission level you wish to edit and adjust the permissions as needed. Click Submit to apply your changes.

Note: It is recommended not to modify default permission levels directly. Instead, create custom permission levels by copying existing ones or creating new ones in SharePoint Online.

4. How to assign permission levels to users in a SharePoint site?

Creating a permission level in SharePoint Online doesn't automatically grant access to sites. To give access, you need to assign specific permission levels to users. The assigned permission levels control what they can do on your site, like viewing documents, editing content, or even managing the entire site.

Manage user permissions in SharePoint Online

Open the respective SharePoint Online site.
Navigate to the Settings»Site permissions»Advanced permissions settings.
Click the Grant Permissions and enter the name of the user in the Invite people section.
Click on the SHOW OPTIONS and select the required permission level.
Click Share to assign the selected permission level to the specific user.

As projects evolve, your users' access requirements may change. To ensure everyone has the right level of control, it's important to check user permissions and adjust them accordingly.

Navigate to the Advanced permissions settings»Check Permissions in the SharePoint site. Enter the user’s name and click Check Now to identify their current permissions. After reviewing their permissions, you may modify them if required.

Edit the permission level of users in SharePoint Online

Navigate to the Advanced permissions settings in SharePoint Online.
Click Show user to list all the users who have access to your site.
Select the user check box and click Edit User Permissions.
From the list of permissions, select the permissions you need and click ‘OK’.

5. How to manage the permission level of users on a SharePoint group?

A SharePoint site comes with default SharePoint Online groups such as Site Owners, Site Members, and Site Visitors for managing permissions. Each group has a predefined permission level that controls access.

You can also create SharePoint groups with different permission levels as per your requirements. When you add users to the group, they inherit the permission level of the group.

Add users to a SharePoint group in SharePoint Online

Log in to the SharePoint Online site and go to the Settings»Site permissions»Advanced permissions settings.
Click on the group name where you wish to add users.
Select New and choose the desired users on the Invite people field to add.
Click ‘Share’ and complete the process.

Note: Adding users to the SharePoint group will only grant them access to the site. It doesn’t change the membership of the connected Microsoft 365 group.

Remove unwanted members from a SharePoint group in SPO

If a user no longer requires the permissions granted by a specific SharePoint group, you can remove them from that group using the following steps.

Click on the SharePoint group name where you wish to remove users.
Select the checkbox near to user and choose Remove Users from Group under Actions.
Click ‘Ok’ to confirm the removal of the users.

Verify and remove unnecessary members from the group using AdminDroid’s detailed reports.

Utilize the SharePoint Online group members report to track users in the SharePoint site groups across all sites.
This helps in identifying and removing inactive SharePoint users from groups, which will revoke their permissions to access sensitive sites.

6. How to create unique permissions for a folder?

When you create folders on a site, it will inherit permissions from its parent site. To set different permissions for a specific folder, you can set unique permissions in SharePoint Online. This allows you to create folder-level permissions in SharePoint Online. It specifies access to certain users without affecting other files and lists on the site.

Check user permissions in SharePoint Online before assigning unique permission.

Open the SharePoint site and navigate to the Settings»Site contents.
Select the folder or file you want to assign permission.
Click on the ellipsis (…) and select Manage Access.

You can view all the users and groups who have access to the specific file or folder on this page.

Create unique permission for a folder or a file in SharePoint Online

Navigate to the Manage Access of the file or folder and click ellipsis (...).
Select Advanced settings and click Stop Inheriting Permissions, then click 'OK' to break the inheritance.
Click Grant Permissions and enter the user's name or UPN in the Invite people section.
Click on the SHOW OPTIONS and select the appropriate Permission Level.
Select 'Share' to grant access to those users.

If you want to set permission for a specific list or document library, you can also
create unique permissions for a document library and list.

7. What are the best practices for managing permissions in SharePoint Online?

Permissions dictate who can access, modify, and share content, thereby making it crucial to manage them with precision and care. Mismanagement can lead to unauthorized access, data leaks, and compliance issues, which can significantly impact your organization.

To maintain secure and efficient SharePoint Online environment, consider the best practices listed below.

Grant Minimum Permissions: Assign users the bare minimum access level required for their specific tasks. This reduces security risks and simplifies permission management.
Limit Owners: Minimize the number of users in the default SPO owners group. Assign most users as members or visitors for better control and reduce the risk of accidental changes or unauthorized actions.
Centralized Security for Sensitive Data: Create separate SharePoint sites or libraries for highly sensitive documents. This avoids scattering them across a larger library with complex permission structures.
Limited Use of Custom Permissions: Avoid creating and using custom permission levels excessively. Utilize them only when needed to avoid unnecessary complexity in access control.
Leverage Inherited Permissions: For subsites within your SharePoint Online environment, utilize site-level permissions to provide the same level of access control as the parent site.
Minimize Breaking Inheritance: While you can stop inheriting permissions for specific site content, strive to minimize this practice. Breaking inheritance can lead to complex structures that are difficult to manage.

Whether you're an experienced admin or new to SharePoint, these ideas for managing permissions will help you maintain secure, efficient, and compliant SharePoint Online.