Skip to Content

Understanding the challenges with M365 permissions and how to remediate

M365 SharePoint, OneDrive, Teams and Groups are managed in different consoles and often times by different administrators and in some cases even by the power user.  Without centralized visibility into these permissions and reporting enterprises may be left with governance issues that expose enterprise data to the wrong internal and external teams. Being able to review, audit and remediate is critical the proper governance needs.  Today we will review these challenges more closely and look at ways to remediate.

M365 Permissions and Challenges

M365 and its built-in capabilities are the usage is simple and most anyone can get started quickly if they have the permissions to do so.  While ease of use is a great benefit it can cause content sprawl and lack of control around permissions. By default, permissions are typically elevated enough to allow most users to add content in SharePoint sites, their own OneDrive and Teams sites they have access to. As a practitioner I have seen many times organizations that deployed M365 tools without proper governance in place.  


Remediation projects for these are typically complex but will vary in complexity based upon how much content is being dealt with and the number of folders, sites and documents that have been created within SharePoint, Teams and OneDrive.  In many cases PowerShell script creation and .csv level file review had been the best option for data and permissions review.  Let’s look at remediation on a case-by-case basis.

  • SharePoint: If the site admin has global permissions, then each site can be reviewed manually, or by PowerShell script to export to csv.  Both are time consuming and can become large scale projects depending on the number of sites and subsites.  

Note: There also can be the one-off scenario where the site admin permissions are removed by someone and then visibility can be lost.

  • Teams: Setting up sites in Teams is very simple and requires some governance policy as well.  Given that Teams can be used for documents, meetings, chat and more permissions matter. Another platform that without proper governance can leave admins scrambling to understand if anything important is visible to those that shouldn’t see it.
  • OneDrive: Permissions in a user’s OneDrive are a bit more controlled in that they are initially limited to the individual users OneDrive plus the tenant admin.  However, the individual user can add permissions to docs in their own OneDrive permissions and so can your tenant admin. So being able to report on these is critical to understand and audit properly.

Thes considerations leave us in scenarios where permissions are near impossible to understand or have visibility into without a 3rd party tool to help evaluate permissions. 

365 Permissions Manager by Hornetsecurity

  • Easy-to-Use: Offers a convenient and user-friendly interface for M365 admins to get a more comprehensive view of permissions and whether items are shared with others, helping them to better protect sensitive information.
  • Timesaving: Saves time and effort for M365 admins enabling them to perform bulk actions to manage permissions and maintain a compliant SharePoint, Teams, and OneDrive infrastructure.
  • Compliance Monitoring: Offers a convenient and user-friendly interface for M365 admins to get a more comprehensive view of permissions and whether items are shared with others, helping them to better protect sensitive information.
  • Govern Compliance: Enables M365 admins to set and enforce compliance policies for sharing sites, files, and folders in Microsoft 365. In addition, 365 Permission Manager also enables the assignment of out-of-the-box best practice policies or custom defined policies at the site, folder, and file level.

Concluding Thoughts

Understanding M365 permissions throughout SharePoint, OneDrive and Teams is critical to understanding and protecting enterprise data.  Take the time to audit your M365 workloads and evaluate solutions that will ensure that this work can be done simply and efficiently.


Sponsored by Hornetsecurity