Permissions Report
The Permissions Report tab performs a comprehensive audit of who has access to what across one or more SharePoint Online sites. Results are exported as a CSV or interactive HTML file for review, archiving, and compliance purposes.
What Is Audited
The report covers every security principal (users, groups, and SharePoint groups) and their associated permission levels on sites, libraries, lists, folders, and optionally sub-sites.
| Column | Description |
|---|---|
| Site | URL of the site |
| Object type | Site / Library / List / Folder |
| Object path | Relative path of the item |
| Principal type | User / SharePoint Group / Azure AD Group |
| Principal name | Display name |
| Principal login | Login name or email |
| Permission level | e.g. Full Control, Edit, Read |
| Inherited | Whether the permission is inherited or unique |
Options
Folder Depth
Controls how deeply the scanner descends into library folder trees.
| Setting | Behavior |
|---|---|
| Disabled | Folders are not scanned; only libraries and lists |
| 1 | Top-level folders only |
| 2 – ∞ | All folders up to the specified depth |
| ∞ (unlimited) | Full recursive folder scan |
⚠️ Note: Scanning deep folder trees on large libraries can take a significant amount of time. Start with depth 1 or 2 and increase only if needed.
Recursive (Include Sub-Sites)
When enabled, the scanner follows all sub-site URLs beneath the selected site and audits each one in turn. This is useful for site collections that contain multiple levels of sub-sites.
⚠️ Note: Sub-site scanning increases run time proportionally to the number and size of sub-sites. Use the multi-site picker instead of recursive scanning when auditing a known set of top-level sites.
Include Inherited Permissions
| Option | Output |
|---|---|
| Off (default) | Only unique permission entries |
| On | All permissions, inherited and unique |
Use "Include Inherited" when you need a complete picture of effective access, or when proving to auditors that no item has been left uncontrolled.
Running the Report
- Connect to your tenant (see Connection and Profiles).
- Switch to the Permissions Report tab.
- Configure folder depth, recursive, and include inherited options.
- Choose the output format: CSV or HTML.
- Click Generate Report.
Progress is shown in the status bar. The export file is created in the configured Output folder.
Output Formats
CSV
The CSV file uses semicolons as delimiters and UTF-8 with BOM encoding to ensure correct display in Microsoft Excel.
Filename pattern: Permissions_<SiteName>_<YYYYMMDD>.csv
```
Site;ObjectType;ObjectPath;PrincipalType;PrincipalName;PrincipalLogin;PermissionLevel;Inherited
https://contoso.sharepoint.com/sites/HR;Library;Shared Documents;User;Jane Doe;jane@contoso.com;Edit;No
```
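The following is an added example, not part of the tool: a Python sketch that reads two CSV exports in the format above (semicolon-delimited, UTF-8 with BOM) and reports which grants were added or removed between them. The function names and the second sample row (Sam Roe) are constructed for illustration; the column names and the `No` value for `Inherited` are taken from the sample on this page.

```python
import csv
import io

# Columns that identify one grant; names come from the CSV header shown above.
KEY = ("Site", "ObjectType", "ObjectPath", "PrincipalLogin", "PermissionLevel")

def load_grants(raw: bytes) -> dict:
    """Parse one export (raw file bytes) into {grant key: full row}."""
    # utf-8-sig strips the BOM; plain utf-8 would name the first column '\ufeffSite'.
    text = raw.decode("utf-8-sig")
    reader = csv.DictReader(io.StringIO(text, newline=""), delimiter=";")
    missing = set(KEY + ("Inherited",)) - set(reader.fieldnames or [])
    if missing:  # also catches a file parsed with the wrong delimiter
        raise ValueError(f"unexpected header, missing {sorted(missing)}")
    return {tuple((row[k] or "").strip() for k in KEY): row for row in reader}

def diff_reports(old: bytes, new: bytes):
    """Return (added, removed) grant keys between two exports, each sorted."""
    a, b = load_grants(old), load_grants(new)
    return sorted(b.keys() - a.keys()), sorted(a.keys() - b.keys())

def new_full_control(old: bytes, new: bytes):
    """(login, object path) for added Full Control grants that are unique."""
    rows = load_grants(new)
    added, _ = diff_reports(old, new)
    return [(k[3], k[2]) for k in added
            if k[4] == "Full Control" and (rows[k]["Inherited"] or "").strip() == "No"]

# Constructed sample exports: JANE is the data row from this page,
# SAM (Payroll folder, Full Control) is invented for the example.
HEADER = ("Site;ObjectType;ObjectPath;PrincipalType;PrincipalName;"
          "PrincipalLogin;PermissionLevel;Inherited")
JANE = ("https://contoso.sharepoint.com/sites/HR;Library;Shared Documents;"
        "User;Jane Doe;jane@contoso.com;Edit;No")
SAM = ("https://contoso.sharepoint.com/sites/HR;Folder;Shared Documents/Payroll;"
       "User;Sam Roe;sam@contoso.com;Full Control;No")

def _export(*rows: str) -> bytes:
    """Build file bytes the way the page describes: BOM, ';' delimiter."""
    return ("\ufeff" + "\r\n".join((HEADER,) + rows) + "\r\n").encode("utf-8")

OLD, NEW = _export(JANE), _export(JANE, SAM)

if __name__ == "__main__":
    print(diff_reports(OLD, NEW))
    print(new_full_control(OLD, NEW))
```

A diff is only meaningful when both exports were generated with the same Folder Depth, Recursive, and Include Inherited settings; otherwise rows appear or disappear because the scan scope changed, not because permissions did.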
HTML
The HTML report is a self-contained file with no external dependencies. Features include:
- Column sorting — click any column header to sort ascending/descending
- Real-time filter — a text box at the top filters all rows instantly
- Group by user — toggle to collapse the table into groups per principal
Filename pattern: Permissions_<SiteName>_<YYYYMMDD>.html
Tips and Best Practices
- Use depth 1 for a fast overview; increase depth only to investigate specific libraries.
- Combine with the multi-site picker to audit an entire group of project sites in one run.
- Archive HTML reports after every major permission change for a historical audit trail.
- To find all users with Full Control, open the HTML report and filter on `Full Control` in the Permission Level column.
- The CSV is ideal for importing into Power BI, SIEM tools, or compliance platforms.
See Also
- Connection and Profiles — Selecting one or multiple sites
- Storage Metrics — Complement permissions audits with storage data
- Output Files — File naming conventions