Uncover the access your users and groups respectively have in your environments with a Permissions Matrix Report.
- You have connected to an environment as a Global Administrator or SharePoint Administrator.
- You have Site Collection Administrator rights for the environments within the scope of the report.
- If you're running the report on the whole farm, you should have Farm Administrator rights.
- Report options
- Click Security.
- Click Run permissions matrix report under Security essentials.
- Select the target of the report.
- Click .
- Set your options (see below for details).
- Click Schedule or Run now.
Tip: Alternatively, you can run the report from Explorer. You have to select the target first, and click from the Quick Actions panel.
Note: The Permissions Matrix Report scans all the objects in your target to find your permissions. If you run into issues while running the report on a whole tenant or a lot of sites, try running the report in batches of smaller targets (i.e. a couple of sites at a time instead of the whole tenant).
Users and groups
Select All users and groups, External users, or Specific users and groups. If you select Specific users and groups, begin typing the user's name, and select the appropriate user from the dropdown.
Select whether or not you wish to include lists and list content in the scope of the report.
Note: For your list content the report will only show you permissions on folders, documents, and list items that have custom permissions (permissions not inherited by the parent).
Setup automatic export for this report's results
View the inherited permissions by clicking on View.
Permissions for SharePoint groups and Active Directory security groups are not initially expanded. To view the members of a given group, you can expand the group by clicking on the expand icon.
Expanding a group will add all the group's members into the permissions matrix, so that you can see the unique permissions that member has.
To expand or collapse all groups, use the icons at the top right of the report.
Note: If you are exporting your results to Excel, you should expand all groups so that you have access to the permissions matrix information of all members.
Guest Links and External User Invitations
Guest Links: SharePoint in Microsoft 365 has a feature called Guest Links which allows you to easily share documents with external, anonymous users. There are two types of links depending on the permissions that should be given out to anyone with the link: View Only and Edit. By default, these links do not exist and must be enabled manually. When this happens, SharePoint creates hidden user accounts, one for each link type: Guest Reader and Guest Contributor. ShareGate Desktop represents these accounts in the Permissions Matrix Report as a single user account, Anonymous Guest Link with Contribute and/or Read access, allowing you to quickly gather the documents that are accessible from outside your enterprise.
External User Invitations: Sites, lists, libraries and documents can be shared with external users in Microsoft 365, through the means of an invitation. Invitations usually expire after a week. Since these invitations can be used to access certain resources in your site, ShareGate Desktop displays them in the Permissions Matrix Report. As long as the invitation is not accepted and doesn't expire, an entry will be added in the Permissions Matrix Report displaying the email address associated with the invitation, along with a special icon as depicted in the image below.
External users can also be invited to SharePoint groups. These invitations are displayed in the Permissions Matrix Report upon expanding their associated SharePoint group.
Click the Export button to export the report to excel.
- If a group is expanded, its users will be visible in the Excel spreadsheet, but it if it is collapsed, only the group will be included. The same applies to permissions matrix, which will not be included in the spreadsheet when they are collapsed.
- The Permissions Matrix Report will not display Limited Access permission levels, however you can run a Clean Limited Access Access action to get rid of unused Limited Access permission levels that no longer relate to any existing permissions on site elements.