SharePoint Access Denied — Broken Permission Inheritance, Group Sync Lag, or Sharing Policy Misconfiguration
Users receive 'Access Denied' or 'Request Access' prompts when accessing SharePoint sites, libraries, or items despite appearing to have correct permissions. Root causes include broken permission inheritance isolating users from parent-level grants, Azure AD group membership sync lag (up to 24 hours in SharePoint Online), deleted SharePoint groups, missing Site Collection Administrators, or restrictive tenant/site sharing policies. Resolution requires auditing effective permissions via the Check Permissions tool, correcting inheritance breaks, synchronising identity provider group membership, and validating tenant-level access control policies.
Indicators
- User receives 'Access Denied' error when navigating to a SharePoint site, subsite, library, or list item
- User is prompted to 'Request Access' on a page they previously had access to
- User can access the parent site but cannot open a specific document library or list (broken inheritance suspected)
- Newly added group members cannot access the site despite the group being present in the site's permissions
- External sharing links return 'This link has expired' or 'You need permission to access this item'
- Site collection administrator cannot be found or site has no active administrator
- Users report intermittent access — able to access sometimes but not consistently (stale token or caching issue)
Likely causes
- Broken permission inheritance on a subsite, library, list, or item that excludes the affected user
- User's Azure AD or Active Directory security group membership has not yet synchronised to SharePoint (cache lag up to 24 hours for SharePoint Online)
- User was granted access via a SharePoint Group that was subsequently deleted or had its membership removed
- Tenant-level external sharing policy prevents the user (external) from accessing content
- Site collection has no active Site Collection Administrator, preventing administrative remediation
- Conditional Access Policies or Azure AD Identity Protection blocking the user's token
- User's account is unlicensed in Microsoft 365, removing their SharePoint entitlement
- On-premises: Claims-based authentication misconfiguration or UPN mismatch between AD and SharePoint user profile
- On-premises: User Profile Service Application not synchronising, causing stale or missing profiles
Diagnostic steps
-
Check the user's effective permissions directly on the affected site or item using the SharePoint 'Check Permissions' tool. Navigate to the site → Site Settings → Site Permissions → Check Permissions → enter the user's name or email. Review the output for which groups or direct assignments grant or deny access.Establishes exactly what permissions SharePoint believes the user has, distinguishing between no-permission, explicit deny, and group-inherited access.
-
Inspect the permission inheritance chain for the affected object. Navigate to the Library/List → Library Settings or List Settings → Permissions for this document library → verify whether 'This library inherits permissions' or 'This library has unique permissions' is displayed. If unique permissions exist, review the permission levels assigned.Identifies whether a permission inheritance break is isolating the user from access granted at the parent site level.
-
Verify the affected user's group memberships in Azure AD (for SharePoint Online) or Active Directory (for on-premises). For SharePoint Online, run: Get-MgGroupMember -GroupId <GroupObjectId> | Where-Object {$_.Id -eq '<UserObjectId>'} or review the group in the Azure AD portal under Groups → Members.Confirms whether the user is actually a member of the security or Microsoft 365 group that has been granted access, ruling out group membership sync issues.
-
Review the SharePoint Unified Audit Log (SharePoint Online) or SharePoint diagnostic logs (on-premises) for access-denied events tied to the user. In Microsoft 365: Security & Compliance Centre → Audit → Search for 'AccessDenied' operations filtered by the affected user's UPN and the site URL within the relevant time window.Provides a timestamped record of exactly when and where access was denied, and which policy or permission level was evaluated at the point of denial.
-
For SharePoint Online, verify the user has an active SharePoint-enabled licence. In Microsoft 365 Admin Centre → Users → Active Users → select the user → Licences and apps → confirm a licence with SharePoint Online (Plan 1 or Plan 2, or via Microsoft 365 suite) is assigned and the SharePoint toggle is enabled.An unlicensed or SharePoint-disabled licence silently removes access without a clear error message, and is frequently overlooked.
-
Check the SharePoint Online tenant external sharing settings and site-level sharing settings if the affected user is external. SharePoint Admin Centre → Policies → Sharing → confirm the tenant sharing level permits external users. Then navigate to the specific site in the admin centre → Sharing → confirm site-level policy is not more restrictive than expected.Tenant or site sharing policies can silently block external users even when a sharing link or direct permission was previously granted.
Resolution path
- If broken inheritance is confirmed: Navigate to the affected library/list/item → Permissions → 'Delete Unique Permissions' to restore inheritance from the parent, OR manually add the missing user or group with the appropriate permission level via 'Grant Permissions'.
- If the user is missing from the required SharePoint Group: Navigate to Site Settings → People and Groups → select the relevant group → New → Add Users/Groups → add the affected user or their security group. For SharePoint Online backed by Azure AD groups, add the user to the Azure AD group instead to maintain group-driven access.
- If Azure AD group membership sync lag is suspected (SharePoint Online): Ask the user to clear their browser cache and cookies, sign out and sign back in to force a new token, and wait up to 1 hour for SharePoint's group membership cache to refresh. As an interim workaround, grant the user direct access to the site.
- If no Site Collection Administrator exists: In SharePoint Online Admin Centre → Sites → Active Sites → select the site → Membership → Owners → add a valid Site Collection Administrator. On-premises: use Central Administration → Application Management → Site Collections → Change Site Collection Administrators.
- If the user's licence is missing or SharePoint is disabled: In Microsoft 365 Admin Centre → Users → Active Users → select user → Licences and apps → assign an appropriate licence or enable the SharePoint component within their existing licence. Allow up to 30 minutes for propagation.
- If Conditional Access is blocking access: Work with the Azure AD/Identity team to review the Conditional Access policy in Azure AD → Security → Conditional Access → review policies targeting SharePoint Online (Office 365) and confirm the user meets all conditions (compliant device, MFA, network location).
Prevention
- Enforce group-based access management: always grant SharePoint permissions to Azure AD security groups or Microsoft 365 groups rather than individual users, so that joiners/movers/leavers are handled through identity lifecycle processes rather than manual SharePoint permission changes.
- Implement a regular permissions audit schedule using PnP PowerShell (Get-PnPGroupMember, Get-PnPSiteCollectionAdmin) or Microsoft 365 access reviews (Azure AD → Identity Governance → Access Reviews) to detect and remediate stale or orphaned permissions before they become incidents.
- Prevent accidental inheritance breaks by training site owners and restricting 'Manage Permissions' rights to a controlled group; use SharePoint site designs or PnP provisioning templates to enforce a standard, well-understood permissions structure at provisioning time.
- Enable SharePoint site owner alerts for significant permission changes (Site Settings → Site Policies or via Microsoft Purview audit alerts) so that unexpected permission modifications are surfaced immediately rather than discovered when a user is denied access.
- For on-premises environments, ensure the User Profile Service Application sync schedule is configured and monitored, and that the SharePoint farm account has appropriate permissions to the Active Directory OU containing user accounts.
Tools
- SharePoint 'Check Permissions' UI tool — verifies effective permissions for a named user on any site, library, or item
- SharePoint Admin Centre (Microsoft 365) — tenant-wide site management, sharing policies, site collection admin
- Microsoft 365 Admin Centre — licence management, user account status
- Azure AD Portal / Entra ID — group membership verification, Conditional Access policy review
- Microsoft 365 Compliance / Security & Compliance Centre — Unified Audit Log search for access-denied events
- SharePoint Management Shell (PnP PowerShell or SPOM) — scripted permissions audit and remediation
- SharePoint Central Administration — on-premises farm administration, site collection admin assignment
- ULS Log Viewer (on-premises) — parsing SharePoint ULS logs for detailed error traces