T The Triage ManualTechnical Guides for IT Emergencies
P2 · Microsoft 365 & Collaboration

SharePoint Access Denied — Broken Permission Inheritance, Group Sync Lag, or Sharing Policy Misconfiguration

Users receive 'Access Denied' or 'Request Access' prompts when accessing SharePoint sites, libraries, or items despite appearing to have correct permissions. Root causes include broken permission inheritance isolating users from parent-level grants, Azure AD group membership sync lag (up to 24 hours in SharePoint Online), deleted SharePoint groups, missing Site Collection Administrators, or restrictive tenant/site sharing policies. Resolution requires auditing effective permissions via the Check Permissions tool, correcting inheritance breaks, synchronising identity provider group membership, and validating tenant-level access control policies.

Indicators

Likely causes

Diagnostic steps

  1. Check the user's effective permissions directly on the affected site or item using the SharePoint 'Check Permissions' tool. Navigate to the site → Site Settings → Site Permissions → Check Permissions → enter the user's name or email. Review the output for which groups or direct assignments grant or deny access.
    Establishes exactly what permissions SharePoint believes the user has, distinguishing between no-permission, explicit deny, and group-inherited access.
  2. Inspect the permission inheritance chain for the affected object. Navigate to the Library/List → Library Settings or List Settings → Permissions for this document library → verify whether 'This library inherits permissions' or 'This library has unique permissions' is displayed. If unique permissions exist, review the permission levels assigned.
    Identifies whether a permission inheritance break is isolating the user from access granted at the parent site level.
  3. Verify the affected user's group memberships in Azure AD (for SharePoint Online) or Active Directory (for on-premises). For SharePoint Online, run: Get-MgGroupMember -GroupId <GroupObjectId> | Where-Object {$_.Id -eq '<UserObjectId>'} or review the group in the Azure AD portal under Groups → Members.
    Confirms whether the user is actually a member of the security or Microsoft 365 group that has been granted access, ruling out group membership sync issues.
  4. Review the SharePoint Unified Audit Log (SharePoint Online) or SharePoint diagnostic logs (on-premises) for access-denied events tied to the user. In Microsoft 365: Security & Compliance Centre → Audit → Search for 'AccessDenied' operations filtered by the affected user's UPN and the site URL within the relevant time window.
    Provides a timestamped record of exactly when and where access was denied, and which policy or permission level was evaluated at the point of denial.
  5. For SharePoint Online, verify the user has an active SharePoint-enabled licence. In Microsoft 365 Admin Centre → Users → Active Users → select the user → Licences and apps → confirm a licence with SharePoint Online (Plan 1 or Plan 2, or via Microsoft 365 suite) is assigned and the SharePoint toggle is enabled.
    An unlicensed or SharePoint-disabled licence silently removes access without a clear error message, and is frequently overlooked.
  6. Check the SharePoint Online tenant external sharing settings and site-level sharing settings if the affected user is external. SharePoint Admin Centre → Policies → Sharing → confirm the tenant sharing level permits external users. Then navigate to the specific site in the admin centre → Sharing → confirm site-level policy is not more restrictive than expected.
    Tenant or site sharing policies can silently block external users even when a sharing link or direct permission was previously granted.

Resolution path

Prevention

Tools

References

sharepointsharepoint-onlinesharepoint-serverpermissionsaccess-deniedmicrosoft-365azure-adentra-idsecurity-groupssite-collectionexternal-sharingconditional-accessidentitycollaborationinheritancegroup-sync