When Sharing Breaks Inheritance in SharePoint Online
- Milan Gross 
- Sep 15, 2024
- 3 min read
Updated: May 19
Introduction
SharePoint Online is designed to facilitate seamless collaboration, but its powerful sharing capabilities can sometimes lead to unintended consequences—particularly when it comes to permissions inheritance. One of the most common pitfalls is the use of the “Share” button, which can silently break inheritance on files or folders, creating unique permissions that complicate governance and security.
Understanding Permissions Inheritance
In SharePoint, permissions are typically inherited from a parent object—such as a site, document library, or folder. This means that if a user has access to a library, they automatically have access to the files and folders within it, unless that inheritance is broken. Inheritance simplifies permission management by ensuring consistency and reducing administrative overhead.
How the Share Feature Breaks Inheritance
The Share button in SharePoint Online is deceptively simple.

When a user clicks Share on a file or folder, it opens a dialog that appears to be a simple way to send a link to other users or just another way to copy the link.

The problem is that the default for most tenants is set to “People in [Tenant Name]” which includes everyone in the Entra ID domain except Guests. Since most sites are not configured to give access to everyone in the domain, clicking on the Share or Copy Link buttons automatically causes SharePoint to create a new sharing link that provides access to those users. In order to do this it must break the permissions inheritance on the object. There is no warning or even a message that this has happened, so most users do it without realizing what they’ve done.
Clicking the gear button in the dialog gives the option to change the link settings. The safest option, and the best practice, is to select “Only people with existing access”, as this will never break inheritance.

When a user who is not familiar with this breaks the inheritance on the object, the object gets its own set of unique permissions, and a new “Manage links” link appears in its permissions view where the sharing links that were added can be seen.

This means that future changes to the permissions of the site will not be inherited by the object with unique permissions.
Not every sharing event causes broken permissions. It happens under several conditions:
- The recipient does not already have access: If the person being shared with isn’t part of a group that already has access to the item, SharePoint creates a unique permission entry for them. 
- The sharer grants higher permissions than inherited: If the item is inherited with read-only access, but the user shares it with edit or full control, inheritance is broken to accommodate the elevated access. 
- The sharer has sufficient privileges: Only users with Edit or Full Control can break inheritance. Users with Read access cannot share items in a way that alters permissions. 
Why This Is a Problem
Breaking inheritance introduces several risks and challenges:
- Permission sprawl: Over time, many files and folders accumulate unique permissions, making it difficult to track who has access to what. 
- Security risks: When sharing with the setting “People in [Tenant Name]”, documents may be shared with people who should not have access. Even if they don’t know they have access, the document may later appear in their search results. 
- Administrative complexity: IT administrators must audit and clean up unique permissions, which is time-consuming and error-prone. 
- Inconsistent user experience: Users may be confused when access behaves differently across similar-looking files or folders. 
How to Minimize Risks
What can administrators do to mitigate these risks? One recommendation is to provide users with training on this feature so that they better understand how it works. Additionally, administrators can change the default sharing settings in the SharePoint Admin portal. This is found under SharePoint Admin -> Policies -> Sharing.

For reasons that Microsoft has never explained, there is no option at the tenant level to set the default to “People with existing access”. The next best option is to set the default sharing link type to “Specific people”. While this does not stop users from breaking inheritance, it avoids users casually granting permissions to the entire domain and encourages users to think more deliberately about who they are granting access to at what level.
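The two administrative steps described here, changing the tenant default to “Specific people” and then auditing a library for items that no longer inherit, can be scripted. This is an added example, not code from the original post; it assumes the Microsoft.Online.SharePoint.PowerShell and PnP.PowerShell modules are installed, that the account is a SharePoint administrator, and that the tenant, site and library names are placeholders to be replaced.

```powershell
# Added example (not from the original post). Assumes the SharePoint Online
# Management Shell and PnP.PowerShell modules are installed and you hold the
# SharePoint Administrator role. URLs and library name below are placeholders.
$AdminUrl = "https://contoso-admin.sharepoint.com"            # placeholder
$SiteUrl  = "https://contoso.sharepoint.com/sites/Finance"    # placeholder
$Library  = "Documents"                                       # placeholder

# --- 1. Tenant default sharing link type ---------------------------------
# Values: Internal = "People in <tenant>", Direct = "Specific people",
# AnonymousAccess = "Anyone". There is no value for "People with existing
# access", which is why "Direct" is the best available default.
Connect-SPOService -Url $AdminUrl
$before = (Get-SPOTenant).DefaultSharingLinkType
Set-SPOTenant -DefaultSharingLinkType Direct
$after  = (Get-SPOTenant).DefaultSharingLinkType
Write-Host "DefaultSharingLinkType: $before -> $after"

# --- 2. Audit one library for files/folders with unique permissions -----
Connect-PnPOnline -Url $SiteUrl -Interactive
$unique = foreach ($item in Get-PnPListItem -List $Library -PageSize 500 -Fields "FileRef") {
    # HasUniqueRoleAssignments is not loaded by default; request it explicitly.
    $hasUnique = Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments
    if (-not $hasUnique) { continue }   # still inheriting: nothing to report

    # Load the item's own role assignments to see who was granted what.
    # Links created by the Share button appear here as principals whose
    # name starts with "SharingLinks.", e.g. an "OrganizationEdit" link
    # corresponds to "People in <tenant>" with edit rights.
    $assignments = Get-PnPProperty -ClientObject $item -Property RoleAssignments
    foreach ($ra in $assignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        [pscustomobject]@{
            Path      = $item["FileRef"]
            Principal = $ra.Member.Title
            Roles     = ($ra.RoleDefinitionBindings | ForEach-Object Name) -join ", "
        }
    }
}

# One row per (item, principal) pair; export for review or ticketing.
$unique | Sort-Object Path | Format-Table -AutoSize
$unique | Export-Csv -Path ".\unique-permissions.csv" -NoTypeInformation
```

Run section 2 on a regular schedule per site; a growing row count is the “permission sprawl” described above, and rows whose principal is a “SharingLinks.” group with an Organization scope are the ones created by the default “People in [Tenant Name]” link.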
Conclusion
The Share feature in SharePoint Online is a powerful tool—but one that must be used with care. Understanding when and how it breaks inheritance is essential for maintaining a secure and manageable permissions structure. By configuring tenant-wide defaults, educating users, and regularly auditing permissions, organizations can strike the right balance between collaboration and control.