SharePoint Online Permission Auditing at Scale
Published 6 months, 2 weeks ago
Description
Your SharePoint permissions are probably a mess. Not because you don’t manage them — but because nobody can keep up with thousands of sites changing daily. The shocking part? Most organizations have no single report showing who has access to what. In this session, I’ll show you the exact steps to scan every site, every library, every user — without touching a single site manually. By the end, you’ll know how to automate the work that normally takes weeks into something that delivers daily, accurate reports — and actually sleep better knowing you have control.

Why Traditional Permission Reviews Break at Enterprise Scale

You know that annual permissions review everyone gets so excited about? The spreadsheet goes out, site owners tick through their lists, managers sign off, and for about twenty-four hours it feels like you’ve got everything under control. By the next week, someone’s shared a folder with a new contractor, a project site has been spun up without notice, and the “final” record you just archived is already missing reality by a mile.

On a small collection, it’s still possible to catch changes before they spiral. You pull the list of site members, maybe check a couple of groups, and confirm no one has oddball access. In that world, manual review works. The permissions tree is short enough to see in one screen, and the number of hands making changes is small enough to track. It’s boring, but it’s manageable.

At enterprise scale, that model falls apart fast. You’re no longer looking at a tidy set of five intranet sites. You might be staring down ten thousand sites across departments, regions, and business units — and they’re not static. Teams create new sites daily, archived projects never quite disappear, and content churn means permission changes happen constantly. The window between your review and the next significant change is sometimes measured in hours.

Even worse, SharePoint is deceptive when you try to eyeball it. Permissions can be inherited from the parent site, overridden at the library level, tweaked on a folder, and then patched again on a single file. A user’s access might not be obvious because they’re coming in through a nested group — maybe even through a security group synced from Azure AD that itself holds other groups. One missing click into those layers, and you have no clue they’re in there.

Compliance teams still expect clean audit logs and evidence of regular reviews. The reality is, you’d need an army of admins to manually walk through each site’s structure, note every permission, and confirm it’s valid. That’s without factoring in time to re-check inherited and group-based access, which changes the moment someone moves a user between teams. The practicalities just don’t match the scale.

I worked with an organization that dedicated over 80 admin hours to one quarterly review. They split the workload, pulled membership reports, even had a formal process mapped out. The end file looked thorough — but two weeks later, a penetration test found guests with edit access to confidential folders that had been missed entirely. Not because anyone failed at their job, but because the access came through a nested group that never appeared on the manual report.

That’s the gap that will keep you awake. Stale permissions hiding deep in site structures. Terminated employees whose accounts linger in synced groups. Guest accounts that were supposed to expire but didn’t. They’re easy to miss, and if you’re relying on a manual sweep, you’re counting on luck as much as process.

You start to realise the “snapshot once a year” model isn’t broken because people are lazy — it’s broken because the system it’s trying to capture moves constantly. Permissions are living data. Treating them like a static list means you’re always in the past, never in the live state of your environment.

The solution isn’t throwing more people at the review. It’s building a way to query and consolidate this data automatically, so the moment somet
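The nested-group gap described above, as an added example that is not part of the episode or of any SharePoint tooling: it takes a constructed export of one site's direct role assignments and the group graph (group names, UPNs and the `#EXT#` guest marker are constructed sample data), flattens nested groups into effective per-user access, tolerating a membership cycle, and flags guests who end up with Edit or higher. The functions, level names and the assumption that every group appears as a key in the graph are this example's own.

```python
from collections import deque

# Constructed sample data (not a real tenant). ROLE_ASSIGNMENTS is what a
# site shows after inheritance was broken at the library level: a principal
# (user or group) mapped to its permission level. GROUP_MEMBERS is the group
# graph; a SharePoint group holds a synced security group, which holds another
# group, which holds a guest. The last group also points back, forming a cycle.
# Assumption: every group is listed as a key (empty groups map to []).
ROLE_ASSIGNMENTS = {
    "Finance Members": "Edit",
    "Finance Visitors": "Read",
    "alice@contoso.example": "Full Control",
}
GROUP_MEMBERS = {
    "Finance Members": ["bob@contoso.example", "SG-Finance-All"],
    "Finance Visitors": ["carol@contoso.example"],
    "SG-Finance-All": ["SG-Finance-Contractors", "dave@contoso.example"],
    "SG-Finance-Contractors": ["eve_partner.example#EXT#@contoso.example",
                               "SG-Finance-All"],
}
LEVEL_RANK = {"Read": 1, "Edit": 2, "Full Control": 3}


def expand_group(group, members):
    """Return every user reachable through nested groups; cycles are safe."""
    seen, users, queue = {group}, set(), deque([group])
    while queue:
        for member in members.get(queue.popleft(), []):
            if member in members:            # nested group: walk into it once
                if member not in seen:
                    seen.add(member)
                    queue.append(member)
            else:                            # leaf principal: a user
                users.add(member)
    return users


def effective_access(assignments, members):
    """Map each user to the highest level they hold on the site, via any path."""
    result = {}
    for principal, level in assignments.items():
        users = expand_group(principal, members) if principal in members else {principal}
        for user in users:
            if LEVEL_RANK[level] > LEVEL_RANK.get(result.get(user), 0):
                result[user] = level
    return result


def guests_with_write(assignments, members):
    """Guests (B2B '#EXT#' UPNs) holding Edit or higher: the finding a manual review misses."""
    return sorted(u for u, lvl in effective_access(assignments, members).items()
                  if "#EXT#" in u and LEVEL_RANK[lvl] >= LEVEL_RANK["Edit"])
```

Running `guests_with_write(ROLE_ASSIGNMENTS, GROUP_MEMBERS)` surfaces the guest two groups deep under "Finance Members", who never appears in the site's own member list.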