Table of Contents
- Why SharePoint Online Permissions Not Working Is a High-Severity Event
- Understanding SharePoint Online Permission Architecture
- Prerequisites and Affected Systems
- Step-by-Step: How to Fix SharePoint Online Permissions Not Working
- SharePoint Online Permission Methods Compared
- Real-World Case Study: External Access Misrouted to Wrong Site
- Verification and Testing
- Troubleshooting Common SharePoint Online Permissions Issues
- Best Practices
- Security Considerations
- People Also Ask — FAQ
- Conclusion
Why SharePoint Online Permissions Not Working Is a High-Severity Event
SharePoint Online permissions not working is rarely a minor inconvenience. When SharePoint Online permissions stop working, users are locked out of business-critical documents — contracts, financial reports, project files, HR records — at exactly the moment they need them. We have seen organisations lose hours of productivity across entire departments because a single inheritance break cascaded down a document library containing 4,000 files.
The compliance risk compounds the operational impact. If SharePoint Online permissions not working causes unintended external access to confidential documents, or if the lockdown mode bug prevents legitimate users from accessing a regulated data store, organisations face both a productivity crisis and a potential audit finding under GDPR, ISO 27001, or local data protection requirements.
SharePoint Online permissions not working is particularly frustrating to diagnose because the symptom — “Access Denied” — can be produced by at least six different root causes, and the user-facing error message is identical regardless of which layer the failure is in. This guide covers every layer systematically.
Understanding SharePoint Online Permission Architecture
SharePoint Online permissions not working can originate at four distinct layers. A failure at any layer produces an identical “Access Denied” error, which is why diagnosing each layer in sequence is essential before making changes.
Permission Layers
- Layer 1 — M365 / Azure AD Identity: The user account must exist and be licensed in Entra ID. Azure AD group memberships must have synced from on-premises AD (if using AD Connect). SharePoint Online permissions not working at this layer appears as an unresolvable user identity.
- Layer 2 — Site Collection Permissions: Users must be granted access at the site collection level — either as Site Members (Edit), Site Visitors (Read), or Site Owners (Full Control). SharePoint Online permissions not working at this layer means the user was simply never added.
- Layer 3 — Inheritance: Libraries, folders, and files can break inheritance from the parent site and have unique permissions. A user with site-level access may find SharePoint Online permissions not working at the folder level if inheritance is broken and they are not listed explicitly.
- Layer 4 — Site Features and Policies: The Limited-Access User Permission Lockdown Mode feature, sharing policies, and conditional access policies from Azure AD can override all other permission grants and cause SharePoint Online permissions not working even for correctly configured users.
How AD Group Sync Works (and Why It Causes SharePoint Online Permissions Not Working)
When you add a user to an on-premises Active Directory security group, the change must flow through Azure AD Connect sync (default: every 30 minutes), then propagate through Azure AD to SharePoint Online’s user profile service (up to 24 additional hours in large tenants). This sync delay is the most common cause of “I’ve been added to the group but SharePoint Online permissions are still not working” complaints — the permissions are correct, but the sync hasn’t completed.
Prerequisites and Affected Systems
- Affected systems: SharePoint Online (all M365 plans), connected via Azure AD / Entra ID and optionally Azure AD Connect for hybrid identity
- Admin access required: SharePoint Administrator or Global Administrator in the M365 tenant
- Tools needed: SharePoint Admin Centre, SPO Check Permissions tool (built-in), PnP PowerShell, Azure AD admin portal
- Licensing note: SharePoint sharing capabilities depend on M365 plan tier — Business Basic limits external sharing differently to Business Premium. See the Microsoft 365 Business Plans Buyer’s Guide 2026 for plan comparison.
Step-by-Step: How to Fix SharePoint Online Permissions Not Working
Phase 1: Use the Built-In Check Permissions Tool First
Before running any PowerShell to fix SharePoint Online permissions not working, use SharePoint’s built-in Check Permissions tool. It shows exactly what permissions a specific user has at the current location and why SharePoint Online permissions are not working for them.
- Navigate to the affected SharePoint site or library in a browser
- Click the gear icon → Site Settings → Site Permissions
- In the Permissions tab ribbon → click Check Permissions
- Type the affected user’s name or email → click Check Now
- Read the output — it shows their effective permission level and which group or direct assignment grants it
Common mistake here: Many admins skip this tool and go straight to adding the user again when SharePoint Online permissions are not working. This creates duplicate permission entries and makes the site harder to audit. Always Check Permissions first — it tells you in 30 seconds whether the user has a permission or not.
Phase 2: Verify Azure AD Group Membership and Sync Status
If SharePoint Online permissions not working is traced to a group sync issue, use PnP PowerShell to check the user’s presence in the site and force a delta sync:
# Install PnP PowerShell if not already installed
Install-Module PnP.PowerShell -Scope CurrentUser
# Connect to your SharePoint Admin Centre
Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -Interactive
# Check if the user exists in the site's user list
Get-PnPUser | Where-Object { $_.Email -eq "user@domain.com" }
# If the user is not listed — SharePoint Online permissions are not working due to missing user
# Add user directly to verify (temporary test)
Add-PnPGroupMember -LoginName "user@domain.com" -Group "Site Members"To check Azure AD Connect sync status and fix SharePoint Online permissions not working due to sync delay:
# Check last sync time from Azure AD
Import-Module MSOnline
Connect-MsolService
Get-MsolCompanyInformation | Select LastDirSyncTime
# Force a delta sync (run on the Azure AD Connect server)
Start-ADSyncSyncCycle -PolicyType Delta
# For a full sync (use sparingly — takes longer)
Start-ADSyncSyncCycle -PolicyType InitialVerification: After forcing a delta sync, wait 5 minutes and recheck the user’s group membership in the Azure AD portal. If SharePoint Online permissions are still not working after sync, the user may need to log out and back in to get a new token.
Phase 3: Check and Fix Broken Permission Inheritance
Broken inheritance is a leading cause of SharePoint Online permissions not working at the library or folder level. A user may have site-level access but find SharePoint Online permissions not working on a specific library because inheritance was broken and they were not added explicitly.
# Connect to the affected site
Connect-PnPOnline -Url "https://yourtenant.sharepoint.com/sites/yoursite" -Interactive
# Check if a specific list/library has unique permissions (broken inheritance)
$list = Get-PnPList -Identity "Documents"
$list.HasUniqueRoleAssignments
# Returns True = inheritance broken, False = inheriting from site
# Check all lists for broken inheritance (scan for SharePoint Online permissions not working)
Get-PnPList | Select Title, HasUniqueRoleAssignments
# To restore inheritance on a library (removes all unique permissions)
Set-PnPList -Identity "Documents" -ResetRoleInheritance
# To restore inheritance on a specific folder
$folder = Get-PnPFolder -Url "/sites/yoursite/Documents/ProjectFolder"
Set-PnPFolderPermission -Url $folder.ServerRelativeUrl -ResetRoleInheritanceCommon mistake here: Restoring inheritance removes ALL unique permissions on that library or folder — any intentional unique permissions will be lost. Document unique permissions before resetting to avoid making SharePoint Online permissions not working for other users.
Phase 4: Check and Disable Limited-Access Lockdown Mode
The Limited-Access User Permission Lockdown Mode site feature is one of the most frequently missed causes of SharePoint Online permissions not working. When enabled, it prevents users from accessing the site root and certain pages even if they have valid permissions on a library.
# Check if Lockdown Mode is causing SharePoint Online permissions not working
Connect-PnPOnline -Url "https://yourtenant.sharepoint.com/sites/yoursite" -Interactive
Get-PnPFeature -Scope Site | Where-Object { $_.DisplayName -like "*LimitedAccess*" }
# If the feature appears in the output, it is enabled and likely causing the issue
# Disable Lockdown Mode to fix SharePoint Online permissions not working
Disable-PnPFeature -Identity "7c637b23-06c4-472d-9a9a-7c175762c5c4" -Scope Site -Force
# Alternatively via SharePoint Admin Centre:
# Site Settings → Site Collection Features → Limited-Access User Permission Lockdown Mode → DeactivatePhase 5: Fix Orphaned Users
Orphaned user accounts are another common cause of SharePoint Online permissions not working after account migrations or staff changes. The old account identity remains in the site’s user list but is no longer resolvable in Azure AD, making SharePoint Online permissions not working for the affected user.
# List all users — identify orphaned accounts causing SharePoint Online permissions not working
Get-PnPUser | Select Title, Email, LoginName
# Remove an orphaned user from the site user list
Remove-PnPUser -LoginName "i:0#.f|membership|olduser@domain.com" -Confirm:$false
# Re-add the user with their current account to restore permissions
Add-PnPGroupMember -LoginName "newuser@domain.com" -Group "Site Members"Phase 6: Check External Sharing Policy
# Check tenant-level sharing policy
Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -Interactive
Get-PnPTenant | Select SharingCapability
# Check site-level sharing policy
Get-PnPSite -Url "https://yourtenant.sharepoint.com/sites/yoursite" | Select SharingCapability
# Possible values:
# Disabled - No external sharing (causes SharePoint Online permissions not working for guests)
# ExistingExternalUserSharingOnly - Only previously invited externals
# ExternalUserSharingOnly - Any Azure AD guest
# ExternalUserAndGuestSharing - Anyone with a link
# Update site sharing capability
Set-PnPSite -Url "https://yourtenant.sharepoint.com/sites/yoursite" -SharingCapability ExternalUserSharingOnlySharePoint Online Permission Methods Compared
| Method | Sync Delay | Best For | Scalability | Audit Ease |
|---|---|---|---|---|
| Direct user add to SP group | Immediate | Individual users, guests | Poor (>50 users) | Easy |
| Azure AD / M365 group | Minutes (cloud-only) | Teams-connected sites, modern sites | Good | Good |
| On-prem AD security group (synced) | 30 min – 24 hrs | Hybrid environments, large orgs | Excellent | Moderate |
| Sharing link (Anyone/Org) | Immediate | One-off external sharing | Poor | Poor |
| Access request + approval | Immediate (after approval) | Self-service access model | Moderate | Good |
Real-World Case Study: External Access Misrouted to Wrong Site
A professional services firm in Islamabad asked us to investigate why an external client partner was accessing documents from the wrong project site. The client had been added as a guest in Azure AD and given Read access to Site A — but SharePoint Online permissions were not working as expected and the user could also see files from Site B, which contained confidential internal communications.
The investigation took less than an hour. The firm’s SharePoint admin had shared a folder from Site B using an “Anyone with the link” sharing link weeks earlier, and that link had been forwarded to the new external guest. The tenant-level sharing policy allowed anonymous link sharing, and the link was still active — a classic example of SharePoint Online permissions not working as intended due to overly permissive sharing policies.
We resolved this in three steps: first, we disabled “Anyone with the link” sharing at the tenant level and set it to “New and existing guests only”. Second, we ran a sharing report on Site B using the SharePoint Admin Centre to identify and expire all active sharing links. Third, we enabled the Restricted Access Control policy on both sites so that only explicitly added members could access content — regardless of link. This permanently prevented SharePoint Online permissions from not working due to forwarded sharing links.
The lesson: sharing link expiry dates should be mandatory in the tenant sharing policy for any externally shared content. Set the maximum guest link expiry to 30 days to prevent stale SharePoint Online permissions issues from forwarded links.
Verification and Testing
# 1. Verify user's effective permissions
Connect-PnPOnline -Url "https://yourtenant.sharepoint.com/sites/yoursite" -Interactive
Get-PnPUser | Where-Object { $_.Email -eq "user@domain.com" }
# 2. Confirm group membership
Get-PnPGroupMembers -Identity "Site Members"
# 3. Verify inheritance on target library
(Get-PnPList -Identity "Documents").HasUniqueRoleAssignments
# False = inheriting from site (SharePoint Online permissions not working due to inheritance break is resolved)
# 4. Confirm Lockdown Mode is disabled
Get-PnPFeature -Scope Site | Where-Object { $_.DisplayName -like "*LimitedAccess*" }
# No output = feature is disabled (SharePoint Online permissions not working due to lockdown mode is resolved)
# 5. Confirm sharing policy
Get-PnPSite | Select SharingCapabilityTroubleshooting Common SharePoint Online Permissions Issues
Issue 1: “Access Denied” After Being Added to a SharePoint Group
Symptoms: User receives the invitation, clicks the link, and SharePoint Online permissions are not working — they see “Access Denied” despite appearing in the Site Members list.
Root cause: Broken permission inheritance on the target library, or Lockdown Mode is preventing access to site assets needed to render the page.
# Diagnose SharePoint Online permissions not working on a library
(Get-PnPList -Identity "Documents").HasUniqueRoleAssignments
# Check for Lockdown Mode
Get-PnPFeature -Scope Site | Where-Object { $_.DisplayName -like "*LimitedAccess*" }
# Fix: restore inheritance or disable Lockdown Mode per Phase 3 and 4 abovePrevention: Audit inheritance breaks monthly using Get-PnPList | Select Title, HasUniqueRoleAssignments.
Issue 2: AD Group Permissions Not Applying After Group Membership Change
Symptoms: Admin confirms user is in the AD group, but SharePoint Online permissions are still not working. Check Permissions shows the group is assigned, but the user has no effective access.
Root cause: Azure AD Connect sync has not yet propagated the on-premises group change to Azure AD.
# Force delta sync to resolve SharePoint Online permissions not working due to sync delay
Start-ADSyncSyncCycle -PolicyType Delta
# Check last sync in Azure AD
Connect-MsolService
Get-MsolCompanyInformation | Select LastDirSyncTime
# Workaround: add user directly to SP group while sync completes
Add-PnPGroupMember -LoginName "user@domain.com" -Group "Site Members"Prevention: For immediate access requirements, add users directly to SharePoint groups rather than relying on synced on-premises groups to prevent SharePoint Online permissions not working during sync windows.
Issue 3: “Check Permissions” Tool Shows Greyed Out or Unavailable
Symptoms: The Check Permissions button is not visible in Site Permissions — making it impossible to diagnose why SharePoint Online permissions are not working.
Root cause: User running the check does not have Site Collection Administrator permissions.
# Confirm you are a Site Collection Admin
Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -Interactive
Get-PnPSiteCollectionAdmin -Url "https://yourtenant.sharepoint.com/sites/yoursite"
# Add yourself as Site Collection Admin if needed
Add-PnPSiteCollectionAdmin -Owners "admin@domain.com"Prevention: Ensure at least two Global or SharePoint Administrators are designated as Site Collection Admins on all sites.
Issue 4: External User Reports SharePoint Online Permissions Not Working
Symptoms: External guest has been added, can sign in, but SharePoint Online permissions are still not working and they see the permission request page instead of site content.
Root cause: External sharing is disabled at the site level, or the guest account is in a “pending” state in Azure AD and has not accepted the invitation.
# Check guest invitation status in Azure AD
Connect-AzureAD
Get-AzureADUser -Filter "UserType eq 'Guest'" | Where-Object { $_.Mail -eq "guest@external.com" } | Select DisplayName, UserState
# If UserState = PendingAcceptance — resend invitation to fix SharePoint Online permissions not working
New-AzureADMSInvitation -InvitedUserEmailAddress "guest@external.com" -InviteRedirectUrl "https://yourtenant.sharepoint.com/sites/yoursite" -SendInvitationMessage $true
# Check site-level sharing
Set-PnPSite -Url "https://yourtenant.sharepoint.com/sites/yoursite" -SharingCapability ExternalUserSharingOnlyPrevention: Always confirm guest accounts are in “Accepted” state in Azure AD before assuming a SharePoint Online permissions not working issue exists at the site level.
Issue 5: SharePoint Online Permissions Not Working After Site Migration
Symptoms: After a site migration or Teams upgrade, existing permissions stop working and users report losing access.
Root cause: When a SharePoint site is connected to a Microsoft Teams team or an M365 Group, the M365 group controls site membership and legacy SharePoint groups may be overridden — causing SharePoint Online permissions not working for previously configured users.
# Check if site is group-connected
Get-PnPSite | Select GroupId
# Non-empty GroupId = group-connected (M365 Group owns membership)
# For group-connected sites, manage membership via M365 Group
Add-UnifiedGroupLinks -Identity "YourGroup" -LinkType Members -Links "user@domain.com"Prevention: Document whether sites are group-connected before any migration. Group-connected sites require membership management through M365 Groups or Teams to prevent SharePoint Online permissions not working post-migration.
Best Practices to Prevent SharePoint Online Permissions Not Working
Permission Design
- Use M365 Groups or Azure AD security groups — never add individuals directly at scale. Direct user assignments create an unmanageable permission structure and increase the risk of SharePoint Online permissions not working after organisational changes.
- Minimise inheritance breaks. Every broken inheritance point is a potential source of SharePoint Online permissions not working. Keep your site structure flat and use inheritance breaks only at the document library level where genuinely needed.
- Never share at folder level if avoidable. Folder-level permissions are invisible from the site permission report and difficult to audit when SharePoint Online permissions are not working.
Operational Hygiene
- Run a quarterly permissions audit. Use the SharePoint Admin Centre → Reports → Sharing → Export to CSV. Review all active sharing links and remove those that are expired or unnecessary.
- Set sharing link expiry policies. Enforce maximum link expiry of 30 days for guest links to prevent SharePoint Online permissions not working due to stale or forwarded sharing links.
- Enable access request notifications. Site Permissions → Access Request Settings → enable email notifications so site owners are informed when SharePoint Online permissions are not working for a specific user.
- Document every inheritance break. Maintain a permissions register — when the original admin leaves, undocumented permission decisions cause SharePoint Online permissions not working issues that are nearly impossible to trace.
Security Considerations
SharePoint Online permissions not working has a dual security dimension. A permission that is too restrictive locks legitimate users out; a permission that is too permissive grants unintended access to confidential data. Both are risk events.
For organisations subject to compliance frameworks — GDPR, PCI-DSS, ISO 27001 — SharePoint sharing reports and permission change audit logs must be retained. The Microsoft Purview audit log captures SharePoint permission events including sharing link creation, permission grants, and inheritance changes. Ensure Purview audit logging is enabled for your tenant and that retention is configured to meet your compliance policy.
Conditional Access policies from Azure AD (Entra ID) interact with SharePoint Online permissions — a user may have valid SharePoint permissions but find SharePoint Online permissions not working because a Conditional Access policy requires a compliant device or specific network location. If users report SharePoint Online permissions not working from specific devices or locations, check Entra ID sign-in logs before assuming the issue is at the SharePoint layer. This is a common escalation path covered in the Microsoft Intune Setup Guide.
People Also Ask — FAQ
Why is SharePoint not recognising my permissions even though I’ve been added to a group?
SharePoint Online permissions not working after being added to a group is almost always caused by Azure AD Connect sync delay. If you were added to an on-premises Active Directory group, the change can take 30 minutes to 24 hours to propagate to SharePoint Online. Ask your admin to add your account directly to the SharePoint site group as a temporary fix while the sync completes, then sign out and back in to get a new token.
How do I fix “Access Denied” in SharePoint Online?
When SharePoint Online permissions are not working and you see Access Denied, start with the built-in Check Permissions tool in Site Settings → Site Permissions. The most common fixes are: restoring permission inheritance on the target library (Set-PnPList -ResetRoleInheritance), disabling Limited-Access Lockdown Mode via Site Collection Features, or forcing an Azure AD Connect delta sync if the SharePoint Online permissions not working issue is group-related.
Why do SharePoint Online permissions take so long to sync from Active Directory?
SharePoint Online permissions not working after an AD group change is caused by Azure AD Connect sync running every 30 minutes, followed by the SharePoint user profile service update which can add several more hours in large tenants. Force a delta sync using Start-ADSyncSyncCycle -PolicyType Delta on the Azure AD Connect server to speed up the process.
How do I reset permissions in SharePoint Online?
To reset a library where SharePoint Online permissions are not working due to broken inheritance, use PnP PowerShell: Set-PnPList -Identity "Library Name" -ResetRoleInheritance. Always backup your current permission structure first using Get-PnPList | Select Title, HasUniqueRoleAssignments before resetting, as this removes all unique permissions on the library.
Related Articles
- Azure AD Hybrid Join Not Working: Complete Fix Guide 2026 — SharePoint Online permissions not working is frequently rooted in Azure AD sync issues; diagnose hybrid identity problems here first.
- Microsoft Intune Setup Guide 2026 — Intune Conditional Access policies can cause SharePoint Online permissions not working from non-compliant devices.
- Microsoft 365 Business Plans: Complete Buyer’s Guide 2026 — M365 licensing tier directly affects SharePoint external sharing capabilities.
- Active Directory Explained: Beginner to Advanced Guide 2026 — AD group membership and nested groups are the primary cause of SharePoint Online permissions not working in hybrid environments.
Conclusion
SharePoint Online permissions not working consistently traces back to one of six root causes — and the built-in Check Permissions tool eliminates most of them in under two minutes. The discipline is in following the diagnostic sequence rather than jumping to fixes whenever SharePoint Online permissions are not working for a user.
Check before you change. The Check Permissions tool and PnP PowerShell give you a complete picture of a user’s effective access before you make modifications that could cause SharePoint Online permissions not working for other users.
Understand sync delay. Azure AD Connect sync delay is the most common cause of SharePoint Online permissions not working — know the timelines before escalating.
Audit inheritance breaks regularly. Every broken inheritance point is a future SharePoint Online permissions not working ticket. Keep your permission structure as flat as possible.
Group-connected sites need group-based management. If a site is connected to a Teams team or M365 Group, manage membership through that group to prevent SharePoint Online permissions not working after migrations.
Lock down external sharing proactively. Set sharing link expiry policies before an external sharing incident forces a reactive audit into why SharePoint Online permissions are not working as intended.
Need Expert Help Fixing SharePoint Online Permissions?
I provide professional M365 administration and SharePoint consulting for businesses across Pakistan and internationally. Whether SharePoint Online permissions are not working due to sync issues, broken inheritance, or licensing problems — I can diagnose and fix it.
- SharePoint Online permission architecture and audit
- Azure AD / Entra ID hybrid identity configuration
- Microsoft 365 tenant administration and governance
- Azure AD Connect deployment and troubleshooting
- M365 Conditional Access and Intune MDM
Email: itexpert@navedalam.com
WhatsApp: +92 311 935 8005
Website: navedalam.com
Free 30-minute consultation — no obligation.
About the Author — Naveed Alam
Naveed Alam is a certified Network and Cloud Engineer specialising in Microsoft 365 administration, Azure cloud infrastructure, and enterprise identity management. He holds CCNA, AZ-900, and CompTIA A+ certifications and has resolved SharePoint Online permissions not working issues for organisations ranging from 50 to 2,000 users across Pakistan and internationally.
Specialisations: SharePoint Online, Azure AD / Entra ID, Azure AD Connect, Microsoft Intune, Exchange Online, and Windows Server infrastructure.
LinkedIn · navedalam.com · itexpert@navedalam.com
