How to Audit Permissions for Microsoft 365: A Practical 2026 Guide

Written by: Abigail Ivy
Published on:

Auditing permissions in Microsoft 365 helps you find who can access what across users, groups, files, sites, mailboxes, and apps.

It also reveals stale access, excessive sharing, and privilege creep before they become security or compliance problems.

Why auditing Microsoft 365 permissions matters

Microsoft 365 is built around interconnected services such as Entra ID, SharePoint Online, Exchange Online, Teams, OneDrive, and Microsoft 365 Groups.

That flexibility is useful, but it also makes permissions easy to lose track of as teams change, projects end, and access gets inherited through groups and roles.

Common risks include former employees retaining access, too many people in admin roles, overshared SharePoint sites, external guests with lingering permissions, and nested group memberships that hide effective access.

A permission audit helps you understand both direct access and access granted indirectly through group membership, role assignments, and sharing links.

What to include in a Microsoft 365 permission audit

A complete audit should cover identity, collaboration, and workload-level permissions.

The most useful scope includes:

  • User accounts in Microsoft Entra ID, including enabled, disabled, guest, and service accounts.
  • Directory roles such as Global Administrator, Exchange Administrator, SharePoint Administrator, and Privileged Role Administrator.
  • Group membership for security groups, Microsoft 365 Groups, distribution lists, and role-assignable groups.
  • SharePoint and OneDrive access, including site owners, members, visitors, and unique item-level permissions.
  • Exchange Online permissions, such as mailbox delegation, send-as, and send-on-behalf access.
  • Teams access, including team owners, members, guests, private channels, and shared channels.
  • Application permissions and app role assignments for enterprise applications and registered apps.
  • External sharing settings and guest user access across the tenant.

How to audit permissions for Microsoft 365 step by step

Start by defining what “normal” access looks like in your organization.

This means documenting approved roles, approved groups, business owners for each workload, and what access should be restricted or reviewed regularly.

1. Review administrative roles in Entra ID

Begin with privileged identities because they present the highest risk.

In Microsoft Entra admin center, review directory role assignments and check whether users still need elevated access.

Focus on:

  • Permanent versus eligible role assignments
  • Accounts with multiple high-risk roles
  • Legacy or unused admin accounts
  • Break-glass emergency accounts and whether they are protected properly

Use Privileged Identity Management, or PIM, if available.

PIM lets you assign just-in-time access instead of standing admin privileges, which reduces exposure and improves auditability.

2. Inspect group membership and inheritance

Many Microsoft 365 permissions are granted through groups rather than directly to users.

Audit security groups, Microsoft 365 Groups, and nested memberships to see who effectively has access.

Look for:

  • Groups with no clear owner
  • Large groups that exceed business need
  • Nested groups that obscure effective permissions
  • Old groups tied to completed projects or departed teams

Group ownership matters as much as membership.

A group owner can often add or remove people, so confirm that ownership is limited and actively managed.

3. Check SharePoint Online and OneDrive permissions

SharePoint is one of the most common places for permission sprawl because access can be granted through site membership, folder permissions, item-level sharing, and anonymous links.

Review site owners, members, visitors, and any unique permissions that break inheritance.

Pay special attention to:

  • Sites with external sharing enabled
  • Documents shared with “Anyone with the link” access
  • Folders or files with unique permissions
  • Sites created for old projects or inactive departments

OneDrive audits are just as important because users often share sensitive files from personal storage rather than team sites.

Check sharing links, guest access, and whether files have been transferred when users leave the company.

4. Audit Exchange Online mailbox permissions

Mailbox delegation often goes unnoticed until there is a compliance review or incident.

In Exchange Online, review Full Access, Send As, and Send on Behalf permissions for user, shared, and resource mailboxes.

Key questions to ask include:

  • Who has access to executive or finance mailboxes?
  • Are delegated permissions still needed for assistants or shared service accounts?
  • Are old delegates still present after role changes?
  • Are shared mailboxes controlled by named owners?

In regulated environments, mailbox access should be tied to business justification and reviewed on a recurring basis.

5. Review Teams, channels, and guest access

Microsoft Teams permissions are influenced by the underlying Microsoft 365 Group, but private and shared channels add another layer.

Audit team owners and members, then inspect guest access and channel-specific membership.

Focus on teams that contain:

  • External guests from vendors or partners
  • Private channels with restricted membership
  • Shared channels that cross tenant boundaries
  • Inactive teams with old conversations and files

Because Teams often becomes a default collaboration space, it can accumulate access that no longer matches the business purpose.

6. Examine app permissions and service principals

Permission audits should not stop at human users.

Enterprise applications and service principals can have powerful access to data through Graph API permissions, mailbox access, or tenant-wide scopes.

Review:

  • Which apps have admin consent
  • Whether app permissions are still required
  • Which users own each app registration
  • Whether multi-tenant apps are approved and monitored

This is especially important for third-party SaaS tools integrated with Microsoft 365, because they may retain access long after the original business need ends.

Tools to use for auditing Microsoft 365 permissions

You can perform a basic audit with native Microsoft tools, then extend it with reporting and governance features as needed.

Common options include:

  • Microsoft Entra admin center for directory roles, users, groups, and guest accounts
  • Microsoft Purview for compliance, audit logs, and access reviews in governed environments
  • SharePoint admin center for site sharing and site-level permissions
  • Exchange admin center for mailbox permissions and shared mailbox access
  • Microsoft 365 admin center for tenant-wide user and license visibility
  • PowerShell for exporting permissions at scale and finding exceptions

For larger environments, third-party identity governance and access review tools can help detect entitlement drift, produce historical reports, and automate recertification workflows.

Best practices for a reliable permission audit

A good audit is repeatable, evidence-based, and aligned to business ownership.

Use these practices to keep the process effective:

  • Set a regular review cycle, such as monthly for privileged access and quarterly for standard access.
  • Assign each resource to a business owner who can approve access changes.
  • Document approved access paths, especially where group-based inheritance is used.
  • Remove stale guests, inactive accounts, and obsolete groups.
  • Use least privilege and role-based access control wherever possible.
  • Require multi-factor authentication for sensitive accounts and admins.
  • Export findings so you can compare results over time and prove remediation.

Common findings to watch for

During a Microsoft 365 permission audit, these issues appear frequently and should be prioritized:

  • Users with direct access that bypasses group controls
  • Orphaned sites, mailboxes, or teams with no active owner
  • Guests with access to sensitive content after a project ends
  • Overly broad admin rights assigned for convenience
  • External sharing links that remain active indefinitely
  • Service accounts with interactive login and broad permissions

Each of these findings increases the chance of accidental disclosure or unauthorized access, especially in organizations with frequent hiring, restructuring, or vendor collaboration.

How to turn audit results into remediation

An audit only adds value if it leads to action.

Classify findings by risk level, assign owners, and set deadlines for remediation.

High-risk items usually include privileged roles, external access to sensitive data, and permissions inherited from abandoned assets.

After cleanup, rerun the audit to confirm that changes were applied correctly.

Keep a record of approvals, exceptions, and compensating controls so future reviews are faster and more consistent.

For ongoing control, combine access reviews, lifecycle automation, and least-privilege policies so permissions stay aligned with the actual business need instead of drifting over time.