SharePoint Permissions Cleanup Before Migration
Permission cleanup is one of the highest-value steps in a SharePoint migration. Without it, the target environment can inherit years of oversharing, broken inheritance, orphaned users, and owner confusion.
Copying bad permissions into SharePoint Online does not reduce risk. It moves the risk into a more visible cloud environment.
Export permissions
Collect a permission baseline before migration:
- Site owners, members, and visitors
- SharePoint groups and Microsoft 365 groups
- Entra ID groups and nested groups
- Guests and external users
- Sharing links
- Broken inheritance points
- Direct user grants
- Service accounts
- Anonymous or organization-wide sharing settings
The export should include both technical access and business ownership.
Prioritize high-risk areas
You do not need to clean every site with the same level of effort. Start with:
- Executive sites
- HR, finance, legal, and compliance content
- Regulated or confidential libraries
- Sites with external sharing
- Sites with many unique permissions
- Sites with no current owner
- Sites tied to forms, workflows, or business-critical processes
Replace individual grants
Where possible, move from individual permissions to role-based groups with accountable owners. Use groups that business owners understand and IT can review.
A good target model includes:
- Named site owners
- Clear member/visitor groups
- Minimal direct grants
- Guest access reviewed separately
- Documented exceptions
- Review cadence after go-live
Validate after migration
Do not rely only on migration-tool success counts. Test access for:
- Owners
- Members
- Visitors
- Guests
- Service accounts
- Business validators
- Help desk support users
Also test negative cases. Some users should not be able to access sensitive content.
Build a review cadence
Permissions will drift again unless ownership and review processes are part of the post-migration operating model. Build periodic access reviews into your governance plan.
Next step
Use the SharePoint Permissions Repair script as a starting point for technical exploration, then pair it with a migration assessment before making broad permission changes.
