---
name: Broken Permission Inheritance Audit
description: Find SharePoint Online items with broken permission inheritance and rank them by access scope and sensitivity, aligned to ASD Essential Eight Control 5.
---
# Broken Permission Inheritance Audit
> **TL;DR:** This skill walks SharePoint Online sites and libraries in scope, finds every object where permission inheritance has been broken, and ranks the unique permissions by access scope and content sensitivity so owners can restore inheritance or formalise the exception.
## What does the broken permission inheritance audit do?
The audit identifies every site, library, folder, or item in scope where SharePoint Online permission inheritance has been broken, evaluates the access scope of the resulting unique permissions, and ranks each finding by risk. Site owners can then decide whether to restore inheritance or formally document the exception. The data is read through Microsoft Graph, and Microsoft Purview sensitivity labels are captured to weigh the exposure of each broken-inheritance object. Broken inheritance is the leading cause of oversharing surprises, so this audit is essential Copilot-readiness work: restoring least-privilege at the data layer is what keeps Microsoft 365 Copilot answers trustworthy and scoped to what each user should see.
## When should you run this skill?
- "Find broken permission inheritance in SharePoint"
- "Audit unique permissions across our sites"
- "Surface item-level permission drift"
- "Review where inheritance was broken in the last review window"
## How this skill works, step by step
1. Enumerate sites in scope (or a named site).
2. For each site walk the object hierarchy: site, lists / libraries, folders, items.
3. Identify objects where inheritance is broken (unique permissions present).
4. For each broken-inheritance object capture: object path, principals with access, permission level, sensitivity label of contents.
5. Calculate access scope: count of users with effective access through the unique permissions.
6. Compute risk score: High (external principals or Anyone with Restricted content), Medium (broad internal access), Low (single delegated owner).
7. Produce the table below.
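Steps 3 to 7 as working code, added here as an illustration and not part of the skill file or its catalogue: unique permissions are detected by the absence of `inheritedFrom` on a Graph `permission` record, access scope is summed per principal, and the High / Medium / Low rule from step 6 is applied. The tenant domain, the organisation size, the pre-resolved group `memberCount`, and the rule that Restricted content with broad internal access also ranks High are assumptions; all sample items are constructed.

```python
# Added example, not the skill's own code: rank objects whose permission inheritance
# is broken, from Graph-style `permission` records (all sample data is constructed).
TENANT_DOMAINS = {"contoso.com"}   # assumption: the tenant's verified domains
RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2}
def _principal(perm, org_size):
    """(display name, users reached, is_external) for one permission record."""
    link = perm.get("link") or {}
    if link.get("scope") == "anonymous":       # an "Anyone" sharing link
        return "Anyone (anonymous link)", org_size, True
    if link.get("scope") == "organization":    # "People in <org>" link
        return "Organization link", org_size, False
    granted = perm.get("grantedToV2") or {}
    if "group" in granted:  # memberCount assumed pre-resolved via Group.Read.All
        return granted["group"]["displayName"], granted["group"].get("memberCount", 0), False
    email = granted.get("user", {}).get("email", "")
    external = bool(email) and email.split("@")[-1].lower() not in TENANT_DOMAINS
    return email or "unknown", 1, external
def rank(item, org_size=1000):
    """Finding for an item with unique (non-inherited) permissions, else None.
    Graph tags inherited permissions with `inheritedFrom`; one without it was set here."""
    unique = [p for p in item["permissions"] if "inheritedFrom" not in p]
    if not unique: return None
    parts = [_principal(p, org_size) for p in unique]
    names = [n for n, _, _ in parts]
    scope = sum(c for _, c, _ in parts)            # users reached via unique permissions
    external = any(e for _, _, e in parts)
    roles = sorted({r for p in unique for r in p.get("roles", [])})
    label = item.get("sensitivityLabel", "General")
    if external or (label == "Restricted" and scope > 1):  # assumption: Restricted + broad = High
        risk = "High"
    elif scope > 1:                                         # broad internal access
        risk = "Medium"
    else:                                                   # single delegated principal
        risk = "Low"
    return {"path": item["path"], "principals": names, "roles": roles,
            "scope": scope, "sensitivity": label, "risk": risk}
def audit(items, org_size=1000):  # highest risk first = recommended remediation order
    findings = [f for f in (rank(i, org_size) for i in items) if f]
    return sorted(findings, key=lambda f: (RISK_ORDER[f["risk"]], -f["scope"]))

SAMPLE_ITEMS = [  # constructed sample, not real tenant data
    {"path": "/sites/Finance/Budget.xlsx", "sensitivityLabel": "Restricted",
     "permissions": [{"roles": ["read"], "link": {"scope": "anonymous"}}]},
    {"path": "/sites/Finance/Policies", "sensitivityLabel": "General",
     "permissions": [{"roles": ["read"], "link": {"scope": "organization"}}]},
    {"path": "/sites/Finance/Notes.docx", "permissions": [
        {"roles": ["write"], "grantedToV2": {"user": {"email": "alice@contoso.com"}}}]},
    {"path": "/sites/Finance/Inherited.docx", "permissions": [
        {"roles": ["read"], "inheritedFrom": {"path": "/sites/Finance"}}]},
]
```

Each finding dict maps directly onto the Object Path, Principals, Permission Level, Scope, Sensitivity and Risk columns of the output table; `audit()` returns them in remediation order.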
## Output format
| Site | Object Path | Object Type | Principals | Permission Level | Scope | Sensitivity | Risk |
| --- | --- | --- | --- | --- | --- | --- | --- |
Followed by a summary:
- Sites scanned: N
- Objects with broken inheritance: N
- High risk: N (requires immediate review)
- Recommended remediation order
## Scope and safety
This skill is read-only by default and takes no destructive actions. It does NOT:
- Restore inheritance or remove permissions (read-only)
- Modify sharing links
- Read file contents
## Licensing and permissions
### Licences and add-ons
| Capability used | Minimum licence |
| --- | --- |
| Read SharePoint sites, libraries, items and unique permissions via Microsoft Graph | Microsoft 365 E3 (or Office 365 E3) |
| Read Microsoft Purview sensitivity labels on content | Microsoft 365 E3 |
| Site-level Data Access Governance and oversharing reports at scale | SharePoint Advanced Management (included in Microsoft 365 E5 or as an add-on) |
### Least-privilege roles
- Global Reader — tenant-wide read-only visibility for the audit
- SharePoint Administrator (read) — where site-level permission detail or SharePoint Advanced Management reports are needed
### Microsoft Graph permissions (read-only)
- `Sites.Read.All` — enumerate sites, lists, libraries and folders in scope
- `Files.Read.All` — read item metadata and identify objects with unique permissions
- `Group.Read.All` — resolve group principals granted access through broken inheritance
- `Directory.Read.All` — resolve user and directory principals on unique permissions
- `InformationProtectionPolicy.Read.All` — read the Purview sensitivity label definitions applied to content
## Sources and compliance
- Supports E8 ML2 evidence for Control 5 (administrative privilege restriction at the data layer)
- Pair with External Sharing Deep Audit and SharePoint Oversharing Audit for a complete access posture view
- Re-run before any Microsoft 365 Copilot rollout — broken inheritance is the leading cause of oversharing surprises
- [Check permissions on a SharePoint site](https://learn.microsoft.com/en-us/sharepoint/check-permissions-on-site)
- Output in Australian English
## How to use this skill
- Get the file. Download or copy the SKILL.md above.
- Load it into your host:
  - Microsoft 365 Copilot / Copilot Studio — add it as the instructions of a declarative agent or Copilot Studio agent.
  - Claude (Cowork / Claude Code) — drop the file into your skills folder; it loads as an Agent Skill automatically.
  - Any chat host — paste the file contents as your prompt.
- Grant read-only access. Assign the least-privilege roles and Microsoft Graph scopes listed under Licensing and permissions above.
- Provide your tenant scope and run it (a site, a collection, or the whole tenant).
- Review the report and action the risk-ranked recommendations.
This skill is read-only by default — it inspects and reports, and never changes your tenant.
Licensed under CC BY 4.0 by Educ4te. Adapted from the open HybridSP skills catalogue.