SKILL.md
---
name: Site Permissions Baseline
description: Produce a per-site SharePoint permissions snapshot of broad access, owners and broken-inheritance scopes as a baseline for least-privilege governance.
---
# Site Permissions Baseline
> **TL;DR:** This skill snapshots SharePoint Online site permissions, identifying users and groups with broad or excessive access, the owners, and unique broken-inheritance scopes, giving you a least-privilege baseline to govern Microsoft 365 Copilot exposure.
## What does the site permissions baseline capture?
This skill produces a per-site permissions snapshot using Microsoft Graph and SharePoint Online site permissions reports. It identifies principals with broad or excessive access, confirms who the site owners are, and locates unique permission scopes where inheritance is broken at library, folder or item level. Broken inheritance and over-broad groups are where least-privilege drift accumulates. Microsoft 365 Copilot only returns content the querying user can already open, so it is this accumulated oversharing, not Copilot itself, that surfaces unexpected content in answers. The baseline gives you a defensible starting point for ongoing governance. It reads permission data only and changes nothing.
## When should you run this skill?
- "Give me a permissions baseline for our SharePoint sites"
- "Who has excessive access across our sites?"
- "Find broken permission inheritance in SharePoint"
- "List site owners and broad-access groups"
- "Snapshot permissions before our least-privilege project"
- "Where are unique permission scopes hiding?"
## How this skill works, step by step
1. Connect read-only to Microsoft Graph and SharePoint Online with assessment scopes.
2. Enumerate sites in scope and retrieve their permission assignments.
3. Resolve groups to members to reveal effective access per principal.
4. Flag principals and groups with broad or excessive permission levels.
5. Identify site owners and confirm ownership coverage.
6. Detect unique scopes where inheritance is broken below the site root.
7. Score each site by breadth of access, broken-scope count and ownership health.
8. Assemble the per-site snapshot with effective-access detail.
9. Output the baseline without altering any permission.
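The steps above are what the agent is instructed to do; the skill file does not show how the flagging and scoring in steps 3 to 8 are actually decided. The block below is an added example (not the skill's own code and not a Microsoft sample) that carries those steps through on constructed data: it flattens nested group membership to effective users, flags Everyone claims and groups covering most of the tenant as broad, weighs ownerless sites and broken-scope counts, and renders the same table the skill emits. It assumes the permission data has already been collected read-only (site-level role assignments via the SharePoint REST API or PnP PowerShell, folder and item unique scopes via Graph drive-item permissions) and flattened into the dataclasses shown; the group names, user names, counts and scoring thresholds are all invented for illustration and should be tuned per organisation.

```python
"""Site Permissions Baseline scoring: added example, not the skill's own code.

Assumption: permission data was already fetched read-only and flattened into
the dataclasses below. Every name, group and threshold here is constructed
sample data, not a real tenant.
"""
from dataclasses import dataclass

# Real SharePoint claims that grant access to the whole tenant.
BROAD_PRINCIPALS = {"everyone", "everyone except external users"}
# Assumption: a group whose effective membership covers this share of tenant
# users is treated as broad even when it is not an Everyone claim.
BROAD_MEMBERSHIP_RATIO = 0.5
# Permission levels above Read that make broad access more serious.
WRITE_LEVELS = {"Contribute", "Edit", "Design", "Full Control"}


@dataclass
class RoleAssignment:
    principal: str  # user or group display name
    level: str      # SharePoint permission level, e.g. "Edit"


@dataclass
class SiteSnapshot:
    name: str
    owners: list
    assignments: list
    broken_scopes: int  # lists, folders and items with unique role assignments


@dataclass
class BaselineRow:
    site: str
    owners: int
    broad_access: list
    broken_scopes: int
    risk: str
    action: str


def resolve_members(principal, groups):
    """Step 3: flatten nested groups to effective users (cycle-safe).
    `groups` maps a group name to its direct members (users or groups)."""
    seen, stack, users = set(), [principal], set()
    while stack:
        p = stack.pop()
        if p in seen:
            continue
        seen.add(p)
        if p in groups:
            stack.extend(groups[p])
        else:
            users.add(p)
    return users


def is_broad(ra, groups, tenant_users):
    """Step 4: Everyone claims, or groups covering most of the tenant, are broad."""
    if ra.principal.lower() in BROAD_PRINCIPALS:
        return True
    return len(resolve_members(ra.principal, groups)) >= BROAD_MEMBERSHIP_RATIO * tenant_users


def score_site(site, groups, tenant_users):
    """Steps 5 to 8: ownership, broken scopes and breadth of access -> one row."""
    broad = [ra for ra in site.assignments if is_broad(ra, groups, tenant_users)]
    broad_write = any(ra.level in WRITE_LEVELS for ra in broad)
    points, actions = 0, []
    if not site.owners:                  # ownerless: nobody can attest the access
        points += 2
        actions.append("Assign owner")
    elif len(site.owners) < 2:           # single owner: ownership coverage is thin
        points += 1
    if broad:
        points += 3 if broad_write else 2
        actions.append("Tighten group" if broad_write else "Review broad read access")
    if site.broken_scopes >= 25:         # thresholds are assumptions, tune them
        points += 2
        actions.append("Restore inheritance")
    elif site.broken_scopes >= 3:
        points += 1
        actions.append("Review scopes")
    elif site.broken_scopes:
        actions.append("Document exception")
    risk = "High" if points >= 4 else "Medium" if points >= 2 else "Low"
    return BaselineRow(site.name, len(site.owners),
                       [f"{ra.principal} ({ra.level})" for ra in broad],
                       site.broken_scopes, risk, ", ".join(actions) or "None")


def build_baseline(sites, groups, tenant_users):
    """Step 9: score every site, highest risk first; nothing is modified."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    rows = [score_site(s, groups, tenant_users) for s in sites]
    return sorted(rows, key=lambda r: (order[r.risk], r.site))


def render_table(rows):
    """Markdown table in the skill's output format."""
    lines = ["| Site | Owners | Broad-access principals | Broken scopes | Risk | Recommended action |",
             "| --- | --- | --- | --- | --- | --- |"]
    for r in rows:
        broad = ", ".join(r.broad_access) or "None"
        lines.append(f"| {r.site} | {r.owners} | {broad} | {r.broken_scopes} | {r.risk} | {r.action} |")
    return "\n".join(lines)


# Constructed sample tenant: 10 users and one nested all-staff group.
GROUPS = {
    "All Staff": ["Finance Team", "HR Team", "carol", "dave", "erin", "frank"],
    "Finance Team": ["alice", "bob"],
    "HR Team": ["grace", "heidi"],
}
TENANT_USERS = 10
SITES = [
    SiteSnapshot("Finance Hub", ["alice", "bob"],
                 [RoleAssignment("Finance Team", "Full Control"), RoleAssignment("All Staff", "Edit")], 14),
    SiteSnapshot("HR Policies", ["grace", "heidi", "carol"], [RoleAssignment("HR Team", "Edit")], 1),
    SiteSnapshot("Legacy Archive", [], [RoleAssignment("Everyone", "Read")], 31),
]

if __name__ == "__main__":
    print(render_table(build_baseline(SITES, GROUPS, TENANT_USERS)))
```

Two design points worth keeping when you adapt this. Membership resolution walks nested groups with a visited set, because Entra security groups can nest and a cycle would otherwise loop forever; and "broad" is decided on effective user count rather than on the group's name, so a group called "Finance Team" that happens to contain every employee is still caught. Running the block prints the Finance Hub and Legacy Archive rows as High and HR Policies as Low, matching the sample table in the Output format section.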
## Output format
The skill returns a per-site permissions table, one row per site.
| Site | Owners | Broad-access principals | Broken scopes | Risk | Recommended action |
| --- | --- | --- | --- | --- | --- |
| Finance Hub | 2 | All Staff (Edit) | 14 | High | Tighten group, review scopes |
| HR Policies | 3 | None | 1 | Low | Document exception |
| Legacy Archive | 0 | Everyone (Read) | 31 | High | Assign owner, restore inheritance |
Summary:
- Total sites baselined: 198
- Sites with broad-access principals: 64
- Sites with broken inheritance: 121
- Ownerless sites: 12
- High risk: 47
## Scope and safety
This skill is read-only by default and makes no changes to permissions, ownership or inheritance.
This skill does NOT:
- Add, remove or modify any permission assignment.
- Restore inheritance or break additional scopes.
- Reassign or add site owners.
- Change group membership or access levels.
## Licensing and permissions
### Licences and add-ons
| Capability used | Minimum licence |
| --- | --- |
| Reading SharePoint site permissions, owners and members via Microsoft Graph | Microsoft 365 E3 or E5 |
| Data access governance site permissions reports (broad access, ownerless sites) | SharePoint Advanced Management |
### Least-privilege roles
- Global Reader (read-only tenant visibility for the assessment; sufficient for the Graph calls)
- SharePoint Administrator only where Data access governance reports must be generated from the SharePoint admin centre. This is not a read-only role, so assign it for the assessment window rather than standing, and prefer Global Reader wherever it can run the report
### Microsoft Graph permissions (read-only)
- `Sites.Read.All` — reads site collections and drive-item permissions; a permission's `inheritedFrom` property shows whether it is inherited, which is how unique scopes at folder or item level are detected. Site-level role assignments and SharePoint group membership are not exposed by Graph's `sites/{id}/permissions` endpoint (that lists application grants and requires `Sites.FullControl.All`), so read them through the SharePoint REST API (`/_api/web/roleassignments?$expand=Member,RoleDefinitionBindings`) or PnP PowerShell under the same read-only intent
- `Group.Read.All` — resolves Microsoft 365 and security groups, including nested groups via `transitiveMembers`, to their members for effective access
- `Directory.Read.All` — resolves owners and principals to directory objects
## Sources and compliance
- [Site permissions reports (Data access governance)](https://learn.microsoft.com/en-us/sharepoint/data-access-governance-reports)
- [Manage site permissions](https://learn.microsoft.com/en-us/sharepoint/manage-site-permissions)
- Maps to Essential Eight: Restrict administrative privileges through least-privilege baselines.
- Aligns with ISM controls for access control and privileged access management.
- Reference: [ASD Essential Eight Maturity Model](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model)
- Output in Australian English
How to use this skill
- Get the file. Download or copy the SKILL.md from the panel above.
- Load it into your host:
- Microsoft 365 Copilot / Copilot Studio — add it as the instructions of a declarative agent or Copilot Studio agent.
- Claude (Cowork / Claude Code) — drop the file into your skills folder; it loads as an Agent Skill automatically.
- Any chat host — paste the file contents as your prompt.
- Grant read-only access. Assign the least-privilege roles and Microsoft Graph scopes listed in Licensing and permissions above.
- Provide your tenant scope and run it (a site, a collection, or the whole tenant).
- Review the report and action the risk-ranked recommendations.
This skill is read-only by default — it inspects and reports, and never changes your tenant.