SharePoint Online: How to Stop Inheriting Permissions and Set Up Unique Access to a Subsite?
Requirement: Break permission inheritance of a Subsite in SharePoint Online.
How to Break Subsite Permission Inheritance in SharePoint Online?
When we create a new subsite in SharePoint Online, we can choose whether it inherits permissions from its parent site or has unique permissions. If you need to change the permission inheritance after the subsite has been created, you can do so from its permission settings. Giving permission to a subsite in SharePoint Online is quick and easy. In just a few steps, you can grant someone access to your subsite so that they can collaborate with you on documents and projects:
- Navigate to the subsite in which you need to change permission inheritance.
- Click on the Settings gear and then select “Site Settings” from the settings menu.
- On the Site Settings page, click on the “Site Permissions” link under the “Users and Permissions” section.
- On the site permissions page, if the site inherits permissions from its parent, you’ll see the message: “This web site inherits permissions from its parent. (Parent Site Title)”.
- To configure unique permissions for the subsite, click on the “Stop inheriting permissions” button from the ribbon and confirm the prompt.
- This takes us to the “Set Up Groups for this Site” page, where you need to set up the default groups for this subsite: owners, members, and visitors. For each one, you can either select an existing SharePoint group or create a new group.
- Click the OK button to save.
How to give permission to a subsite in SharePoint Online?
Here is how you can grant access to subsites:
- Click on Settings gear >> Site settings >> Site permissions. You’ll find the site is using unique permissions.
- Now, you can add new users to the site by clicking the “Grant Permissions” button.
- Or remove the existing users and groups that you don’t want to have access to the subsite by selecting them and clicking on the “Remove User Permissions” button in the ribbon.
SharePoint Online: PowerShell to break permission inheritance of a Subsite
By default, SharePoint Online uses inheritance to manage permissions, meaning that a subsite automatically inherits the permissions of its parent site. While this can be convenient in some cases, there may be instances where you need to set up unique access to a subsite.
Here is how to set up unique permissions in a subsite by breaking permission inheritance:
#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

#Variables
$SiteURL = "https://crescent.sharepoint.com/sites/marketing/2018"

Try {
    #Get Credentials to connect
    $Cred = Get-Credential

    #Setup the context
    $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
    $Ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)

    #Get the web from URL
    $Web = $Ctx.Web
    $Ctx.Load($Web)
    $Ctx.ExecuteQuery()

    #Break Permission inheritance of the Web - use existing groups from parent
    #1st parameter (copyRoleAssignments) = $True: the subsite keeps every permission the parent currently grants
    #2nd parameter (clearSubscopes) = $False: unique permissions already set on child objects are left as they are
    $Web.BreakRoleInheritance($True, $False)
    $Ctx.ExecuteQuery()
    Write-Host -f Green "Permission Inheritance Broken for the Subsite!"
}
Catch {
    Write-Host -f Red "Error Breaking Subsite Permissions!" $_.Exception.Message
}
What if you want to create new groups and associate default Owner/Member/Visitor groups with the subsite?
#Load SharePoint Online Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

#Function to Ensure a SharePoint Online Group
Function Ensure-SPOGroup([Microsoft.SharePoint.Client.Web]$Web, $GroupName, $PermissionLevel)
{
    Try {
        $Ctx = $Web.Context

        #Get Existing Groups
        $Groups = $Web.SiteGroups
        $Ctx.Load($Groups)
        $Ctx.ExecuteQuery()

        #Check if the Group Exists already
        $Group = $Groups | Where-Object { $_.Title -eq $GroupName }
        If(-Not $Group)
        {
            #Create the group
            $GroupInfo = New-Object Microsoft.SharePoint.Client.GroupCreationInformation
            $GroupInfo.Title = $GroupName
            $Group = $Web.SiteGroups.Add($GroupInfo)
            $Ctx.ExecuteQuery()

            #Assign permission to the group
            $RoleDefinition = $Web.RoleDefinitions.GetByName($PermissionLevel)
            $RoleDefBinding = New-Object Microsoft.SharePoint.Client.RoleDefinitionBindingCollection($Ctx)
            $RoleDefBinding.Add($RoleDefinition)
            $Ctx.Load($Web.RoleAssignments.Add($Group,$RoleDefBinding))
            $Ctx.ExecuteQuery()
            Write-Host -f Green "`tCreated Group $GroupName and Assigned Permissions $PermissionLevel"
        }
        Return $Group
    }
    Catch {
        Write-Host -f Red "Error:" $_.Exception.Message
    }
}

#Setup Credentials to connect
$SiteURL = "https://crescent.sharepoint.com/sites/marketing/2018"
$Cred = Get-Credential

Try {
    #Setup the context
    $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
    $Ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.UserName,$Cred.Password)

    #Get the Web
    $Web = $Ctx.Web
    $Ctx.Load($Web)
    $Ctx.ExecuteQuery()

    #Break Permission inheritance of the Web
    #1st parameter (copyRoleAssignments) = $False: nothing is copied from the parent; only the current user keeps access
    #2nd parameter (clearSubscopes) = $False: unique permissions already set on child objects are left as they are
    $Web.BreakRoleInheritance($False, $False)
    $Ctx.ExecuteQuery()
    Write-Host -f Green "Permission Inheritance Broken for the Subsite!"

    #Set Group Names
    $OwnersGroupName = $Web.Title + " Owners"
    $MembersGroupName = $Web.Title + " Members"
    $VisitorsGroupName = $Web.Title + " Visitors"

    #Get Default Groups
    $OwnersGroup = Ensure-SPOGroup -Web $Web -GroupName $OwnersGroupName -PermissionLevel "Full Control"
    $MembersGroup = Ensure-SPOGroup -Web $Web -GroupName $MembersGroupName -PermissionLevel "Edit"
    $VisitorsGroup = Ensure-SPOGroup -Web $Web -GroupName $VisitorsGroupName -PermissionLevel "Read"

    #Associate Default Groups
    $Web.AssociatedOwnerGroup = $OwnersGroup
    $Web.AssociatedOwnerGroup.Update()
    $Web.AssociatedMemberGroup = $MembersGroup
    $Web.AssociatedMemberGroup.Update()
    $Web.AssociatedVisitorGroup = $VisitorsGroup
    $Web.AssociatedVisitorGroup.Update()
    $Web.Update()
    $Ctx.ExecuteQuery()
    Write-Host -f Green "Default Groups Set for the Subsite!"
}
Catch {
    Write-Host -f Red "Error:" $_.Exception.Message
}
Set Unique Permissions in a subsite using PnP PowerShell
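#Parameter
$SiteURL = "https://crescent.sharepoint.com/sites/marketing/2018/"

#Connect to PnP Online
Connect-PnPOnline -Url $SiteURL -Interactive #-Credentials (Get-Credential)

#Get the Web
$Web = Get-PnPWeb

#Stop Inheriting Permissions of the subsite
#1st parameter (copyRoleAssignments) = $True: the subsite keeps every permission the parent currently grants
#2nd parameter (clearSubscopes) = $False: unique permissions already set on child objects are left as they are
$Web.BreakRoleInheritance($True, $False)
Invoke-PnPQuery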
This script stops the permission inheritance of a subsite. Here is another post on setting up unique permissions on a subsite using PnP PowerShell: SharePoint Online: Create Subsite with Unique Permissions using PowerShell
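To check the result of any of the scripts above, this added example (not part of the original article) uses PnP PowerShell to confirm that the subsite has unique permissions and to list every principal granted access directly on it. The `$BroadPrincipals` list is an assumption for illustration; the script only reads permissions and changes nothing.

```powershell
#Parameter - subsite URL used elsewhere on this page
$SiteURL = "https://crescent.sharepoint.com/sites/marketing/2018"

#Principal titles to flag as broad grants (assumption: adjust to your own policy)
$BroadPrincipals = @("Everyone", "Everyone except external users")

#Connect to PnP Online
Connect-PnPOnline -Url $SiteURL -Interactive
$Web = Get-PnPWeb

#HasUniqueRoleAssignments and RoleAssignments are not loaded by default
Get-PnPProperty -ClientObject $Web -Property HasUniqueRoleAssignments, RoleAssignments | Out-Null

If (-Not $Web.HasUniqueRoleAssignments) {
    Write-Host -f Yellow "The subsite still inherits permissions from its parent."
}
Else {
    $Report = ForEach ($RoleAssignment in $Web.RoleAssignments) {
        #Load the principal and its permission levels for this assignment
        Get-PnPProperty -ClientObject $RoleAssignment -Property Member, RoleDefinitionBindings | Out-Null

        #Ignore "Limited Access", which SharePoint assigns automatically
        $Levels = $RoleAssignment.RoleDefinitionBindings |
            Where-Object { $_.Name -ne "Limited Access" } |
            Select-Object -ExpandProperty Name

        If ($Levels) {
            [PSCustomObject]@{
                Principal   = $RoleAssignment.Member.Title
                Type        = $RoleAssignment.Member.PrincipalType
                Permissions = $Levels -join ", "
                #Only direct grants are checked here, not membership inside groups
                Broad       = $BroadPrincipals -contains $RoleAssignment.Member.Title
            }
        }
    }
    $Report | Sort-Object Principal | Format-Table -AutoSize
}
```

When inheritance was broken with the first parameter set to `$True`, every parent grant shows up in this report, so it doubles as the list to review before removing users and groups that should not have access to the subsite.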
Summary
In conclusion, stopping the permission inheritance and setting up unique access to a subsite in SharePoint Online is a straightforward process that can be performed by anyone with basic knowledge of the platform. Setting unique access permissions for a SharePoint Online subsite can be easily achieved through PowerShell as well. By using this feature, you can fine-tune access to your SharePoint data and ensure that only the right people have access to sensitive information. The process involves breaking the inheritance of permissions from the parent site and assigning users and groups the desired level of access. By following the steps outlined in the article, administrators can efficiently set up the desired access permissions for their SharePoint Online subsite.
Navigate to the list >> Click on Settings >> Select list settings. On the List Settings page, click on “Permissions for this list”. On the permissions page, if the list inherits permissions from the parent, click on the “Stop inheriting Permissions” button to break the permission inheritance. Now, from the ribbon, click the “Grant Permissions” >> In the Share dialogue box, enter names or email addresses in the designated text box.
More info: How do I give permissions to a SharePoint Online list?
Folder-specific permissions in SharePoint Online can be granted by breaking the folder’s permission inheritance and adding users and groups to it.
More info: SharePoint Online Set Permissions on Folder
How to create a group, add user, assign edit permissions, and add the newly created group to the broken inheritance sub web only.
Groups are scoped at site collection level in SharePoint. So, if you create a new group in a subsite, it will create an entry to the Root Web!