SharePoint Online: How to Stop Inheriting Permission and Setup Unique Access to a Subsite?

Requirement: Break permission inheritance of a Subsite in SharePoint Online.

When we create a new subsite in SharePoint Online, we can choose whether it inherits permissions from its parent site or has unique permissions. If you need to change this after the site has been created, you can do so from the subsite’s permission settings. In this guide, I’ll walk you through the process of breaking subsite permission inheritance in SharePoint, both in the SharePoint web user interface and in PowerShell.

Understanding Permission Inheritance in SharePoint

Before we dive into breaking permission inheritance, let’s take a moment to understand what permission inheritance is. In SharePoint, permission inheritance is a mechanism where subsites inherit permissions from their parent site. This means that by default, when you create a new subsite, it will have the same permissions as its parent site. Any changes made to the permissions of the parent site will automatically apply to the subsite.

Permission inheritance simplifies permission management by allowing you to set permissions at a higher level and have them propagate down to subsites. This reduces the need to manage permissions individually for each subsite.

Why would I need to break the inheritance of a subsite?

While permission inheritance is convenient, there are situations where you may need to break inheritance and manage permissions separately for a subsite. Here are a few reasons why you might want to break permission inheritance:

  • When you need to grant specific users or groups access to the subsite without affecting the permissions of the parent site.
  • When you want to have more granular control over the permissions of the subsite, independent of the parent site’s permissions.
  • When the subsite contains sensitive or confidential information that requires restricted access.

Now that we understand the concept of permission inheritance and the reasons for breaking it, let’s explore how to break subsite permission inheritance in SharePoint.

How to Break Subsite Permission Inheritance in SharePoint Online?

Let’s consider a real-world example where you have a project-specific subsite that contains sensitive information. You want to grant access to the project team members while restricting access for other users.

Giving permission to a subsite in SharePoint Online is quick and easy. In just a few steps, you can grant someone access to your subsite so that they can collaborate with you on documents and projects.

  1. Navigate to the subsite in which you need to change permission inheritance.
  2. Click on the Settings gear and then select “Site Settings” from the settings menu.
  3. On the Site Settings page, click on the “Site Permissions” link under the “Users and Permissions” section.
  4. On the site permissions page, you’ll see a message saying, “This web site inherits permissions from its parent. (Parent Site Title)” if the site inherits permissions from its parent.
  5. To configure unique permissions for the subsite, click on the “Stop inheriting permissions” button from the ribbon and confirm the prompt.
  6. This takes us to the “Set Up Groups for this Site” page, where you need to set up groups for this subsite, such as default owners, members, and visitors of the subsite. You can either select an existing SharePoint group or create a new group.
  7. Click the OK button to save.

You will now see a message indicating that the subsite has unique permissions. The permissions of the subsite are no longer linked to its parent site. When you break a subsite’s inheritance, the existing permissions from the parent site are copied to the subsite. This means that initially, the subsite will have the same permissions as the parent site. However, from this point forward, any changes made to the subsite’s permissions will be independent of the parent site.

How to give permission to a subsite in SharePoint Online?

After breaking permission inheritance, you can grant permissions to users or groups specifically for the subsite. Here’s how you can give permissions to a subsite in SharePoint:

  1. Click on Settings gear >> Site settings >> Site permissions. You’ll find the site is using unique permissions.
  2. Now, you can add new users to the site by clicking the Grant Permissions button.
  3. Or remove the existing users and groups that you don’t want to have access to the subsite by selecting them and clicking on the “Remove User Permissions” button in the ribbon.

Restoring Permission Inheritance

If you no longer need unique permissions for a subsite and want to revert back to inheriting permissions from its parent site, you can restore permission inheritance. Here’s how:

  1. Navigate to the subsite and go to the “Site Permissions” page.
  2. In the “Permissions” tab, click on the “Delete unique permissions” button.
  3. A confirmation dialog will appear. Click “OK” to proceed with restoring permission inheritance.
  4. The subsite will now inherit permissions from its parent site, and any unique permissions previously set for the subsite will be removed.

Note that restoring permission inheritance will override any custom permissions you had set for the subsite, so be cautious when using this option. More information here: How to Restore Permission Inheritance of a Subsite in SharePoint Online?

SharePoint Online: PowerShell to break permission inheritance of a Subsite

By default, SharePoint Online uses inheritance to manage permissions, meaning that a subsite automatically inherits the permissions of its parent site. While this can be convenient in some cases, there may be instances where you need to set up unique access to a subsite.

Here is how to set up unique permissions in a subsite by breaking permission inheritance:

#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
 
#Variables
$SiteURL = "https://crescent.sharepoint.com/sites/marketing/2018"
 
Try {
    #Get Credentials to connect
    $Cred= Get-Credential
 
    #Setup the context
    $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
    $Ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)
   
    #Get the web from URL
    $Web = $Ctx.web
    $Ctx.Load($Web)
    $Ctx.executeQuery()
 
    #Break Permission inheritance of the Web - use existing groups from parent
    $Web.BreakRoleInheritance($True, $False)
    $Ctx.executeQuery()
    Write-host -f Green "Permission Inheritance Broken for the Subsite!"
}
Catch {
    write-host -f Red "Error Breaking Subsite Permissions!" $_.Exception.Message
}

What if you want to create new groups and associate default Owner/Member/Visitor groups with the subsite?

#Load SharePoint Online Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
 
#Function to Ensure a SharePoint Online Group
Function Ensure-SPOGroup([Microsoft.SharePoint.Client.Web]$Web, $GroupName, $PermissionLevel)
{
    Try {
        $Ctx = $Web.Context
        #Get Existing Groups
        $Groups = $Web.SiteGroups
        $Ctx.Load($Groups)
        $Ctx.ExecuteQuery()
 
        #Check if the Group Exists already
        $Group = $Groups | Where { $_.Title -eq $GroupName}
        If(-Not $Group)
        {
            $GroupInfo = New-Object Microsoft.SharePoint.Client.GroupCreationInformation
            $GroupInfo.Title = $GroupName
            $Group = $Web.SiteGroups.Add($GroupInfo)
            $Ctx.ExecuteQuery()
 
            #Assign permission to the group
            $RoleDefinition = $web.RoleDefinitions.GetByName($PermissionLevel)
            $RoleDefBinding = New-Object Microsoft.SharePoint.Client.RoleDefinitionBindingCollection($Ctx)
            $RoleDefBinding.Add($RoleDefinition)
            $Ctx.Load($Web.RoleAssignments.Add($Group,$RoleDefBinding))
            $Ctx.ExecuteQuery()
            Write-host -f Green "`tCreated Group $GroupName and Assigned Permissions $PermissionLevel"
        }
        Return $Group
    }
    catch {
        write-host -f Red "Error:" $_.Exception.Message
    }
}
 
#Setup Credentials to connect
$SiteURL = "https://crescent.sharepoint.com/sites/marketing/2018"
$Cred = Get-Credential
 
Try {
    #Setup the context
    $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
    $Ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.UserName,$Cred.Password)
 
    #Get the Web
    $Web=$Ctx.Web
    $Ctx.Load($Web)
    $Ctx.ExecuteQuery()
 
    #Break Permission inheritance of the Web - do not copy role assignments from the parent
    $Web.BreakRoleInheritance($False, $False)
    $Ctx.executeQuery()
    Write-host -f Green "Permission Inheritance Broken for the Subsite!"

    #Set Group Names
    $OwnersGroupName = $Web.Title + " Owners"
    $MembersGroupName = $Web.Title + " Members"
    $VisitorsGroupName = $Web.Title + " Visitors"
 
    #Get Default Groups
    $OwnersGroup = Ensure-SPOGroup -Web $Web -GroupName $OwnersGroupName -PermissionLevel "Full Control"
    $MembersGroup = Ensure-SPOGroup -Web $Web -GroupName $MembersGroupName -PermissionLevel "Edit"
    $VisitorsGroup = Ensure-SPOGroup -Web $Web -GroupName $VisitorsGroupName -PermissionLevel "Read"
 
    #Associate Default Groups
    $web.AssociatedOwnerGroup  = $OwnersGroup
    $web.AssociatedOwnerGroup.Update()
    $web.AssociatedMemberGroup = $MembersGroup
    $web.AssociatedMemberGroup.Update()
    $web.AssociatedVisitorGroup = $VisitorsGroup
    $web.AssociatedVisitorGroup.Update()
    $web.Update()
    $Ctx.ExecuteQuery()
    Write-host -f Green "Default Groups Set for the Subsite!"
}
catch {
    write-host -f Red "Error:" $_.Exception.Message
}

Set Unique Permissions in a subsite using PnP PowerShell

To set unique permissions on an existing subsite in SharePoint Online using PnP PowerShell, you can follow this script:

#Parameter
$SiteURL= "https://crescent.sharepoint.com/sites/marketing/2018/"

#Connect to PnP Online
Connect-PnPOnline -Url $SiteURL -Interactive

#Get the Web
$Web = Get-PnPWeb

#Stop Inheriting Permissions of the subsite
$Web.BreakRoleInheritance($True, $False)
Invoke-PnPQuery

This script stops the permission inheritance of a subsite and uses the SharePoint groups from the parent site. You can add/remove groups from site permissions and customize it further. Here is another post on setting up unique permissions on a subsite using PnP PowerShell: SharePoint Online: Create Subsite with Unique Permissions using PowerShell

Considerations when breaking inheritance of subsites

When breaking the inheritance of subsites, keep the following considerations in mind:

  • Breaking inheritance can increase the complexity of permission management, especially if done excessively.
  • Minimize the number of subsites with broken inheritance to keep the permissions model manageable.
  • Consider using SharePoint groups to manage permissions efficiently.
  • It’s important to have a clear understanding of your permission structure and access requirements before breaking inheritance.
  • Be cautious when modifying permissions, as incorrect changes can lead to unintended access or security risks.
  • Regularly review and audit the permissions to ensure they align with your organization’s security policies.
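
For the review-and-audit point above, the following is an added example (not code from the original article) that lists every subsite with broken inheritance and the principals holding access on it. It assumes the PnP.PowerShell module is installed; the site collection URL and the report path are placeholders.

```powershell
# Added example: find subsites with unique permissions and report who has access.
# Assumptions: PnP.PowerShell is installed; $SiteURL and $ReportCsv are placeholders.
$SiteURL   = "https://crescent.sharepoint.com/sites/marketing"   # site collection root (assumed)
$ReportCsv = ".\UniquePermissionSubsites.csv"                    # hypothetical output path

Connect-PnPOnline -Url $SiteURL -Interactive

# Get every subsite below the connected web, with the inheritance flag loaded
$SubWebs = Get-PnPSubWeb -Recurse -Includes HasUniqueRoleAssignments

$Report = ForEach ($Web in $SubWebs) {
    # Subsites that still inherit are governed by the parent: nothing extra to review
    If (-Not $Web.HasUniqueRoleAssignments) { Continue }

    # Load the role assignments held directly on this subsite
    $Assignments = Get-PnPProperty -ClientObject $Web -Property RoleAssignments
    ForEach ($RA in $Assignments) {
        Get-PnPProperty -ClientObject $RA -Property Member, RoleDefinitionBindings | Out-Null

        # "Limited Access" is assigned automatically by SharePoint, so leave it out
        $Levels = $RA.RoleDefinitionBindings |
            Where-Object { $_.Name -ne "Limited Access" } |
            Select-Object -ExpandProperty Name
        If (-Not $Levels) { Continue }

        [PSCustomObject]@{
            SubsiteUrl       = $Web.Url
            Principal        = $RA.Member.Title
            PrincipalType    = $RA.Member.PrincipalType
            LoginName        = $RA.Member.LoginName
            PermissionLevels = ($Levels -join "; ")
        }
    }
}

# Show the result on screen and keep a copy for the periodic review
$Report | Sort-Object SubsiteUrl, Principal | Format-Table -AutoSize
$Report | Export-Csv -Path $ReportCsv -NoTypeInformation
```

Rows whose PrincipalType is User rather than SharePointGroup are direct grants, which are the entries most likely to be missed when group membership is reviewed.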

Remember, breaking the inheritance of subsites is a powerful feature in SharePoint that allows for granular permission management. However, it should be used judiciously and with careful planning to maintain a secure and manageable permission structure.

Summary

In conclusion, stopping the permission inheritance and setting up unique access to a subsite in SharePoint Online is a straightforward process that anyone with basic knowledge of the platform can perform. Setting unique access permissions for a SharePoint Online subsite can be easily achieved through PowerShell as well. By using this feature, you can fine-tune access to your SharePoint data and ensure that only the right people have access to sensitive information. The process involves breaking the inheritance of permissions from the parent site and assigning users and groups the desired level of access.

By following the steps outlined in this article, you can break inheritance, grant specific permissions to users or groups, and manage permissions independently for subsites. Understanding how to break the inheritance of a subsite in SharePoint, change permissions on a SharePoint subsite, and give permission to a subsite in SharePoint will empower you to manage your site collections more effectively.

How do I give unique permissions to a SharePoint Online List?

Navigate to the list >> Click on Settings >> Select list settings. On the List Settings page, click on “Permissions for this list”. On the permissions page, if the list inherits permissions from the parent, click on the “Stop inheriting Permissions” button to break the permission inheritance. Now, from the ribbon, click the “Grant Permissions” >> In the Share dialogue box, enter names or email addresses in the designated text box.
More info: How do I give permissions to a SharePoint Online list?

How do I set folder-level permissions in SharePoint Online?

Folder-specific permissions in SharePoint Online can be granted by breaking the folder’s permission inheritance and adding users and groups to it.
More info: SharePoint Online Set Permissions on Folder

What does breaking inheritance of a subsite mean in SharePoint?

Breaking inheritance of a subsite in SharePoint means that the subsite will no longer inherit permissions from its parent site. Instead, it will have its own unique set of permissions, allowing you to manage access and control specifically for that subsite.

Can I break inheritance for specific lists or libraries within a subsite?

Yes, you can break inheritance for specific lists, libraries, or even individual items within a subsite. The process is similar to breaking inheritance for a subsite: Navigate to the list, library, or item. Go to the “Permissions” settings for that specific object > Click on the “Stop Inheriting Permissions” button > Customize the permissions as needed.

Can I restore inheritance after breaking it for a subsite?

Yes, you can restore inheritance on a subsite by navigating to the “Site Permissions” under “Site Settings” and selecting “Inherit Permissions.” This action will remove all unique permissions set on the subsite and revert back to inheriting permissions from its parent site.

    Salaudeen Rajack

    Salaudeen Rajack - Information Technology Expert with Two-decades of hands-on experience, specializing in SharePoint, PowerShell, Microsoft 365, and related products. He has held various positions including SharePoint Architect, Administrator, Developer and consultant, has helped many organizations to implement and optimize SharePoint solutions. Known for his deep technical expertise, He's passionate about sharing the knowledge and insights to help others, through the real-world articles!

    2 thoughts on “SharePoint Online: How to Stop Inheriting Permission and Setup Unique Access to a Subsite?”

    • How to create a group, add user, assign edit permissions, and add the newly created group to the broken inheritance sub web only.

      • Groups are scoped at site collection level in SharePoint. So, if you create a new group in a subsite, it will create an entry to the Root Web!

