SharePoint Online: How to Stop Inheriting Permission and Setup Unique Access to a Subsite?

Requirement: Break permission inheritance of a Subsite in SharePoint Online.

How to Break Subsite Permission Inheritance in SharePoint Online?

When we create a new subsite in SharePoint Online, we choose whether it inherits permissions from its parent site or has unique permissions. If the requirement changes after the site has been created, we can change this setting later. Giving permission to a subsite in SharePoint Online is a quick and easy process. In just a few steps, you can grant someone access to your subsite so they can collaborate with you on documents and projects:

  1. Navigate to the subsite in which you need to change permission inheritance.
  2. Click on the Settings gear and then select “Site Settings” from the settings menu.
  3. On the Site Settings page, click on the “Site Permissions” link under the “Users and Permissions” section.
  4. On the site permissions page, if the site inherits permissions from its parent, you’ll get a message saying: “This web site inherits permissions from its parent. (Parent Site Title)”.
  5. To configure unique permissions for the subsite, click on the “Stop inheriting permissions” button from the ribbon and confirm the prompt.
  6. This takes us to the “Set Up Groups for this Site” page, where you set up the default owners, members, and visitors groups for this subsite. You can either select an existing SharePoint group or create a new group.
  7. Click the OK button to save.

How to give permission to a subsite in SharePoint Online?

Here is how you can grant access to subsites:

  1. Click on Settings gear >> Site settings >> Site permissions. You’ll find the site is using unique permissions.
  2. Now, you can add new users to the site by clicking the Grant Permissions button.
  3. Or remove the existing users and groups that you don’t want to have access to the subsite by selecting them and clicking on the “Remove User Permissions” button in the ribbon.

SharePoint Online: PowerShell to break permission inheritance of a Subsite

Here is how to set up unique permissions in a subsite by breaking permission inheritance:

#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
 
#Variables
$SiteURL = "https://crescent.sharepoint.com/sites/marketing/2018"
 
Try {
    #Get Credentials to connect
    $Cred= Get-Credential
 
    #Setup the context
    $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
    $Ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)
   
    #Get the web from URL
    $Web = $Ctx.web
    $Ctx.Load($Web)
    $Ctx.executeQuery()
 
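    #Break permission inheritance of the web: $True copies the parent's role assignments (existing groups keep access), $False leaves unique permissions on child objects as they are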
    $Web.BreakRoleInheritance($True, $False)
    $Ctx.executeQuery()
    Write-host -f Green "Permission Inheritance Broken for the Subsite!"
}
Catch {
    write-host -f Red "Error Breaking Subsite Permissions!" $_.Exception.Message
}

What if you want to create new groups and associate them as the default Owner/Member/Visitor groups of the subsite?

#Load SharePoint Online Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
 
#Function to Ensure a SharePoint Online Group
Function Ensure-SPOGroup([Microsoft.SharePoint.Client.Web]$Web, $GroupName, $PermissionLevel)
{
    Try {
        $Ctx = $Web.Context
        #Get Existing Groups
        $Groups = $Web.SiteGroups
        $Ctx.Load($Groups)
        $Ctx.ExecuteQuery()
 
        #Check if the Group Exists already
        $Group = $Groups | Where { $_.Title -eq $GroupName}
        If(-Not $Group)
        {
            $GroupInfo = New-Object Microsoft.SharePoint.Client.GroupCreationInformation
            $GroupInfo.Title = $GroupName
            $Group = $Web.SiteGroups.Add($GroupInfo)
            $Ctx.ExecuteQuery()
 
            #Assign permission to the group
            $RoleDefinition = $web.RoleDefinitions.GetByName($PermissionLevel)
            $RoleDefBinding = New-Object Microsoft.SharePoint.Client.RoleDefinitionBindingCollection($Ctx)
            $RoleDefBinding.Add($RoleDefinition)
            $Ctx.Load($Web.RoleAssignments.Add($Group,$RoleDefBinding))
            $Ctx.ExecuteQuery()
            Write-host -f Green "`tCreated Group $GroupName and Assigned Permissions $PermissionLevel"
        }
        Return $Group
    }
    catch {
        write-host -f Red "Error:" $_.Exception.Message
    }
}
 
#Setup Credentials to connect
$SiteURL = "https://crescent.sharepoint.com/sites/marketing/2018"
$Cred = Get-Credential
 
Try {
    #Setup the context
    $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
    $Ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.UserName,$Cred.Password)
 
    #Get the Web
    $Web=$Ctx.Web
    $Ctx.Load($Web)
    $Ctx.ExecuteQuery()
 
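    #Break permission inheritance of the web: first $False = do not copy the parent's role assignments, second $False = leave unique permissions on child objects as they are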
    $Web.BreakRoleInheritance($False, $False)
    $Ctx.executeQuery()
    Write-host -f Green "Permission Inheritance Broken for the Subsite!"

    #Set Group Names
    $OwnersGroupName = $Web.Title + " Owners"
    $MembersGroupName = $Web.Title + " Members"
    $VisitorsGroupName = $Web.Title + " Visitors"
 
    #Get Default Groups
    $OwnersGroup = Ensure-SPOGroup -Web $Web -GroupName $OwnersGroupName -PermissionLevel "Full Control"
    $MembersGroup = Ensure-SPOGroup -Web $Web -GroupName $MembersGroupName -PermissionLevel "Edit"
    $VisitorsGroup = Ensure-SPOGroup -Web $Web -GroupName $VisitorsGroupName -PermissionLevel "Read"
 
    #Associate Default Groups
    $web.AssociatedOwnerGroup  = $OwnersGroup
    $web.AssociatedOwnerGroup.Update()
    $web.AssociatedMemberGroup = $MembersGroup
    $web.AssociatedMemberGroup.Update()
    $web.AssociatedVisitorGroup = $VisitorsGroup
    $web.AssociatedVisitorGroup.Update()
    $web.Update()
    $Ctx.ExecuteQuery()
    Write-host -f Green "Default Groups Set for the Subsite!"
}
catch {
    write-host -f Red "Error:" $_.Exception.Message
}

Set Unique Permissions in a subsite using PnP PowerShell

#Parameter
$SiteURL= "https://crescent.sharepoint.com/sites/marketing/2018/"

#Connect to PnP Online
Connect-PnPOnline -Url $SiteURL -Interactive  #-Credentials (Get-Credential)

#Get the Web
$Web = Get-PnPWeb

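#Stop inheriting permissions of the subsite ($True = copy the parent's role assignments, $False = do not reset unique permissions on child objects)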
$Web.BreakRoleInheritance($True, $False)
Invoke-PnPQuery

This script stops the permission inheritance of a subsite. Here is another post on setting up unique permissions on a subsite using PnP PowerShell: SharePoint Online: Create Subsite with Unique Permissions using PowerShell
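
After breaking inheritance with BreakRoleInheritance($True, $False), every role assignment of the parent is copied to the subsite, so it is worth checking who still has access before granting or removing anything. The following is an added example, not part of the original article, that reports whether the subsite has unique permissions and which principals hold which permission levels on it. It assumes the PnP.PowerShell module and the article's sample URL; Get-SubsiteAccessReport is a hypothetical helper name.

```powershell
# Added example: audit the role assignments of a subsite after inheritance is broken.
# Assumptions: PnP.PowerShell is installed; $SiteURL is the sample URL used in the article.
$SiteURL = "https://crescent.sharepoint.com/sites/marketing/2018/"

# Hypothetical helper: returns one object per principal with access to the current web
Function Get-SubsiteAccessReport {
    # Load the web together with the two properties the report needs
    $Web = Get-PnPWeb -Includes HasUniqueRoleAssignments, RoleAssignments

    If (-Not $Web.HasUniqueRoleAssignments) {
        Write-Warning "'$($Web.Title)' still inherits permissions from its parent."
        Return
    }

    ForEach ($RoleAssignment in $Web.RoleAssignments) {
        # Member and RoleDefinitionBindings are not loaded by default
        Get-PnPProperty -ClientObject $RoleAssignment -Property Member, RoleDefinitionBindings | Out-Null

        # "Limited Access" is assigned automatically by SharePoint when a principal
        # has access to something below the web; it is not a deliberate grant
        $Levels = $RoleAssignment.RoleDefinitionBindings |
            Where-Object { $_.Name -ne "Limited Access" } |
            Select-Object -ExpandProperty Name
        If (-Not $Levels) { Continue }

        [PSCustomObject]@{
            Principal     = $RoleAssignment.Member.Title
            LoginName     = $RoleAssignment.Member.LoginName
            PrincipalType = $RoleAssignment.Member.PrincipalType
            Permissions   = $Levels -join "; "
        }
    }
}

# Connect to the subsite and print the report
Connect-PnPOnline -Url $SiteURL -Interactive
Get-SubsiteAccessReport | Sort-Object PrincipalType, Principal | Format-Table -AutoSize
```

Rows with PrincipalType "User" are direct grants rather than group membership, and are usually the first entries to review on a site with unique permissions.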

How do I give unique permissions to a SharePoint Online List?

Navigate to the list >> Click on Settings >> Select list settings. On the List Settings page, click on “Permissions for this list”. On the permissions page, if the list inherits permissions from the parent, click on the “Stop inheriting Permissions” button to break the permission inheritance. Now, from the ribbon, click the “Grant Permissions” >> In the Share dialogue box, enter names or email addresses in the designated text box.
More info: How do I give permissions to a SharePoint Online list?

How do I set folder-level permissions in SharePoint Online?

Folder-specific permissions in SharePoint Online can be granted by breaking the folder’s permission inheritance and adding users and groups to it.
More info: SharePoint Online Set Permissions on Folder

Salaudeen Rajack

Salaudeen Rajack - SharePoint Expert with Two decades of SharePoint Experience. Love to Share my knowledge and experience with the SharePoint community, through real-time articles!

2 thoughts on “SharePoint Online: How to Stop Inheriting Permission and Setup Unique Access to a Subsite?”

  • How to create a group, add user, assign edit permissions, and add the newly created group to the broken inheritance sub web only.

    • Groups are scoped at site collection level in SharePoint. So, if you create a new group in a subsite, it will create an entry to the Root Web!

