How to Monitor and Respond to Permission Changes in Shared Microsoft 365 Resources

by Lauren Ballejos, IT Editorial Expert

Key Points

  • Continuous monitoring of Microsoft 365 permissions: Regularly tracking permission changes in SharePoint, OneDrive, and Teams helps IT administrators and MSPs detect privacy risks or data exposure before they escalate into security breaches.
  • Automate permission tracking using PowerShell scripts: Integrating PowerShell automation with Microsoft 365 audit logs enables daily visibility into access changes, allowing for faster detection and response.
  • Implement alerting and remediation workflows: Automated notifications, reports, and helpdesk tickets ensure prompt action when suspicious permission changes occur. MSP automation platforms can revoke access or trigger security reviews.
  • Leverage NinjaOne for unified monitoring and automated remediation: NinjaOne centralizes permission tracking, integrates with PowerShell scripts, and provides customizable alerts and reports.

You need to monitor permission changes in shared Microsoft 365 resources, including SharePoint, OneDrive, and Teams, as part of your proactive approach to security. IT administrators and managed service providers (MSPs) must have full oversight of the Microsoft 365 infrastructure they are responsible for, so that security vulnerabilities and compliance risks can be identified and remediated before they have an impact.

This guide explains how PowerShell scripting and automation can be used to maintain visibility over and track permission changes in SharePoint. This can then be integrated with your MSP tools for report generation and sending notifications to make sure stakeholders are notified and can respond as soon as a potential problem is detected.

Why you need to monitor permission changes in SharePoint, Teams, and OneDrive

Microsoft 365 is a dynamic enterprise IT environment in which changes occur frequently and rapidly: new users are added, roles change, files are created, and users assign each other access during the course of collaboration. This requires oversight as part of your data protection plan. The misapplication of permissions in SharePoint, either intentionally or accidentally, could lead to a privacy breach, the disclosure of business-sensitive proprietary information, or the insertion of malicious files. This can also affect data from Teams and OneDrive, which store data in SharePoint.

If you store important data in Microsoft 365, either in SharePoint, OneDrive, or in your Exchange mailboxes, it is also critical that you back it up. Backing up Microsoft 365 and Google Workspace data presents challenges compared to data you host yourself, which is why specific SaaS backup solutions exist for the task.

Core components and steps required to monitor permissions changes in SharePoint

The processes below can be followed to implement permission tracking in SharePoint, either for your organization or for your MSP’s clients. You’ll require access to PowerShell for Microsoft 365 and Microsoft Graph, as well as the automation, reporting, and notification functionality of your MSP platform.

By factoring the information in this guide into your plan to monitor permission changes in Microsoft 365, you’ll recognize the following best practices and benefits:

Permission changes monitoring component | Purpose/value
Defined high-risk permission types | Reduces noise and improves detection accuracy
Microsoft 365 audit log integration | Leverages native tooling for low-friction insights
PnP scripting for SharePoint | Automates the discovery of broken inheritance
Per-client alert thresholds | Matches workflows to different client sensitivities
Notification and remediation loops | Closes gaps and improves trust with stakeholders

Step 1: Define what to monitor

You should identify sensitive information that should be protected (a key part of the data protection process is maintaining an up-to-date catalog of what data you hold, and where it is stored), and target high-risk change scenarios when deciding what to monitor.

In SharePoint, you should focus on newly granted access to sensitive data, when SharePoint groups are modified and deleted, and watch for broken permission inheritance, as well as the granting of admin or other high privileges. Guest access and sharing in OneDrive should also be monitored. In Microsoft Teams, you should track ownership and membership changes in channels that may give access to sensitive communications or shared files.

Step 2: Use audit logs and the Graph API to track permissions changes in SharePoint

Audit logging can be enabled in Microsoft Purview to track permissions changes across Microsoft 365. This data can then be queried using the Microsoft Graph API.

For example, the below script gives a daily snapshot of permission changes at the user or group level by searching the audit log:

# Search-UnifiedAuditLog is an Exchange Online cmdlet: run Connect-ExchangeOnline first.
Search-UnifiedAuditLog -Operations "AddMemberToGroup","UpdatePermission" -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date)

This data can then be used to trigger notifications or summary emails, collected in a centralized location for reporting.
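The snapshot above returns raw audit records whose detail lives in a JSON `AuditData` column. The following script is an added example (not code from the article or from NinjaOne) that turns the same search into a daily digest: it pages through the audit log, flattens the JSON, flags the changes a person should look at, writes a CSV report, and exits non-zero so a scheduler or MSP platform can raise an alert. It keeps the article's two operation names and adds SharePoint sharing and inheritance events from Microsoft's documented audit activities; the internal domain, report path and role requirements are assumptions.

```powershell
# Added example: daily SharePoint/OneDrive permission-change digest from the unified audit log.
# Assumes the ExchangeOnlineManagement module is installed and the caller holds an audit-log
# reader role. Operation names beyond the article's two are SharePoint audit activities.
#Requires -Modules ExchangeOnlineManagement

param(
    [int]$LookbackDays = 1,
    [string]$InternalDomain = 'contoso.com',                       # assumption: your tenant's domain
    [string]$ReportPath = "$env:TEMP\m365-permission-changes.csv"  # assumption: report location
)

Connect-ExchangeOnline -ShowBanner:$false

# Operations from the article plus SharePoint events that create new access paths.
$operations = @(
    'AddMemberToGroup', 'UpdatePermission',        # as used in the article
    'SharingSet', 'SharingInvitationCreated',      # new sharing links / invitations
    'SharingInheritanceBroken',                    # unique permissions created on an item
    'AddedToGroup', 'PermissionLevelModified',     # SharePoint group / permission-level edits
    'SiteCollectionAdminAdded'                     # site collection admin grant
)

$start = (Get-Date).AddDays(-$LookbackDays)
$end   = Get-Date

# A single call returns at most 5000 rows; SessionId/SessionCommand page through larger sets.
$sessionId = "perm-digest-$([guid]::NewGuid())"
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations $operations -ResultSize 5000 `
        -SessionId $sessionId -SessionCommand ReturnLargeSet
    if ($page) { $records += $page }
} while ($page -and @($page).Count -eq 5000)

# AuditData is a JSON blob; keep only the fields an analyst needs to triage the change.
$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $r.CreationDate
        Operation = $r.Operations
        Actor     = $d.UserId
        Target    = $d.TargetUserOrGroupName   # populated on sharing / group events
        Site      = $d.SiteUrl
        Object    = $d.ObjectId
        Workload  = $r.RecordType
    }
}

# High-risk: any site admin grant or inheritance break, and any grant to an external recipient.
$highRisk = $events | Where-Object {
    $_.Operation -in 'SiteCollectionAdminAdded', 'SharingInheritanceBroken' -or
    ($_.Target -and $_.Target -notlike "*@$InternalDomain")
}

$events   | Export-Csv -Path $ReportPath -NoTypeInformation
$highRisk | Format-Table Time, Operation, Actor, Target, Site -AutoSize

Disconnect-ExchangeOnline -Confirm:$false

# A non-zero exit code lets the RMM/MSP scheduler open a ticket or send a notification.
if (@($highRisk).Count -gt 0) { exit 1 } else { exit 0 }
```

Run it once a day from your automation platform; the CSV is the evidence for the client report, and the exit code is the trigger for the notification workflow described in Step 4.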

Step 3: Detect broken inheritance and elevated access with PowerShell scripts

The PnP PowerShell module includes cmdlets for interacting with Microsoft 365. It can be used to monitor for broken inheritance (i.e., unique permissions), as shown in the following example:

# Requires the PnP.PowerShell module and a prior Connect-PnPOnline -Url <site-url>.
# HasUniqueRoleAssignments is not loaded by default, so request it with -Includes.
$lists = Get-PnPList -Includes HasUniqueRoleAssignments, RootFolder

$lists | Where-Object { $_.HasUniqueRoleAssignments } | Select-Object Title, @{ Name = 'Url'; Expression = { $_.RootFolder.ServerRelativeUrl } }

Get-PnPList can also be used to read and monitor elevated permissions, such as full control or site collection admin grants.
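Knowing which lists have unique permissions is only half the picture; the question a reviewer asks next is who holds elevated rights on them. The script below is an added example (not from the article or from NinjaOne) that goes one step further than the snippet above: for each list with broken inheritance it resolves every role assignment to a principal and permission level, flags Full Control and similar levels, and includes the site collection administrators. The site URL and app registration ID are placeholders, and the output path is an assumption.

```powershell
# Added example: report unique-permission lists and the elevated grants on them.
# Assumes PnP.PowerShell is installed and an app registration with read rights to the site
# (recent PnP.PowerShell versions require -ClientId even for interactive sign-in).
#Requires -Modules PnP.PowerShell

param(
    [string]$SiteUrl  = 'https://<tenant>.sharepoint.com/sites/<site>',   # placeholder
    [string]$ClientId = '<app-registration-id>',                          # placeholder
    [string]$ReportPath = "$env:TEMP\unique-permissions.csv"              # assumption
)

Connect-PnPOnline -Url $SiteUrl -ClientId $ClientId -Interactive

# Permission levels that amount to administrative control of content or structure.
$elevatedLevels = 'Full Control', 'Manage Hierarchy', 'Design'

$findings = @()

# Site collection admins are the highest-privilege grants on the site; report them first.
foreach ($admin in Get-PnPSiteCollectionAdmin) {
    $findings += [pscustomobject]@{
        Scope     = '(site collection)'
        Principal = $admin.Email
        Type      = 'SiteCollectionAdmin'
        Level     = 'Site Collection Administrator'
        Elevated  = $true
    }
}

# HasUniqueRoleAssignments is not loaded by default; skip hidden system lists.
$uniqueLists = Get-PnPList -Includes HasUniqueRoleAssignments |
    Where-Object { $_.HasUniqueRoleAssignments -and -not $_.Hidden }

foreach ($list in $uniqueLists) {
    # Load the role assignments, then each assignment's principal and bound permission levels.
    $assignments = Get-PnPProperty -ClientObject $list -Property RoleAssignments
    foreach ($ra in $assignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        $levels = @($ra.RoleDefinitionBindings | Select-Object -ExpandProperty Name)
        $findings += [pscustomobject]@{
            Scope     = $list.Title
            Principal = $ra.Member.Title
            Type      = $ra.Member.PrincipalType    # User, SharePointGroup, SecurityGroup
            Level     = $levels -join ', '
            Elevated  = [bool]($levels | Where-Object { $_ -in $elevatedLevels })
        }
    }
}

# Full set to CSV for the client report; elevated grants to the console for immediate review.
$findings | Export-Csv -Path $ReportPath -NoTypeInformation
$findings | Where-Object Elevated | Sort-Object Scope, Principal | Format-Table -AutoSize

Disconnect-PnPOnline
```

Compare each run's CSV against the previous one: a principal that newly appears with Elevated set to true on a list holding sensitive data is the event that should feed the notification workflow, whether or not an audit-log entry was caught in the daily window.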

Step 4: Automate notification workflows for key clients

Timing is critical when responding to potential data breaches that could be indicated by a permissions change. The right person needs to be notified so that they can respond accordingly: this may depend on their position or preference, but may be done by raising a support ticket, sending an email, or sending a push notification to their device.

If an unexpected or suspicious permissions change is detected, the automation features of your MSP platform can also be used to immediately close off access until an investigation has been performed.

Quick-Start Guide

NinjaOne SaaS Backup offers several features related to monitoring permissions and changes:

1. Backup Admin Account Tracking:
– When setting up Microsoft 365 backup, NinjaOne creates a backup admin account that can help track and monitor changes.
– The system uses Service Principal Authentication (SPA) to minimize potential security breaches by restricting data access rights.

2. Audit Log Capabilities:
– The platform provides an Audit Log feature that tracks various activities, including:
– User management changes
– Permission modifications
– Account status updates

3. User Management Monitoring:
– Offers different user roles with varying permission levels:
– Full Admin: Can view, manage, and set user permissions
– IT Admin: Can view info, delete, and manage user settings
– Group Supervisor: Can manage users within specific departments

4. Additional Monitoring Features:
– AD Sync: Automatically updates user details like name changes
– User Login Status Tracking: Can enable/disable user logins
– Azure AD Single Sign-On monitoring

5. Notification Systems:
– Can set up email notifications for various events, including:
– Backup errors
– Authentication issues
– Account status changes

While NinjaOne provides robust monitoring capabilities, for the most comprehensive tracking of permission changes, we recommend:
– Enabling detailed audit logging
– Setting up email notifications
– Regularly reviewing user access and permissions
– Utilizing the built-in Audit Log and User Management features

FAQs

Monitoring permission changes in Microsoft 365 ensures data security, compliance, and visibility across platforms. It helps detect unauthorized access, privacy risks, or data leaks before they become serious breaches.

To capture and report permission changes, you can use Microsoft Purview audit logs, the Microsoft Graph API, and PowerShell scripts.

Using the PnP PowerShell module, admins can run cmdlets such as Get-PnPList to identify lists or libraries with unique permissions. This helps detect broken inheritance and track where users have elevated or unauthorized access.

Automation allows MSPs to trigger alerts instantly, generate reports, and revoke risky permissions when unusual activity is detected. Integrating these workflows into an MSP platform also reduces response time.

NinjaOne automates permission tracking, reporting, and remediation across Microsoft 365. It unifies PowerShell script deployment, alerting, and ticketing.
