Key Points
- Continuous monitoring of Microsoft 365 permissions: Regularly tracking permission changes in SharePoint, OneDrive, and Teams helps IT administrators and MSPs detect privacy risks or data exposure before they escalate into security breaches.
- Automate permission tracking using PowerShell scripts: Integrating PowerShell automation with Microsoft 365 audit logs enables daily visibility into access changes, allowing for faster detection and response.
- Implement alerting and remediation workflows: Automated notifications, reports, and helpdesk tickets ensure prompt action when suspicious permission changes occur. MSP automation platforms can revoke access or trigger security reviews.
- Through third-party integrations, technicians can securely monitor Microsoft 365 tenants, track Intune device compliance, and consolidate M365 user data directly within the NinjaOne console.
You need to monitor permission changes in shared Microsoft 365 resources, including SharePoint, OneDrive, and Teams, as part of your proactive approach to security. IT administrators and managed service providers (MSPs) must have full oversight over the Microsoft 365 infrastructure they are responsible for, so that security vulnerabilities and compliance risks can be identified and remediated before they have an impact.
This guide explains how PowerShell scripting and automation can be used to maintain visibility over and track permission changes in SharePoint. This can then be integrated with your MSP tools for report generation and sending notifications to make sure stakeholders are notified and can respond as soon as a potential problem is detected.
Why you need to monitor permission changes in SharePoint, Teams, and OneDrive
Microsoft 365 is a dynamic enterprise IT environment in which changes occur frequently and rapidly: new users are added, roles change, files are created, and users assign each other access during the course of collaboration. This requires oversight as part of your data protection plan. The misapplication of permissions in SharePoint, either intentionally or accidentally, could lead to a privacy breach, the disclosure of business-sensitive proprietary information, or the insertion of malicious files. This can also affect data from Teams and OneDrive, which store data in SharePoint.
If you store important data in Microsoft 365, either in SharePoint, OneDrive, or in your Exchange mailboxes, it is also critical that you back it up. Backing up Microsoft 365 and Google Workspace data presents challenges compared to data you host yourself, which is why specific SaaS backup solutions exist for the task.
Core components and steps required to monitor permissions changes in SharePoint
The processes below can be followed to implement permission tracking in SharePoint, either for your organization or for your MSP’s clients. You’ll require access to PowerShell for Microsoft 365 and Microsoft Graph, as well as the automation, reporting, and notification functionality of your MSP platform.
By factoring the information in this guide into your plan to monitor permission changes in Microsoft 365, you’ll gain the following best practices and benefits:
| Permission changes monitoring component | Purpose/value |
|---|---|
| Defined high-risk permission types | Reduces noise and improves detection accuracy |
| Microsoft 365 audit log integration | Leverages native tooling for low-friction insights |
| PnP scripting for SharePoint | Automates the discovery of broken inheritance |
| Per-client alert thresholds | Matches workflows to different client sensitivities |
| Notification and remediation loops | Closes gaps and improves trust with stakeholders |
Step 1: Define what to monitor
You should identify sensitive information that should be protected (a key part of the data protection process is maintaining an up-to-date catalog of what data you hold, and where it is stored), and target high-risk change scenarios when deciding what to monitor.
In SharePoint, you should focus on newly granted access to sensitive data, when SharePoint groups are modified and deleted, and watch for broken permission inheritance, as well as the granting of admin or other high privileges. Guest access and sharing in OneDrive should also be monitored. In Microsoft Teams, you should track ownership and membership changes in channels that may give access to sensitive communications or shared files.
Step 2: Use audit logs (with optional Graph API integration) to track permissions changes in SharePoint
Audit logging can be enabled in Microsoft Purview to track permissions changes across Microsoft 365. This data can then be queried using the Microsoft Purview audit log tools, including the Search-UnifiedAuditLog PowerShell cmdlet or the Purview portal. The Microsoft Graph API can supplement this by providing additional directory and activity data, but it does not yet expose the full range of audit log events.
For example, the below script gives a daily snapshot of permission changes at the user or group level by searching the audit log:
# Search-UnifiedAuditLog ships with the ExchangeOnlineManagement module; connect first
Connect-ExchangeOnline

$startDate = (Get-Date).AddDays(-1)
$endDate = Get-Date
Search-UnifiedAuditLog `
    -StartDate $startDate `
    -EndDate $endDate `
    -Operations "AddMemberToGroup","PermissionModified" `
    -ResultSize 5000

# One-line form of the same search (ResultSize defaults to 100, maximum 5000 per call)
Search-UnifiedAuditLog -Operations "AddMemberToGroup","UpdatePermission" -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date)
In production environments, scripts should also handle pagination, parse the AuditData field, and filter by workload (e.g., SharePoint, Azure AD) to ensure complete and accurate reporting.
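The production-ready form of that search, as an added example (not code from the page or from NinjaOne): it pages through the whole result set with a session id, parses the JSON in AuditData, keeps only the workloads of interest, and writes a daily CSV. The operation names are the ones used above; the session-id prefix, the workload list, the output path and the selected fields are my own choices.

```powershell
# Added example (not from the page): daily audit-log pull that pages through the
# full result set, parses AuditData and keeps only SharePoint/OneDrive/Entra events.
# Assumes the ExchangeOnlineManagement module and an account allowed to read the audit log.
Connect-ExchangeOnline

$startDate  = (Get-Date).AddDays(-1)
$endDate    = Get-Date
$operations = 'AddMemberToGroup', 'PermissionModified'      # operation names as used on the page
$workloads  = 'SharePoint', 'OneDrive', 'AzureActiveDirectory'
# A fresh session id per run; ReturnLargeSet hands back successive pages for the same id
$sessionId  = "PermAudit-$(Get-Date -Format 'yyyyMMddHHmmss')"
$raw        = [System.Collections.Generic.List[object]]::new()

do {
    $page = Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate `
        -Operations $operations -ResultSize 5000 `
        -SessionId $sessionId -SessionCommand ReturnLargeSet
    if ($page) { $raw.AddRange([object[]]$page) }
    # ResultIndex/ResultCount say how far into the total result set this page reaches
} while ($page -and @($page)[-1].ResultIndex -lt @($page)[-1].ResultCount)

$events = foreach ($entry in $raw) {
    $data = $entry.AuditData | ConvertFrom-Json       # AuditData is a JSON string
    if ($data.Workload -notin $workloads) { continue }
    [pscustomobject]@{
        Time      = $entry.CreationDate
        Workload  = $data.Workload
        Operation = $data.Operation
        Actor     = $data.UserId
        Target    = $data.TargetUserOrGroupName        # set on sharing/permission events
        Object    = $data.ObjectId
    }
}

$outFile = ".\permission-changes-$(Get-Date -Format 'yyyyMMdd').csv"
$events | Sort-Object Time | Export-Csv -Path $outFile -NoTypeInformation
Write-Host ("{0} matching events written to {1}" -f @($events).Count, $outFile)
```

Run it from a scheduled task or your RMM script runner once a day; the CSV is what the alerting step later consumes. Widen $operations once you have decided in Step 1 which SharePoint, OneDrive and Teams events matter to you.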
Step 3: Detect broken inheritance and elevated access with PowerShell scripts
The PnP PowerShell module includes cmdlets for interacting with Microsoft 365. It can be used to monitor for broken inheritance (i.e., unique permissions), as shown in the following example:
# Connect to the site to inspect (PnP.PowerShell module)
Connect-PnPOnline -Url "https://<tenant>.sharepoint.com/sites/<site>" -Interactive

# HasUniqueRoleAssignments is not loaded by default, so request it explicitly
$lists = Get-PnPList -Includes HasUniqueRoleAssignments, RootFolder
$lists | Where-Object { $_.HasUniqueRoleAssignments } | Select-Object Title, RootFolder
Get-PnPList can also be used to read and monitor elevated permissions, such as full control or site collection admin grants.
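A fuller version of that check, as an added example (not code from the page or from NinjaOne): for every list with broken inheritance it lists each principal and its roles, flags Full Control, and then prints the site collection administrators. The site URL is a placeholder, and the shape of the report object is my own.

```powershell
# Added example (not from the page): report lists with broken inheritance, who holds
# Full Control on them, and the site collection admins.
# Assumes PnP.PowerShell is installed and $siteUrl is a site you administer (placeholder).
$siteUrl = 'https://contoso.sharepoint.com/sites/Finance'    # placeholder
Connect-PnPOnline -Url $siteUrl -Interactive

$report = foreach ($list in Get-PnPList -Includes HasUniqueRoleAssignments) {
    if (-not $list.HasUniqueRoleAssignments) { continue }
    # Role assignments are not loaded with the list; fetch them explicitly
    $assignments = Get-PnPProperty -ClientObject $list -Property RoleAssignments
    foreach ($ra in $assignments) {
        # Load the principal and its role definitions for this assignment
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        $roles = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })
        [pscustomobject]@{
            List        = $list.Title
            Principal   = $ra.Member.Title
            Roles       = ($roles -join ', ')
            FullControl = ($roles -contains 'Full Control')
        }
    }
}

"Lists with unique permissions and their principals:"
$report | Format-Table -AutoSize

"Principals holding Full Control on a list with broken inheritance:"
$report | Where-Object { $_.FullControl } | Format-Table List, Principal -AutoSize

"Site collection administrators:"
Get-PnPSiteCollectionAdmin | Select-Object Title, Email | Format-Table -AutoSize

Disconnect-PnPOnline
```

Keep the previous run's output and diff it against the current one; a principal appearing in the Full Control list, or a new site collection admin, is what you want to surface rather than the whole table every day.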
Step 4: Automate notification workflows for key clients
Timing is critical when responding to potential data breaches that could be indicated by a permissions change. The right person needs to be notified so that they can respond accordingly: this may depend on their position or preference, but may be done by raising a support ticket, sending an email, or sending a push notification to their device.
If an unexpected or suspicious permissions change is detected, the automation features of your MSP platform can also be used to immediately close off access until an investigation has been performed.
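How the notification loop can be wired up, as an added example (not code from the page or from NinjaOne): it takes rows shaped like the audit-log CSV, applies a per-client daily threshold, and posts one JSON alert per client to a webhook. The sample events, the client mapping, the webhook URL and the rule that derives the client from the tenant part of the URL are all constructed for this example.

```powershell
# Added example (not from the page): per-client thresholds and a webhook alert for
# the events produced by the audit-log step. Sample rows are constructed; $webhookUrl
# and the client mapping are placeholders to replace with your own.
$webhookUrl = 'https://example.invalid/webhook'    # placeholder, not a real endpoint

# Tenant prefix -> client name and how many changes per day they tolerate before an alert
$clientPolicy = @{
    'contoso'  = @{ Name = 'Contoso Ltd';  Threshold = 0 }   # any change alerts
    'fabrikam' = @{ Name = 'Fabrikam Inc'; Threshold = 5 }   # alert only above 5 per day
}

# Constructed sample rows in the shape of the CSV from the audit-log step
$events = @(
    [pscustomobject]@{ Time = '2024-01-01T08:00:00Z'; Workload = 'SharePoint'; Operation = 'PermissionModified'
                       Actor = 'alice@contoso.onmicrosoft.com'; Target = 'Everyone except external users'
                       Object = 'https://contoso.sharepoint.com/sites/Finance/Shared Documents/Q4.xlsx' }
    [pscustomobject]@{ Time = '2024-01-01T09:15:00Z'; Workload = 'OneDrive'; Operation = 'PermissionModified'
                       Actor = 'bob@fabrikam.onmicrosoft.com'; Target = 'guest@example.com'
                       Object = 'https://fabrikam-my.sharepoint.com/personal/bob/Documents/plan.docx' }
)

function Get-ClientKey([string]$objectUrl) {
    # Assumption for this example: one tenant per client, identified by the URL host prefix
    if ($objectUrl -match '^https://([^.-]+)[^.]*\.sharepoint\.com') { return $Matches[1] }
    return 'unknown'
}

$alerts = foreach ($group in ($events | Group-Object { Get-ClientKey $_.Object })) {
    $policy = $clientPolicy[$group.Name]
    if (-not $policy) { $policy = @{ Name = $group.Name; Threshold = 0 } }   # unknown client: alert on anything
    if ($group.Count -le $policy.Threshold) { continue }
    [pscustomobject]@{
        Client  = $policy.Name
        Count   = $group.Count
        Changes = @($group.Group | ForEach-Object { '{0} by {1} for {2} on {3}' -f $_.Operation, $_.Actor, $_.Target, $_.Object })
    }
}

foreach ($alert in $alerts) {
    $body = @{
        title = "Permission changes for $($alert.Client): $($alert.Count) in the last 24h"
        text  = ($alert.Changes -join "`n")
    } | ConvertTo-Json
    # Replace the placeholder first; any ticketing or chat endpoint that accepts JSON works here
    Invoke-RestMethod -Uri $webhookUrl -Method Post -ContentType 'application/json' -Body $body
    # A remediation step (e.g. PnP's Set-PnPListPermission -RemoveRole) would go here,
    # gated on the client's policy, once the alert has been raised.
}
```

With the sample data, Contoso (threshold 0) produces an alert for its single change and Fabrikam (threshold 5) does not; the same loop can raise a ticket or a push notification instead of posting to a webhook, which is the point at which it plugs into your MSP platform.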
Quick-Start Guide
NinjaOne SaaS Backup offers visibility into account activity and configuration changes, which can support auditing efforts. However, it should be used alongside Microsoft 365 audit logging for comprehensive permission change monitoring. NinjaOne provides several features related to monitoring permissions and changes:
1. Secure Backup Authentication:
NinjaOne Backup utilizes Service Principal Authentication (SPA) to interface securely with Microsoft 365, limiting access scopes strictly to data protection tasks.
2. Internal Platform Auditing:
NinjaOne provides a robust internal audit log to track technician activity within the platform and backup console, ensuring accountability for configuration changes.
3. User Management Monitoring:
– Offers different user roles with varying permission levels:
  – Full Admin: Can view, manage, and set user permissions
  – IT Admin: Can view info, delete, and manage user settings
  – Group Supervisor: Can manage users within specific departments
4. Additional Monitoring Features:
– AD Sync: Automatically updates user details like name changes
– User Login Status Tracking: Can enable/disable user logins
– Azure AD Single Sign-On monitoring
5. Notification Systems:
– Can set up email notifications for various events, including:
  – Backup errors
  – Authentication issues
  – Account status changes
While NinjaOne provides automation and monitoring capabilities, for the most comprehensive tracking of permission changes, we recommend:
– Enabling detailed audit logging
– Setting up email notifications
– Regularly reviewing user access and permissions
– Utilizing the built-in Audit Log and User Management features
