Raw Record Source

{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreicqacepg4dz6i6jdbpic52ocyarm42s3maiba225qy4cdkvef7oti",
    "uri": "at://did:plc:vd5cwlrxa4prr35ajkonul4s/app.bsky.feed.post/3mcpff2hepcn2"
  },
  "coverImage": {
    "$type": "blob",
    "ref": {
      "$link": "bafkreiajdqetbjaso4dtkaifxdj5gilsv7p3lezbsihkqfwfcm36o5p4n4"
    },
    "mimeType": "image/jpeg",
    "size": 98455
  },
  "description": "After 25 years, SharePoint finally offers native user-centric permission reports. Here's what they can do, what they can't, and when third-party tools remain the better choice.",
  "path": "/en/sharepoint-user-permission-reports-are-finally-here/",
  "publishedAt": "2026-01-18T15:00:30.000Z",
  "site": "https://www.docupoint.eu",
  "tags": [
    "**Syskit Point**",
    "**DeliverPoint**",
    "**ShareGate**",
    "**Cognillo SharePoint Essentials Toolkit**",
    "**SolarWinds Access Rights Manager**",
    "**ManageEngine SharePoint Manager Plus**",
    "Microsoft Learn: Site permissions for users report",
    "Microsoft Learn: Data access governance reports",
    "Microsoft Learn: SAM Licensing"
  ],
  "textContent": "For 25 years, answering \"What can this user access?\" in SharePoint required PowerShell scripts or third-party tools. That changed in late 2025 when Microsoft added user-centric permission snapshot reports to the SharePoint Admin Center.\n\nThe feature is genuinely useful, and has clear limitations. Here's what administrators need to know.\n\n## What Microsoft now offers\n\nThe Data Access Governance reports in SharePoint Admin Center include three snapshot report types:\n\n**Site permissions for your organization** provides a tenant-wide view of permission structures, total users per site, guest access, \"Everyone except external users\" exposure, and sharing link counts.\n\n**Site permissions for users** answers the user-centric question: given a specific person, which sites can they access? The report distinguishes between site-level and item-level access, showing whether permissions were granted directly or through groups.\n\n**Sensitivity labels for files** identifies sites containing files with specific sensitivity labels.\n\n## Licensing requirements\n\nThese reports require SharePoint Advanced Management (SAM) licensing at $3 per user per month, licensed for every user in the tenant. For a 150-person organization, that's $5,400/year.\n\nOrganizations with at least one Microsoft 365 Copilot license ($30/user/month) automatically receive SAM features for all administrators—Microsoft positioned these tools as Copilot readiness features for auditing permissions before AI can surface sensitive content.\n\n## Key limitations\n\nEven with SAM licensed, these reports have constraints:\n\n  * **30-day refresh cycle** — reports can only be regenerated monthly\n  * **48-hour data latency** — reports capture data from up to 48 hours before generation\n  * **Maximum 5 concurrent reports** — you cannot generate unlimited user reports\n  * **No change tracking** — snapshot reports show current state, not who changed permissions or when\n  * **CSV export only** — no native Power BI integration, alerting, or automated workflows\n\n\n\n## Third-party alternatives\n\nFor organizations needing more than monthly snapshots, several established tools fill the gaps:\n\n  * **Syskit Point** offers comprehensive permission management with automated access reviews, lifecycle management, and detailed audit trails. Strong integration with Microsoft 365 governance workflows.\n  * **DeliverPoint** runs as an SPFx solution entirely within your tenant, no data export required. Provides real-time reporting, permission snapshots with point-in-time recovery, and site owner self-service.\n  * **ShareGate** combines migration capabilities with permission reporting. The Permissions Matrix Report provides cross-site visibility without PowerShell.\n  * **Cognillo SharePoint Essentials Toolkit** offers a free community edition with permission reports at site, list, and item level—accessible for smaller organizations evaluating their needs.\n  * **SolarWinds Access Rights Manager** provides enterprise-grade access governance across multiple platforms, with automated compliance reporting and scheduled audit delivery.\n  * **ManageEngine SharePoint Manager Plus** supports hybrid environments (SharePoint Online plus on-premises 2013-SE), with scheduled reporting and secure delegation to technicians.\n\n\n\n## Quick comparison\n\nCapability | Microsoft Native | Third-Party Tools\n---|---|---\nUser-centric reports | ✓ | ✓\nReal-time reporting | ✗ (48h delay) | ✓\nDaily snapshots | ✗ (30-day minimum) | ✓\nPermission change tracking | Limited | ✓\nAutomated alerts | ✗ | ✓\nSite owner self-service | ✗ | ✓ (some tools)\nHybrid environment support | ✗ | ✓ (some tools)\n\n## When to use what\n\n**Microsoft's native reports are sufficient when you:**\n\n  * Already have Copilot licenses (SAM included)\n  * Need quarterly or monthly permission audits\n  * Focus primarily on Copilot readiness assessments\n  * Have straightforward permission structures without frequent changes\n\n\n\n**Third-party tools are essential when you:**\n\n  * Require daily or real-time permission visibility\n  * Need permission change auditing with historical tracking\n  * Want site owners to self-manage permission hygiene\n  * Operate hybrid SharePoint environments\n  * Have compliance requirements demanding continuous monitoring\n  * Need automated alerting on permission changes\n\n\n\n## Practical recommendation\n\nMicrosoft's native reports fill a 25-year gap and provide genuine value for periodic organizational assessments and Copilot preparation. For basic quarterly audits, they're now sufficient.\n\nOrganizations with mature governance requirements, daily auditing, change tracking, automated compliance workflows, or hybrid environments—will find the native capabilities too constrained.\n\nThe most practical approach may be hybrid: use Microsoft's native reports for periodic tenant-wide assessments while deploying a specialized tool for continuous governance in high-sensitivity areas.\n\nAfter 25 years, we finally have native user permission reports. They won't solve everything, but they're a solid foundation.\n\n* * *\n\n**Sources:**\n\n  * Microsoft Learn: Site permissions for users report\n  * Microsoft Learn: Data access governance reports\n  * Microsoft Learn: SAM Licensing\n\n",
  "title": "SharePoint User Permission Reports are finally here",
  "updatedAt": "2026-03-11T21:06:53.241Z"
}