Understanding SharePoint Migrations and Inherited / Unique Permissions

Scenario

Disclaimer: I'm no SharePoint guru, and this is solely based on my own research and understanding.

We recently completed a migration of hundreds of SharePoint sites (M365 / Teams / Native). Afterwards, we received reports that some users could not access data in certain folders / lists after the migration. All users / groups were perfectly matched and no errors were reported in the migration logs.

Cause

Upon investigation, we found that these folders / files / lists had "unique" permissions set, but had also retained the parent permissions in addition to the unique permissions. So the parent permissions still allowed other users outside of the unique permissions to have access (not sure how or why?). What happened upon migration is that the "unique" permissions came across perfectly fine, but because these folders had unique permissions, "inheritance" had been broken, and this seems to have been honored upon migration. So the default permissions left on the source through the initial inheritance (I guess) were not applied in the target (just the unique permissions). This seems to tie in with the known behavior of setting unique permissions as per Microsoft. (I could not find anything on Quest to support this, so again, this is based on my own understanding.)

https://support.microsoft.com/en-gb/office/customize-permissions-for-a-sharepoint-list-or-library-02d770f3-59eb-4910-a608-5f84cc297782#bkmk_break

  • When a user shares a document or other individual item, inheritance is automatically broken for that item. Inherited permissions are copied to the item, and permissions for the users with whom the item was shared are added. If changes in permissions are made to the parent item, those changes are not applied to the item.

Resolution

Essentially, as the permissions that were set were not really meant to be restrictive (maybe historic poor admin / file migrations or just users oversharing), it was decided to reset all the folders' permissions and enable inheritance in the target.

Below are a couple of great guides to help with this.

https://www.sharepointdiary.com/2016/01/sharepoint-online-delete-unique-permissions-using-powershell.html

https://techcommunity.microsoft.com/t5/sharepoint/sharepoint-how-to-reset-inheritance-permission-set-into-an-sp/m-p/1780387
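
As an added example (not taken from this post's migration or from the guides above), the script below records who holds which role on every item with unique permissions before inheritance is re-enabled, because the reset discards those item-level assignments. It assumes the PnP.PowerShell module and an existing Connect-PnPOnline session to the target site; the library name, report path and the -Apply switch are placeholders chosen for this example.

```powershell
# Added example: report unique permissions in a library, then optionally reset inheritance.
# Assumes PnP.PowerShell and an existing Connect-PnPOnline session to the target site.
param(
    [string]$ListName   = "Documents",                              # placeholder library name
    [string]$ReportPath = ".\unique-permissions-before-reset.csv",  # placeholder report path
    [switch]$Apply                                                  # without -Apply: report only
)

$targets = [System.Collections.Generic.List[int]]::new()
$items   = Get-PnPListItem -List $ListName -PageSize 500

$report = @(foreach ($item in $items) {
    # HasUniqueRoleAssignments is true when inheritance is broken on the item
    $unique = Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments
    if (-not $unique) { continue }
    $targets.Add($item.Id)

    # One report row per principal that holds a role directly on the item
    $assignments = Get-PnPProperty -ClientObject $item -Property RoleAssignments
    foreach ($ra in $assignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        [pscustomobject]@{
            ItemId    = $item.Id
            Path      = $item.FieldValues.FileRef
            Type      = $item.FileSystemObjectType
            Principal = $ra.Member.Title
            LoginName = $ra.Member.LoginName
            Roles     = ($ra.RoleDefinitionBindings.Name -join "; ")
        }
    }
})

if ($targets.Count -eq 0) {
    Write-Host "No items with unique permissions found in '$ListName'."
    return
}

# Keep the record of what the reset will remove, so it can be reviewed or re-applied
$report | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8
Write-Host "$($targets.Count) item(s) with unique permissions; details in $ReportPath"

if ($Apply) {
    foreach ($id in $targets) {
        # Re-enable inheritance: the item takes the parent's permissions again
        Set-PnPListItemPermission -List $ListName -Identity $id -InheritPermissions
    }
}
```

Run it once without -Apply and review the CSV for items that were restricted on purpose before running it again with -Apply.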

In summary, there is no issue with the migration tooling; this is more of a known behavior that is worth knowing beforehand. :) (Back pocket material, I guess.)