SharePoint Permissions Guide for Small Business
SharePoint is one of the most useful tools in Microsoft 365 — and one of the easiest to get wrong. Most small business owners and managers we meet in Townsville have inherited a SharePoint setup that "kind of works" but has gradually drifted into chaos: files shared with the wrong people, external guests forgotten months ago, and nobody confident who can see what. This guide explains how SharePoint permissions actually work and how to clean them up without breaking your team.
The Three Layers of Sharing in Microsoft 365
To understand SharePoint, it helps to see Microsoft 365 sharing as three layers — each with its own permissions model:
1. OneDrive (Personal)
OneDrive is your personal Microsoft 365 file storage. By default, only you can access your files. You can share specific files or folders with others, but the contents stay attached to your account. If you leave the business, that data goes with you unless someone moves it first.
Rule of thumb: Business data shouldn't live in OneDrive long-term. Use OneDrive for your in-progress work, but anything the business should own goes in SharePoint or Teams.
2. SharePoint Sites
SharePoint sites are owned by the business, not by individuals. Each site has its own permission model — you grant access to specific people or groups, and they get access to the files in that site. A site might be created for a department (Accounts, Operations), a project (2026 Tender), or a client.
Behind every Microsoft Team is a SharePoint site — adding someone to a Team automatically adds them to the underlying SharePoint site too.
3. Teams (Sharing UI Layer)
Teams is the chat-and-collaboration front end. Permissions in Teams ripple through to the underlying SharePoint site. Adding a guest user to a Team automatically grants them access to every file in that Team's SharePoint library.
This is where most small businesses get caught out: someone adds an external person to a Team for one job, and 18 months later that person still has access to every file in the team — including documents added long after their job finished.
The Three Most Common Permission Mistakes
Mistake 1: Sharing with "Everyone"
"Everyone" or "Everyone except external users" means every internal Microsoft 365 user in your tenant ("Everyone" also takes in any external guests already invited to the tenant). For a small Townsville business, that often includes:
- Every current staff member
- Every contractor with a paid M365 licence
- Any inactive accounts you forgot to disable
- Service accounts created by software vendors
Used for genuinely company-wide content (a policy library, the staff handbook) it's fine. Used for sensitive HR documents, client data, or financial files — it's a problem.
Mistake 2: Forgetting External Guests
Adding an external person to a Team or sharing a folder with them is fast and useful — but external guest access doesn't expire by default. We regularly audit Townsville SharePoint environments and find external guests with active access from 12, 18, or 24 months ago. None of them remember they have it. None of the staff who added them are still at the business.
This is one of the highest-impact cleanup tasks. Microsoft 365 lets you set expiry on guest access — and quarterly reviews catch the ones that slip through.
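Turning expiry on is a one-off tenant setting. The following is an added example (not from the original guide) using the SharePoint Online Management Shell; "contoso" and the 60-day and 30-day values are placeholders to replace with your own policy. This setting covers guests who got access through sharing; guests who are members of a Team hold access through the Microsoft 365 group and still need the quarterly review.

```powershell
# Added example, not from the original guide. Requires the SharePoint Online
# Management Shell (Microsoft.Online.SharePoint.PowerShell) and a SharePoint admin.
# "contoso", 60 and 30 are placeholders for your tenant name and your own policy.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

$expirySettings = 'ExternalUserExpirationRequired',
                  'ExternalUserExpireInDays',
                  'RequireAnonymousLinksExpireInDays'

# Before: with ExternalUserExpirationRequired off, guest access granted by
# sharing never lapses, and anonymous links have no forced expiry.
Get-SPOTenant | Select-Object $expirySettings

# After: guests given access by sharing lose it after 60 days unless a site
# owner extends it, and "Anyone with the link" shares expire after 30 days.
Set-SPOTenant -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 60
Set-SPOTenant -RequireAnonymousLinksExpireInDays 30

# Confirm the change took effect.
Get-SPOTenant | Select-Object $expirySettings
```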
Mistake 3: Breaking Inheritance Without Records
By default, sub-folders inherit permissions from their parent. That's good — it means changes flow down predictably. But you can "break inheritance" on any folder to give it custom permissions. Once you've done that, it no longer follows the parent.
The problem: most people break inheritance once, then forget. Months later they wonder why a new staff member can see Folder A but not Folder B, even though they're in the same library. Custom permissions on individual folders should be rare and documented.
The Right Way to Structure SharePoint for a Small Business
For a Townsville business with 5-50 staff, we typically structure SharePoint around three or four sites — not one giant document library that everyone shares:
- Company Files — handbook, policies, general resources. Everyone has read access. Limited write access.
- Operations / Client Files — the day-to-day working files. Access by team or department.
- Finance / HR — sensitive data. Tight access list. Often a separate site.
- External / Project Sites — short-lived sites for specific external collaborations. Easy to retire when the job finishes.
Within each site, use Microsoft 365 Groups (which power Teams and SharePoint permissions together) to manage access. When someone joins a department, you add them to one group — they get all the right access. When they leave, you remove them from one place.
How to Clean Up Permission Sprawl
If your current SharePoint is already a mess, here's the order to fix it:
Step 1: Find the Damage
Use the SharePoint Admin Centre's reports and the Microsoft 365 Compliance Centre to identify:
- All external users with active access
- All anonymous "Anyone with the link" shares
- Sites with "Everyone" or "Everyone except external users" permissions
- Inactive sites with no recent activity
Step 2: Remove Stale Access
Revoke external guests who don't need access anymore. Disable "Anyone with the link" shares from old projects. Remove ex-staff accounts that somehow still exist. This step alone usually closes 80% of the risk.
Step 3: Restructure Around Groups
If individuals are listed directly on sites or libraries, replace those with Microsoft 365 Groups. This makes future changes much easier — and gives you an audit trail of who joined or left each group and when.
Step 4: Apply Sensitivity Labels
Sensitivity labels (part of Microsoft Purview) let you tag files as Confidential, Internal, Public, etc. The label can enforce rules — Confidential files can't be shared externally, for example. This is particularly valuable for medical, NDIS, accounting, and legal businesses handling sensitive client data.
Step 5: Set Up Quarterly Reviews
SharePoint sprawl always returns. The only sustainable fix is a recurring review — quarterly is enough for most businesses. Check guest users, check stale shares, retire dead sites. 30 minutes per quarter.
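As an added example (not from the original guide), the following PowerShell pulls the Step 1 findings into one report that can be re-run every quarter, using the SharePoint Online Management Shell. It assumes a SharePoint admin account, a placeholder tenant name, and 180 days as the chosen "stale" threshold; the remediation commands are left commented out so the lists are checked with site owners before anything is removed.

```powershell
# Added example, not from the original guide. Requires the SharePoint Online
# Management Shell (Microsoft.Online.SharePoint.PowerShell) and a SharePoint admin.
# Placeholders/assumptions: tenant name, and 180 days as the "stale" threshold.
$Tenant    = "contoso"   # placeholder: your tenant name
$StaleDays = 180         # policy choice, not a Microsoft default
Connect-SPOService -Url "https://$Tenant-admin.sharepoint.com"
$cutoff = (Get-Date).AddDays(-$StaleDays)
$sites  = Get-SPOSite -Limit All

# 1. Sites that still allow "Anyone with the link" (anonymous) sharing.
$anonSites = $sites | Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' }

# 2. Sites with no content changes since the cutoff: candidates to retire.
$deadSites = $sites | Where-Object { $_.LastContentModifiedDate -lt $cutoff }

# 3. Sites where "Everyone" / "Everyone except external users" has been granted.
#    These are the standard SharePoint Online claim identifiers for those groups.
$everyoneSites = foreach ($s in $sites) {
    $hit = Get-SPOUser -Site $s.Url -Limit All |
        Where-Object { $_.LoginName -like 'c:0(.s|true*' -or $_.LoginName -like '*spo-grid-all-users*' }
    if ($hit) { [pscustomobject]@{ Site = $s.Url; Principal = ($hit.DisplayName -join ', ') } }
}

# 4. External guests on every site with their age; Get-SPOExternalUser pages 50 at a time.
$guests = foreach ($s in $sites) {
    $pos = 0
    do {
        $page = @(Get-SPOExternalUser -SiteUrl $s.Url -Position $pos -PageSize 50)
        foreach ($g in $page) {
            [pscustomobject]@{
                Site = $s.Url; Email = $g.Email; InvitedBy = $g.InvitedBy
                AgeDays = [int]((Get-Date) - $g.WhenCreated).TotalDays; UniqueId = $g.UniqueId
            }
        }
        $pos += 50
    } while ($page.Count -eq 50)
}
$staleGuests = $guests | Where-Object { $_.AgeDays -gt $StaleDays }

# Report first; keep the CSV so next quarter's review has something to compare against.
$anonSites     | Select-Object Url, SharingCapability | Format-Table -AutoSize
$deadSites     | Select-Object Url, LastContentModifiedDate | Format-Table -AutoSize
$everyoneSites | Format-Table -AutoSize
$staleGuests   | Sort-Object AgeDays -Descending | Format-Table -AutoSize
$staleGuests   | Export-Csv ".\guest-review-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation

# Remediation, only after the lists have been confirmed with the site owners:
# $anonSites | ForEach-Object { Set-SPOSite -Identity $_.Url -SharingCapability ExternalUserSharingOnly }
# Remove-SPOExternalUser -UniqueIDs $staleGuests.UniqueId
```

Guests who hold access only through Team membership live in the Microsoft 365 group rather than in a site's sharing list, so review group membership alongside this report.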
Want Us to Clean Up Your SharePoint?
We help Townsville businesses audit and restructure SharePoint so the right people see the right files — without breaking day-to-day operations. Free initial review for businesses considering managed IT.
Frequently Asked Questions
What's the difference between SharePoint and OneDrive?
OneDrive is your personal Microsoft 365 file storage — only you can access it unless you explicitly share. SharePoint is shared business storage — files there are owned by the business and accessible to teams or sites you've been granted permissions to. As a rule, business data belongs in SharePoint, not personal OneDrive.
What does "Everyone" or "Everyone except external users" really mean?
It means every internal Microsoft 365 user in your tenant ("Everyone" also includes any external guests already invited to the tenant). For a small business, that often means every staff member and every contractor with a paid M365 licence. It is rarely what you actually want for sensitive files. Use specific groups or teams instead.
How do I find files that have been shared externally?
In the SharePoint Admin Centre, go to Reports > External users and shared files, or use the M365 Compliance Centre's content search. For a quick check, the OneDrive admin centre also shows files shared externally per user. Reviewing this list quarterly is a good habit.
Can I undo a "Share with Everyone" link?
Yes. Go to the file or folder, choose Manage Access, find the company-wide link, and either revoke it or restrict it to specific people. For broader cleanup, an admin can run a Microsoft 365 audit to find all shared links and pull them in bulk.
What's the right number of SharePoint sites for a small business?
For 5-50 staff, three to six sites is usually enough — Company Files, Operations, Finance/HR, plus one or two project or client sites. More than ten sites typically means you've created sites for the wrong reasons (one per project becomes unmanageable). Fewer than three usually means everything's in one giant library that's hard to secure properly.
Do I need Microsoft Purview / sensitivity labels?
For most small Townsville businesses, basic Microsoft 365 Business Premium includes everything you need — labels, conditional access, MFA. You don't need an enterprise licence. We can configure labels appropriate to your data without upselling you to E3 or E5.
