This chapter provides a comprehensive examination of SharePoint permission inheritance, a critical concept for the MS-102 exam. Permission inheritance determines how access rights propagate from a parent object (site, list, or folder) to its child objects. Understanding this mechanism is essential for designing secure, manageable SharePoint environments and is tested in approximately 5-8% of exam questions, particularly in the Manage SharePoint site permissions objective (1.5). We will cover the inheritance model, how to break and restore inheritance, the impact on permission management, and common exam pitfalls.
Jump to a section
Imagine a large corporate building with multiple floors, each floor having several offices and conference rooms. The building has a main entrance with a security guard who checks badges. Everyone who enters the building gets a badge that grants access to certain floors and rooms. Now, the building manager can set permissions at the building level: all employees can enter the ground floor lobby. But for a specific office on the 5th floor (e.g., the Finance office), only certain employees should have access. If the manager sets permissions directly on that office door (breaking inheritance), then even if someone has building-level access, they still need a separate key for that office. However, if the manager inherits permissions from the floor, then the office automatically grants access to everyone who has floor-level access. The key mechanic: if inheritance is broken, changes to the floor's access list do NOT affect the office—you must manage the office door separately. Also, if inheritance is later restored (re-inherit), the office loses all its custom permissions and adopts the floor's list, which could accidentally grant access to people who shouldn't be there. This is exactly how SharePoint permission inheritance works: sites, lists, libraries, folders, and items can inherit from their parent, or have unique permissions. Breaking inheritance creates a copy of the parent's permissions at the moment of break, and any subsequent changes to the parent do not propagate. Restoring inheritance discards all custom permissions and replaces them with the parent's current list.
What Is SharePoint Permission Inheritance?
SharePoint uses a hierarchical permission model where permissions can flow from a parent object to its children. By default, when you create a new site, list, library, folder, or item, it inherits permissions from its immediate parent. For example, a document library inherits from the site; a folder within that library inherits from the library; a document within that folder inherits from the folder. This inheritance chain allows administrators to grant access at a high level (e.g., the site) and have those permissions apply to all content underneath, simplifying management.
Why Inheritance Exists
Without inheritance, every new object would require manual permission assignment, leading to massive administrative overhead and inconsistency. Inheritance ensures that adding a user to a site group automatically grants them access to all lists, libraries, and items within that site (unless inheritance is broken). It also makes auditing and troubleshooting easier because you can trace permission grants up the hierarchy.
How Inheritance Works Internally
When inheritance is intact, child objects do not store their own permission entries. Instead, they reference the parent's permission set. When a user requests access to a resource, SharePoint walks up the hierarchy until it finds an object with unique permissions (or the root site collection). It then evaluates the permissions on that object. This means changes to a parent's permissions are immediately effective for all inheriting children.
When you break inheritance on a child object, SharePoint creates a copy of the parent's permission set at that moment and stores it on the child. From that point forward, the child has its own Access Control List (ACL) that is independent of the parent. Any changes to the parent's permissions do not affect the child, and vice versa. The child's ACL is a snapshot; it does not maintain a link to the parent. If you later restore inheritance (re-inherit), SharePoint discards the child's custom ACL and replaces it with the parent's current ACL. This action is irreversible—all custom permissions are lost.
Key Components and Defaults
Permission inheritance scope: Applies to site collections, sites, lists, libraries, folders, and items (list items and documents).
Inheritance state: Each securable object has a boolean property HasUniqueRoleAssignments. If false, it inherits; if true, it has unique permissions.
Breaking inheritance: In the UI, go to the object's settings -> Permissions -> Stop Inheriting Permissions. Programmatically, use SPWeb.BreakRoleInheritance() or the CSOM/REST API.
Restoring inheritance: In the UI, go to Permissions -> Delete Unique Permissions. Programmatically, use SPWeb.ResetRoleInheritance().
Permission levels: SharePoint uses role definitions (e.g., Full Control, Edit, Contribute, Read) that are assigned to principals (users or groups) via role assignments.
Default permission level inheritance: When inheritance is broken, the child initially gets a copy of the parent's role assignments. You can then modify them.
Unique permissions limit: A site collection can have up to 50,000 unique permission scopes (objects with broken inheritance). Exceeding this limit can cause performance degradation and is not recommended.
Configuration and Verification Commands
Using SharePoint Online Management Shell:
# Connect to SharePoint Online
Connect-SPOService -Url https://yourtenant-admin.sharepoint.com
# Get site collection
$site = Get-SPOSite -Identity https://yourtenant.sharepoint.com/sites/yoursite
# Check permission inheritance for a specific web
$web = Get-SPOWeb -Site $site.Url
$web.HasUniqueRoleAssignments # True or False
# Break inheritance on a list (using PnP PowerShell)
Connect-PnPOnline -Url https://yourtenant.sharepoint.com/sites/yoursite
Set-PnPList -Identity "Documents" -BreakRoleInheritance -CopyRoleAssignments:$true
# Restore inheritance
Set-PnPList -Identity "Documents" -ResetRoleInheritanceUsing REST API:
# Check inheritance
GET https://yourtenant.sharepoint.com/sites/yoursite/_api/web/lists/getbytitle('Documents')/HasUniqueRoleAssignments
# Break inheritance
POST https://yourtenant.sharepoint.com/sites/yoursite/_api/web/lists/getbytitle('Documents')/breakroleinheritance(copyRoleAssignments=true)
# Restore inheritance
POST https://yourtenant.sharepoint.com/sites/yoursite/_api/web/lists/getbytitle('Documents')/resetroleinheritance()Interaction with Related Technologies
SharePoint Groups: When you add a user to a SharePoint group that has permissions on a parent site, that user automatically gains access to all child objects that inherit permissions. If inheritance is broken on a child, the user may not have access unless explicitly added to the child's permissions.
Azure AD Groups: Using Azure AD groups (security groups) in SharePoint permissions is recommended for large-scale management. When an Azure AD group is granted access at the site level, its members inherit that access to all inheriting children. Breaking inheritance on a child does not affect the group's membership, but the child's ACL must include the group if you want its members to have access.
Sharing vs. Permission Inheritance: Sharing (via the Share button) creates a unique permission on the item or folder being shared, effectively breaking inheritance for that object. The shared link creates an anonymous or authenticated user link with specific permissions. This is a special case of breaking inheritance.
Information Protection: Sensitivity labels and retention policies are independent of permission inheritance. However, if a label restricts access (e.g., via encryption), that restriction overrides SharePoint permissions.
Performance Considerations
Unique permissions limit: As noted, 50,000 unique permission scopes per site collection. Exceeding this can cause slow page loads, timeouts, and issues with search indexing.
Inheritance depth: Deeply nested hierarchies with many broken inheritance points can degrade performance because SharePoint must evaluate permissions at each level.
Bulk operations: Breaking inheritance on many items at once (e.g., via script) should be done during off-peak hours to avoid throttling.
Best Practices
Use inheritance as much as possible. Only break inheritance when absolutely necessary.
Prefer using SharePoint groups and Azure AD groups over individual user permissions.
Limit the number of unique permission scopes to under 10,000 for optimal performance.
When breaking inheritance, consider copying the parent's role assignments to avoid accidentally locking out administrators.
Document custom permission assignments to ease troubleshooting.
Regularly review sites with unique permissions using reports or PowerShell scripts.
Navigate to object permissions
In SharePoint Online, go to the site, list, library, folder, or item for which you want to manage permissions. For a list or library, click the gear icon (Settings) and select 'Library settings' or 'List settings'. Then click 'Permissions for this document library' (or list). For a folder or item, select the item, click the ellipsis (...), choose 'Manage access', then click 'Advanced settings' (which opens the classic permissions page). This step is the entry point to view and modify inheritance.
Check current inheritance status
On the Permissions page, look for the message 'This library inherits permissions from its parent' or 'This library has unique permissions'. If it says inherits, you see a button 'Stop Inheriting Permissions'. If it says unique, you see a button 'Delete Unique Permissions'. The status is also reflected in the 'HasUniqueRoleAssignments' property. This step is crucial to confirm whether you are working with inherited or unique permissions before making changes.
Break inheritance (Stop Inheriting)
Click 'Stop Inheriting Permissions'. SharePoint immediately copies all existing permission entries from the parent to the child object. The child now has its own ACL. A confirmation dialog warns that changes to parent permissions will no longer affect this object. After confirmation, the page refreshes, and you can now add or remove users/groups directly. Note: If you do not copy role assignments (by unchecking the copy option in some interfaces), the child object will have no permissions, which could lock out everyone except site collection administrators. By default, the copy is enabled.
Modify unique permissions
Now you can grant permissions directly on the object. Use the 'Grant Permissions' button to add users or groups and assign a permission level (e.g., Read, Contribute). You can also remove existing permissions by selecting a user/group and clicking 'Remove User Permissions'. Changes take effect immediately. Remember that these permissions are independent of the parent; adding a user here does not affect the parent, and vice versa. This step is where you tailor access for the specific content.
Restore inheritance (Delete Unique Permissions)
To revert to inheriting permissions from the parent, click 'Delete Unique Permissions'. A confirmation dialog warns that all custom permissions will be removed and the object will inherit permissions from its parent. After confirmation, the object's ACL is replaced with the parent's current ACL. Any custom permissions you had set are lost. This action is irreversible; if you need to re-break inheritance later, you start fresh. This step is often used to simplify permission management when unique permissions are no longer needed.
Scenario 1: HR Department Document Library
A large enterprise has an HR site with a 'Confidential' document library that should only be accessible to HR managers. The rest of the HR team should have access to the site but not this library. The administrator breaks inheritance on the library, removes the default 'HR Members' group, and adds a new 'HR Managers' group with Contribute permissions. This solves the problem: HR team members can access the site but get an access denied error when trying to open the library. However, if later the administrator adds a new user to the 'HR Members' group (which has site-level permissions), that user will not gain access to the library because inheritance is broken. This is a common scenario where broken inheritance provides granular control.
Scenario 2: Project Site with Multiple Sub-sites
A project management site collection has a top-level site with general project information. Each project team has its own sub-site. To keep management simple, the administrator initially inherits permissions from the top-level site. But one project (Project X) requires external vendor access. The administrator breaks inheritance on the Project X sub-site and adds the vendor's Azure AD guest account with Read permissions. This works well until the vendor's contract ends; the administrator then restores inheritance on the sub-site, inadvertently granting the vendor access again if the top-level site still has the vendor guest account. To avoid this, the administrator should remove the vendor from the top-level site before restoring inheritance, or keep unique permissions and manually remove the vendor.
Performance and Scale Considerations
In a large tenant with thousands of sites, breaking inheritance on hundreds of thousands of items can lead to performance issues. For example, a document library with 10,000 documents where each document has unique permissions (e.g., via sharing) will exceed the 50,000 unique permission scopes limit if not managed carefully. The SharePoint search index may also become bloated. Administrators must monitor the number of unique permissions using the 'Site Collection Storage Metrics' or PowerShell scripts. A common misconfiguration is breaking inheritance on individual items instead of using folders; folders are more efficient because they require only one unique permission scope per folder, not per item.
Objective Codes and Exam Focus
This topic falls under Objective 1.5: Manage SharePoint site permissions. The MS-102 exam tests your understanding of permission inheritance concepts, how to break and restore inheritance, and the implications for permission management. You should be able to:
Identify whether an object has unique permissions.
Explain the effect of breaking inheritance.
Determine the impact of restoring inheritance.
Recommend when to break inheritance versus using folder-level permissions.
Understand the 50,000 unique permissions limit.
Common Wrong Answers and Traps
"Breaking inheritance creates a new permission set that remains linked to the parent" – This is false. The copy is independent; changes to the parent do not propagate. Candidates often think there is a dynamic link.
"Restoring inheritance merges the custom permissions with the parent's permissions" – False. Restoring inheritance discards all custom permissions and replaces them with the parent's current set. There is no merge.
"You can break inheritance on a site collection" – False. The root site collection inherits from the tenant admin; you cannot break inheritance at the site collection level. You can only break inheritance on sites (webs), lists, libraries, folders, and items.
"Breaking inheritance without copying role assignments is a best practice" – False. This often results in no permissions for anyone except site collection admins, causing lockouts. The default copy is recommended.
Specific Numbers and Terms on the Exam
50,000 unique permission scopes per site collection – this limit appears frequently.
HasUniqueRoleAssignments – the property name used in PowerShell and REST.
BreakRoleInheritance and ResetRoleInheritance – method names.
Stop Inheriting Permissions and Delete Unique Permissions – UI button labels.
Edge Cases
Inheritance and sharing: When you share a file or folder with someone via a link, SharePoint automatically breaks inheritance on that item. The exam may ask about the effect of sharing on inheritance.
Inheritance and site collection admin: Site collection administrators always have full access regardless of inheritance. The exam may test that breaking inheritance does not affect site collection admins.
Inheritance and navigation: Navigation permissions are separate; breaking inheritance on a site does not affect navigation settings.
How to Eliminate Wrong Answers
Focus on the independence of unique permissions. If a question describes a scenario where changes to a parent affect a child, the child must be inheriting. If the child has unique permissions, changes to the parent have no effect. Also, remember that restoring inheritance is destructive—it wipes custom permissions. Use the mechanism: when inheritance is broken, a snapshot copy is taken; when restored, the snapshot is deleted and replaced with the parent's current ACL.
Permission inheritance is enabled by default for all securable objects (sites, lists, libraries, folders, items).
Breaking inheritance creates a static copy of the parent's permissions; subsequent parent changes do not propagate.
Restoring inheritance deletes all custom permissions and replaces them with the parent's current ACL.
The maximum number of unique permission scopes per site collection is 50,000.
Use the `HasUniqueRoleAssignments` property to check inheritance status via PowerShell or REST.
When breaking inheritance, always copy role assignments to avoid locking out users.
Site collection administrators always have full access regardless of inheritance.
Sharing a file or folder automatically breaks inheritance on that item.
Prefer folder-level unique permissions over item-level to reduce unique scope count.
Use Azure AD groups and SharePoint groups to simplify permission management.
These come up on the exam all the time. Here's how to tell them apart.
Inherited Permissions
Permissions flow from parent to child automatically.
Changes to parent permissions immediately affect child.
No separate ACL stored on child; child references parent.
Easier to manage – single point of control.
Lower performance overhead; fewer unique scopes.
Unique Permissions (Broken Inheritance)
Child has its own independent ACL.
Changes to parent permissions do not affect child.
Child stores a copy of permissions at time of break.
More granular control but higher management overhead.
Increases unique permission scope count; limit of 50,000 per site collection.
Mistake
Breaking inheritance creates a dynamic link that syncs permissions with the parent.
Correct
Breaking inheritance takes a static snapshot of the parent's permissions at that moment. No further changes from the parent are reflected on the child.
Mistake
Restoring inheritance merges custom permissions with the parent's permissions.
Correct
Restoring inheritance discards all custom permissions on the child and replaces them entirely with the parent's current permission set.
Mistake
You can break inheritance on a site collection (root).
Correct
The root site collection always inherits from the tenant admin. You cannot break inheritance at the site collection level; you can only break inheritance on webs (sites), lists, libraries, folders, and items.
Mistake
Breaking inheritance without copying role assignments is a best practice to start fresh.
Correct
This often results in an empty ACL, locking out all users except site collection administrators. Always copy role assignments unless you have a specific reason not to.
Mistake
Permission inheritance applies to all objects including site collection features like navigation.
Correct
Permission inheritance only affects securable objects (sites, lists, libraries, folders, items). Navigation settings, web part configurations, and site features are not controlled by permission inheritance.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
When you break inheritance, SharePoint copies the current permission entries from the parent (site) to the list. The list then has its own ACL. Any users or groups that had permissions on the site now have the same permissions on the list, but you can modify them independently. Changes to the site's permissions afterwards do not affect the list. This is a one-time copy.
No. Restoring inheritance (deleting unique permissions) removes all custom permissions on the object and replaces them with the parent's current permissions. This action is irreversible. If you need to keep custom permissions, you must not restore inheritance. Instead, consider backing up the permission assignments before restoring.
Breaking inheritance on a folder affects all items within that folder (unless those items also have unique permissions). It uses one unique permission scope for the folder. Breaking inheritance on individual items uses one scope per item. To reduce the number of unique permission scopes, it is better to break inheritance at the folder level rather than on each item. For example, if you have 100 documents that need unique permissions, create 10 folders and break inheritance on each folder instead of on each document.
When you share a file or folder using the Share button (e.g., sending a link), SharePoint automatically breaks inheritance on that item. The shared link creates a unique permission entry (e.g., an anonymous link or specific user access). The item now has its own ACL, and changes to parent permissions do not affect the shared item. If you later delete the shared link, you may need to restore inheritance manually if you want to revert to inheriting permissions.
The maximum is 50,000 unique permission scopes per site collection. A unique permission scope is created each time you break inheritance on an object (site, list, library, folder, or item). Exceeding this limit can cause performance issues, such as slow page loads and timeouts. It is a best practice to keep the number well below this limit, ideally under 10,000.
No. The root site (top-level site) of a site collection inherits permissions from the tenant admin. You cannot break inheritance on the root site. You can only break inheritance on child sites (webs), lists, libraries, folders, and items. For the root site, you manage permissions directly via the site permissions page, but it always has unique permissions relative to the tenant.
You can use the `HasUniqueRoleAssignments` property. For example, with PnP PowerShell: `Connect-PnPOnline -Url https://tenant.sharepoint.com/sites/site; $list = Get-PnPList -Identity 'Documents'; $list.HasUniqueRoleAssignments`. This returns True if the list has unique permissions, False if it inherits.
You've just covered SharePoint Permission Inheritance — now see how well it sticks with free MS-102 practice questions. Full explanations included, no account needed.
Done with this chapter?