SharePoint permissions explained

SharePoint permissions control who can view, edit, or manage content in a SharePoint site, library, folder, or file. They are managed through Microsoft Entra ID (formerly Azure Active Directory) and enforced at every layer of the SharePoint hierarchy — from site collection down to individual files. When users access SharePoint files from inside monday.com via the Microsoft 365 integration, those same permissions apply: users can only see and interact with files they are already authorised to access in SharePoint.

SharePoint permission levels

SharePoint uses named permission levels that bundle together specific capabilities. The standard levels from most to least access are:

Custom permission levels can be created by combining individual permissions from a list of 33 granular rights.

Where permissions are applied

Permissions can be set at four levels in the SharePoint hierarchy:

1. Site collection — top-level; applies to all sites, libraries, and content within
2. Site — a SharePoint site or Team site; permissions can differ from the collection
3. Library or list — a document library or list within a site
4. Folder or file — individual items within a library

By default, permissions inherit from the level above — a file inherits the library's permissions, which inherit the site's, which inherit the collection's. You can break inheritance at any level to set unique permissions for a specific library, folder, or file.

Inheritance and unique permissions

Inheritance is the default and should be preserved wherever possible — managing permissions on every individual item creates significant administrative overhead and makes auditing difficult. Break inheritance only when there is a genuine access control requirement: a folder of sensitive HR documents inside a wider project library, for example, or a client-specific folder that should be visible only to that client's account team.

How SharePoint permissions work in monday.com

The Microsoft 365 SharePoint integration for monday.com authenticates each user with their own Microsoft 365 credentials using OAuth 2.0. When a user opens a SharePoint file from inside a monday.com board, the integration requests access using that user's identity — not a service account. If the user does not have permission to access the file in SharePoint, they cannot access it from monday.com either.

This means your existing SharePoint permission structure — Entra ID groups, sensitivity labels, conditional access policies — applies automatically to all content accessed through the integration. No additional permission configuration is required within the integration itself, and the integration cannot grant access beyond what SharePoint already allows.

For enterprise teams with compliance requirements, this is a significant advantage over integration approaches that use a single shared service account to access SharePoint content on behalf of all users: those approaches bypass the per-user permission model entirely.

Common permission mistakes to avoid

• Granting Full Control too broadly — most users need Contribute or Read; Full Control should be limited to site owners
• Breaking inheritance excessively — unique permissions on hundreds of individual items are difficult to audit and maintain
• Using individual user accounts instead of groups — assign permissions to Entra ID security groups, not individual users; adding and removing people from groups is far easier than updating permissions on every library
• Forgetting external sharing settings — SharePoint external sharing settings at the tenant and site level control whether content can be shared outside the organisation; review these against your data governance requirements

→ Microsoft 365 SharePoint integration for monday.com
→ OneDrive for Business vs SharePoint
→ SharePoint permissions in healthcare environments