Grant a User Access to a SharePoint Site

Why this matters

When employees change roles, join new projects, or report missing access to departmental content (e.g., a Sales or HR SharePoint site), IT admins must grant them access quickly and correctly. Granting too much access creates compliance and data leakage risk; granting too little blocks productivity.

SharePoint sites use three default permission groups:

• Owners — Full control. Typically reserved for site admins.
• Members — Edit access. Appropriate for most collaborators.
• Visitors — Read-only access. Appropriate for consumers of content.

Run this recipe when a user reports they cannot open a SharePoint site or document library they should have access to.

After completing this recipe, you will have:

• Verified the user's identity and the target SharePoint site
• Chosen an appropriate permission level (Owner, Member, or Visitor)
• Added the user to the site's permission group
• Confirmed access by checking the site's membership
• Notified the user (optional) that access has been granted

Warnings & considerations

• Principle of least privilege: Default to Visitor (read-only) or Member (edit). Avoid granting Owner rights unless the user genuinely administers the site.
• Group vs. direct access: If the site is tied to a Microsoft 365 Group or Team, prefer adding the user to the underlying M365 Group — permissions flow through automatically and stay in sync with Teams membership.
• Sharing policies: Some tenants restrict external sharing. Adding a guest user may require additional approval.
• Auditing: Permission changes are logged in the Microsoft Purview audit log. Document the business justification for future review.
• Do not edit the root tenant SharePoint permissions or add users to the "Everyone except external users" group as a workaround.