Share via

External Guest Access to SharePoint Online sub folder with restricted permissions

Gary Scrivner 40 Reputation points
2026-05-06T16:39:19.51+00:00

In SharePoint Online, when sharing access to a folder in a document library with an external user, if the folder shared has a sub folder that does not inherit permissions and has restricted permissions that include only 2 groups that do not include the external user, the external user is able to view the contents of the restricted access sub folder. Is there a way to secure access to the restricted sub folder so the external guests cannot view?

Microsoft 365 and Office | SharePoint | For business | Windows
0 comments

Answer accepted by question author

  1. Ian-Ng 12,280 Reputation points Microsoft External Staff Moderator
    2026-05-06T21:32:40.2266667+00:00

    Hi @Gary Scrivner,

    Thank you for taking the time to reply to me.

    According to your question, yes

    If the parent folder is shared with an external guest, that sharing can also provide access to content within that folder structure, including child folders, because folder sharing in the modern experience can automatically share folder contents and sharing adds permissions rather than removing or restricting existing access. 

    Therefore, in your example, when you want the guest to access only the 6 permitted subfolders and not the 2 restricted subfolders, the recommended approach is to: 

    • remove the guest’s access and any active sharing links from the parent folder 
    • keep the 2 restricted subfolders on their own unique permissions 
    • share only the 6 intended subfolders directly with the guest, preferably by using Specific people links 
    • verify the result by reviewing Manage access and Check permissions afterward. 

    So yes, for future guest sharing, if some subfolders must remain hidden or restricted, it is safer to share only the specific subfolders that the guest should access rather than sharing the higher-level parent folder.  

    For the best practice, if this layout will be used usually, you can place guest-facing content in a separate dedicated library or structure for external sharing. That can make permission management easier and helps reduce the risk of unintended showing. 

    I hope this helps clarify the safe design for your case.  

    If this reply helped address your concerns, please consider marking the answer as accepted so other members can find the confirmed guidance more easily. 

    Thank you for your cooperation and please reach out to me since you have further concerns. 

    1 person found this answer helpful.

Answer accepted by question author

  1. Ian-Ng 12,280 Reputation points Microsoft External Staff Moderator
    2026-05-06T18:04:55.65+00:00

    Hi @Gary Scrivner,

    Thanks for the detailed explanation. 

    From the behavior you described, it is actually expected behavior. When a folder is shared, SharePoint adds permissions rather than removing or restricting existing ones, and in the modern experience it can include access to items or subfolders that already have unique permissions. 

    Because of that, even if a subfolder has broken inheritance and does not explicitly include the external user, the user may still be able to access it through the parent folder sharing. 

    To properly secure the restricted subfolder, you can try the following approach: 

    Phase 1: Stop parent folder sharing:  

    • Start by revoking access at the top level. Go to the parent folder’s Manage Access pane.  
    • You must delete active Sharing Links (Anyone, People in Organization, or Specific People) and remove the user from Direct Access.  
    • In SharePoint, a parent-level sharing link often acts as a "master key" that can bypass subfolder restrictions. 
    • Kindly refer to have detailed instructions: Manage sharing and permissions in OneDrive and SharePoint - Microsoft Support 

    Phase 2: Break subfolder inheritance: 

    • Ensure the restricted subfolder is logically isolated. Navigate to the subfolder’s Advanced Permissions settings and click Stop Inheriting Permissions. User's image
    • Manually remove the external user from the list. User's image
    • Use the Check Permissions tool to verify their access is "None." This prevents the subfolder from following to parent-level changes. User's image

    Phase 3: Share granularly:  

    • Re-share only the necessary items using "Specific People" links. This prevents a top-level link from accidentally exposing restricted sub-content. 
    • Sharing links often bypass subfolder restrictions. Removing the parent link is essential for unique permissions to be respected. 

    You can find step-by-step instructions and essential notes in Customize permissions for a SharePoint list or library - Microsoft Support.

    This aligns with how SharePoint handles unique permissions changes at the subfolder level do not reduce access that was already granted through a parent share. 

    Note: as an additional consideration, when sharing folders externally, it’s recommended to use specific people links and carefully scope what level (site, library, folder) is being shared to avoid unintended exposure.  

    If you continue to see unexpected access after removing the parent sharing, it may be worth reviewing all sharing links and permissions on the parent container, as access can sometimes persist through those links. 

    Hope this helps clarify the behavior and gives you a path to secure the content.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Q&A Assist
    2026-05-06T16:39:36.4033333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    Yes. The behavior occurs because SharePoint does not remove or restrict existing permissions when sharing a parent folder; it only adds/grants permissions. If a subfolder or item already has unique permissions that allow broader access, those permissions remain effective even after sharing the parent folder with more restrictive rights.

    To secure the restricted subfolder so external guests cannot view it, use one of these approaches:

    1. Change permissions directly on the restricted subfolder
      • Break or confirm unique permissions on the subfolder.
      • Remove any groups or users that should not have access (including any group that indirectly includes the external guest).
      • Grant access only to the specific groups or users that should see the subfolder.
    2. Remove and re-create sharing on the parent folder
      • Stop sharing the parent folder with the external guest. This removes their permissions from all subfolders and items.
      • Verify that the restricted subfolder has unique permissions that do not include the external guest or any group they belong to.
      • Re-share the parent folder with the external guest with the desired (e.g., view) permissions.

    The key is to manage permissions at the item/subfolder level where unique permissions exist, because sharing a higher-level folder will not override or reduce those existing unique permissions.

    References:

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.