How to See Who Has Access to a SharePoint File

You can’t manage what you can’t see. Knowing exactly who has access to a file — and how — is the foundation of safe sharing.

Reading time: 5 minutes | Last updated: June 2026 | Card code: P-03

What it is

Most people share files without ever checking who already has access. They click Share, add a name, and move on. The result is files that have accumulated dozens of people, multiple links, and inherited group permissions over time — and nobody knows the full picture.

The Manage access panel in SharePoint and OneDrive shows you exactly what’s happening: every person, every group, every active link, with their permission level (view, edit, full control). It’s the single most important tool for sharing hygiene, and it takes 30 seconds to review.

If you find yourself surprised by who has access, that’s the signal to act. Surprise means the access wasn’t deliberate — and unintended access is the most common cause of data exposure.

Why it matters

Unseen access is unmanaged risk. If you don’t know who has it, you can’t control it.

  • Inherited permissions are invisible. A file might be shared with 50 people via a group you forgot existed.
  • Links accumulate. Three different links to the same file is normal in messy environments. Manage access surfaces them all.

When to use this

  • Before sharing something sensitive, to confirm who already has access.
  • When a colleague says ‘I can’t open the file’ — check if they should have access.
  • During quarterly access reviews.
  • When auditing high-sensitivity libraries.

How to do it

  1. Select the file in SharePoint or OneDrive.
  2. Click the file menu (three dots) and select Manage access.
  3. Review the Direct access list — these are people and groups added by name.
  4. Review the Links list — these are sharing links currently active.
  5. Note each permission level (view, edit, full control).
  6. Identify anything you didn’t expect to see.
  7. Take action: remove people, disable links, or tighten permissions as needed.
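
The same review can be run over exported data when there are too many files to check by hand. This is an added example, not part of the original guide: it assumes the file's permission entries were retrieved from the Microsoft Graph driveItem permissions endpoint, and the sample entries, display names and the `review` and `principal` helpers are constructed for illustration.

```python
import json

# Constructed sample, shaped like the "value" array returned by Microsoft Graph
# GET /drives/{drive-id}/items/{item-id}/permissions (names are made up).
SAMPLE = json.loads("""[
  {"id": "p1", "roles": ["owner"],
   "grantedToV2": {"user": {"displayName": "Alex Owner"}}},
  {"id": "p2", "roles": ["write"], "inheritedFrom": {"path": "/drive/root:/Finance"},
   "grantedToV2": {"group": {"displayName": "Finance Team"}}},
  {"id": "p3", "roles": ["read"], "link": {"scope": "anonymous", "type": "view"}},
  {"id": "p4", "roles": ["write"], "expirationDateTime": "2026-09-30T00:00:00Z",
   "link": {"scope": "organization", "type": "edit"}},
  {"id": "p5", "roles": ["read"], "link": {"scope": "users", "type": "view"},
   "grantedToIdentitiesV2": [{"user": {"displayName": "Sam Reviewer"}}]}
]""")

# Graph role names mapped to the permission levels named in the steps above.
LEVEL = {"read": "view", "write": "edit", "owner": "full control"}

def principal(identity):
    """Return 'kind:name' for a Graph identity set (user, group or siteGroup)."""
    for kind in ("user", "group", "siteGroup"):
        if kind in identity:
            return f"{kind}:{identity[kind].get('displayName', '?')}"
    return "unknown"

def review(permissions):
    """Split entries into direct access and links, and flag entries to re-check."""
    report = {"direct": [], "links": [], "flags": []}
    for p in permissions:
        level = "/".join(LEVEL.get(r, r) for r in p.get("roles", []))
        link = p.get("link")
        if link is None:  # steps 3 and 5: people and groups added by name
            report["direct"].append((p["id"], principal(p.get("grantedToV2", {})), level))
            if "inheritedFrom" in p:
                report["flags"].append((p["id"], "inherited from a parent"))
            continue
        scope = link.get("scope", "unknown")  # steps 4 and 5: active sharing links
        report["links"].append((p["id"], scope, level))
        if scope == "anonymous":
            expiry = p.get("expirationDateTime")
            report["flags"].append((p["id"], "anyone link" + ("" if expiry else ", no expiry")))
        elif scope == "organization":
            report["flags"].append((p["id"], "organisation-wide link"))
    return report

if __name__ == "__main__":
    for section, rows in review(SAMPLE).items():
        print(section, rows)
```

The flags list corresponds to step 6: each entry is something to confirm as deliberate before acting on it in step 7.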

Best practices

  • Check before you share. 30 seconds of review prevents oversharing.
  • Look for surprises. Names you don’t recognise, links you don’t remember — these are red flags.
  • Use group-based access for teams. One group entry is easier to manage than 30 individual entries.
  • Document why exceptions exist. If someone has unusual access, note why so you don’t ‘fix’ something that should stay.

Common mistakes

  • Trusting the file name to tell you who can see it. ‘Confidential’ in the name does nothing. The permissions do.
  • Sharing without reviewing existing access. You might be granting access to someone who already has it via a group, doubling your audit complexity.
  • Ignoring ‘Anyone with the link’ that’s been live for two years. Disable it. Replace with specific people.

FAQ

How do I check who has access to a SharePoint file?

Select the file, click Manage access. The pane shows every person and sharing link with access, grouped by permission level (Edit, View, Read-only). For each, you see the access path — direct share, group membership, inherited from a parent folder — so you can trace where the access actually comes from.

Why can my colleague see a file I didn’t share with them?

Three usual causes: they have access via group membership (they’re in a Microsoft 365 group that has site access); they inherited access from the parent library or site; or there’s an ‘Anyone with the link’ or ‘People in your organisation’ link somewhere granting it. Manage Access shows all three so you can confirm which.

Can I see when someone accessed a SharePoint file?

Yes — in the file’s audit log via the Microsoft 365 admin center (Purview → Audit). Standard users can’t see audit logs by default; you’ll need a SharePoint admin or compliance admin to run the search. For security-sensitive files, set up alerts so you’re notified of unusual access in real time.

Why is Copilot showing files my user shouldn’t see?

Because Copilot honours SharePoint permissions exactly — if a file appears in Copilot results unexpectedly, the user genuinely has access at the SharePoint layer. Copilot is exposing access that was already there but invisible in day-to-day work. This is the #1 reason organisations need to audit permissions before turning Copilot on.
