If you've ever managed a large SharePoint document library, you've probably run into the dreaded permission creep problem. Users share individual files or folders with “specific people,” someone accidentally breaks inheritance on a folder, migrations bring over messy permissions, or years of organic sharing leave you with thousands of items that have unique role assignments. Read on for why you might want to reset item-level permissions in SharePoint, and how to do it.
Microsoft's guidance (and mine) is clear: keep unique permissions to an absolute minimum. The supported limit is 50,000 unique permission assignments per list/library, but performance starts degrading long before that—often around 5,000–10,000 unique items in practice.
Manually fixing this through the SharePoint UI? Forget it. You can't bulk-select thousands of files and “Manage Access → Reset to inherit” doesn't exist in the modern interface for multiple items.
Resetting Item-Level Permissions in SharePoint
This is exactly why I created the ResetPerms.ps1 script — a clean, focused PowerShell tool that resets every file and folder in a document library to inherit permissions from the library itself.
Repository: PowerShell-for-Microsoft-365/ResetSharePointLibraryPerms
Why You Actually Need This Script (Real-World Scenarios)
- Post-Migration Cleanup
After migrating from file shares, Box, Google Drive, or on-prem SharePoint using tools like ShareGate or Migration Manager, item-level permissions often come along for the ride. This script is the fastest way to nuke them all and start clean. Granted, sometimes you want those unique permissions after a migration, but if you want to “start over” with a clean architecture and governance, this script will help.
- Enforcing “Share at the Library Level” Policy
Your organization decides that sharing individual documents is forbidden — everything must be shared at the library or site level. This script enforces that policy in one shot.
- Performance Rescue Missions
Library loading like molasses? Users complaining about timeouts? Run this script (after verifying the library itself has the correct permissions) and watch performance return to normal.
- Preparing for Governance Changes
Before turning on sensitivity labels at the container level, applying a retention policy, or enabling guest access reviews — you need a clean permission slate.
- Undoing “Sharing Gone Wild”
That one department that shared every single file with external partners individually? Yeah… this fixes that.
What the Script Actually Does
- Connects to your SharePoint site using app-only certificate authentication (perfect for automation, no interactive login needed)
- Targets a specific document library (e.g., “Documents”, “Shared Documents”, or your custom library)
- Iterates through every file and folder in the library
- Calls ResetRoleInheritance() on each item that has unique permissions
- Removes all unique role assignments on items, forcing them to inherit from the parent folder/library
Result: Every item in the library now inherits permissions directly from the library itself. Clean, consistent, performant.
Prerequisites (Do These First!)
- PowerShell 7.4 or higher
- PnP.PowerShell module: Install-Module -Name PnP.PowerShell -Force
- Entra ID App Registration with Sites.Manage.All (or broader) SharePoint permissions
- Certificate-based authentication: upload the cert to the app and install the certificate (identified by its thumbprint) in your local CurrentUser\My store
Check out the GitHub repository for more information on how to use the script.
Final Thoughts
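Always test in a non-production library first! Also, make sure the library has the correct permissions you want before running the script.
Back up unique permissions if you think you might need them later — use Get-PnPListItem -List $library -Fields "FileLeafRef","FileRef" -PageSize 1000 | Where-Object { Get-PnPProperty -ClientObject $_ -Property HasUniqueRoleAssignments } | ForEach-Object { Get-PnPProperty -ClientObject $_ -Property RoleAssignments } or a full permission report script. HasUniqueRoleAssignments and RoleAssignments are not loaded on list items by default, so each has to be requested through Get-PnPProperty.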
Running this revokes all direct shares on individual files — those links will break. That's usually the entire point, but communicate it!
The script only resets items to inherit — it does not change the library's own permissions. Make sure the library has the correct groups/permissions before running.
For very large libraries (100k+ items), it may take hours. Consider running it overnight or adding your own batching/paging logic if needed.
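A report-first way to take the backup described above, as an added example rather than the ResetPerms.ps1 script from the repository: it exports every unique role assignment in the library to CSV and only resets inheritance when -Reset is passed. The parameter names, CSV columns and default file name are assumptions chosen for this example.

```powershell
# Added example, not ResetPerms.ps1. All parameter values are supplied by you.
param(
    [Parameter(Mandatory)] [string] $SiteUrl,
    [Parameter(Mandatory)] [string] $ClientId,
    [Parameter(Mandatory)] [string] $Tenant,
    [Parameter(Mandatory)] [string] $Thumbprint,   # cert in CurrentUser\My
    [string] $Library   = 'Documents',
    [string] $BackupCsv = "./unique-perms-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv",
    [switch] $Reset                                # report-only unless set
)
$ErrorActionPreference = 'Stop'
Connect-PnPOnline -Url $SiteUrl -ClientId $ClientId -Tenant $Tenant -Thumbprint $Thumbprint

$rows        = [System.Collections.Generic.List[object]]::new()
$uniqueItems = [System.Collections.Generic.List[object]]::new()

# -PageSize retrieves the library in pages instead of one huge request.
foreach ($item in Get-PnPListItem -List $Library -Fields 'FileLeafRef','FileRef' -PageSize 1000) {
    # HasUniqueRoleAssignments is not loaded by default; request it explicitly.
    if (-not (Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments)) { continue }
    $uniqueItems.Add($item)
    foreach ($ra in Get-PnPProperty -ClientObject $item -Property RoleAssignments) {
        # Load the principal and its permission levels for this assignment.
        $null = Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings
        $rows.Add([pscustomobject]@{
            ItemId        = $item.Id
            Path          = $item['FileRef']
            Principal     = $ra.Member.LoginName
            PrincipalType = $ra.Member.PrincipalType
            Roles         = ($ra.RoleDefinitionBindings | ForEach-Object Name) -join '; '
        })
    }
}
Write-Host "$($uniqueItems.Count) items with unique permissions, $($rows.Count) role assignments."
if ($uniqueItems.Count -eq 0) { return }

# Write the backup before touching anything; the Stop preference aborts on failure.
$rows | Export-Csv -Path $BackupCsv -NoTypeInformation -Encoding utf8
Write-Host "Backup written to $BackupCsv"

if ($Reset) {
    foreach ($item in $uniqueItems) {
        $item.ResetRoleInheritance()   # queue the CSOM call
        Invoke-PnPQuery                # send it to SharePoint
        Write-Host "Reset: $($item['FileRef'])"
    }
}
```

Run it without -Reset first and review the CSV with the library owners; the same file is the record of which principals held access to which paths before the cleanup.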
Link again for the lazy: PowerShell-for-Microsoft-365/ResetSharePointLibraryPerms
