Adding & Removing Users on SharePoint CMS | OpsBlu Docs

Setup, configuration, and best practices for managing SharePoint users: adding and removing people in SharePoint Online and SharePoint Server.

SharePoint user management is deeply integrated with Microsoft 365 and Azure Active Directory (Entra ID). Users are not created "in SharePoint" directly -- they exist in Azure AD and are granted access to SharePoint sites through permissions, groups, and sharing. This guide covers both SharePoint Online (Microsoft 365) and SharePoint Server on-premises.

How SharePoint User Management Works

SharePoint uses a layered permission model:

  • Azure AD / Entra ID -- Source of truth for user identities
  • Microsoft 365 Groups -- Team-based access that creates a connected SharePoint site
  • SharePoint Groups -- Site-level permission groups (Owners, Members, Visitors)
  • Sharing Links -- Granular item/folder-level access for internal and external users

Every SharePoint site has three default groups:

  • Site Owners -- Full control (manage structure, permissions, settings)
  • Site Members -- Edit access (create, edit, delete content)
  • Site Visitors -- Read-only access
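To see these layers on a real site, here is an added example (not from the original page) that walks them with PnP PowerShell: whether the site is group-connected, who the site collection administrators are, which principals hold which permission level on the web, and the membership of each SharePoint group. It assumes PnP.PowerShell with your own Entra app registration (the -ClientId value is a placeholder) and the Marketing site URL used elsewhere on this page.

```powershell
# Added example: map the permission layers of one SharePoint Online site.
# Assumes PnP.PowerShell 2.x+ and your own Entra app registration (placeholder ClientId).
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/marketing" `
    -Interactive -ClientId "00000000-0000-0000-0000-000000000000"

# Layer 1: is this site connected to a Microsoft 365 Group? If so, group members
# arrive in the site's Members group automatically and must be managed in the group.
$site = Get-PnPSite -Includes GroupId
if ($site.GroupId -ne [Guid]::Empty) {
    Write-Host "Group-connected site, Microsoft 365 Group ID: $($site.GroupId)"
} else {
    Write-Host "Stand-alone site (no Microsoft 365 Group)"
}

# Layer 2: site collection administrators bypass every permission below.
Get-PnPSiteCollectionAdmin | ForEach-Object { Write-Host "Site admin: $($_.LoginName)" }

# Layer 3: role assignments on the web, i.e. which principal holds which permission level.
$web = Get-PnPWeb -Includes RoleAssignments
foreach ($ra in $web.RoleAssignments) {
    # Member and RoleDefinitionBindings are not loaded by default; fetch them explicitly.
    Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
    $roles = ($ra.RoleDefinitionBindings | ForEach-Object Name) -join ", "
    $kind  = if ($ra.Member.PrincipalType -eq "SharePointGroup") { "Group" } else { "Direct" }
    Write-Host ("{0,-6} {1,-40} {2}" -f $kind, $ra.Member.Title, $roles)

    # Layer 4: expand SharePoint group membership so you see the actual people.
    if ($ra.Member.PrincipalType -eq "SharePointGroup") {
        Get-PnPGroupMember -Group $ra.Member.Title |
            ForEach-Object { Write-Host ("       - {0} <{1}>" -f $_.Title, $_.Email) }
    }
}

Disconnect-PnPOnline
```

"Direct" rows are individual grants outside any group, the ones that quarterly reviews tend to miss; a principal holding only "Limited Access" usually got there through an item-level sharing link or a library with broken inheritance, which this web-level walk does not enumerate.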

Adding Users to a SharePoint Site

Via SharePoint Site Settings

  1. Navigate to the SharePoint site
  2. Click the gear icon (Settings) in the top-right corner
  3. Click Site permissions
  4. Click Invite people or Share site
  5. Enter the user's email address or name (searches Azure AD)
  6. Select a permission level:
    • Full control (adds to Owners group)
    • Edit (adds to Members group)
    • Read (adds to Visitors group)
  7. Optionally add a message
  8. Click Share

Via SharePoint Admin Center

For SharePoint administrators (this requires the SharePoint Administrator or Global Administrator role in the tenant, not just ownership of the site):

  1. Go to https://admin.microsoft.com or https://yourtenant-admin.sharepoint.com
  2. Navigate to Sites > Active sites
  3. Select the target site
  4. Click Membership tab
  5. Under the appropriate role (Owners, Members), click Add members
  6. Search for and select users
  7. Click Save

Adding Users via PowerShell

PowerShell with the PnP module provides the most flexible user management. Current PnP.PowerShell releases require you to register your own Entra app and pass its ID with -ClientId; the shared PnP Management Shell app that -Interactive used to rely on was retired in 2024.

# Install PnP PowerShell module (one-time)
Install-Module -Name PnP.PowerShell -Scope CurrentUser

# Connect to SharePoint Online (replace the placeholder with your own app registration ID)
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/marketing" -Interactive -ClientId "<your-app-id>"

# Add a user to a SharePoint group. Default group names are "<Site Title> Owners",
# "<Site Title> Members" and "<Site Title> Visitors"; list them with Get-PnPGroup.
Add-PnPGroupMember -LoginName "jane@contoso.com" -Group "Marketing Site Members"

# Grant a permission level directly (no group). Direct grants are easy to lose
# track of in audits; prefer groups unless there is a specific reason.
Set-PnPWebPermission -User "jane@contoso.com" -AddRole "Contribute"

# Add an external user. Requires external sharing enabled for the site, and the
# guest account must already resolve in Entra ID (invited via sharing or Entra B2B).
Add-PnPGroupMember -LoginName "contractor@agency.com" -Group "Marketing Site Members"

Bulk add users from a CSV:

# bulk-add-users.ps1
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/marketing" -Interactive -ClientId "<your-app-id>"

$users = Import-Csv -Path ".\new-users.csv"
# CSV format (header row required): Email,Group
# jane@contoso.com,Marketing Site Members
# john@contoso.com,Marketing Site Owners

foreach ($user in $users) {
    try {
        # -ErrorAction Stop turns the cmdlet's non-terminating errors into exceptions,
        # otherwise a bad email or group name never reaches the catch block
        Add-PnPGroupMember -LoginName $user.Email -Group $user.Group -ErrorAction Stop
        Write-Host "Added $($user.Email) to $($user.Group)" -ForegroundColor Green
    } catch {
        Write-Host "Failed: $($user.Email) - $($_.Exception.Message)" -ForegroundColor Red
    }
}

Disconnect-PnPOnline

Microsoft Graph API

# Add a member to a Microsoft 365 Group (which grants Edit access on the connected site;
# use /owners/$ref instead of /members/$ref to make the user a site owner)
curl -X POST "https://graph.microsoft.com/v1.0/groups/{group-id}/members/\$ref" \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/{user-id}"
  }'

# Using Microsoft Graph PowerShell (User.Read.All is needed to resolve the user below)
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

# Get the group ID for the SharePoint site's M365 Group. Display names are not unique,
# so make sure the filter returned exactly one group before using it.
$group = Get-MgGroup -Filter "displayName eq 'Marketing Team'"
if (@($group).Count -ne 1) { throw "Expected exactly one group named 'Marketing Team'" }

# Add a member
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId (Get-MgUser -UserId "jane@contoso.com").Id

Bulk User Management

Bulk Permission Assignment via PnP

# Assign permissions to multiple users across multiple sites
$clientId = "<your-app-id>"   # your PnP app registration
$sites = @(
    "https://contoso.sharepoint.com/sites/marketing",
    "https://contoso.sharepoint.com/sites/sales",
    "https://contoso.sharepoint.com/sites/engineering"
)

$newUsers = @("user1@contoso.com", "user2@contoso.com", "user3@contoso.com")

foreach ($site in $sites) {
    # -Interactive prompts once per site; for unattended runs use an app-only
    # registration with -CertificatePath and -Tenant instead
    Connect-PnPOnline -Url $site -Interactive -ClientId $clientId
    # The default members group is named "<Site Title> Members"
    $membersGroup = "$((Get-PnPWeb).Title) Members"
    foreach ($user in $newUsers) {
        try {
            Add-PnPGroupMember -LoginName $user -Group $membersGroup -ErrorAction Stop
            Write-Host "Added $user to $membersGroup on $site"
        } catch {
            Write-Host "Failed: $user on $site - $($_.Exception.Message)" -ForegroundColor Red
        }
    }
    Disconnect-PnPOnline
}

Bulk External User Cleanup

# Find all external users on a site; uncomment the removal once you have reviewed the list
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/marketing" -Interactive -ClientId "<your-app-id>"

# Guest accounts carry #ext# in their claims login name
$externalUsers = Get-PnPUser | Where-Object { $_.LoginName -like "*#ext#*" }

foreach ($ext in $externalUsers) {
    Write-Host "External user: $($ext.Email) - $($ext.LoginName)"
    # Removing from one group leaves any other group or direct grant in place;
    # Remove-PnPUser -Identity $ext.LoginName drops them from the whole site collection.
    # Remove-PnPGroupMember -LoginName $ext.LoginName -Group "Marketing Site Members"
}

Removing and Deactivating Users

Removing Site Access

Via SharePoint UI:

  1. Navigate to Site settings > Site permissions
  2. Find the user in the appropriate group
  3. Click the X next to their name
  4. Confirm removal

Via PowerShell:

Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/marketing" -Interactive -ClientId "<your-app-id>"

# Remove from a specific group
Remove-PnPGroupMember -LoginName "jane@contoso.com" -Group "Marketing Site Members"

# Remove the user from the site collection entirely (all SharePoint groups and direct
# permissions on this site). -Identity takes the user ID or the full claims login name.
Remove-PnPUser -Identity "i:0#.f|membership|jane@contoso.com"

Neither step touches other site collections, and it does not invalidate "Anyone" sharing links, which keep working for whoever holds the URL regardless of who created them. Review those under Site settings > Site usage > Shared with external users, or on an item's Manage access panel.

Disabling at Azure AD Level

When an employee leaves the organization, disable their Azure AD account:

# Disable the user account in Azure AD (blocks new sign-ins to all M365 services including SharePoint)
Connect-MgGraph -Scopes "User.ReadWrite.All"
Update-MgUser -UserId "jane@contoso.com" -AccountEnabled:$false

This blocks new sign-ins to all SharePoint sites, OneDrive, Teams, and other Microsoft 365 services. It is not instantaneous for sessions that already exist: access tokens issued before the change remain valid until they expire (up to about an hour, sooner for clients that support Continuous Access Evaluation). For a departure where that window matters, also revoke the user's refresh tokens and sessions with Revoke-MgUserSignInSession.

What Happens to Their Content

  • Documents they uploaded remain in document libraries with their name as the author
  • Pages they created retain the Author and Editor metadata fields
  • OneDrive -- once the account is deleted (not merely disabled), the OneDrive is retained for 30 days by default (configurable in the OneDrive admin settings) and access can be handed to their manager
  • Checked-out documents stay locked -- an admin must check them in: Set-PnPFileCheckedIn -Url "/sites/marketing/Shared Documents/locked-file.docx"
  • Workflow instances they started continue running but approvals assigned to them stall
  • List items they created or modified retain their identity in the Created By and Modified By columns
  • SharePoint site ownership -- if they were the only owner or site collection administrator, promote another member before removal; Get-PnPSiteCollectionAdmin shows who currently holds that role
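The disable step and the content clean-up above are usually run together. Here is an added example (not from the original page) of an offboarding script that does them in one pass: it disables the account and revokes existing sessions, makes sure each site keeps an administrator, checks in files the leaver still holds, and then removes them from the site. It assumes Microsoft.Graph and PnP.PowerShell with your own app registration; the user, fallback owner, site list and -ClientId are placeholders, and it assumes the library is titled "Documents" and that its CheckoutUser column carries the checkout holder's email.

```powershell
# Added example: offboard one leaver from Entra ID and a list of SharePoint sites.
# All values in param() are placeholders; ClientId is your own PnP app registration.
param(
    [string]$Upn      = "jane@contoso.com",
    [string]$NewOwner = "ops-lead@contoso.com",
    [string[]]$Sites  = @("https://contoso.sharepoint.com/sites/marketing"),
    [string]$ClientId = "00000000-0000-0000-0000-000000000000"
)

# 1. Block sign-in AND revoke refresh tokens. Disabling alone leaves tokens that were
#    already issued valid until they expire.
Connect-MgGraph -Scopes "User.ReadWrite.All" -NoWelcome
Update-MgUser -UserId $Upn -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $Upn | Out-Null
Write-Host "Disabled $Upn and revoked sessions"

foreach ($url in $Sites) {
    Connect-PnPOnline -Url $url -Interactive -ClientId $ClientId

    # 2. Never leave a site without an administrator: if the leaver is the only site
    #    collection admin, promote the fallback owner before removing them.
    $admins  = @(Get-PnPSiteCollectionAdmin)
    $isAdmin = $admins | Where-Object { $_.Email -eq $Upn }
    if ($isAdmin -and $admins.Count -le 1) {
        Add-PnPSiteCollectionAdmin -Owners $NewOwner
        Write-Host "$url : promoted $NewOwner to site collection admin"
    }
    if ($isAdmin) { Remove-PnPSiteCollectionAdmin -Owners $Upn }

    # 3. Check in anything the leaver still has checked out so colleagues can edit it.
    #    Assumption: CheckoutUser (a user lookup) exposes the holder's Email.
    $locked = Get-PnPListItem -List "Documents" -PageSize 500 |
        Where-Object { $_.FieldValues.CheckoutUser -and $_.FieldValues.CheckoutUser.Email -eq $Upn }
    foreach ($item in $locked) {
        $path = $item.FieldValues.FileRef          # server-relative URL of the file
        Set-PnPFileCheckedIn -Url $path -Comment "Checked in by admin during offboarding"
        Write-Host "$url : checked in $path"
    }

    # 4. Drop the leaver from every SharePoint group and direct grant on this site.
    $spUser = Get-PnPUser | Where-Object { $_.Email -eq $Upn }
    if ($spUser) {
        Remove-PnPUser -Identity $spUser.LoginName -Confirm:$false
        Write-Host "$url : removed $Upn from site"
    }
    Disconnect-PnPOnline
}
Disconnect-MgGraph | Out-Null
```

Run the Graph part first and the site sweep second, as written: once sign-in is blocked the leaver cannot race the cleanup, and the check-in step runs as your account, so it works even though theirs is already disabled.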

Removing External Users

# Remove an external user from the SharePoint Online tenant (requires the
# Microsoft.Online.SharePoint.PowerShell module and the SharePoint Administrator role)
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
Remove-SPOExternalUser -UniqueIDs (Get-SPOExternalUser -Filter "contractor@agency.com").UniqueId

This clears the user from SharePoint's external user list, which removes their access to everything that was shared with them in this tenant. The guest object itself stays in Entra ID until you delete it there (Remove-MgUser), so pair the two when a contractor engagement ends, otherwise the guest can be re-shared to with a single click.

SSO and Azure AD Integration

SharePoint Online uses Azure AD (Entra ID) natively for all authentication. No additional SSO configuration is needed for internal users.

Conditional Access Policies

Control SharePoint access conditions in Azure AD:

  1. Go to the Microsoft Entra admin center > Protection > Conditional Access (also reachable via Azure Portal > Azure Active Directory > Security > Conditional Access)
  2. Create a new policy:
    • Users: All users or specific groups, with an exclusion group for your break-glass accounts so a misconfigured policy cannot lock out every administrator
    • Target resources (Cloud apps): Office 365 SharePoint Online
    • Conditions: Device state, location, client apps
    • Grant: Require MFA, compliant device, or approved app
  3. Turn the policy on in Report-only mode first, review the sign-in logs for what it would have blocked, then switch it to On

SharePoint Server On-Premises (Active Directory)

For SharePoint Server, users come from Active Directory. Run this in the SharePoint Management Shell (or load the snap-in with Add-PSSnapin Microsoft.SharePoint.PowerShell) as an account with rights on the web application:

# Add an AD user to a SharePoint Server site
$web = Get-SPWeb "https://sharepoint.company.com/sites/intranet"
# EnsureUser resolves the AD account and returns a claims-encoded SPUser
# (i:0#.w|DOMAIN\jdeveloper), which is what claims-based web applications expect
$user = $web.EnsureUser("DOMAIN\jdeveloper")
$group = $web.SiteGroups["Intranet Members"]
$group.AddUser($user)
$web.Dispose()

Access Audit Checklist

  • Run Get-PnPUser | Export-Csv users.csv quarterly on each site to export all users with permissions
  • Check Azure AD Sign-in logs for SharePoint access from unexpected locations
  • Review external sharing settings in the SharePoint Admin Center
  • Audit site collection administrators across the tenant (Get-SPOSite returns only 200 sites unless you pass -Limit All): Get-SPOSite -Limit All | ForEach-Object { $site = $_.Url; Get-SPOUser -Site $site -Limit All | Where-Object { $_.IsSiteAdmin } | Select-Object @{n='Site';e={$site}}, LoginName }
  • Verify Conditional Access policies are enforced for SharePoint
  • Review each site's administrators with Get-PnPSiteCollectionAdmin, and look for orphaned entries: accounts returned by Get-PnPUser that are disabled or no longer exist in Entra ID but still hold permissions
  • Review sharing links: Site settings > Site usage > Shared with external users
  • Document all permission changes in your IT service management tool
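Most of the checklist can be scripted. Here is an added example (not from the original page) of a quarterly audit that exports every user on a list of sites and flags external users, site collection administrators, and orphaned entries whose Entra account is disabled or gone. It assumes PnP.PowerShell with your own app registration (placeholder -ClientId), Microsoft.Graph with the User.Read.All scope, and a placeholder site list.

```powershell
# Added example: cross-site access audit with Entra ID cross-check.
# ClientId and the site list are placeholders.
$ClientId = "00000000-0000-0000-0000-000000000000"
$Sites = @(
    "https://contoso.sharepoint.com/sites/marketing",
    "https://contoso.sharepoint.com/sites/sales"
)

Connect-MgGraph -Scopes "User.Read.All" -NoWelcome
$directoryCache = @{}   # address -> $true (enabled) / $false (disabled) / $null (not found)

function Get-DirectoryState([string]$Address) {
    # Members resolve by UPN; guests carry their real address in the mail attribute.
    if (-not $directoryCache.ContainsKey($Address)) {
        $safe = $Address.Replace("'", "''")
        $u = Get-MgUser -Filter "userPrincipalName eq '$safe' or mail eq '$safe'" -Property AccountEnabled -Top 1
        $directoryCache[$Address] = if ($u) { [bool]$u.AccountEnabled } else { $null }
    }
    return $directoryCache[$Address]
}

$report = foreach ($url in $Sites) {
    Connect-PnPOnline -Url $url -Interactive -ClientId $ClientId
    $admins = (Get-PnPSiteCollectionAdmin).LoginName
    foreach ($u in Get-PnPUser | Where-Object { $_.PrincipalType -eq "User" }) {
        $isExternal = $u.LoginName -like "*#ext#*"
        $state = if ($u.Email) { Get-DirectoryState $u.Email } else { $null }
        [pscustomobject]@{
            Site           = $url
            Login          = $u.LoginName
            Email          = $u.Email
            IsSiteAdmin    = $admins -contains $u.LoginName
            IsExternal     = $isExternal
            AccountEnabled = $state
            # Disabled accounts keep their permissions; they come straight back if re-enabled.
            Finding        = if ($null -eq $state) { "ORPHANED" }
                             elseif (-not $state)  { "DISABLED-STILL-PERMISSIONED" }
                             elseif ($isExternal)  { "EXTERNAL" }
                             else { "" }
        }
    }
    Disconnect-PnPOnline
}

$report | Export-Csv -Path ".\spo-access-audit.csv" -NoTypeInformation
$report | Where-Object Finding | Format-Table Site, Email, IsSiteAdmin, Finding -AutoSize
Disconnect-MgGraph | Out-Null
```

Treat an ORPHANED site administrator as a priority finding: the directory object is gone, so nothing in Entra will ever clean it up, and the entry stays until someone removes it from the site.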