How to Restrict Access to a Folder in SharePoint

Restricting access to a SharePoint folder requires breaking its permission inheritance from the parent library, then manually controlling who can view or edit its contents. By default, every folder in a document library inherits the same permissions as the library itself, so anyone with access to the library can open every folder inside it. To lock down a specific folder, you need to override that default behavior.

How Permission Inheritance Works

SharePoint uses a cascading permission model. A site has permissions, each document library within it inherits those permissions, and every folder and file inside the library inherits from the library. This means if 50 people have access to your “Marketing” document library, all 50 can open every folder inside it unless you explicitly change that.

Restricting a folder means breaking this chain for that specific folder, removing the people who shouldn’t have access, and keeping only the ones who should. Once you break inheritance, changes to the parent library’s permissions no longer flow down to that folder automatically. You manage its access list independently from that point forward.

One hard limit to know: if a folder contains more than 100,000 items, SharePoint won’t let you break permission inheritance on it. You’d need to restructure the content into smaller folders or use a separate library instead.

Restrict a Folder Through the SharePoint Interface

This is the most common method and doesn’t require admin tools or scripts. Here’s the process:

• Open the document library that contains the folder you want to restrict.
• Select the folder (click the circle or checkbox next to it, don’t open it).
• Open the details pane by clicking “Manage access” from the toolbar or right-click menu. This shows you everyone who currently has access, including people with direct permissions and anyone who received a sharing link.
• Stop inheriting permissions. Look for the option to stop inheriting from the parent. In classic SharePoint views, this appears as “Stop Inheriting Permissions” on the Permissions page. Once you click it, SharePoint copies the current permissions to the folder as a starting point, but now they’re independent.
• Remove users or groups who shouldn’t have access. Click each person or group and remove their permission level or delete their access entirely.
• Add specific users if needed. Grant access only to the people who should see the folder’s contents, choosing a permission level like “Can view” or “Can edit.”

After breaking inheritance, the folder’s permissions are entirely yours to manage. If you later add someone to the parent library, they won’t automatically get access to this restricted folder.

Remove Sharing Links and Direct Access

Breaking inheritance handles the structural permissions, but sharing links create a separate path into the folder. If someone previously shared the folder or its files using a link, that link may still work even after you change permissions.

Open the “Manage Access” panel for the folder and check two areas. Under “Direct access,” you’ll see individual users and their permission levels. Click any person’s name to change their role or remove them entirely. Under “Links,” you’ll see any sharing links that were generated. You can delete a link by clicking the trash icon next to it, or change what permission level the link grants.

If you want a clean slate, the “Stop sharing” option at the top of the Manage Access dialog disables all sharing links and removes all direct access permissions at once. This is the fastest way to lock a folder down completely before re-adding only the people you want.

Use a Separate Library Instead of Folder Permissions

Breaking inheritance on individual folders works, but it adds management overhead. Every time you onboard or offboard a team member, you need to remember to update permissions on each restricted folder separately. SharePoint also performs better when fewer items have unique permissions, since the system has to evaluate each one individually during searches and page loads.

For content that needs permanent, strict access control, creating a dedicated document library with its own permissions is often a cleaner approach. You set the library’s permissions once at the library level, and everything inside it follows those rules automatically. This avoids the fragility of managing dozens of folders with broken inheritance scattered across a single library.

Apply Sensitivity Labels for Policy-Based Restrictions

Organizations with Microsoft 365 E3 or E5 licensing can use sensitivity labels to enforce access restrictions based on data classification. Sensitivity labels let you encrypt content so that only designated users or groups can open it, regardless of where the file travels. You can set which users have permissions and for how long those permissions last.

When applied to a SharePoint site or container (rather than individual files), sensitivity labels control settings like whether external users can access the site, what sharing options are available, and whether unmanaged devices can reach the content. The label doesn’t automatically tag every file inside, but it governs access to the container itself.

You can also configure labels to apply automatically when files match certain patterns, like documents containing credit card numbers or health records. This approach is useful when the restriction isn’t about a specific folder but about a category of sensitive information that might appear anywhere.

Restrict Folders in Bulk With PowerShell

If you need to restrict access on many folders at once, or you manage SharePoint as part of a larger IT operation, PowerShell scripting with the PnP PowerShell module is far more efficient than clicking through the web interface.

The key cmdlet is Set-PnPFolderPermission. It lets you break inheritance, clear existing permissions, add roles, and remove roles for specific users or groups on any folder. A basic example of restricting a folder:

• Clear all existing permissions: Use the -ClearExisting parameter to wipe the folder’s current access list. This automatically breaks inheritance if it hasn’t been broken already.
• Add specific users: Use -User with -AddRole to grant access to only the people who need it. Role names like “Read” or “Contribute” correspond to SharePoint’s built-in permission levels. You can check available roles with Get-PnPRoleDefinition.
• Remove a specific role: Use -RemoveRole to strip a particular permission level from a user or group without removing all their access.
• Restore inheritance: If you need to undo the restriction later, -InheritPermissions reverts the folder to inheriting from its parent.

The -Identity parameter accepts a folder’s server-relative URL, so you can loop through a list of folder paths in a script to apply restrictions across an entire library in minutes. The -ClearSubScopes parameter is useful when restricting a parent folder and wanting all subfolders beneath it to inherit the new restricted permissions rather than keeping their own unique settings.

Why Restricted Folders May Still Appear

After restricting a folder, you might notice that users who lost access can still see the folder’s name in the library, even though they can’t open it. This happens because of a permission level called “Limited Access,” which SharePoint assigns automatically when a user has permission to something deeper in the hierarchy but not the folder itself. Limited Access lets users navigate to content they do have rights to without being blocked by parent containers along the path.

The folder name being visible doesn’t mean the restriction failed. Users with Limited Access can see that the folder exists, but they can’t open it or view its contents unless they have explicit permission. If even the folder’s existence should be hidden, you’ll need to move that content into a separate document library with its own permissions, since SharePoint doesn’t support hiding individual folders from users who have any level of site access.