SharePoint hub permissions and inheritance
How permissions work for hub sites and their associated sites — what's shared, what isn't, and what to watch out for.
SharePoint hub sites group associated sites under shared navigation, theme, and search scope. But permissions don't propagate between hub and associated sites — each site retains independent permissions, which catches a lot of admins out. Understanding the model prevents surprise access scenarios.
What hub association shares
When a site associates to a hub, it inherits:
- Top navigation from the hub.
- Theme and branding from the hub.
- Search scope — searches from any associated site search across the hub.
- News roll-up — the hub's news web part can show news from all associated sites.
What it does NOT inherit:
- Permissions — each site retains its own membership and access controls.
- Sensitivity label — each site has its own (if any).
- External sharing settings — each site is independently configured.
- Storage quota — each is independent.
- Site collection admins — separate.
Why this matters
A common misconception: "the hub is private to a group, so the associated sites are private too." False — each site's access is determined by its own permissions.
Practical implications:
- Sensitive site associated to public hub — the sensitive site stays private. The hub navigation may show its name, but content access requires explicit permission to that site.
- Public site associated to internal hub — the public site stays publicly accessible. The hub's restrictions don't override.
- Internal users see hub navigation — but clicking through to a restricted site still requires permission to that site.
Audience targeting in hubs
For navigation that should show different items to different audiences, audience targeting in hub navigation lets you scope individual nav links:
- HR portal link visible to all employees.
- Executive resources link visible only to executives group.
- HR business partners link visible only to HRBP group.
Configure in hub navigation → Edit → toggle audience targeting. Pair with Entra ID groups for clean filtering.
Hub-level access governance
For hubs themselves:
- Hub site owners can change hub settings, navigation, theme.
- Anyone with site collection admin rights on an associated site can disassociate that site from the hub.
- Hub designation requires SharePoint Admin role at the tenant level.
There is no "hub members" group: a hub has no membership of its own, and permissions are set at the site level.
Common operational issues
"Why can users see this hub but not access the site?"
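That's working as designed: the hub navigation shows that the site exists, but access requires per-site permission. To avoid showing the site to users who cannot open it, use audience targeting on the navigation link. Targeting only hides the link; access is still decided by the site's own permissions.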
"Permissions changed on the hub but not the sites"
Changing hub settings doesn't affect site permissions. Changing site settings affects only that site. Mass permission changes require iterating across all associated sites.
"Sensitivity label on the hub but sites still over-share"
A label on the hub site applies only to the hub. Each associated site's label is independent. For tenant-wide sensitivity-label governance on hubs and associated sites, use container labels applied at site creation, with appropriate site-creation policies.
Hub disassociation
Sites can disassociate from a hub — voluntarily by the site owner, or by the SharePoint Admin. On disassociation:
- Site loses hub navigation, theme, search scope.
- Site retains its own content, permissions, settings.
- News articles from the site no longer roll up to the hub.
Disassociation is non-destructive — the site continues independently.
Best practices
- Document hub permissions design — what the hub-associated-site relationship means in your tenant.
- Audit periodically which sites are associated to which hubs.
- Use audience targeting for navigation rather than expecting permissions to filter.
- Apply sensitivity labels to each site independently rather than relying on hub inheritance.
- Train site owners on the hub model — many think hub means hierarchy of permissions.
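One way to run the periodic audit, as an added example that is not part of the original page: it lists every hub-associated site next to its hub and flags where the external sharing setting or sensitivity label differs, which makes the per-site independence visible. It assumes the SharePoint Online Management Shell, a placeholder admin URL (`contoso-admin`), and that `Get-SPOSite -Limit All` populates `HubSiteId`, `SharingCapability` and `SensitivityLabel` in your module version.

```powershell
# Added example, not from the original page. Assumes the SharePoint Online
# Management Shell module and the SharePoint Admin role.
# 'contoso-admin' is a placeholder tenant name.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

$sites = Get-SPOSite -Limit All
$empty = [guid]::Empty.ToString()

# Index hubs by ID and sites by URL so each association can be resolved.
$hubById = @{}
foreach ($hub in Get-SPOHubSite) { $hubById[[string]$hub.ID] = $hub }
$siteByUrl = @{}
foreach ($s in $sites) { $siteByUrl[$s.Url.TrimEnd('/')] = $s }

$report = foreach ($site in $sites) {
    $hubId = [string]$site.HubSiteId
    # Skip unassociated sites and the hub sites themselves.
    if (-not $hubId -or $hubId -eq $empty -or $site.IsHubSite) { continue }

    $hub     = $hubById[$hubId]
    $hubSite = if ($hub) { $siteByUrl[$hub.SiteUrl.TrimEnd('/')] }

    [pscustomobject]@{
        Hub            = if ($hub) { $hub.Title } else { "unknown hub $hubId" }
        SiteUrl        = $site.Url
        SiteSharing    = $site.SharingCapability
        HubSharing     = $hubSite.SharingCapability
        SiteLabel      = $site.SensitivityLabel
        HubLabel       = $hubSite.SensitivityLabel
        # True where the site's setting differs from its hub's: nothing was
        # inherited, so each difference is a per-site decision to review.
        SharingDiffers = $hubSite -and ($site.SharingCapability -ne $hubSite.SharingCapability)
        LabelDiffers   = $hubSite -and ("$($site.SensitivityLabel)" -ne "$($hubSite.SensitivityLabel)")
    }
}

$report | Sort-Object Hub, SiteUrl | Format-Table -AutoSize
```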
For organisations using hubs to organise SharePoint at scale, treating each site's permissions as independent — and using audience targeting where filtering is needed — produces cleaner governance. Trying to bend the hub model into a hierarchical permissions structure produces frustration; embracing the independence works.