Permission Migration Watchpoints
Important Change — Effective Mid-February 2026
Google Drive has changed how permissions work. Folders that were previously hidden from certain users in SharePoint/OneDrive will now appear greyed out in Google Drive. Users still cannot access the content — only the visibility has changed.
What's Changing?
When migrating from Microsoft 365 (SharePoint, OneDrive, Teams) to Google Drive, you may notice that some folders appear differently than in the source.
Key Point: This is a Google platform change, not a CloudM limitation. Google has redesigned how restricted folders work based on user feedback that hidden folders caused confusion.
The Change Explained
| Scenario | Before (SharePoint) | After (Google Drive) |
|---|---|---|
| User removed from a subfolder | Folder is hidden — user cannot see it | Folder is greyed out — user can see it but cannot access |
| User removed from a file | File is hidden — user cannot see it | File is in a greyed-out wrapper folder |
| User has same or more access on child | Normal visibility | Normal visibility (No change) |
Example 1: Restricted Subfolder
This example shows what happens when a team has access to a parent folder, but one subfolder has been restricted.
Scenario
The Sales Team has Edit access to the /Sales/ folder in SharePoint. However, the /Sales/Forecasts/ subfolder has been restricted — only the Finance Team can access it.
Source (SharePoint)
📁 Sales (Sales Team: Edit)
📁 Public (Sales Team: Edit)
📁 Forecasts (Sales Team: Removed, Finance: Edit)
Sales Team sees: Only "Sales" and "Public" folders. "Forecasts" folder is completely hidden.
Target (Google Drive)
📁 Sales (Sales Team: Editor)
📁 Public (Sales Team: Editor)
📁 Forecasts [GREYED OUT] (Sales Team: No Access)
Sales Team sees: All three folders. "Forecasts" appears greyed out and cannot be opened.
What this means: Sales Team members will now see that a "Forecasts" folder exists, but they still cannot access it. The folder name is visible, but the contents remain private.
Example 2: Restricted File (Wrapper Folder)
When a specific file has different permissions than its parent folder, a wrapper folder is created to contain it.
Scenario
User B has Edit access to the /Reports/ folder, but has been removed from the salary-data.xlsx file.
Source (SharePoint)
📁 Reports (User B: Edit)
📄 Q1-summary.docx (User B: Edit)
📄 salary-data.xlsx (User B: Removed)
User B sees: Reports folder and Q1-summary.docx only. salary-data.xlsx is hidden.
Target (Google Drive)
📁 Reports (User B: Editor)
📄 Q1-summary.docx (User B: Editor)
📁 _salary-data.xlsx/ [GREYED OUT] (User B: No Access)
📄 salary-data.xlsx
User B sees: Reports folder, Q1-summary.docx, and a greyed-out wrapper folder.
The wrapper folder name reveals the file name.
Why wrapper folders? Google Drive no longer allows files to have more restrictive permissions than their parent folder. The wrapper folder is created to enforce the restriction while keeping the file in its logical location.
Example 3: Scenarios With No Change
Many permission structures migrate without any visible change:
| Scenario | Result |
|---|---|
| All users have the same access to parent and child | No change — Permissions migrate directly |
| User has more access on child than parent (e.g., Viewer → Editor) | No change — Google supports permission upgrades |
| User is added to a child folder (but not on parent) | No change — Direct share applied |
Shared Drive Considerations
If your migration destination is a Shared Drive, there are additional considerations beyond the visibility changes described above.
Manager Visibility
Users with the Manager role (organizers) on a Shared Drive will always see Limited Access folders as greyed out. This is Google platform behaviour and cannot be changed. Regular members (Content Managers, Contributors, Viewers) will see restricted folders as greyed out and cannot access them.
Permission Placement Settings
When migrating to a Shared Drive, CloudM Migrate provides two settings that control where permissions are applied:
| Setting | Options | What It Controls |
|---|---|---|
| Shared Drive Folder Permissions | Folder, Root, None | Where folder-level SharePoint/OneDrive permissions are applied |
| Shared Drive File Permissions | File, Root, None | Where file-level SharePoint/OneDrive permissions are applied |
How Each Option Works
| Option | Behaviour |
|---|---|
| Folder / File | Permissions are applied to each individual folder or file. Each item's permissions match the source SharePoint permissions exactly. |
| Root | The top-level source folder's permissions are applied to the Shared Drive root. Due to Google Drive's expansive access model, these permissions cascade to all content in the drive, establishing each user's minimum access level. Subfolder permissions can grant additional access above this baseline but cannot restrict below it. |
| None | Permissions are not applied for that item type. |
Recommended Configuration
For most SharePoint/OneDrive migrations to Shared Drives, we recommend Folder for folder permissions and File for file permissions. This produces the most accurate permission mapping — each item's access matches the source.
Use Root only when the top-level folder's permissions represent the access level you want users to have across the entire Shared Drive. Be aware that root-level permissions cascade to all content — a user with Viewer access at the root will have Viewer access to every folder and file in the drive.
Note: The examples in this document show permissions applied to individual folders and files, which reflects the Folder / File setting. With the Root setting, top-level permissions cascade to the entire drive, so users will have at minimum the access level of the top-level folder on all items.
Pre-Migration Recommendations
To minimise unexpected visibility changes, consider these steps before migration:
1. Review Sensitive Folder Names
Folders with restricted access will be visible (greyed out) after migration. If any folder names contain sensitive information, consider renaming them before migration.
Examples of potentially sensitive folder names:
- Redundancy Plans 2026 — Consider renaming to HR-Confidential-001
- Salary Reviews - Marketing — Consider renaming to Finance-Restricted
- Legal - Acquisition Target — Consider renaming to Legal-Confidential
2. Simplify Permission Structures (Optional)
If possible, restructure content so that restricted items are in separate top-level folders rather than nested within shared folders.
3. Communicate with End Users
Inform users that they may see greyed-out folders after migration. Emphasise that:
- They still cannot access the content
- This is Google's intended design
- The folder structure is preserved for easier navigation
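A pre-migration audit sketch for steps 1 and 2, added here as an example and not CloudM's own code. It walks a source permission tree and lists the names removed principals will see under the Folder / File setting, and the source removals that the Root setting would not enforce. The `Item` model, the function names and the sample trees (including `FY26.xlsx` and the `HR` principal) are assumptions, and only full removal is modelled, not a reduced role.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Item:
    name: str
    kind: str                       # "folder" or "file"
    acl: Optional[dict] = None      # {principal: role}; None = inherits from parent
    children: list = field(default_factory=list)

def walk(item, parent_acl=None, path=""):
    """Yield (path, kind, parent ACL, effective ACL) for item and all descendants."""
    acl = item.acl if item.acl is not None else (parent_acl or {})
    here = f"{path}/{item.name}"
    yield here, item.kind, parent_acl or {}, acl
    for child in item.children:
        yield from walk(child, acl, here)

def name_exposures(root):
    """Folder / File setting: names that principals removed on a child will now see."""
    return [(who, path, "greyed-out folder" if kind == "folder" else "greyed-out wrapper folder")
            for path, kind, parent, acl in walk(root)
            for who in sorted(set(parent) - set(acl))]

def root_overgrants(root):
    """Root setting: the top-level ACL is a floor, so these source removals are lost."""
    return [(who, path, role)
            for path, _, _, acl in walk(root)
            for who, role in sorted(root.acl.items()) if who not in acl]

# Constructed sample mirroring Examples 1 and 2 (FY26.xlsx and HR are made up).
SALES = Item("Sales", "folder", {"Sales Team": "Edit"}, [
    Item("Public", "folder"),
    Item("Forecasts", "folder", {"Finance": "Edit"}, [Item("FY26.xlsx", "file")]),
])
REPORTS = Item("Reports", "folder", {"User B": "Edit", "HR": "Edit"}, [
    Item("Q1-summary.docx", "file"),
    Item("salary-data.xlsx", "file", {"HR": "Edit"}),
])

if __name__ == "__main__":
    for tree in (SALES, REPORTS):
        for who, path, how in name_exposures(tree):
            print(f"[Folder/File] {who} will see {path} as a {how}")
        for who, path, role in root_overgrants(tree):
            print(f"[Root] {who} keeps {role} on {path} despite source removal")
```

Names reported by `name_exposures` are the ones to review for renaming. Any output from `root_overgrants` means the Root setting would widen access for that tree.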
Frequently Asked Questions
Q: Can users access the greyed-out folders?
A: No. Greyed-out folders indicate "Limited Access" — users can see the folder exists but cannot open it, view its contents, or access any files within it. The access restriction is fully enforced.
Q: Why can users now see folder names they couldn't see before?
A: This is a Google design decision based on user research. Google found that completely hidden folders caused confusion — users didn't understand why some colleagues could see items they couldn't. Making restricted folders visible (but greyed out) provides clarity about the folder structure while maintaining security.
Q: Can we hide the greyed-out folders?
A: No. Google's new permission model does not support hiding folders from users who have access to the parent. This is a platform-level change that affects all Google Drive usage, not just migrations.
Q: What is a "wrapper folder" for files?
A: Google Drive now requires files to have the same or more permissive access than their parent folder. When a file has more restrictive permissions, we create a wrapper folder (named after the file) to contain it. This wrapper folder is set to "Limited Access" and appears greyed out to excluded users.
Q: Will this affect my migration timeline?
A: Migrations with complex permission structures may take slightly longer due to the additional processing required. However, this approach (Limited Access) has the lowest performance impact compared to alternative methods.
Q: What about Teams files?
A: Microsoft Teams files are stored in SharePoint document libraries. The same rules apply — if a folder within a Team's files has restricted access, it will appear greyed out in Google Drive after migration.
Summary
| What's Happening | Why | User Impact |
|---|---|---|
| Restricted folders appear greyed out | Google's new permission model | Folder names visible, content still protected |
| Restricted files get wrapper folders | Files must inherit from parent folder | File names visible via wrapper, content protected |
| Folder hierarchy preserved | Maintains navigation context | Users see familiar structure |