johnjohn-Peter
Apr 11, 2025

Read-Only permission is able to create new list item using the list forms shared with them

I have 2 users: Admin & Test User. Now I created a new custom list >> and I granted the Test User Read permission on the list, as follows:

So when the Test user accesses the list >> they cannot add/edit items, which is logical.

Now using the admin user, I created a new list form >> and I copied the form link and sent it to the test user:

Then the test user was able to add a new list item through the form:

So how come a user with Read-Only permission is able to do so? I need a fix for this, please, as this can break our business logic and security constraints.

Thanks

3 Replies

  • johnjohn-Peter This is how Microsoft have designed the new SharePoint Forms - it allows users without any permissions (even without read) to submit items to the list - but they can't see any items.

    So, you can have a list where a user has no permissions whatsoever, and the first time they use the SharePoint Form (via the link you provided) it automatically adds two roles to the user on the list - Limited Access and Submit Files. This allows the user to add items to the list but that's it.

    One caveat - initially the user wouldn't have any permissions to the list - so they get access denied when they try to navigate directly to the list. But after they submit an item via the Form and are granted Limited Access on the list and are now able to navigate to the list - they just don't see any items. And if they try to export to Excel it won't show any records - even the ones they submitted.

    So, this is by design - but yes, something that many users across businesses don't realise when they are creating these new Microsoft List or SharePoint Forms.

    If you don't want ANYONE to be able to submit items to your list, then you shouldn't be using SharePoint Forms.
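
To see which principals have picked up the two roles named in the reply above on a given list, an audit along these lines can be run. This is an added example, not code from the thread or from Microsoft; it assumes the PnP.PowerShell module, and `$SiteUrl`, `$ListTitle` and `$ExpectedSubmitters` are placeholders.

```powershell
# Added example, not from the thread. Requires the PnP.PowerShell module.
# $SiteUrl, $ListTitle and $ExpectedSubmitters are placeholders to fill in.
param(
    [Parameter(Mandatory)] [string] $SiteUrl,
    [Parameter(Mandatory)] [string] $ListTitle,
    [string[]] $ExpectedSubmitters = @()   # login names allowed to submit via the form
)

# Role names as quoted in the reply above; display names can differ per
# tenant language, so confirm them in the site's permission levels first.
$WatchedRoles = @('Limited Access', 'Submit Files')

# Authentication options vary by tenant and module version; adjust as needed.
Connect-PnPOnline -Url $SiteUrl -Interactive

$list = Get-PnPList -Identity $ListTitle -Includes HasUniqueRoleAssignments, RoleAssignments
if (-not $list) { throw "List '$ListTitle' not found on $SiteUrl" }

Write-Host "Unique permissions on list: $($list.HasUniqueRoleAssignments)"

$findings = foreach ($ra in $list.RoleAssignments) {
    # Load the principal and the permission levels bound to it on this list.
    Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null

    $roles = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })
    $hits  = @($roles | Where-Object { $WatchedRoles -contains $_ })
    if ($hits.Count -eq 0) { continue }

    [pscustomobject]@{
        Principal  = $ra.Member.LoginName
        Title      = $ra.Member.Title
        Type       = $ra.Member.PrincipalType
        Roles      = $roles -join '; '
        Unexpected = $ExpectedSubmitters -notcontains $ra.Member.LoginName
    }
}

# Principals holding the watched roles, with those not on the expected list first.
$findings | Sort-Object Unexpected -Descending | Format-Table -AutoSize
```

Limited Access is also assigned for other reasons (for example item-level sharing), so treat a hit as something to review rather than proof that the form was used.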

  • Greetings John, as far as I understand your query:

    You gave a user (Test User) Read-Only access to a SharePoint list. As expected, when they open the list directly, they cannot add, edit, or delete items.

    However, after you (Admin) created a custom list form and shared the form link with the Test User, they were able to submit a new list item—even though they only have read permission. This behavior can affect your business rules and security expectations.

     

    Why is This Happening?

     

    This issue occurs because of how SharePoint and Power Apps handle permissions on shared forms.

    If you share a custom form (like one built in Power Apps or customized via SharePoint), it can sometimes run with elevated permissions—specifically, the permissions of the person who created or shared the form. This means:

      • Even if the user only has Read access to the list,
      • The form might still allow them to add new items,
      • Because it is running under the permissions of the Admin or whoever created the form.


    Possible Fix that could help:

     

    Here are several ways to lock down the list and prevent Read-Only users from submitting data through shared forms.

     

    1. Restrict Access to the Form

    If your form was built using Power Apps:

      • Go to Power Apps
      • Open the app or form you shared
      • Click on "Share"
      • Make sure only users who should be able to submit items are granted access
      • Remove any users (like Test User) who should not have editing rights
      • In the app settings, check whether the app is set to run as the "Creator" or as the "User"
      • Set it to run as the User so that their actual permissions apply

    2. Adjust Item-Level Permissions in the SharePoint List

    To prevent anyone from adding items unless explicitly allowed:

      • Open your list
      • Go to Settings > List Settings > Advanced Settings
      • Under Item-level Permissions, configure:
          • Read access: "Read items that were created by the user"
          • Create access: "None"

    This setting enforces stricter control and ensures that users cannot add new items through any form or method unless they have specific permissions.

    3. Break Permissions on the Form Page

    If the form is shared on a SharePoint page or embedded in a modern list form:

      • Go to the page where the form is hosted
      • Click Settings > Site Contents, find the page or form
      • Select Manage Permissions
      • Break inheritance
      • Remove users like Test User or ensure they only have view-only access to the form page

    This ensures that they cannot use the form unless they have proper list permissions as well.

     

    Kindly check and let us know if this could fix your issue.

    Kind Regards,

    Manik :)

    • johnjohn-Peter

      Just_Being_Manik 

      First, this issue will not happen with Power Apps, as Power Apps interacts with SharePoint using the logged-in user's credentials, so if the user does not have access to the list or has read-only access to the list, then the user will never be able to add a new item through Power Apps, even if the app is shared with the user. The issue is happening specifically with list forms. Also, I am not sure what list settings such as "Item-level Permissions" have to do with this, as they target a different scenario, where they allow users to only view items created by them, or only edit items created by them. It does not have to do with the issue I am referring to.
