When we migrate SharePoint on-premise site to SharePoint Online version and we start validating the permission, sometimes permissions what we see are not correct! Let us look at the scenario.
How permission works for Modern team site?
There are the places from where permissions are managed:
- Direct User/ AD Security/Domain group permission to the Site/List/Item
- SharePoint Groups
- Office 365 group
When we create a Modern Team Site Collection, it comes with Associated Owners, Associated Members and Associated Visitors groups:
It also creates an Office 365 group. Members group of this group is added to SP Members whereas Owners group of this group is added in SP Owner group (Hidden in UI). That’s how Owners/Members of Office 365 group gets access to SharePoint site.
What are the issues?
When we migrate on premise site with different title to this site, associated groups of the source site would be mapped as associated groups of this site. Following are the scenario when permission differs from what it shows in UI:
- Many times, it happens that existing SP groups (initially mapped as associated groups) of the destination site would lose the access to the site.
- Associated groups in source don’t have access to the source site resulting no access to destination site as well. Please note, this happens only during migration. In general, if we set some group as associated group from UI, it gets the appropriate access to the site.
For Case 1, we see Office 365 group lose access from the site as soon as initial members group lose access from site. Office 365 group owners would still have access since they are also added as site collection administrators.
But we still see old members as the site members in portal when we look at the members list.
For Case 2, It shows the Site Owners, Members and Visitors (Settings>Site Permissions) even though users are not having access. Root cause of the issue is the that these users are shown from site’s associated SP groups which have no access after migration.
To solve these issues, we need to make sure that the groups which were created during SPO Modern site creation, remain the associated Owners/Members/Visitors groups of the site and these groups are having appropriate access. We can make these changes either from UI or we can write powershell/csom code.
To change the associated groups from portal, please visit <site url>/_layouts/15/permsetup.aspx page and set the groups accordingly.