There are many reasons why customers choose modern SharePoint sites over classic ones. Modern sites are faster, much cleaner and responsive, with an enhanced feature set compared to classic sites. However, it is a bit of a pain to understand how permissions work for an Office 365 group-connected modern team site. They are neither fully managed in SharePoint, nor do we get a complete picture of how the site is integrated with the Office 365 group.
Everything is hunky-dory as long as nobody fiddles with the permissions, which can be changed at many points. Here is a situation. When we add a set of users as owners of the Office 365 group, where do those users show up in the SharePoint site? You may find a “<Site Name> Owners” user among the site collection administrators, but did you check what happens if you remove that account from the “Site Collection Administrators” group? The users would still have owner access to the site! Now, if you try to add that account back to the site, either as a direct user or as a member of any SharePoint group, GOTCHA! You cannot do that from the user interface. There are more confusing permission behaviours like this when we deal with a group-connected team site.
In this article, I will try to explain how permissions work overall for a group-connected modern team site.
Where is permission managed for Group Connected Modern Team Site?
Permissions are managed from the following places:
- Direct User/ AD Security/Domain group permission to the Site/List/Item
- SharePoint Groups
- Office 365 group
I am assuming that the reader has a fair idea of how permissions with SharePoint groups and users work in general for any SharePoint site. I am going to skip that part in the interest of time and concentrate on the Office 365 group related permission setup.
What happens when a Group Connected Modern Team site is created?
When we create a group-connected modern team site, the following permission changes take place:
- It comes with Associated Owners, Associated Members and Associated Visitors groups. The associated groups can be checked at the following URL under the site: /_layouts/15/permsetup.aspx
- As soon as the site is created, an Office 365 group is also created. By default the group name is the site title. Two new claim accounts are created, in the format given below:
- Account: c:0o.c|federateddirectoryclaimprovider|<group guid> ; Name: “<Site Name> Members” ; Comment: all Office 365 group members are part of this account
- Account: c:0o.c|federateddirectoryclaimprovider|<group guid>_o ; Name: “<Site Name> Owners” ; Comment: all Office 365 group owners are part of this account
The “<Site Name> Members” account is added to the associated members group and the “<Site Name> Owners” account is added to the associated owners group. The “<Site Name> Owners” account is hidden from the site permissions UI.
- The “<Site Name> Owners” account is also added as a site collection administrator, which gives site collection admin rights to all Office 365 group owners.
Note: As explained at the beginning of the article, if we remove the “<Site Name> Owners” account from the Site Collection Administrators list, we cannot add it back from the user interface, since Microsoft does not let us pick this hidden account from the UI. It can still be added back by its claim login name through PowerShell or the API.
How can we manage users in Office 365 group?
The whole idea of driving permissions through the Office 365 group is to manage them from a single group: any change made to the group membership is applied to the different components of Office 365 like SharePoint, MS Teams, Stream, Yammer etc. The same group can be managed from any of the following places:
- Office 365 admin center>Groups
- Azure Active Directory>Group
- MS Teams > Select team> Manage Team
- Outlook> Groups
- Modern Team Site >Site Permission
- MS Stream>Groups>Membership
Possible areas where we can run into permission issues
A. Associated groups lose permission on the site
The members of the associated groups are shown as site users in the site permissions popup.
If for any reason an associated group loses its permission on the site, the popup still shows the same users, which can confuse the admin who manages the site's permissions. I have a separate article on this; please go through it if you want more insight into the issue.
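To tell whether an associated group has really lost its permission, look at the role assignments on the root web rather than at the popup, which only lists group membership. The script below is an added example and not code from the original article; it assumes the PnP.PowerShell module, a connecting account that is a site collection administrator, and a placeholder site URL.

```powershell
# Added example (not the article's own code): compare what the site permissions popup shows
# (membership of the associated groups) with what actually grants access (role assignments
# on the root web). Assumes the PnP.PowerShell module; the site URL is a placeholder.
$SiteUrl = "https://contoso.sharepoint.com/sites/ProjectX"   # placeholder, replace with your site
Import-Module PnP.PowerShell
Connect-PnPOnline -Url $SiteUrl -Interactive

# Map principal id -> role definitions granted on the root web.
$web = Get-PnPWeb -Includes RoleAssignments
$grants = @{}
foreach ($ra in $web.RoleAssignments) {
    $null = Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings
    $grants[$ra.Member.Id] = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
}

# The three associated groups are what the modern "Site permissions" panel lists users from.
$associated = @(
    (Get-PnPGroup -AssociatedOwnerGroup),
    (Get-PnPGroup -AssociatedMemberGroup),
    (Get-PnPGroup -AssociatedVisitorGroup)
)

$report = foreach ($g in $associated) {
    $memberCount = @(Get-PnPGroupMember -Group $g).Count
    # No entry in $grants means the group has no role assignment on the web at all,
    # even though its members still appear in the popup.
    $perm = if ($grants.ContainsKey($g.Id)) { $grants[$g.Id] } else { "NONE (group lost its permission on the web)" }
    [pscustomobject]@{
        AssociatedGroup = $g.Title
        MembersInGroup  = $memberCount
        PermissionOnWeb = $perm
    }
}
$report | Format-Table -AutoSize
```

A group reporting NONE with a non-zero member count is exactly the confusing state described above: users are listed, but nothing on the web grants them anything.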
B. Office 365 group related accounts (“<Site Name> Members” and “<Site Name> Owners”) are removed from the SharePoint Members/Owners groups and/or the site collection administrators list
If the Office 365 group related accounts are removed from the SharePoint Site Members or Site Owners groups, the members of the Office 365 group immediately lose access. Additionally removing the “<Site Name> Owners” account from the site collection administrators list can take away the group owners' permission on the site as well.
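The two claim accounts described in the creation section can be audited, and put back when they have been removed, by their claim login names, which is the part the user interface refuses to do. The script below is an added example, not code from the original article; it assumes the PnP.PowerShell module (with the Get-PnPGroupMember / Add-PnPGroupMember cmdlet names of that module), a connecting account that is still a site collection administrator, and a placeholder site URL.

```powershell
# Added example (not the article's own code): audit the two Office 365 group claims a
# group-connected team site depends on and, with -Repair, put back whatever is missing.
# Assumes the PnP.PowerShell module and a connecting account that is still a site
# collection administrator. The site URL is a placeholder.
param(
    [string]$SiteUrl = "https://contoso.sharepoint.com/sites/ProjectX",   # placeholder
    [switch]$Repair
)

Import-Module PnP.PowerShell
Connect-PnPOnline -Url $SiteUrl -Interactive

# A group-connected site stores the Office 365 group id on the site collection.
$site = Get-PnPSite -Includes GroupId
if ($site.GroupId -eq [Guid]::Empty) { throw "$SiteUrl is not connected to an Office 365 group." }

# Both claims derive from the group id; the owners claim is the members claim plus "_o".
$membersClaim = "c:0o.c|federateddirectoryclaimprovider|$($site.GroupId)"
$ownersClaim  = "${membersClaim}_o"

# 1. Site Collection Administrators: the hidden "<Site Name> Owners" account should be here.
$adminLogins   = @(Get-PnPSiteCollectionAdmin | ForEach-Object { $_.LoginName })
$ownersIsAdmin = $adminLogins -contains $ownersClaim

# 2. Associated groups: members claim in the Members group, owners claim in the Owners group.
$ownerGroup  = Get-PnPGroup -AssociatedOwnerGroup
$memberGroup = Get-PnPGroup -AssociatedMemberGroup
$ownersInGroup  = @(Get-PnPGroupMember -Group $ownerGroup  | ForEach-Object { $_.LoginName }) -contains $ownersClaim
$membersInGroup = @(Get-PnPGroupMember -Group $memberGroup | ForEach-Object { $_.LoginName }) -contains $membersClaim

[pscustomobject]@{
    OwnersClaimIsSiteCollectionAdmin = $ownersIsAdmin
    OwnersClaimInAssociatedOwners    = $ownersInGroup
    MembersClaimInAssociatedMembers  = $membersInGroup
} | Format-List

if (-not $Repair) { return }

# The site permissions UI cannot pick the hidden owners account, but the API accepts the
# claim login name, so the repair is simply re-adding the claims where they are missing.
if (-not $ownersIsAdmin) {
    Add-PnPSiteCollectionAdmin -Owners $ownersClaim
    # Equivalent with the SharePoint Online Management Shell:
    #   Set-SPOUser -Site $SiteUrl -LoginName $ownersClaim -IsSiteCollectionAdmin $true
}
if (-not $ownersInGroup)  { Add-PnPGroupMember -LoginName $ownersClaim  -Group $ownerGroup }
if (-not $membersInGroup) { Add-PnPGroupMember -LoginName $membersClaim -Group $memberGroup }
```

Run it without -Repair first; all three values should be True on a healthy site. Any False is one of the removals described in this section, and the repair branch only touches the entries that are actually missing.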
So be careful when handling a group-connected modern team site, and enjoy the benefits of seamless, centralized permission management in Office 365.
Possible areas of improvement expected from Microsoft
Finally, one area I found not so convenient is the scope of the “<Site Name> Members” and “<Site Name> Owners” accounts. These accounts are confined to the SharePoint space only. We cannot find these claims when we try to use them elsewhere, for example when setting permissions for a label in the Microsoft Information Protection module. So we lose the flexibility of features like granting access to the Office 365 group owners only from some other module. I am sure Microsoft has done this purposely and may have a better plan to integrate it. We need to watch out!
Hopefully this post clarifies some of the questions you might have about this permission space. In case of any further queries, please contact us.
2 replies on “Deep into the Permissions in Office 365 Group Connected Modern Team Site”
You can reference “<Site Name> Members” in a different site, but you have to put the full email address (not the alias!) into the people picker for it to work. This is so that you can allow one O365 group's members to access a different site.
e.g. entering this in a people picker will not work:
[O365 group name]
[O365 group email]@company.onmicrosoft.com
This will work:
[O365 group name email]@company.com
To my knowledge, providing access to [O365 group name email]@company.com would provide permission to both owners and members of the O365 group. The owners and members claims are confined to the SharePoint site.
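The thread above is about letting the members of one Office 365 group into a different site. The same grant can be made without the people picker by using the members claim of the other group directly, in the format the article documents. The script below is an added example and not code from the article or from either commenter; it assumes the PnP.PowerShell module, that the other group is connected to a site you can read (the group id is taken from that site), that the API resolves the claim login name of a group other than the site's own (which is what the people picker resolves the group e-mail to), and that both URLs are placeholders.

```powershell
# Added example (not from the article or the comments): grant the members of another
# Office 365 group access to this site through that group's members claim.
# Assumes PnP.PowerShell and an account that administers both sites. URLs are placeholders.
$SourceSite = "https://contoso.sharepoint.com/sites/Finance"   # placeholder: site connected to the other group
$TargetSite = "https://contoso.sharepoint.com/sites/ProjectX"  # placeholder: site that should open up

Import-Module PnP.PowerShell

# Read the other group's id from its own site collection.
Connect-PnPOnline -Url $SourceSite -Interactive
$groupId = (Get-PnPSite -Includes GroupId).GroupId
if ($groupId -eq [Guid]::Empty) { throw "$SourceSite is not connected to an Office 365 group." }

# Members claim, without the "_o" suffix: covers everyone in the group. Group owners are
# also members, so, as the reply above notes, owners get the same access.
$membersClaim = "c:0o.c|federateddirectoryclaimprovider|$groupId"

# Grant read access on the target site by adding the claim to its associated Visitors group.
Connect-PnPOnline -Url $TargetSite -Interactive
$visitors = Get-PnPGroup -AssociatedVisitorGroup
Add-PnPGroupMember -LoginName $membersClaim -Group $visitors

# Verify: the claim now appears as a member of the Visitors group.
Get-PnPGroupMember -Group $visitors |
    Where-Object { $_.LoginName -eq $membersClaim } |
    Select-Object Title, LoginName
```

Adding the claim to the Visitors group rather than the Members group keeps the other group's people at read-only, which is usually what cross-site sharing should mean; swap the group if they need to edit.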