The SharePoint Permissions Struggles in Office 365 Groups


The permission structure within Office 365 Groups has always been very straightforward. On one hand we have the owners and on the other hand the members. The main difference? The owners were able to change minor details of the Group, for example the name or the privacy status. To be honest, this wasn’t a big issue. We had an inbox for conversations (the rebranded name for email), a calendar, OneNote, and a document library for file storage.



The call for more permission control came when Groups finally integrated with a SharePoint Team Site, which was a huge step forward from simple file storage. We were now able to add new lists, pages, and libraries within a brand-new Team Site empowered by modern experiences. Last but not least, we were also able to invite guests (external users).

I remember one of my demos during SharePoint Saturday Oslo in October 2016. The attendees were already pretty shocked by the look and feel and the options of the modern SharePoint experiences. Frightened faces started to appear when I had to tell them that guests received member permissions, which meant guests were able to create new lists and libraries and remove all content. To be honest, this doesn’t have to be an issue. You can educate and guide guests in working with SharePoint to prevent awkward situations. There is also something called the recycle bin. That said, I definitely understood the need for more permission control for guests.

Recently, Microsoft introduced a new mechanism for permission control for Groups and specifically the Modern SharePoint Team Site. Let’s take a look at it.

Modern SharePoint Team Site

We create a new Modern SharePoint Team Site, with a connected Group, through SharePoint Home:

GroupsPermissions 1

Next we add owners and members:

GroupsPermissions 2

I have to say, it’s really amazing and impressive to see how fast the SharePoint Site Collection and Group are created. Two thumbs up for Microsoft! The site permission controls for the Modern Team Site are available under the wheel icon, resulting in the following:

GroupsPermissions 3

What do we see here? Two obvious facts. First, the owners of the Group have SharePoint Full Control permissions and the Group members have SharePoint Edit permissions. Second, every internal user within your Office 365 tenant also has SharePoint Edit permissions. Be aware: This happens because the privacy setting is open and not private. A private group doesn’t give SharePoint Edit permissions to all your colleagues. I really like how easy it is to change the permissions:

GroupsPermissions 4

You are now able to reduce the permissions to Read or even Remove all your colleagues from the SharePoint Team Site. Let’s not be mean and change the permissions to Read. You probably noticed the red Invite people button. Let’s click on it:

GroupsPermissions 5

The first option allows you to add colleagues (not guests, more about that later) to the Group. This action impacts the whole Office 365 Group, resulting in access to conversations, calendar, OneNote, and Planner. The Share Site Only option is only applicable for the Modern SharePoint Team Site. Are you confused yet? Please, don’t give up and keep following me:

GroupsPermissions 6

We can assign the corresponding SharePoint site permissions to Alex. This results in the following:

GroupsPermissions 7

Alex is now owner of the SharePoint Team Site, not an owner of the Office 365 Group. You can also assign permissions for other Office 365 Groups. For example, you assign the Marketing Group read permissions so that all the members are able to read content within your Modern SharePoint Team Site. I really had to get used to this new way of working with SharePoint and Group permissions, but got into it relatively quickly. Unfortunately, things get very confusing once you click on the red advanced permissions settings link:

GroupsPermissions 8

What the heck is this? This menu differs a lot from the site permissions view in the Modern SharePoint Team Site. Don’t worry. The Groups and People you assigned in the previous site permissions are actually stored in the above visitors, members, and owners security groups. For example, the Digital Workplace Members group contains the following:

GroupsPermissions 9

How does the above impact other SharePoint components such as lists and libraries? Are we finally able to create a new document library and hide the library for another Group or selection of users? Until recently, the libraries didn’t have a permission option in the settings. This is now available as shown below:

GroupsPermissions 10

By clicking on Edit Permissions you are able to change the permissions for this library. This feature definitely opens up more scenarios while working with the Modern SharePoint Team Site and multiple Groups and people. Earlier I mentioned that adding guests doesn’t work within the Modern SharePoint Team Site. We have to go to the People section of the Group:

GroupsPermissions 11

The guest automatically receives SharePoint Edit permissions within the Modern SharePoint Team Site. You are only able to invite guests through the advanced permissions settings link if they have been invited before. Otherwise, you receive an error mentioning that you aren’t able to invite external users. Annoying? Definitely.
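An added example, not part of the original article: a small Python audit that resolves the owners, members, and visitors security groups described above into effective access and flags the cases the article walks through (all internal users with Edit on an open group, guests with Edit, and a site-only owner like Alex). The input layout, the contoso.example accounts other than Alex's name, and the all-zero group id are constructed for illustration; the claim markers are the ones SharePoint Online uses in login names.

```python
EEEU = "spo-grid-all-users"                     # claim: "Everyone except external users"
O365_CLAIM = "federateddirectoryclaimprovider"  # claim: the connected Office 365 Group
WRITE = {"Edit", "Full Control"}

def expand(login, roster):
    """Resolve an Office 365 Group claim to its users; plain logins pass through."""
    low = login.lower()
    if O365_CLAIM in low:
        # A trailing "_o" on the group id denotes the Group's owners.
        return roster["owners"] if low.endswith("_o") else roster["members"]
    return [low.split("|")[-1]]

def audit(site_groups, roster):
    """Return (site group, principal, reason) for each grant worth reviewing."""
    findings = []
    for name, grp in site_groups.items():
        level = grp["level"]
        for login in grp["principals"]:
            if EEEU in login.lower():
                if level in WRITE:
                    findings.append((name, "everyone", "tenant-wide " + level))
                continue
            for user in expand(login, roster):
                if "#ext#" in user and level in WRITE:
                    findings.append((name, user, "guest with " + level))
                elif level == "Full Control" and user not in roster["owners"]:
                    findings.append((name, user, "site-only owner"))
    return findings

# Constructed sample data (lower-case logins; placeholder group id).
GID = "00000000-0000-0000-0000-000000000000"
ROSTER = {"owners": ["jasper@contoso.example"],
          "members": ["jasper@contoso.example", "megan@contoso.example",
                      "pat_fabrikam.example#ext#@contoso.onmicrosoft.com"]}
SITE = {
    "Digital Workplace Owners": {"level": "Full Control", "principals": [
        f"c:0o.c|{O365_CLAIM}|{GID}_o", "i:0#.f|membership|alex@contoso.example"]},
    "Digital Workplace Members": {"level": "Edit", "principals": [
        f"c:0o.c|{O365_CLAIM}|{GID}", f"c:0-.f|rolemanager|{EEEU}/{GID}"]},
    "Digital Workplace Visitors": {"level": "Read", "principals": []},
}

if __name__ == "__main__":
    for finding in audit(SITE, ROSTER):
        print(finding)
```

With the sample data the audit reports Alex as a site-only owner, the guest who inherits Edit through Group membership, and the tenant-wide Edit grant that an open Group produces.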

Oh boy, I really hope you are still with me. Don’t be ashamed if you are still a bit confused and have to read this article again. I probably have to! What are the takeaways? I really like the new menu for the SharePoint permission control. Unfortunately, not all actions are included, such as inviting external users. That’s the reason the classic menu is still available. However, that can result in confusion for the owners and members of the Group and Modern SharePoint Team Site. That said, we are definitely moving in the right direction. I think Microsoft is working hard to integrate all the required options in the new look and feel. To be continued!