Since Microsoft 365 Groups were introduced as a cross-platform membership service, users have been wondering how they connect to existing permissions in SharePoint. Since groups have their own permissions model, do they still need to use good old SharePoint permissions? We will try to explain this connection so you can better understand how to keep your documents secure.
The History of Microsoft 365 Groups
We have been using SharePoint Online for a very long time now and are familiar with SharePoint permissions. We are used to sharing sites, libraries, and documents either directly or by using SharePoint or Security groups, as we covered in our previous blog, Managing Permissions in SharePoint and Office 365 – Best Practices.
SharePoint Online has been doing a good job keeping your documents secure but was very disconnected from other Microsoft 365 services you probably use, like Exchange Online and Planner. To overcome this gap, Microsoft introduced Microsoft 365 Groups (formerly Office 365 Groups) as a cross-platform membership service. Microsoft 365 Groups create a more unified modern workspace and provide a group of people easy access to shared documents, email, calendar, etc.
Microsoft is moving towards connecting all their Microsoft 365 services with Microsoft 365 Groups as the future direction. Each group is associated with a collection of shared resources such as a SharePoint site, an Exchange shared mailbox, a shared calendar, and, optionally, chat through Microsoft Teams.
Microsoft 365 Groups Permissions Model
Microsoft 365 Groups have their own permissions model. Group members can have two different roles:
- Owners – can manage group members, settings, privacy, etc.
- Members – collaborate using shared resources (SharePoint, Outlook, Teams)
These two roles directly translate to all the connected services for the group and ensure the right level of access for each one. You don’t have to worry about manually assigning permissions to all those resources. Adding members to the group automatically gives them the permissions to the tools your group provides.
Group owners can easily manage group members through almost any Microsoft app like Outlook, SharePoint Online, or Teams, making their management more decentralized than traditional security groups.
How do Microsoft 365 Groups permissions translate to a SharePoint site?
Group owners have complete control over the SharePoint site. They are granted permissions in two ways:
- They are automatically set as the Primary owner of the site.
- Each site will have a Site owner’s SharePoint Group, which has Full Control on the site.
Microsoft 365 Groups’ members are placed inside the Site members’ SharePoint group, which has edit permissions on the site. Each new group related site will follow the same permissions template, as shown in the table below.
On the SharePoint site, the UI hides this complexity and only shows you the number of members inside the group in the top right corner:
When you click on the number of group members, you are presented with a simple view of the Microsoft 365 Groups members and their role:
Adding New Members to Microsoft 365 Groups
You can easily add new members to the connected Microsoft 365 Group, and the only choice you have to make is whether the new member should be an Owner or a Member. Adding new members is pretty straightforward, but it’s essential to understand that this action grants access to all the group’s resources like Exchange, Planner, and the SharePoint site. This option is also available at the document library screen, so users must be careful not to accidentally overshare the entire site.
There are situations where you want to share either the entire SharePoint site or just a part of it and not grant access to other connected resources. If you wish to share a single document, folder, or library, all you have to do is click the Share button to get the standard experience:
Things are more complicated when you want to share the entire site. You can do that, but the option is buried inside the menu Settings > Site permissions. Here you see a more advanced view of site permissions where you can use the Invite button, which offers the Share site only option. After that, you can pick between the permission levels Full control, Edit, and Read, which will put the users inside the corresponding SharePoint groups, as we explained before:
What about Microsoft 365 Group’s privacy settings?
Each group has two privacy settings you can choose from:
- Public – anyone in the organization can join the group and access the site.
- Private – only members can access the site.
This choice will affect the permissions on your SharePoint site. What we have shown so far was the site permissions setup for a Private group. The only significant difference for a Public group-related SharePoint site is that the special group “Everyone except external users” is part of the default Site members group. You can see this on the advanced site permissions view:
This means anyone in the organization could have the Edit permission, which can significantly impact the site. It allows users to add, edit, and delete lists, so you need to consider this when using Public groups.
What potential problems should I be aware of?
As we have explained so far, Microsoft 365 Groups permissions directly translate to SharePoint permissions. They also somewhat limit the out-of-the-box functionality SharePoint had in exchange for making it easier and simpler for end users. This is not necessarily bad, but it can confuse users who are not aware of the possible issues.
Challenge 1: There is no way to see the group members straight from the SharePoint UI on the Site Permissions screen. If you go to the Advanced permissions settings, it can get even more confusing. You can only see the permissions for SharePoint groups rather than the connected groups’ members, which is a trait of the old SharePoint 2010 user experience. Even if you click on the SharePoint groups, there is no way to see the actual group members.
Challenge 2: By default, all group members will have the Edit permission. Depending on how much responsibility and trust you want to place on your users, you might need to change this to Contribute to limit the amount of harm they can do. There is no built-in solution for this. You will have to rely on custom provisioning code and/or other solutions to enforce this policy after group creation.
Challenge 3: The Public privacy setting means anyone can freely join a group without any approval from the Owners, and they will have the same Edit permission as any other member, as we explained in Challenge 2. Be aware of that and define your policies on which groups should be Public.
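One way to check and enforce the policy from Challenges 2 and 3 after group creation, as an added example that is not part of the original post or any SysKit tooling. It assumes the PnP.PowerShell module, an existing `Connect-PnPOnline` session to the group-connected site, and English permission level names; the function name and the `-Enforce` switch are hypothetical.

```powershell
# Added example. Run after Connect-PnPOnline against one group-connected site.
# Assumes English permission level names ('Edit', 'Contribute').
function Test-GroupSiteMemberAccess {
    param(
        # When set, replace Edit with Contribute on the Site members group
        [switch]$Enforce
    )

    # SharePoint group that holds the Microsoft 365 Group's members
    $memberGroup = Get-PnPGroup -AssociatedMemberGroup

    # Permission levels currently granted to that SharePoint group
    $roles = @(Get-PnPGroupPermissions -Identity $memberGroup |
        Select-Object -ExpandProperty Name)

    # Entries inside the SharePoint group. The Microsoft 365 Group appears as a
    # single claim entry, not as individual users (see Challenge 1).
    $entries = Get-PnPGroupMember -Group $memberGroup

    # "Everyone except external users" is matched on its claim login name
    # (contains "spo-grid-all-users") so the check does not depend on UI language.
    $everyone = $entries | Where-Object { $_.LoginName -like '*spo-grid-all-users*' }

    $hasEdit = $roles -contains 'Edit'
    $result = [pscustomobject]@{
        MemberGroup     = $memberGroup.Title
        Roles           = $roles -join ', '
        HasEdit         = $hasEdit
        EveryoneCanEdit = [bool]$everyone -and $hasEdit   # Public group exposure
        Changed         = $false
    }

    if ($Enforce -and $hasEdit) {
        # Swap the permission level in one call so members are never left without access
        Set-PnPGroupPermissions -Identity $memberGroup -AddRole 'Contribute' -RemoveRole 'Edit'
        $result.Changed = $true
    }
    $result
}

# Report only:        Test-GroupSiteMemberAccess
# Report and enforce: Test-GroupSiteMemberAccess -Enforce
```

Running it without `-Enforce` across your group-connected sites first gives you a list of sites where `EveryoneCanEdit` is true, which is the set to review against your policy for Public groups.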
Modern group connected sites are the future of SharePoint Online. SharePoint is no longer a loner standing in the corner but a fully integrated Microsoft 365 suite member. This comes with the obvious benefits of providing a unified modern workspace to your users, but something had to be sacrificed along the way.
Be aware of the benefits and potential drawbacks of going modern that we mentioned in this and our previous post. And remember, when you need help sorting out all this permissions complexity, SysKit Point comes to the rescue.
Regardless of how you share your content, by adding Microsoft 365 Groups members or directly sharing files, SysKit Point will see it all. You can generate reports to find answers to questions like “Who has access to what?” or “What is shared with external users?”.