Microsoft 365 management Microsoft 365 Groups vs. SharePoint permissions September 29, 2020 By: Matija Hanzic Last updated: May 22, 2023 7 min read Learn how Microsoft 365 Groups memberships translate to SharePoint permissions and what are the differences between them. Table of contents The history of Microsoft 365 GroupsMicrosoft 365 Groups permissions modelHow do Microsoft 365 Groups permissions translate to a SharePoint site?Adding new members to Microsoft 365 GroupsWhat about Microsoft 365 Group's privacy settings?What potential problems should I be aware of?Conclusion Since Microsoft 365 Groups are introduced as a cross-platform membership service, users have been wondering how does that connect to existing permissions in SharePoint? Since groups have their own permissions model, do they still need to use good old SharePoint permissions? We will try to explain this connection so you can better understand how to keep your documents secure. The history of Microsoft 365 Groups We have been using SharePoint Online and are familiar with SharePoint permissions for a very long time now. We are used to sharing sites, libraries, and documents either directly or by using SharePoint or Security groups, as we covered in our previous blog, Managing Permissions in SharePoint and Office 365 – Best Practices. SharePoint Online has been doing a good job keeping your documents secure but was very disconnected from other Microsoft 365 services you probably use, like Exchange Online and Planner. To overcome this gap, Microsoft introduced Microsoft 365 Groups (formerly Office 365 Groups) as a cross-platform membership service. Microsoft 365 Groups create a more unified modern workspace and provide a group of people easy access to shared documents, email, calendar, etc. Microsoft is moving towards connecting all their Microsoft 365 services with Microsoft 365 Groups as the future direction. Each group is associated with a collection of shared resources such as a SharePoint site, Exchange shared mailbox, shared calendar, and even chat through Microsoft Teams is an option. Microsoft 365 Groups permissions model Microsoft 365 Groups have their own permissions model. Group members can have two different roles: Owners – can manage group members, settings, privacy, etc. Members – collaborate using shared resources (SharePoint, Outlook, Teams) These two roles directly translate to all the connected services for the group and ensure the right permission level of access for each one. You don’t have to worry about manually assigning permissions to all those resources. Adding members to the group automatically gives them user permissions for the tools your group provides. Group owners can easily manage permissions and group members through almost any Microsoft app like Outlook, SharePoint Online, or Teams making their management more decentralized than traditional security groups. How do Microsoft 365 Groups permissions translate to a SharePoint site? Group owners have complete control over the SharePoint site. They are granted permissions in two ways: They are automatically set as the Primary owner of the site. Each site will have a Site owner’s SharePoint Group, which has Full Control on the site. Microsoft 365 Groups’ members are placed inside the Site members’ SharePoint group, which has edit permissions on the site. Each new group related site will follow the same permissions template, as shown in the table below. On the SharePoint site, the UI hides this complexity and only shows you the number of members inside the group in the top right corner: When you click on the number of group members, you are presented with a simple view of the Microsoft 365 Groups members and their role: Adding new members to Microsoft 365 Groups You can easily add new members to the connected Microsoft 365 Groups, and your only choice is should the new member be an Owner or Member. Adding new members is pretty straightforward, but it’s essential to understand that this action grants access to all the group’s resources like Exchange, Planner, and the SharePoint site. This option is also available at the document library screen, so users must be careful not to accidentally overshare the entire site. There are situations where you want to share either the entire SharePoint site or just a part of it and not grant access to other connected resources. If you wish to share a single document, folder, or library, all you have to do is click the Share button to get the standard experience: Things are more complicated when you want to share the entire site, you can do that, but the option is buried inside the menu Settings > Site permissions. Here you see a more advanced view of site permissions where you can use the Invite button, which offers the Share site only option. After that, you can pick between permission levels Full control, Edit and Read, which will put the users inside the corresponding SharePoint groups as we explained before: What about Microsoft 365 Group’s privacy settings? Each group has two privacy settings you can choose from: Public – anyone in the organization can join the group and access the site. Private – only members can access the site. This choice will affect the permissions on your SharePoint site. What we have shown so far was the site permissions setup for a Private group. The only significant difference for a Public group-related SharePoint site is that the particular member group “Everyone except external users” is part of the default Site members. You can see this on the advanced site permissions view: You can notice that this means anyone could have the Edit permission, which can significantly impact the site. It allows users to add, edit, and delete lists, so you need to consider this when using Public groups. What potential problems should I be aware of? As we explained so far, Microsoft 365 Groups permissions directly translate to SharePoint permissions. They also somewhat limit the out of the box functionality SharePoint had in exchange for making it easier and simpler for the end-users. Although this is not necessarily bad, if they are not aware of the possible issues it can confuse users. Challenge 1: There is no way to see the group members straight from the SharePoint UI on the Site Permissions screen. If you go to the Advanced permissions settings, it can get even more confusing. You can only see the permissions for SharePoint groups rather than the connected groups’ members, which is a trait of the old SharePoint 2010 user experience. Even if you click on the SharePoint groups, there is no way to see the actual group members. Challenge 2: By default, all group members will have the Edit permission. Depending on how much responsibility and trust you want to place on your users, you might need to change this to Contribute to limit the amount of harm they can do. There is no built-in solution for this. You will have to rely on custom provisioning code and/or other solutions to enforce this policy after group creation. Challenge 3: The Public privacy setting means anyone can freely join a group without any approval from the Owners, and they will have the same Edit permission as any other member, as we explained in Challenge 2. Be aware of that and define your policies on which groups should be Public. Conclusion Modern group connected sites are the future of SharePoint Online. SharePoint is no longer a loner standing in the corner but a fully integrated Microsoft 365 suite member. This comes with the obvious benefits of providing a unified modern workspace to your users, but something had to be sacrificed along the way. Be aware of the benefits and potential drawbacks of going modern that we mentioned in this and our previous post. And remember, when you need help sorting out all this permissions complexity, Syskit Point comes to the rescue. Regardless of how you share your content, by adding Microsoft 365 Groups members or directly sharing files, Syskit Point will see it all. You can generate reports to find answers to questions like “Who has access to what?” or “What is shared with external users?”. Discover, secure, and control M365 Manage your company’s Microsoft 365 ecosystem with Syskit Point, a scalable platform that will help you govern and secure your environment while giving you deep visibility into your entire inventory. Try for free Subscribe to our Newsletter Thank you for joining our community! Related Posts Microsoft 365 management Managing Microsoft PowerApps and Flow like a pro – Part 1 “There is a Flow which publishes on Twitter the name of every file that someone… July 22, 2019 7 min read Microsoft 365 management Stories from sales trenches: How Syskit Point helped with inactive Teams Cleanup Learn more about how Syskit Point helped a government agency whose mission is t… April 9, 2021 3 min read Microsoft 365 management Skeletons in the tenant: Real-life IT admin horror stories As Halloween approaches, we’re all eager for a good scare, but some IT ad… October 30, 2023 5 min read