Microsoft 365 and SharePoint permissions management
Table of contents
The SharePoint permissions structure is very flexible. There are many ways you can accomplish simple tasks, such as granting user access to a site. Although the result is the same, if you don’t understand the subtle differences between them, it can cause a lot of pain. So, let’s get into how you can have effective SharePoint permissions management.
SharePoint permissions management terminology
First, a quick reminder of the three key aspects of SharePoint permissions management:
- Securable Objects– where should the user get access (e.g. Site, List, Document)
- Users or Groups– who should get the access rights
- Permissions– what kind of access should the user have (e.g. Full control, Read)
Understanding the first aspect of SharePoint permissions management – securable objects and permissions inheritance is an important part, but we won’t be focusing on that in this post. You can read more about it in our recent blog, which covers the topics of Microsoft 365 inheritance and unique permissions. And we also have an in-depth blog that tells you everything you need to know about SharePoint permission levels.
In this blog, we will focus more on the second and third part of the equation – who should get access to a resource and which method to use. When it comes to a method part, it’s critical to decide whether to grant access to a user directly or use groups. If you choose groups, you still need to decide between different kinds of groups.
Directly assigned SharePoint Permissions vs Group memberships
Assigning permissions to users directly is the simplest solution. So, where is the problem? The problem comes into play when it comes to long-term SharePoint permissions management. If John were granted permissions to 50 documents and he’s leaving a company, you need to remove him from 50 different locations. It’s going to be a slow and cumbersome process.
In most cases, it is smarter to grant permissions to groups instead of directly to users. The groups are the ones that have permissions, and all you have to do is manage their members. If you need to remove access for a user, you can remove him from the group. You don’t need to find all the different locations with permissions and remove him manually.
How do you decide which group to use?
So now you know that using groups is smarter. But you still might get confused about which kind of group you should use. In SharePoint Online, there are four main choices you should consider:
- SharePoint groups
- Microsoft Entra Security groups
- Microsoft 365 Groups (formerly Office 365 Groups)
- MS Teams member
There are a lot of factors to consider when making a choice. Some of them are:
- What kind of environment are you running? Is it cloud-only or hybrid?
- What kind of collaboration do the groups’ members need to do? Is it just sharing files or also accessing other shared resources like calendars, mailboxes, chats, etc?
- Are you using the classic experience in SharePoint, or have you switched to the modern experience?
Let’s go over each kind of group and see which scenario makes the most sense to use them in.
SharePoint Groups Management
SharePoint groups are defined at the site level, and they only exist inside SharePoint; therefore they cannot be used for other workloads. Each site, depending on its template, comes with a few default SharePoint groups that already have permissions assigned.
You can also create your own SharePoint groups and assign them permissions to any securable object. The advantage of a SharePoint group is that you can manage permissions on the current site, and you don’t have to go to Microsoft Entra to change group memberships.
Here’s a detailed overview of SharePoint groups and their permissions:
|
Group name |
Default permission level |
Explanation |
|---|---|---|
|
Owners
|
Full Control |
Use this group to grant people Full Control permissions to the SharePoint site. |
|
Members
|
Edit |
Use this group to grant people Edit permissions to the SharePoint site. |
|
Visitors
|
Read |
Use this group to grant people Read permissions to the SharePoint site. |
|
Viewers
|
View Onlys |
Use this group to grant people View Only permissions to the SharePoint site. |
DO Use it:
- Always use SharePoint groups in classic SharePoint experiences.
- It is ok to create your own SharePoint groups in classic SharePoint if the default ones do not meet your needs. Check out this list to identify if making a custom group makes sense.
- Even if you plan to use another kind of group, put them inside SharePoint groups.
DON’T Use it:
- On modern SharePoint sites, you should limit the use of SharePoint groups to the default ones only. Modern share experience discourages the use of SharePoint groups and does not offer an option to share files by adding people to SharePoint groups.
- Do not create custom SharePoint groups in modern SharePoint experiences. This option is hidden in the modern UI, so permissions given through these groups are very hard to track.
As you can see, SharePoint groups still have their place in classic SharePoint, and their use is encouraged in the old share experience. But keep in mind that Microsoft is moving away from them in modern SharePoint.
Security Groups
Security groups live inside Microsoft Entra, and they have a similar purpose as the groups from on-premises AD. You can even sync groups from on-premises to the cloud. They can be used across multiple workloads and for custom applications inside your tenant.
DO Use It:
- Use security groups when the same group of users needs permissions across multiple sites.
- Use security groups when you are using hybrid environments. You want to sync your group memberships from your on-premises AD to ensure centralized SharePoint permissions management for your entire environment.
DON’T Use It:
- If users need more than just sharing files to accomplish their work, like a shared calendar, mailbox, chat, etc., think about using Microsoft 365 groups rather than Security groups.
- If you need a group to share a limited scope on just one site, for example, a single folder, consider using SharePoint groups.
As you can see, Security groups are the right choice if you need to ensure access just to SharePoint Online without worrying about other workloads. One of the potential downsides of plain old Security groups is that group management is usually reserved for the admins using the Microsoft Entra portal or Microsoft 365 admin center making them less flexible.
Microsoft 365 Groups
From an IT point of view, Microsoft 365 groups are Security groups but also much more. Microsoft 365 Groups are associated with a collection of shared resources such as a SharePoint site, Outlook inbox, shared calendar, and optionally a chat in Microsoft Teams. You don’t have to worry about manually assigning permissions to all those resources. Adding members to the group automatically gives them the permissions they need to access the tools your group provides.
Group owners can easily manage group members through almost any Microsoft app like Outlook, SharePoint Online, or Teams application, making their management more decentralized than traditional security groups.
DO Use It:
- Use Microsoft 365 Groups for project teams, departments, or a community of people who work on the same goal and share deliverables
- Use Microsoft 365 Groups when you need to use self-service options for group creation. Microsoft offers many ways in which users can create their workspace without any admin intervention through Outlook, SharePoint Online, Microsoft Teams, Planner, etc.
DON’T Use It:
- If you just need a group for security to share some limited scope on an existing site like a library or folder, there is no sense in using Microsoft 365 Groups. As soon as you create a Microsoft 365 Group, this will also create a shared mailbox and a SharePoint online site that you do not need, resulting in a lot of clutter on your tenant. In those cases, use Security groups or SharePoint groups instead.
- Since SharePoint management and reporting options in the out-of-the-box Office 365 admin center are limited, you will need to use a custom solution or 3rd party governance product to have proper reporting. So, be aware that you’re going to invest some budget into the license for those tools.
How to have effective SharePoint permissions management?
It’s a good practice to use groups to do SharePoint permissions management. In the long run, this will make your life easier with less administration and manual work. Based on the information from this article, try to figure out which group type works best for you. If you need SharePoint groups but don’t want to miss out on all the benefits of modern SharePoint experience, this is still possible. Microsoft has not made it easy, but with the help of 3rd party products like Syskit Point and SPDockit, this approach is much easier. Syskit’s SharePoint permissions management tools provide all the options and reporting needed to get the work done.
Remember that Microsoft 365 Groups already come with their own SharePoint site and predefined permissions structure, so you need to consider that when comparing them to other group types. Learn more about the differences between management and reporting of Microsoft 365 Groups and SharePoint permissions management by exploring our blog and subscribing to it.
