The SharePoint permissions structure is very flexible. Even for a simple task of granting user access to a site, there are many ways you can accomplish this. Although the result is the same, if you don’t understand the subtle differences between them, it can cause a lot of pain.
SharePoint Permissions Terminology
First, a quick reminder of the three key aspects of SharePoint permissions:
- Securable Objects– where should the user get access (e.g. Site, List, Document)
- Users or Groups– who should get the access rights
- Permissions– what kind of access should the user have (e.g. Full control, Read)
Understanding the first aspect of permissions – securable objects and permissions inheritance is an important part, but we won’t be focusing on that in this post. You can read more about it in our recent blog covering topics of Office 365 inheritance and unique permissions.
In this blog, we will focus more on the second and third part of the equation – who should get access to a resource and which method to use. When it comes to a method part, it’s critical to decide whether to grant access to a user directly or use groups. If you choose groups, you still need to decide between different kinds of groups.
Directly assigned SharePoint Permissions vs Group memberships
Assigning permissions to users directly is the simplest solution. So, where is the problem? The problem is in the long-term management of permissions. If John were granted permissions to 50 documents and he’s leaving a company, you need to remove him from 50 different locations. It’s going to be a slow and cumbersome process.
In most cases, it is smarter to grant permissions to groups instead of directly to users. The groups are the ones that have permissions, and all you have to do is manage their members. If you need to remove access for a user, you can remove him from the group. You don’t need to find all the different locations with permissions and remove him manually.
How to decide which group to use?
So now you know that using groups is smarter. But you still might get confused about which kind of group you should use. In SharePoint Online, there are three main choices you should consider:
- SharePoint groups
- Azure AD Security groups
- Microsoft 365 Groups (formerly Office 365 Groups)
There are a lot of factors to consider when making a choice. Some of them are:
- What kind of environment are you running? Is it cloud-only or hybrid?
- What kind of collaboration do the groups’ members need to do? Is it just sharing files or also accessing other shared resources like calendar, mailbox, chat, etc?
- Are you using classic experience in SharePoint, or have you switched to the modern experience?
Let’s go over each kind of group and see in which scenario they make the most sense.
SharePoint groups are defined at the site level, and they only exist inside SharePoint; therefore cannot be used for other workloads. Each site, depending on its template, comes with a few default SharePoint groups that already have permissions assigned.
You can also create your own SharePoint groups and assign them permissions to any securable object. The advantage of a SharePoint group is that you can manage permissions on the current site, and you don’t have to go to AAD to change group memberships.
DO Use it:
- Always use SharePoint groups in classic SharePoint experiences
- It is ok to create your own SharePoint groups in classic SharePoint if the default ones do not meet your needs. Check out this list to identify if making a custom group makes sense.
- Even if you plan to use another kind of group, put them inside SharePoint groups
DON’T Use it:
- On modern SharePoint sites you should limit the use of SharePoint groups only to the default ones. Modern share experience discourages the use of SharePoint groups and does not offer an option to share files by adding people to SharePoint groups.
- Do not create custom SharePoint groups in modern SharePoint experiences. This option is hidden in the modern UI, so permissions given through these groups are very hard to track.
As you can see, SharePoint groups still have their place in classic SharePoint, and their use is encouraged in the old share experience. But, keep in mind that Microsoft is moving away from them in modern SharePoint.
Security groups live inside Azure AD, and they have a similar purpose as the groups from on-premises AD. You can even sync groups from on-premises to the cloud. They can be used across multiple workloads and for custom applications inside your tenant.
DO Use It:
- Use security groups when the same group of users needs permissions across multiple sites.
- Use security groups when you are using hybrid environments. You want to sync your group memberships from your on-premises AD to ensure centralized permissions management for your entire environment.
DON’T Use It:
- If users need more than just sharing files to accomplish their work, like a shared calendar, mailbox, chat, etc., think about using Microsoft 365 groups rather than Security groups.
- If you need a group to share a limited scope on just one site, for example, a single folder, consider using SharePoint groups.
As you can see, Security groups are the right choice if you need to ensure access just to SharePoint Online without worrying about other workloads. One of the potential downsides of plain old Security groups is that group management is usually reserved for the admins using the AAD portal or Office 365 admin center making them less flexible.
Microsoft 365 Groups
From an IT point of view, Microsoft 365 groups are Security groups but also much more. Microsoft 365 Groups are associated with a collection of shared resources such as a SharePoint site, Outlook inbox, shared calendar, and optionally a chat in Microsoft Teams. You don’t have to worry about manually assigning permissions to all those resources. Adding members to the group automatically gives them the permissions they need to the tools your group provides.
Group owners can easily manage group members through almost any Microsoft app like Outlook, SharePoint Online, or Teams application making their management more decentralized than traditional security groups.
DO Use It:
- Use Microsoft 365 Groups for project teams, departments or community of people that work on the same goal and share deliverables
- Use Microsoft 365 Groups when you need to use self-service options for group creation. Microsoft offers many ways in which users can create their workspace without any admin intervention through Outlook, SharePoint Online, Microsoft Teams, Planner, etc.
DON’T Use It:
- If you just need a group for security to share some limited scope on an existing site like a library or folder, there is no sense to use Microsoft 365 Groups. As soon as you create a Microsoft 365 Groups, this will also create a shared mailbox and a SharePoint online site that you do not need resulting in a lot of clutter on your tenant. In those cases, use Security groups or SharePoint groups instead.
- Since management and reporting options in Out-of-the-box Office 365 admin center are limited, you will need to use a custom solution or 3rd party governance product to have proper reporting. So, be aware that you’re going to invest some budget into the license for those tools.
It’s a good practice to use groups to manage permissions in SharePoint. In the long run, this will make your life easier with less administration and manual work. Based on the information from this article, try to figure out which group type works the best for you. If you need SharePoint groups but don’t want to miss out on all the benefits of modern SharePoint experience, this is still possible. Microsoft has not made it easy, but with the help of 3rd party products like SysKit Point and SPDocKit, this approach is much easier. SysKit’s tools provide all the management options and reporting needed to get the work done.
Remember that Microsoft 365 Groups already come with their own SharePoint site and predefined permissions structure, so you need to consider that when comparing them to other group types. Learn more about the differences between management and reporting of Microsoft 365 Groups and SharePoint permissions in our upcoming blog.