Managing permissions in modern SharePoint

Introduction to Microsoft 365 Groups

When discussing Microsoft 365 Groups, we like to tailor our explanations to suit the audience. For IT professionals, these groups resemble familiar concepts like Active Directory security groups. When addressing end users, we liken them to distribution lists in Exchange: a unified permission entity providing access across Microsoft 365 apps. In either description, creating a Group not only grants you a SharePoint site but also sets the stage for various integrated services, such as Teams and Planner. Groups give you one-stop management for all the integrated apps. Keep in mind, however, that a permission change made at the group level, or within any one of the apps, propagates to all the other apps as well. Groups have two permission levels: ‘owner’, which grants full management capabilities including adjusting permissions, and ‘member’, which grants only content control, such as adding, deleting, creating, etc.

Work Process and Content Management Visualization

[Figure: Work Process and Content Management. The image shows the create, iterate, review, and publish stages of content creation and validation, and which portions are done in a Team site versus a Communication site.]

In the Content Management Competency of the Maturity Model, we explore how various apps and services collaboratively support productive content development. Content creation often occurs in one place, while sharing that content with others takes place in a different place. The typical lifecycle consists of content initially crafted in Teams, a SharePoint Team site, or OneDrive. Team environments, such as Team sites, facilitate iterative work, and the final product is shared via an intranet, typically on a Communication site. When we discuss different ways to set up permissions in these environments, it’s to help facilitate this process.

Communication Sites

Communication sites prioritize tight permission control and are not backed by Microsoft 365 Groups: Groups have no “read only” permission level, while the primary purpose of a Communication site is to let many people “read” the content. We recommend that you always have 2-3 site owners. Having one means the site could be orphaned if that person leaves the company; having too many makes it hard to know who made specific changes and results in a very open permission structure. With few owners and only occasional site members, Communication sites function as content showcases rather than collaborative spaces, so their permissions should be kept very light and cleaned out often.

Team Sites

Team sites, often linked with a Microsoft Team, are backed by a Microsoft 365 Group. Like Communication sites, they have 2-3 site owners who manage the structure and permissions, but the site members typically constitute the broader workgroup, with their number contingent on the team’s needs. Site visitors are rarely used and primarily involve external users. The purpose of these sites is collaboration, and therefore the members category tends to be much broader.

Permissions Best Practices

  1. For content intended for many consumers and few creators, Communication sites are ideal. For group collaboration, Team sites excel. We suggest you try not to intermix these as much as possible.
  2. Keeping permissions at the site level simplifies administration. Reducing permissions is more manageable than expanding them.
  3. Public and private teams behave differently, with public teams automatically adding everyone except external users as site members.
  4. In a Team site, you have two options when you click the “Add members” button. You can add a person to the Group with the role of either owner or member, meaning they inherit all the permissions of that Group. Or, you can share the site only. This gives them access to the site itself, with the ability to add, delete, create, etc., but they do not inherit the other Group permissions.
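The following PnP.PowerShell script is an added example (not code from the original post or from Sympraxis) that turns the guidance above into an audit: for each site it reports whether the owner count sits in the recommended 2-3 range and lists any libraries or lists whose permissions have been broken away from the site level. It assumes the PnP.PowerShell module is installed, that the signed-in account is a site administrator on every URL, and that the site URLs, owner thresholds and CSV path are placeholders you replace with your own.

```powershell
# Added example, not from the original post or from Sympraxis.
# Audits (1) the 2-3 owners guidance and (2) "keep permissions at the site level"
# for a list of SharePoint sites using PnP.PowerShell.
# Assumptions: PnP.PowerShell is installed, the signed-in account is a site admin
# on each URL, and the URLs/thresholds below are placeholders.
Import-Module PnP.PowerShell

$SiteUrls = @(
    'https://contoso.sharepoint.com/sites/Intranet',      # assumed Communication site
    'https://contoso.sharepoint.com/sites/ProjectFalcon'  # assumed Team site
)
$MinOwners = 2
$MaxOwners = 3

function Get-OwnerStatus {
    param([int]$Count, [int]$Min, [int]$Max)
    # Classify an owner count against the 2-3 owners guidance
    if ($Count -eq 0)    { return 'ORPHAN RISK' }
    if ($Count -lt $Min) { return 'TOO FEW' }
    if ($Count -gt $Max) { return 'TOO MANY' }
    return 'OK'
}

$report = foreach ($url in $SiteUrls) {
    # -Interactive prompts once and reuses the cached token for other sites in the
    # tenant; for unattended runs use an app registration (-ClientId/-Tenant/-Thumbprint)
    Connect-PnPOnline -Url $url -Interactive

    # GroupId is the empty GUID on sites that are not backed by a Microsoft 365 Group
    $site = Get-PnPSite -Includes GroupId
    $isGroupSite = $site.GroupId -ne [guid]::Empty

    if ($isGroupSite) {
        # Team site: the Group owners are the site owners
        $owners     = Get-PnPMicrosoft365GroupOwners -Identity $site.GroupId
        $ownerNames = $owners | ForEach-Object { $_.UserPrincipalName }
    }
    else {
        # Communication site: owners live in the site's associated Owners group.
        # A nested security group counts as a single entry here, so review those by hand.
        $ownerGroup = Get-PnPGroup -AssociatedOwnerGroup
        $owners     = Get-PnPGroupMember -Group $ownerGroup
        $ownerNames = $owners | ForEach-Object { $_.Email }
    }
    $ownerCount = @($owners).Count

    # Lists with HasUniqueRoleAssignments have broken inheritance, which is exactly
    # what "keep permissions at the site level" is trying to avoid
    $uniqueLists = Get-PnPList -Includes HasUniqueRoleAssignments |
        Where-Object { $_.HasUniqueRoleAssignments -and -not $_.Hidden } |
        Select-Object -ExpandProperty Title

    [pscustomobject]@{
        Url             = $url
        SiteType        = if ($isGroupSite) { 'Team site (Group-backed)' } else { 'Communication site' }
        OwnerCount      = $ownerCount
        OwnerStatus     = Get-OwnerStatus -Count $ownerCount -Min $MinOwners -Max $MaxOwners
        Owners          = ($ownerNames -join '; ')
        UniquePermLists = ($uniqueLists -join '; ')
    }
}

$report | Format-Table -AutoSize
$report | Export-Csv -Path .\site-permission-audit.csv -NoTypeInformation   # assumed output path
```

Run it on a schedule and diff the CSV between runs: a Communication site that suddenly gains a fourth owner, or a Team site whose document library shows up in UniquePermLists, is the kind of drift the "light and cleaned out often" advice is meant to catch.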

Microsoft 365 Group Considerations

As with any product, we have come across a few unique aspects of Microsoft 365 Groups that you should be aware of. For example, owners are sometimes overlooked within groups: audience targeting is unavailable for owners, and navigation is limited to 10 groups. The Sites web part also doesn’t show you which sites you are an owner of. Managing external users in Microsoft 365 Groups requires accessing Outlook via SharePoint. There is a 500,000-group limit per tenant; each user can create up to 250 groups and participate in up to 7,000 groups as a member or owner. Concurrent access to the calendar and conversations is permitted for 1,000 members. Another option is dynamic groups, whose membership is computed from criteria such as location. However, creating them requires Azure AD access, so only individuals with admin access in your tenant can create them.
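As an added example (not code from the original post or from Sympraxis), this Microsoft Graph PowerShell script checks how close a single user is to the per-user limits quoted above, 250 groups created and 7,000 group memberships. It assumes the Microsoft.Graph modules are installed, that the signed-in account can read users and groups, that the user principal name and the 80% warning threshold are placeholders, and that counting the Microsoft 365 Groups a user owns is an acceptable proxy for the groups they created, since creation history is not exposed directly.

```powershell
# Added example, not from the original post or from Sympraxis.
# Compares one user's Microsoft 365 Group ownership and membership counts
# against the per-user limits quoted in the article.
# Assumptions: Microsoft.Graph modules installed; signed-in account can read
# directory data; the UPN and warning fraction are placeholders; owned groups
# stand in for "groups created" because creation history is not queryable.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Users

$UserPrincipalName = 'someone@contoso.com'   # assumed placeholder
$CreateLimit = 250    # groups a user may create (from the article)
$MemberLimit = 7000   # groups a user may belong to (from the article)
$WarnAt      = 0.8    # flag at 80% of a limit (assumed threshold)

function Get-LimitStatus {
    param([int]$Used, [int]$Limit, [double]$WarnFraction)
    # Label usage against a hard limit so the report is readable at a glance
    if ($Used -ge $Limit)                   { return 'AT LIMIT' }
    if ($Used -ge ($Limit * $WarnFraction)) { return 'WARN' }
    return 'OK'
}

function Select-UnifiedGroup {
    param($DirectoryObjects)
    # Both Graph calls below return mixed directory objects (groups, roles, admin
    # units); keep only Microsoft 365 ("Unified") groups, which is what the limits cover
    $DirectoryObjects | Where-Object {
        $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' -and
        $_.AdditionalProperties['groupTypes'] -contains 'Unified'
    }
}

Connect-MgGraph -Scopes 'User.Read.All', 'Group.Read.All', 'GroupMember.Read.All'

$owned  = Select-UnifiedGroup (Get-MgUserOwnedObject -UserId $UserPrincipalName -All)
$joined = Select-UnifiedGroup (Get-MgUserMemberOf   -UserId $UserPrincipalName -All)

[pscustomobject]@{
    User         = $UserPrincipalName
    OwnedGroups  = @($owned).Count
    OwnedStatus  = Get-LimitStatus -Used @($owned).Count  -Limit $CreateLimit -WarnFraction $WarnAt
    JoinedGroups = @($joined).Count
    JoinedStatus = Get-LimitStatus -Used @($joined).Count -Limit $MemberLimit -WarnFraction $WarnAt
} | Format-List
```

A user who is an owner of hundreds of Groups is also the single point of failure the "always have 2-3 site owners" advice warns about, so an unexpectedly high OwnedGroups value is worth following up even when it is nowhere near the hard limit.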

At first glance, managing permissions in Microsoft 365 Groups may appear daunting, but armed with this deeper understanding of various site types, their purposes, and best practices, you can approach permission management with increased assurance. However, if you ever feel uncertain or have questions, please reach out to our team for assistance and guidance.
