Control what Teams members can do in SharePoint

As you probably know, when a Microsoft Team (or an Office 365 group) is created, an associated SharePoint site is automatically created.

At site creation, the Office 365 members group is added to the associated SharePoint site's Members group… (I know, a lot of groups…)

In many scenarios, I have customers who want to control what Office 365 group members or Team members can do in SharePoint.

The SharePoint Members group has the Edit permission level. This permission level includes Manage Lists, which means members are allowed to create lists, columns, views, etc. Some administrators find that this permission is a bit much.

To control what Teams members can do in SharePoint, you can simply:

  1. Create a new group called “YourSiteName Contributors” in the associated SharePoint site.
  2. Assign the Contribute permission level to your new SharePoint group.
  3. Remove the Office 365 members group from the SharePoint Members group (the two groups have the same name…).
  4. Add the Office 365 members group to the “YourSiteName Contributors” SharePoint group.

Note: You could change the permission level assigned to your SharePoint Members group or change the permissions granted to the Edit permission level. But I don’t like to change the out-of-the-box settings of permission levels and existing groups.

For those who don’t know how to create SharePoint groups and how to manage their permissions, here are the steps:

  • To access your associated SharePoint site, open Microsoft Teams
    • Go to your Team
    • Click on a channel
    • Click on the ellipsis (…) next to your channel name
    • Click on Open in SharePoint

Once on the SharePoint Site

  • Click on the gear on the top right
  • Click on Site permissions

  • Click on Advanced permission settings

The three out-of-the-box SharePoint groups will be displayed.

On the ribbon

  • Click on Create Group

Name your new group using the same naming convention as the out-of-the-box groups: YourSiteName – YourPermissionLevel. In our case, Demo SharePoint Permissions – Contributors.

  • Add the Contribute Permission Level to your new group
    • Click Create

In your new group

  • Click New
  • Click Add Users

Type the name of the Office 365 group in the section where it says Enter Names or Email Addresses.

Just start typing the name and it will find your Office 365 group.

  • Click on the full name to select it
  • Click Share

Next, you need to remove the Office 365 members group from the SharePoint Members group.

On the Quick Launch bar (left bar) of the People and Groups page, click on your SharePoint Members group.

Select the Office 365 members group (yes, it has the same name as the SharePoint group)

  • Click on Actions
    • Click on Remove Users from Group

That’s it: your Office 365 members will now have the Contribute permission level on your SharePoint site.
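The same four steps can be scripted and checked afterwards. This is an added example, not part of the original post: it assumes the PnP.PowerShell module and an Entra ID app registration for sign-in, the parameter names (SiteUrl, GroupTitle, ClientId) are hypothetical, and it assumes the Office 365 members group appears in the Members group as a federated directory claim whose owners variant ends in "_o".

```powershell
# Added example (not from the original post). Assumes the PnP.PowerShell module.
param(
    [Parameter(Mandatory)] [string] $SiteUrl,     # e.g. https://YourOrgName.sharepoint.com/sites/YourSiteName
    [Parameter(Mandatory)] [string] $GroupTitle,  # e.g. "YourSiteName Contributors"
    [Parameter(Mandatory)] [string] $ClientId     # placeholder: your own Entra ID app registration
)

Import-Module PnP.PowerShell -ErrorAction Stop
Connect-PnPOnline -Url $SiteUrl -Interactive -ClientId $ClientId

# The out-of-the-box "YourSiteName Members" group (Edit permission level).
$membersGroup = Get-PnPGroup -AssociatedMemberGroup

# Find the Office 365 members group inside it. Its login name is a
# federated directory claim; the owners claim ends in "_o" and is skipped.
$o365Members = Get-PnPGroupMember -Group $membersGroup |
    Where-Object { $_.LoginName -like '*federateddirectoryclaimprovider*' -and
                   $_.LoginName -notlike '*_o' } |
    Select-Object -First 1
if (-not $o365Members) {
    throw "No Office 365 members group found in '$($membersGroup.Title)'. Nothing was changed."
}

# Steps 1 and 2: create the group (if missing) and give it Contribute.
if (-not (Get-PnPGroup | Where-Object { $_.Title -eq $GroupTitle })) {
    New-PnPGroup -Title $GroupTitle | Out-Null
}
Set-PnPGroupPermissions -Identity $GroupTitle -AddRole 'Contribute'

# Step 4 before step 3, so members are never left without access.
Add-PnPGroupMember    -LoginName $o365Members.LoginName -Group $GroupTitle
Remove-PnPGroupMember -LoginName $o365Members.LoginName -Group $membersGroup

# Check: the claim must be gone from Members and present in the new group.
$stillEdit = Get-PnPGroupMember -Group $membersGroup |
    Where-Object { $_.LoginName -eq $o365Members.LoginName }
$nowContribute = Get-PnPGroupMember -Group $GroupTitle |
    Where-Object { $_.LoginName -eq $o365Members.LoginName }
if ($stillEdit -or -not $nowContribute) {
    Write-Warning "Verify permissions manually on $SiteUrl."
} else {
    Write-Output "'$($o365Members.Title)' now has Contribute via '$GroupTitle'."
}
```

The script leaves the Edit permission level and the existing Members group untouched, in line with the note above about not changing out-of-the-box settings.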

Here is a list of what the contribute permission level is allowed to do:

Office 365 Allow only specific users to share externally

Many companies want to control which users can share content with external/guest users, for good or bad reasons…

Some administrators seem to think that they have done their job by allowing only trained and trusted people to share content with external users from SharePoint and OneDrive, but users can still send files by email, use Dropbox, copy files to USB keys, etc. Securing content in Office 365 could be part of another article.

If you really want to allow only certain users to share content externally, you will first need to create an Azure Active Directory Security Group.

Once your security group is created, open the SharePoint Online Administration center: https://YourOrgName-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/home

  • In the SharePoint Online Admin Center, click on Sharing
  • On the sharing page, under Other settings, click on Limit external sharing to specific security groups

On the External sharing page (https://YourOrgName-admin.sharepoint.com/_layouts/15/online/ExternalSharing.aspx), in the section Who can share outside your organization:

  • Select Let only users in selected security groups share with authenticated external users
  • Add your security group

Note: There is also an option, Let only users in selected security groups share with authenticated external users and using anonymous links, that includes sharing anonymous links.

Note: At the time of writing this article, this does not prevent members of the security groups from adding external/guest users to a Microsoft Team (if external sharing is allowed for Teams in your organization).