Forum Discussion
Does granting a user the Owner role on an Office 365 group have any impact on the SharePoint site's permissions?
I have created a new MS Teams using the Office 365 admin center site, which created the following:
1. SharePoint modern site.
2. Office 365 group. The Office 365 group will be added to the Members SharePoint group.
But my question is, will granting a user the Owner role instead of Member inside MS-Teams/Office-365-Group grant the user additional permissions on the SharePoint site's lists and libraries? Today I got a weird scenario, as follows:
1. Inside my SharePoint site, I moved the Office 365 group to be inside the SharePoint Visitors group instead of the SharePoint Members group, so members and owners inside the Office 365 group will only have read permission on the SharePoint site.
2. Then I assigned the user an Owner role on Office 365, where this user got Full Control permission on SharePoint!!
3. Now I re-assigned the user a Member role inside Office 365, and then re-assigned him Owner again. After that I checked his permissions on the SharePoint site, where I found that the user only has Read, which sounds more realistic.
But my question is whether granting a user the Owner role instead of the Member role inside an Office-365-group can by any chance grant the user additional permissions to the SharePoint site's lists/libraries, such as the documents library and the pages library?
14 Replies
- Yeah, these guys got it right.
The TL;DR simple version =)
All 3 scenarios are because Office 365 Group owners = Site Collection Admins = trump all permissions on that site and its subsites.
Scenario 3 is due to lag time of the user not being added as site collection admin. After a while they will have full access again.
- john john (Iron Contributor)
ChrisWebbTech wrote:
Yeah, these guys got it right.
The TL;DR simple version =)
All 3 scenarios are because Office 365 Group owners = Site Collection Admins = trump all permissions on that site and its subsites.
Scenario 3 is due to lag time of the user not being added as site collection admin. After a while they will have full access again.
ChrisWebbTech so the important question now: can we prevent a user who is defined as owner inside the Office 365 group, and hence inside MS Teams, from being a site collection admin? Is there any harm if I modify the SharePoint site's site collection admins and remove the "GroupName owner" from it?
- kevinmckeown8 (Iron Contributor)
john john The Office 365 Group has two behind the scenes domain-type security groups attached to it. One called "GroupName Owners" and one called "GroupName Members". These two groups are used to grant the O365 Group's Owners and Members permissions to the SharePoint site.
Take a look in the Site Collection Administrators on your associated site, you should see a "GroupName Owners" domain-type group there, which is what gives Office 365 Group Owners permissions to the SharePoint site.
Then in the "Site Name Members" SharePoint Security group on your site, the default SP group that grants Edit access, you will see the "GroupName Members" domain-type group, which is what gives Office 365 Group Members their Edit permissions to the site. (I believe this is the one you moved to your site's Visitor SP Security group).
I would like to note that if you are in an old SharePoint site that was converted, or this Office 365 Group was created a while ago, then these two domain-type groups that I am referring to still exist and somehow separate Group Owners vs Members, but their display names are exactly the same without "Owners or Members" appended to the end.
To answer your original question, yes, granting a user the Owner role in an Office 365 Group will grant them Site Collection Administrator rights to the associated SharePoint site.
Have you ever used a Global Admin to go to a Group-connected SharePoint site and been told that you don't have access? I have. For some reason Group-connected sites do not include the Company Administrator or SharePoint Service Administrator roles by default in Site Collection Admins like old sites used to, so your Global Admins/SharePoint Service Admins by default do not have access to group-connected sites. One way around this is to add your admin accounts as Owners in the Office 365 Group.
In my example here, I have an Office 365 Group called "Kevin Test Team".
You can see in SharePoint there are two domain-like groups which are associated to this Office 365 Group.
Kevin Test Team Owners -- relates to users I add to the Owners in Office 365 Group
Kevin Test Team Members -- relates to users I add to the Members in Office 365 Group
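Added example, not part of any reply in this thread: a SharePoint Online Management Shell script that shows, for one group-connected site, which principals are Site Collection Administrators and which SharePoint groups hold the Office 365 Group's Owners and Members claims. `$AdminUrl` and `$SiteUrl` are placeholders, and the claim-name patterns used to recognise the two group claims are assumptions noted in the comments.

```powershell
# Added example, not from the thread. Requires the SharePoint Online Management Shell
# (Microsoft.Online.SharePoint.PowerShell) and SharePoint admin rights.
param(
    [Parameter(Mandatory)] [string] $AdminUrl,  # placeholder: the tenant's SharePoint admin URL
    [Parameter(Mandatory)] [string] $SiteUrl    # placeholder: the group-connected site to inspect
)

Connect-SPOService -Url $AdminUrl

# Every principal known to the site, including the group's claim entries.
$principals = Get-SPOUser -Site $SiteUrl -Limit All

# Assumption: Office 365 Group claims carry 'federateddirectoryclaimprovider' in
# LoginName, and the Owners claim is the one whose LoginName ends in '_o'.
$report = foreach ($p in $principals) {
    $isGroupClaim = $p.LoginName -like '*federateddirectoryclaimprovider*'

    # Only admins and group claims matter for this check; skip everyone else.
    if (-not ($p.IsSiteAdmin -or $isGroupClaim)) { continue }

    $source = if (-not $isGroupClaim) { 'Direct user or other group' }
              elseif ($p.LoginName -like '*_o') { 'Office 365 Group Owners' }
              else { 'Office 365 Group Members' }

    [pscustomobject]@{
        DisplayName      = $p.DisplayName
        Source           = $source
        IsSiteAdmin      = $p.IsSiteAdmin
        SharePointGroups = ($p.Groups -join '; ')
        LoginName        = $p.LoginName
    }
}

$report | Sort-Object Source, DisplayName | Format-Table -AutoSize -Wrap

# Flag the situation the thread describes: the Owners claim is a Site Collection
# Administrator, so changing which SharePoint group holds the Members claim
# does not reduce what Group Owners can do on the site.
$ownersAsAdmin = $report |
    Where-Object { $_.Source -eq 'Office 365 Group Owners' -and $_.IsSiteAdmin }
if ($ownersAsAdmin) {
    Write-Warning "Office 365 Group Owners are Site Collection Administrators on $SiteUrl."
}
```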
- john john (Iron Contributor)
kevinmckeown8 first of all thanks for the great reply, here are my comments:
kevinmckeown8 wrote:
john john The Office 365 Group has two behind the scenes domain-type security groups attached to it. One called "GroupName Owners" and one called "GroupName Members". These two groups are used to grant the O365 Group's Owners and Members permissions to the SharePoint site.
I already know that the Office 365 members group exists, since when we create a new Office 365 group and access its SharePoint site we can see that the SharePoint members group explicitly contains the Office 365 members group (and this group I have moved to be inside the SP visitors group). But there is not any explicit Office 365 owner group, and most importantly, if it is there, why is this Office 365 owner group not added to the SharePoint owner group, similar to how the SP member group contains an Office 365 members group? Did you get my point? This is really confusing by Microsoft. Any explanation?
Take a look in the Site Collection Administrators on your associated site, you should see a "GroupName Owners" domain-type group there, which is what gives Office 365 Group Owners permissions to the SharePoint site.
To be honest I thought this is the SharePoint owner group. There is no indication that this is the Office 365 owner group!!
Then in the "Site Name Members" SharePoint Security group on your site, the default SP group that grants Edit access, you will see the "GroupName Members" domain-type group, which is what gives Office 365 Group Members their Edit permissions to the site. (I believe this is the one you moved to your site's Visitor SP Security group).
100% correct. This is what I did.
I would like to note that if you are in an old SharePoint site that was converted, or this Office 365 Group was created a while ago, then these two domain-type groups that I am referring to still exist and somehow separate Group Owners vs Members, but their display names are exactly the same without "Owners or Members" appended to the end.
Now this is a new MS team I created 2 days ago.
Have you ever used a Global Admin to go to a Group-connected SharePoint site and been told that you don't have access? I have. For some reason Group-connected sites do not include the Company Administrator or SharePoint Service Administrator roles by default in Site Collection Admins like old sites used to, so your Global Admins/SharePoint Service Admins by default do not have access to group-connected sites. One way around this is to add your admin accounts as Owners in the Office 365 Group.
Yes, I always face this, and from the SharePoint Online admin center site I modify the site's site collection admins (the owner).
- Thanks for a great explanation, Kevin! So to build on that! Yes, you can use the owner group in that SharePoint site to add people in there as well to change permissions for those! But as Kevin said, both group owners aren't by default reflected in that owners group.
- kevinmckeown8 (Iron Contributor)
I believe the initial question is about whether adding people to an Office 365 Group's set of Owners (but not its Members) will affect the associated SharePoint site's permissions. And yes, it will. The Owner will have Site Collection Administrator access.
When it comes to looking at group-connected SharePoint sites, the associated Office 365 Group technically has two separate domain-like security groups (one for Group Owners, one for Group Members) and these domain-like groups are added into the site's Site Collection Administrators and Site Members (SharePoint Group) respectively.
john john The third part of your scenario is a little confusing based on what I have described and seen in my tenant. It is strange that when you reassigned Member, then Owner, the user still only had read-only permissions. I would expect them to have Site Collection Admin permissions in this scenario.
Did you happen to remove the Office 365 Group's domain-like group from the Site Collection Admins when you were switching things around? Or is it possible that the new permissions for your user had not propagated yet and it was maybe having read-only permissions due to cache? Sometimes I have to log out of Office 365 and back in for SharePoint Online permissions to take.
- You might break inherited permissions on folders and give read on member for example!
- john john (Iron Contributor)
adam deltinger wrote:
You might break inherited permissions on folders and give read on member for example!
adam deltinger but how does this answer my question "Does granting a user Owner role on Office 365 group have any impact on sharepoint site's permission"?