Forum Discussion
Does granting a user Owner role on Office 365 group have any impact on sharepoint site's permission
john john The Office 365 Group has two behind the scenes domain-type security groups attached to it. One called "GroupName Owners" and one called "GroupName Members". These two groups are used to grant the O365 Group's Owners and Members permissions to the SharePoint site.
Take a look in the Site Collection Administrators on your associated site, you should see a "GroupName Owners" domain-type group there, which is what gives Office 365 Group Owners permissions to the SharePoint site.
Then in the "Site Name Members" SharePoint Security group on your site, the default SP group that grants Edit access, you will see the "GroupName Members" domain-type group, which is what gives Office 365 Group Members their Edit permissions to the site. (I believe this is the one you moved to your site's Visitor SP Security group).
I would like to note that if you are in an old SharePoint site that was converted, or this Office 365 Group was created a while ago, then these two domain-type groups that I am referring to still exist and somehow separate Group Owners vs Members, but their display names are exactly the same without "Owners or Members" appended to the end.
To answer your original question, yes, granting a user the Owner role in an Office 365 Group will grant them Site Collection Administrator rights to the associated SharePoint site.
Have you ever used a Global Admin to go to a Group-connected SharePoint site and been told that you don't have access? I have. For some reason Group-connected sites do not include the Company Administrator or SharePoint Service Administrator roles by default in Site Collection Admins like old sites used to, so your Global Admins/SharePoint Service Admins by default do not have access to group-connected sites. One way around this is to add your admin accounts as Owners in the Office 365 Group.
In my example here, I have an Office 365 Group called "Kevin Test Team".
You can see in SharePoint there are two domain-like groups which are associated to this Office 365 Group.
Kevin Test Team Owners -- relates to users I add to the Owners in Office 365 Group
Kevin Test Team Members -- relates to users I add to the Members in Office 365 Group
kevinmckeown8 first of all thanks for the great reply, here are my comments
kevinmckeown8 wrote:john john The Office 365 Group has two behind the scenes domain-type security groups attached to it. One called "GroupName Owners" and one called "GroupName Members". These two groups are used to grant the O365 Group's Owners and Members permissions to the SharePoint site.
i already know that Office 365 member group exists, since when we create a new Office 365 group and access its sharepoint site we can see that sharepoint members group explicitly contain the office 365 members groups (and this group i have moved to be inside SP visitor group). but there is not any explicit office 365 owner group,, and most importantly if it is there why this office 365 owner group is not added to the sharepoint owner group? similar to how the SP member group contain an Office 365 members group ? did you get my point? this is really confusing by microsoft. any explanation?
Take a look in the Site Collection Administrators on your associated site, you should see a "GroupName Owners" domain-type group there, which is what gives Office 365 Group Owners permissions to the SharePoint site.
to be honest i thought this is the sharepoint owner group.. there is no indication that this is office 365 owner group!!
Then in the "Site Name Members" SharePoint Security group on your site, the default SP group that grants Edit access, you will see the "GroupName Members" domain-type group, which is what gives Office 365 Group Members their Edit permissions to the site. (I believe this is the one you moved to your site's Visitor SP Security group).100% correct.this what i did.
I would like to note that if you are in an old SharePoint site that was converted, or this Office 365 Group was created a while ago, then these two domain-type groups that I am referring to still exist and somehow separate Group Owners vs Members, but their display names are exactly the same without "Owners or Members" appended to the end.
now this is a new MS team i created 2 days ago.
Have you ever used a Global Admin to go to a Group-connected SharePoint site and been told that you don't have access? I have. For some reason Group-connected sites do not include the Company Administrator or SharePoint Service Administrator roles by default in Site Collection Admins like old sites used to, so your Global Admins/SharePoint Service Admins by default do not have access to group-connected sites. One way around this is to add your admin accounts as Owners in the Office 365 Group.
yes i always face this , and from sharepoint online admin center site>> i modify the site's site collections (the owner.)
- Thanks for a great explanation Kevin! So to build on that! Yes you can use the owner group in that sharepoint site to add people in there as well to change permissions for those! But as Kevin said, both group owners aren’t per default reflected in that owners group
I believe the initial question is about whether adding people to an Office 365 Group's set of Owners (but not its Members) will affect the associated SharePoint site's permissions. And yes, it will. The Owner will have Site Collection Administrator access.
When it comes to looking at group-connected SharePoint sites, the associated Office 365 Group technically has two separate domain-like security groups (one for Group Owners one for Group Members) and these domain-like groups are added into the site's Site Collection Administrators and Site Members (SharePoint Group) respectively.
john john The third part of your scenario is a little confusing based on what I have described and seen in my tenant. It is strange that when you reassigned Member, then Owner, the user still only had read-only permissions. I would expect them to have Site Collection Admin permissions in this scenario.
Did you happen to remove the Office 365 Group's domain-like group from the Site Collection Admins when you were switching things around? Or is it possible that the new permissions for your user had not propagated yet and it was maybe having read-only permissions due to cache? Sometimes I have to logout of Office 365 and back in for SharePoint Online permissions to take.
kevinmckeown8 wrote:I believe the initial question is about whether adding people to an Office 365 Group's set of Owners (but not its Members) will affect the associated SharePoint site's permissions. And yes, it will. The Owner will have Site Collection Administrator access.
When it comes to looking at group-connected SharePoint sites, the associated Office 365 Group technically has two separate domain-like security groups (one for Group Owners one for Group Members) and these domain-like groups are added into the site's Site Collection Administrators and Site Members (SharePoint Group) respectively.
kevinmckeown8 so the question now, if i want to prevent the office 365 owners from having full control on the SP site, then is there any harm if i remove the "GroupName Owner" from the SP site collection section ?
john john The third part of your scenario is a little confusing based on what I have described and seen in my tenant. It is strange that when you reassigned Member, then Owner, the user still only had read-only permissions. I would expect them to have Site Collection Admin permissions in this scenario.
i checked this after 10 minutes and the user is having full control on the SP site... so you point is valid but need sometime to sync to SP...
