Forum Discussion
Does granting a user the Owner role on an Office 365 group have any impact on the SharePoint site's permissions?
john john The Office 365 Group has two behind the scenes domain-type security groups attached to it. One called "GroupName Owners" and one called "GroupName Members". These two groups are used to grant the O365 Group's Owners and Members permissions to the SharePoint site.
Take a look in the Site Collection Administrators on your associated site, you should see a "GroupName Owners" domain-type group there, which is what gives Office 365 Group Owners permissions to the SharePoint site.
Then in the "Site Name Members" SharePoint Security group on your site, the default SP group that grants Edit access, you will see the "GroupName Members" domain-type group, which is what gives Office 365 Group Members their Edit permissions to the site. (I believe this is the one you moved to your site's Visitor SP Security group).
I would like to note that if you are in an old SharePoint site that was converted, or this Office 365 Group was created a while ago, then these two domain-type groups that I am referring to still exist and somehow separate Group Owners vs Members, but their display names are exactly the same without "Owners or Members" appended to the end.
To answer your original question, yes, granting a user the Owner role in an Office 365 Group will grant them Site Collection Administrator rights to the associated SharePoint site.
Have you ever used a Global Admin to go to a Group-connected SharePoint site and been told that you don't have access? I have. For some reason Group-connected sites do not include the Company Administrator or SharePoint Service Administrator roles by default in Site Collection Admins like old sites used to, so your Global Admins/SharePoint Service Admins by default do not have access to group-connected sites. One way around this is to add your admin accounts as Owners in the Office 365 Group.
In my example here, I have an Office 365 Group called "Kevin Test Team".
You can see in SharePoint there are two domain-like groups which are associated to this Office 365 Group.
Kevin Test Team Owners -- relates to users I add to the Owners in Office 365 Group
Kevin Test Team Members -- relates to users I add to the Members in Office 365 Group
- kevinmckeown8, Jun 20, 2019, Iron Contributor
I believe the initial question is about whether adding people to an Office 365 Group's set of Owners (but not its Members) will affect the associated SharePoint site's permissions. And yes, it will. The Owner will have Site Collection Administrator access.
When it comes to looking at group-connected SharePoint sites, the associated Office 365 Group technically has two separate domain-like security groups (one for Group Owners, one for Group Members) and these domain-like groups are added into the site's Site Collection Administrators and Site Members (SharePoint Group) respectively.
john john The third part of your scenario is a little confusing based on what I have described and seen in my tenant. It is strange that when you reassigned Member, then Owner, the user still only had read-only permissions. I would expect them to have Site Collection Admin permissions in this scenario.
Did you happen to remove the Office 365 Group's domain-like group from the Site Collection Admins when you were switching things around? Or is it possible that the new permissions for your user had not propagated yet and it was maybe having read-only permissions due to cache? Sometimes I have to log out of Office 365 and back in for SharePoint Online permissions to take.
- john john, Jun 20, 2019, Iron Contributor
kevinmckeown8 wrote: I believe the initial question is about whether adding people to an Office 365 Group's set of Owners (but not its Members) will affect the associated SharePoint site's permissions. And yes, it will. The Owner will have Site Collection Administrator access.
When it comes to looking at group-connected SharePoint sites, the associated Office 365 Group technically has two separate domain-like security groups (one for Group Owners, one for Group Members) and these domain-like groups are added into the site's Site Collection Administrators and Site Members (SharePoint Group) respectively.
kevinmckeown8 So the question now: if I want to prevent the Office 365 owners from having full control on the SP site, then is there any harm if I remove the "GroupName Owner" from the SP site collection section?
john john The third part of your scenario is a little confusing based on what I have described and seen in my tenant. It is strange that when you reassigned Member, then Owner, the user still only had read-only permissions. I would expect them to have Site Collection Admin permissions in this scenario.
I checked this after 10 minutes and the user has full control on the SP site... so your point is valid, but it needs some time to sync to SP...
- kevinmckeown8, Jun 20, 2019, Iron Contributor
In regards to your question: "is there any harm if i remove the "GroupName Owner" from the SP site collection section ?"
As long as you understand the implications to your site and user permissions, I think it is up to you how much extra administrative overhead you want to put on yourself or your admins. Anytime you start modifying out-of-the-box functionality, you are potentially creating a lot of extra work for yourself.
Some questions to maybe ask yourself:
If you do this for one Team/Office 365 Group are you going to do it for all of them to maintain consistency?
Would you be giving the Office 365 Owners a different level of access to the site?
Do you currently limit who is allowed to create Teams/Office 365 Groups? If it is not limited, how much harder will this custom permission setup be to maintain if users are allowed to create their own Teams/Office 365 Groups?
I think moving the "GroupName Members" users from SP Members to SP Visitors has more implications and may create more issues than removing Owners from the site collection admins. By giving team members read-only access instead of Edit, then who from the team is left to actually contribute content to the site or the team?
By changing the out-of-the-box security integration between an Office 365 Group and its SharePoint site for its Members, you could also be affecting how certain interactions work within Teams/Planner/OneNote/Outlook. In my opinion, there is at least some risk in causing weird issues.
- Jun 20, 2019
I might be unclear, but that’s exactly what I mean as well! Although I thought he was talking about adding people to the owner group in SharePoint (SharePoint group), as I also said the domain-like owners group isn’t reflected in the SharePoint owners group, but it can be used if wanted by manually adding people there! That’s where I was mistaken, because I thought it was this group that the question was about! Although as I said, your explanation was great and answered the question about the owners (domain-like sec) group in the Office 365 group!
I hope I made it clearer :)
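Added example (not written by any participant in the thread): a PowerShell check for whether a group-connected site still has the default binding discussed above, with the group's Owners claim in Site Collection Administrators and its Members claim in the site's Members group. The function name `Test-GroupSiteBinding` is hypothetical, the sample data is constructed, and the claim login-name format (`c:0o.c|federateddirectoryclaimprovider|<GroupId>` with an `_o` suffix for Owners) is an assumption to confirm in your own tenant.

```powershell
function Test-GroupSiteBinding {
    param(
        [Parameter(Mandatory)] [guid]     $GroupId,     # object ID of the Office 365 Group
        [Parameter(Mandatory)] [object[]] $SiteUsers,   # objects shaped like Get-SPOUser output
        [string] $MembersGroupSuffix = 'Members'        # default Edit group is "<Site Name> Members"
    )
    # Assumed login names of the two "domain-type" groups described in the thread.
    $prefix       = 'c:0o.c|federateddirectoryclaimprovider|'
    $ownersLogin  = "$prefix${GroupId}_o"
    $membersLogin = "$prefix$GroupId"

    $owners       = @($SiteUsers | Where-Object { $_.LoginName -eq $ownersLogin })
    $members      = @($SiteUsers | Where-Object { $_.LoginName -eq $membersLogin })
    $memberGroups = @($members | ForEach-Object { $_.Groups })

    [pscustomobject]@{
        # False means Group Owners no longer get Site Collection Administrator rights.
        OwnersClaimIsSiteAdmin = [bool]($owners | Where-Object { $_.IsSiteAdmin })
        # SharePoint groups the Members claim sits in (e.g. moved to Visitors).
        MembersClaimGroups     = $memberGroups
        MembersClaimCanEdit    = [bool]($memberGroups -like "*$MembersGroupSuffix")
        # Site collection admins that do not come from the Office 365 Group.
        OtherSiteAdmins        = @($SiteUsers |
            Where-Object { $_.IsSiteAdmin -and $_.LoginName -ne $ownersLogin } |
            ForEach-Object { $_.LoginName })
    }
}

# Constructed sample: Owners claim left in place, Members claim moved to Visitors,
# plus one directly added admin account. GUID and account names are made up.
$gid = [guid]'11111111-2222-3333-4444-555555555555'
$sample = @(
    [pscustomobject]@{ LoginName = "c:0o.c|federateddirectoryclaimprovider|${gid}_o"
                       IsSiteAdmin = $true;  Groups = @() }
    [pscustomobject]@{ LoginName = "c:0o.c|federateddirectoryclaimprovider|$gid"
                       IsSiteAdmin = $false; Groups = @('Kevin Test Team Visitors') }
    [pscustomobject]@{ LoginName = 'i:0#.f|membership|admin@contoso.example'
                       IsSiteAdmin = $true;  Groups = @() }
)
Test-GroupSiteBinding -GroupId $gid -SiteUsers $sample

# Live use from the SharePoint Online Management Shell, after Connect-SPOService:
#   $site = Get-SPOSite -Identity $url
#   Test-GroupSiteBinding -GroupId $site.GroupId -SiteUsers (Get-SPOUser -Site $url -Limit All)
```

Because membership changes can take several minutes to reach SharePoint, as noted in the thread, re-run the check after a delay before treating a mismatch as drift.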