Forum Discussion
Does granting a user the Owner role on an Office 365 group have any impact on the SharePoint site's permissions?
I believe the initial question is about whether adding people to an Office 365 Group's set of Owners (but not its Members) will affect the associated SharePoint site's permissions. And yes, it will. The Owner will have Site Collection Administrator access.
When it comes to looking at group-connected SharePoint sites, the associated Office 365 Group technically has two separate domain-like security groups (one for Group Owners, one for Group Members) and these domain-like groups are added into the site's Site Collection Administrators and Site Members (SharePoint Group) respectively.
john john The third part of your scenario is a little confusing based on what I have described and seen in my tenant. It is strange that when you reassigned Member, then Owner, the user still only had read-only permissions. I would expect them to have Site Collection Admin permissions in this scenario.
Did you happen to remove the Office 365 Group's domain-like group from the Site Collection Admins when you were switching things around? Or is it possible that the new permissions for your user had not propagated yet and it was maybe having read-only permissions due to cache? Sometimes I have to log out of Office 365 and back in for SharePoint Online permissions to take.
- john john, Jun 20, 2019, Iron Contributor
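To see where the two domain-like groups described above actually sit on a given site, the following audit is an added example and not part of the original thread. It assumes the PnP.PowerShell module, a placeholder site URL, and the commonly seen login-name format for the two groups (the `_o` suffix marking Owners), none of which appear in the posts.

```powershell
# Added example. Requires the PnP.PowerShell module; the URL below is a placeholder.
# Depending on the tenant, Connect-PnPOnline may also need -ClientId for an app registration.
$siteUrl = 'https://contoso.sharepoint.com/sites/ExampleTeam'
Connect-PnPOnline -Url $siteUrl -Interactive

# A group-connected site carries the id of its Office 365 Group.
$groupId = (Get-PnPSite -Includes GroupId).GroupId
if ($groupId -eq [guid]::Empty) { throw "$siteUrl is not connected to an Office 365 Group." }

# Assumption: login names of the two domain-like groups as commonly seen in SharePoint Online.
$claims = @{
    "c:0o.c|federateddirectoryclaimprovider|$groupId"     = 'Group Members'
    "c:0o.c|federateddirectoryclaimprovider|${groupId}_o" = 'Group Owners'
}

# Every place on the site where those groups can be granted access.
$locations = [ordered]@{
    'Site Collection Administrators'   = @(Get-PnPSiteCollectionAdmin)
    'Site Owners (SharePoint group)'   = @(Get-PnPGroupMember -Group (Get-PnPGroup -AssociatedOwnerGroup))
    'Site Members (SharePoint group)'  = @(Get-PnPGroupMember -Group (Get-PnPGroup -AssociatedMemberGroup))
    'Site Visitors (SharePoint group)' = @(Get-PnPGroupMember -Group (Get-PnPGroup -AssociatedVisitorGroup))
}

# Record each location in which one of the two group claims appears.
$found = foreach ($name in $locations.Keys) {
    foreach ($principal in $locations[$name]) {
        if ($principal.LoginName -and $claims.ContainsKey($principal.LoginName)) {
            [pscustomobject]@{
                Claim     = $claims[$principal.LoginName]
                Location  = $name
                LoginName = $principal.LoginName
            }
        }
    }
}
$found | Format-Table -AutoSize

# Default wiring as described in the thread: Owners -> Site Collection Admins, Members -> Site Members.
$expected = @(
    @{ Claim = 'Group Owners';  Location = 'Site Collection Administrators' }
    @{ Claim = 'Group Members'; Location = 'Site Members (SharePoint group)' }
)
foreach ($e in $expected) {
    $hit = $found | Where-Object { $_.Claim -eq $e.Claim -and $_.Location -eq $e.Location }
    if (-not $hit) { Write-Warning "$($e.Claim) is not in $($e.Location); this site differs from the default." }
}
```

Listing all four locations rather than only the expected two shows whether a group still holds access through another path after it has been removed from one of them.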
kevinmckeown8 wrote: I believe the initial question is about whether adding people to an Office 365 Group's set of Owners (but not its Members) will affect the associated SharePoint site's permissions. And yes, it will. The Owner will have Site Collection Administrator access.
When it comes to looking at group-connected SharePoint sites, the associated Office 365 Group technically has two separate domain-like security groups (one for Group Owners, one for Group Members) and these domain-like groups are added into the site's Site Collection Administrators and Site Members (SharePoint Group) respectively.
kevinmckeown8 So the question now: if I want to prevent the Office 365 owners from having full control on the SP site, is there any harm if I remove the "GroupName Owner" from the SP site collection section?
john john The third part of your scenario is a little confusing based on what I have described and seen in my tenant. It is strange that when you reassigned Member, then Owner, the user still only had read-only permissions. I would expect them to have Site Collection Admin permissions in this scenario.
I checked this after 10 minutes and the user has full control on the SP site... so your point is valid, but it needs some time to sync to SP...
- kevinmckeown8, Jun 20, 2019, Iron Contributor
In regards to your question: "is there any harm if i remove the "GroupName Owner" from the SP site collection section ?"
As long as you understand the implications to your site and user permissions, I think it is up to you how much extra administrative overhead you want to put on yourself or your admins. Anytime you start modifying out-of-the-box functionality, you are potentially creating a lot of extra work for yourself.
Some questions to maybe ask yourself:
If you do this for one Team/Office 365 Group are you going to do it for all of them to maintain consistency?
Would you be giving the Office 365 Owners a different level of access to the site?
Do you currently limit who is allowed to create Teams/Office 365 Groups? If it is not limited, how much harder will this custom permission setup be to maintain if users are allowed to create their own Teams/Office 365 Groups?
I think moving the "GroupName Members" users from SP Members to SP Visitors has more implications and may create more issues than removing Owners from the site collection admins. By giving team members read-only access instead of Edit, then who from the team is left to actually contribute content to the site or the team?
By changing the out-of-the-box security integration between an Office 365 Group and its SharePoint site for its Members, you could also be affecting how certain interactions work within Teams/Planner/OneNote/Outlook. In my opinion, there is at least some risk in causing weird issues.
- john john, Jun 20, 2019, Iron Contributor
kevinmckeown8 wrote: In regards to your question: "is there any harm if i remove the "GroupName Owner" from the SP site collection section ?"
As long as you understand the implications to your site and user permissions, I think it is up to you how much extra administrative overhead you want to put on yourself or your admins. Anytime you start modifying out-of-the-box functionality, you are potentially creating a lot of extra work for yourself.
Some questions to maybe ask yourself:
If you do this for one Team/Office 365 Group are you going to do it for all of them to maintain consistency?
Would you be giving the Office 365 Owners a different level of access to the site?
Do you currently limit who is allowed to create Teams/Office 365 Groups? If it is not limited, how much harder will this custom permission setup be to maintain if users are allowed to create their own Teams/Office 365 Groups?
I think moving the "GroupName Members" users from SP Members to SP Visitors has more implications and may create more issues than removing Owners from the site collection admins. By giving team members read-only access instead of Edit, then who from the team is left to actually contribute content to the site or the team?
By changing the out-of-the-box security integration between an Office 365 Group and its SharePoint site for its Members, you could also be affecting how certain interactions work within Teams/Planner/OneNote/Outlook. In my opinion, there is at least some risk in causing weird issues.
kevinmckeown8 My question was a technical question rather than being based on a real scenario... I agree with your point... but is there not any technical issue with moving the Office 365 member group from the SP member group to the visitor group? Also, is there not any technical issue with removing the Office 365 owner group from the SP Site collection section?
Second point: I have now removed the "Groupname owner" group from the Site Collection Admins section, but the Office 365 users who have the Owner role still have Full control on the SP site, so it seems this will be the case even if we remove the "Groupname owner" group from the Site Collection Admins section?
Third point: did you have the chance to read my reply above to your first reply? Thanks
- Jun 20, 2019
I might be unclear, but that's exactly what I mean as well! Although I thought he was talking about adding people to the owner group in SharePoint (SharePoint group), as I also said the domain-like owners group isn't reflected in the SharePoint owners group, but it can be used if wanted by manually adding people there! That's where I was mistaken, because I thought it was this group that the question was about! Although as I said, your explanation was great and answered the question about the owners (domain-like sec) group in the Office 365 group!
I hope I made it clearer :)