cbolwerk
Dec 14, 2020
Solved

Permission inheritance

I am confused about how permission inheritance works in the modern experience. I have created a couple of sites that will make up our intranet (will be adding more in the future). Do I need to go to each site and add users? From what I understand, the sites are no longer a part of the same site collection (each is its own collection), so there is no inheritance between sites. Is that true? I feel like I'm missing something because if you had a lot of sites, this could be a lot of work to add people as well as maintain all of that.

What I've started with is a site that will be the main page for the intranet. I then added 2 sites - HR and Operations. These are all communication sites.

Any help is greatly appreciated!!!!

Cal

  • Site Collections are a permissions boundary. This means that they do not share the same permissions and/or membership. You must add members to each site individually.

    You can use a solution such as Azure Access Packages to automatically provision users into multiple locations or Azure AD Dynamic security groups (these cannot be nested into Microsoft 365 Groups, though). Access Packages require Azure AD P2 licensing for all users.

    Lastly, you can set your M365 Group for Teams/Team sites to dynamic and create rules for them but you'd need to do this with each Group.

    Dynamic groups require Azure AD P1 licensing for all users.
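
An added example, not part of the original thread: one way to grant a single Azure AD security group read access on several separate site collections, so that membership is maintained in one place while each site still gets its own explicit grant. It assumes the PnP.PowerShell module, an app registration for interactive sign-in, and owner rights on every site; the URLs, client ID and group object ID are placeholders.

```powershell
# Added example (not from the thread). Requires the PnP.PowerShell module.
# All values below are placeholders; replace them with your own.
$siteUrls = @(
    'https://contoso.sharepoint.com/sites/intranet',
    'https://contoso.sharepoint.com/sites/hr',
    'https://contoso.sharepoint.com/sites/operations'
)
$clientId      = '<app-registration-client-id>'           # placeholder
$groupObjectId = '00000000-0000-0000-0000-000000000000'   # placeholder object ID

# Claims login name SharePoint Online uses for an Azure AD security group.
$groupLogin = "c:0t.c|tenant|$groupObjectId"

$results = foreach ($url in $siteUrls) {
    try {
        # Each site collection is its own permissions boundary, so connect to each one.
        Connect-PnPOnline -Url $url -Interactive -ClientId $clientId -ErrorAction Stop

        # Use the site's default Visitors group (read-only) to keep access least-privilege.
        $visitors = Get-PnPGroup -AssociatedVisitorGroup -ErrorAction Stop

        # Skip sites where the security group is already a member.
        $existing = Get-PnPGroupMember -Group $visitors |
            Where-Object { $_.LoginName -eq $groupLogin }

        if ($existing) {
            $status = 'AlreadyPresent'
        }
        else {
            Add-PnPGroupMember -LoginName $groupLogin -Group $visitors -ErrorAction Stop
            $status = 'Added'
        }
    }
    catch {
        # Record the failure and continue, so one inaccessible site does not hide the rest.
        $status = "Failed: $($_.Exception.Message)"
    }

    [pscustomobject]@{ Site = $url; Status = $status }
}

# Review the outcome per site; keep this output as a record of what was granted where.
$results | Format-Table -AutoSize
```
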

4 Replies

  • Anthony_Tudor
    Hi cbolwerk, you are correct: every new SharePoint site is a site collection in the modern experience, so sub-sites inheriting permissions is a thing of the past!

    If you look in the advanced permissions settings, from there you are able to leverage any existing Microsoft 365 or security groups into the SharePoint groups that are created when the site is provisioned (Owners, Members, Visitors).

    Here's some more information on sharing and permissions in the modern experience: https://docs.microsoft.com/en-us/sharepoint/modern-experience-sharing-permissions#hub-site-permissions

    As part of your wider intranet build, have you looked at SharePoint home sites and hubs? If not, I'd suggest taking a look as they may shape your thinking:

    Hub sites: https://docs.microsoft.com/en-us/sharepoint/planning-hub-sites

    Home sites: https://techcommunity.microsoft.com/t5/microsoft-sharepoint-blog/sharepoint-home-sites-a-landing-for-your-organization-on-the/ba-p/621933