Forum Discussion
Solved
Permission inheritance
I am confused on how permission inheritance works in the modern experience. I have created a couple of sites that will make up our intranet (will be adding more in the future). Do I need to go to eac...
- Site Collections are a permissions boundary. This means that they do not share the same permissions and/or membership. You must add members to each site individually.
You can use a solution such as Azure Access Packages to automatically provision users into multiple locations or Azure AD Dynamic security groups (these cannot be nested into Microsoft 365 Groups, though). Access Packages require Azure AD P2 licensing for all users.
Lastly, you can set your M365 Group for Teams/Team sites to dynamic and create rules for them but you'd need to do this with each Group.
Dynamic groups require Azure AD P1 licensing for all users.
Site Collections are a permissions boundary. This means that they do not share the same permissions and/or membership. You must add members to each site individually.
You can use a solution such as Azure Access Packages to automatically provision users into multiple locations or Azure AD Dynamic security groups (these cannot be nested into Microsoft 365 Groups, though). Access Packages require Azure AD P2 licensing for all users.
Lastly, you can set your M365 Group for Teams/Team sites to dynamic and create rules for them but you'd need to do this with each Group.
Dynamic groups require Azure AD P1 licensing for all users.
You can use a solution such as Azure Access Packages to automatically provision users into multiple locations or Azure AD Dynamic security groups (these cannot be nested into Microsoft 365 Groups, though). Access Packages require Azure AD P2 licensing for all users.
Lastly, you can set your M365 Group for Teams/Team sites to dynamic and create rules for them but you'd need to do this with each Group.
Dynamic groups require Azure AD P1 licensing for all users.
Thanks Trevor! What about hubs and associated sites? Do permissions get inherited there?
Cal
- By default, no. You can synchronize _Visitor_ permissions between the hub and spoke sites, though.
https://support.microsoft.com/en-us/office/associate-a-sharepoint-site-with-a-hub-site-ae0009fd-af04-4d3d-917d-88edb43efc05?ui=en-US&rs=en-US&ad=US
Note that the article is incorrect at this time. Pushing down Visitor permissions is under gear icon -> Site Permissions -> Hub (tab).