roddenshaw
Copper Contributor
Jul 23, 2019

Restricting some users from accessing 'public' SharePoint sites

My company is in the middle of migrating from Dropbox to SharePoint, with most new SharePoint sites having a corresponding Team for the sake of collaboration. We have made most of our teams 'public' so that our employees can easily access them; however, a number of contractors have O365 accounts on our domain, and we would like to restrict them from accessing the SharePoint sites connected to the public Teams. Does anybody know of a way of restricting a specific group of users from accessing a 'public' SharePoint site?

  • Hi roddenshaw,

    With no deny access option in SharePoint, I would agree with ChrisWebbTech's recommendation to use or create an all employees security group that does not include the contractors.

    I hope this helps.

    Norm

    • kevinmckeown8
      Steel Contributor

      Norman Young ChrisWebbTech We are talking about Public Office 365 Groups/Teams here, right? Which means anyone, including the contractors who are Office 365 licensed, will be able to join the group anytime they want. How does using a security group in the connected SharePoint site help you keep these users from joining the Office 365 Group/Team itself (which in turn will give them access to the connected site)? Just using a new All Users (minus contractors) security group doesn't seem like it would solve the entire issue described here. I think you would at the very least need to remove the Office 365 Group's associated domain group from the connected site and then replace it with your suggested All Users (except contractors) security group. But if you did that, it essentially makes adding people to the Office 365 Group irrelevant, since you would now be controlling access through your SharePoint site the old-fashioned way with the security group instead of through the Office 365 Group.

  • You can still use security groups in SharePoint, so I would suggest, if you don't have an "All Employees" Distro list, you can usually convert that to a security group in addition to it being a dist list. Then you can just utilize this security group for your access instead of using the Everyone Except External option.

    Or if you can't get the Distro list figured out, just create a universal security group called All Employees and use that once it syncs up.

  • kevinmckeown8
    Steel Contributor

    How many Teams/Sites are you dealing with? Depending on the number, you might be better off making all of the Teams Private and then just adding everyone except contractors to all of the Teams.

    When you set a team as Public, I think it is technically giving the "Everyone except external users" access to the associated SharePoint site. I don't think it shows up in Site Permissions either and would have to be managed via PowerShell. Even if you did remove this from site permissions, then you would still have to specify SharePoint site permissions the old-fashioned way, which could break connected functionality in Teams.

    Teams and its associated SharePoint site permissions are closely integrated. Once you start messing with permissions directly in the site, you can create a lot of unnecessary overhead for yourself as an admin.

    In my opinion, for your situation, I would set the Teams to be private and add everyone as Members except for the contractors. If you have tons of users and teams, then I would look into using PowerShell to add the members to the teams.

    • roddenshaw
      Copper Contributor

      kevinmckeown8 we have 340 teams. Unfortunately searching for 'private' teams doesn't work in our environment (apparently it's being worked on), so if I make the teams private it will make discovery effectively impossible, and I don't want to add every employee to 340 teams. Thanks for the replies.
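
The approach kevinmckeown8 suggests above (make each Team private, then add everyone except contractors with PowerShell), as an added example that does not come from any poster in the thread. It assumes the MicrosoftTeams and AzureAD PowerShell modules are installed and that a security group excluding contractors exists; the group name 'All Employees' is an assumption.

```powershell
# Added example, not from the thread. Assumes the MicrosoftTeams and AzureAD modules
# and a security group (name is hypothetical) that contains employees but no contractors.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$EmployeeGroupName = 'All Employees'   # assumed group name
)

Connect-MicrosoftTeams | Out-Null
Connect-AzureAD | Out-Null

# Resolve the employee group and fail closed if it is missing or ambiguous.
$group = @(Get-AzureADGroup -Filter "DisplayName eq '$EmployeeGroupName'")
if ($group.Count -ne 1) {
    throw "Expected exactly one group named '$EmployeeGroupName', found $($group.Count)."
}

# Direct user members only; nested groups are not expanded by this cmdlet.
$employees = @(Get-AzureADGroupMember -ObjectId $group[0].ObjectId -All $true |
    Where-Object { $_.ObjectType -eq 'User' } |
    ForEach-Object { $_.UserPrincipalName })
if ($employees.Count -eq 0) { throw "Group '$EmployeeGroupName' has no user members." }

foreach ($team in Get-Team -Visibility Public) {
    $current = @(Get-TeamUser -GroupId $team.GroupId)

    # Report accounts already in the team that are not employees (contractors, guests).
    # They are only reported here; removing them is left as a manual decision.
    foreach ($u in $current | Where-Object { $_.User -notin $employees }) {
        Write-Warning "$($team.DisplayName): $($u.User) ($($u.Role)) is not in '$EmployeeGroupName'"
    }

    # Employees who would lose access once the team stops being public.
    $missing = @($employees | Where-Object { $_ -notin $current.User })

    if ($PSCmdlet.ShouldProcess($team.DisplayName, "Set Private and add $($missing.Count) employees")) {
        Set-Team -GroupId $team.GroupId -Visibility Private | Out-Null
        foreach ($upn in $missing) {
            Add-TeamUser -GroupId $team.GroupId -User $upn -Role Member
        }
    }
}
```

Running it with `-WhatIf` first prints the non-employee warnings and the planned changes per team without modifying anything.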