Forum Discussion
Restricting some users from accessing 'public' SharePoint sites
Hi roddenshaw,
With no deny access option in SharePoint, I would agree with ChrisWebbTech's recommendation to use or create an all employees security group that does not include the contractors.
I hope this helps.
Norm
- kevinmckeown8, Jul 24, 2019, Iron Contributor
Norman Young ChrisWebbTech We are talking about Public Office 365 Groups/Teams here, right? Which means anyone, including the contractors who are Office 365 licensed, will be able to join the group anytime they want. How does using a security group in the connected SharePoint site help you keep these users from joining the Office 365 Group/Team itself (which in turn will give them access to the connected site)? Just using a new All Users (minus contractors) security group doesn't seem like it would solve the entire issue described here. I think you would at the very least need to remove the Office 365 Group's associated domain group from the connected site and then replace it with your suggested All Users (except contractors) security group. But if you did that, it essentially makes adding people to the Office 365 Group irrelevant, since you would now be controlling access through your SharePoint site the old-fashioned way with the security group instead of through the Office 365 Group.
- Norman Young, Jul 24, 2019, MVP
kevinmckeown8 changing the Group's privacy settings to "Private" would also be required.
I hope this helps.
Norm
- kevinmckeown8, Jul 24, 2019, Iron Contributor
Norman Young I'm not sure your point helps, as he has already stated that he doesn't want to set the groups to Private, and if you are suggesting that setting groups to Private in addition to Chris Webb's security group suggestion would be helpful, then I don't think you fully understand how Office 365 Groups, Microsoft Teams, and their connected SharePoint site are actually working together from a security standpoint. I was trying to get elaboration on Chris's point as I think it is incomplete. Your post does not help to elaborate.
Also, I already mentioned changing the group to Private in my first post. The point of the original request is that Groups/Teams need to be available for users (except contractors) to join and just setting them to Private doesn't solve the issue described. And setting the group to Private in addition to Chris Webb's suggestion really really really doesn't solve the problem.
Personally, I'm not seeing another good option here except for my first suggestion of setting all relevant Groups to Private, then using a PowerShell script to add all users (except contractors) to each Group. An update to Microsoft Teams is supposed to be coming out that will allow Private Teams to be viewable and let users request to join the team.
Unfortunately, the integration between Office 365 Groups, Teams, SharePoint, Planner, etc. makes security scenarios like this very difficult, if not impossible, to manage.
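
The approach from the last reply (set each group to Private, then bulk-add everyone except contractors), sketched as an added example that is not part of any post in this thread. It assumes the script is saved to a file and run in a connected Exchange Online PowerShell session, and that contractors are members of a mail-enabled security group; the names `Contractors` and `Project-Alpha` are hypothetical.

```powershell
# Added example, not from the thread. Run after Connect-ExchangeOnline.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]   $ContractorGroup = 'Contractors',      # hypothetical mail-enabled security group
    [string[]] $TargetGroups    = @('Project-Alpha')  # hypothetical Office 365 Group aliases
)

# Lookup table of contractor addresses, used both to exclude and to audit.
$contractors = @{}
Get-DistributionGroupMember -Identity $ContractorGroup -ResultSize Unlimited |
    ForEach-Object { $contractors[$_.PrimarySmtpAddress.ToString().ToLower()] = $true }

# Every user mailbox that is not in the contractor group.
$employees = @(Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    ForEach-Object { $_.PrimarySmtpAddress.ToString().ToLower() } |
    Where-Object { -not $contractors.ContainsKey($_) })

foreach ($name in $TargetGroups) {
    $group = Get-UnifiedGroup -Identity $name

    # Close self-service joining before touching membership.
    if ($group.AccessType -ne 'Private' -and
        $PSCmdlet.ShouldProcess($name, 'Set AccessType to Private')) {
        Set-UnifiedGroup -Identity $group.Identity -AccessType Private
    }

    $current = @(Get-UnifiedGroupLinks -Identity $group.Identity -LinkType Members -ResultSize Unlimited |
        ForEach-Object { $_.PrimarySmtpAddress.ToString().ToLower() })

    # Contractors who joined while the group was Public keep their access after
    # the switch to Private, so report them for review instead of ignoring them.
    $current | Where-Object { $contractors.ContainsKey($_) } |
        ForEach-Object { Write-Warning "$name already has contractor member: $_" }

    # Add only the employees who are not members yet.
    $toAdd = @($employees | Where-Object { $current -notcontains $_ })
    if ($toAdd.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($name, "Add $($toAdd.Count) members")) {
        Add-UnifiedGroupLinks -Identity $group.Identity -LinkType Members -Links $toAdd
    }
}
```

Running it with `-WhatIf` lists the privacy changes and additions without applying them. New hires are not picked up automatically, so the script has to be re-run on a schedule.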