Forum Discussion
Restricting some users from accessing 'public' SharePoint sites
Norman Young ChrisWebbTech We are talking about Public Office 365 Groups/Teams here, right? Which means anyone, including the contractors who are Office 365 licensed, will be able to join the group anytime they want. How does using a security group in the connected SharePoint site help you keep these users from joining the Office 365 Group/Team itself (which in turn will give them access to the connected site)? Just using a new All Users (minus contractors) security group doesn't seem like it would solve the entire issue described here. I think you would at the very least need to remove the Office 365 Group's associated domain group from the connected site and then replace it with your suggested All Users (except contractors) security group. But if you did that, it essentially makes adding people to the Office 365 Group irrelevant, since you would now be controlling access through your SharePoint site the old-fashioned way with the security group instead of through the Office 365 Group.
kevinmckeown8 changing the Groups privacy settings to "Private" would also be required.
I hope this helps.
Norm
- kevinmckeown8, Jul 24, 2019, Iron Contributor
Norman Young I'm not sure your point helps, as he has already stated that he doesn't want to set the groups to Private, and if you are suggesting that setting groups to Private in addition to Chris Webb's security group suggestion would be helpful, then I don't think you fully understand how Office 365 Groups, Microsoft Teams, and their connected SharePoint site are actually working together from a security standpoint. I was trying to get elaboration of Chris's point as I think it is incomplete. Your post does not help to elaborate.
Also, I already mentioned changing the group to Private in my first post. The point of the original request is that Groups/Teams need to be available for users (except contractors) to join and just setting them to Private doesn't solve the issue described. And setting the group to Private in addition to Chris Webb's suggestion really really really doesn't solve the problem.
Personally, I'm not seeing another good option here except for my first suggestion of setting all relevant Groups to Private, then using a PowerShell script to add all users (except contractors) to each Group. An update to Microsoft Teams is supposed to be coming out that will allow Private Teams to be viewable and let users request to join the team.
Unfortunately, the integration between Office 365 Groups, Teams, SharePoint, Planner, etc. makes security scenarios like this very difficult, if not impossible, to manage.
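The approach described in the post above (set the relevant groups to Private, then add every user except contractors as a member), sketched as an added PowerShell example that is not part of the original thread. It assumes the ExchangeOnlineManagement module, that contractors are members of a mail-enabled security group named `Contractors` (hypothetical), and that the groups in scope are listed by alias (the aliases shown are constructed).

```powershell
# Added example, not from the thread. Uses the ExchangeOnlineManagement module.
# Assumptions (hypothetical names): contractors are members of a mail-enabled
# security group 'Contractors'; $GroupAliases holds the groups in scope.
param(
    [string[]]$GroupAliases = @('project-alpha', 'company-news'),  # constructed sample values
    [string]$ContractorGroup = 'Contractors',
    [switch]$Apply   # without -Apply, only report what would change
)
$ErrorActionPreference = 'Stop'
Connect-ExchangeOnline -ShowBanner:$false

# Exclusion set, case-insensitive on SMTP address.
$contractors = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
Get-DistributionGroupMember -Identity $ContractorGroup -ResultSize Unlimited |
    ForEach-Object { [void]$contractors.Add([string]$_.PrimarySmtpAddress) }

# Fail closed: an empty exclusion list would add contractors to every group.
if ($contractors.Count -eq 0) { throw "No members found in '$ContractorGroup'; refusing to continue." }

$eligible = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    ForEach-Object { [string]$_.PrimarySmtpAddress } |
    Where-Object { -not $contractors.Contains($_) }

foreach ($alias in $GroupAliases) {
    $group   = Get-UnifiedGroup -Identity $alias
    $members = @(Get-UnifiedGroupLinks -Identity $alias -LinkType Members -ResultSize Unlimited |
        ForEach-Object { [string]$_.PrimarySmtpAddress })

    # Contractors who joined while the group was Public keep access until removed.
    $members | Where-Object { $contractors.Contains($_) } |
        ForEach-Object { Write-Warning "${alias}: contractor already a member: $_" }

    $toAdd = @($eligible | Where-Object { $members -notcontains $_ })
    Write-Output "${alias}: AccessType=$($group.AccessType), members to add=$($toAdd.Count)"

    if ($Apply) {
        # Private stops self-service joins; membership is then managed by this script.
        Set-UnifiedGroup -Identity $alias -AccessType Private
        if ($toAdd.Count -gt 0) {
            Add-UnifiedGroupLinks -Identity $alias -LinkType Members -Links $toAdd
        }
    }
}
```

Run it without `-Apply` first to review the warnings about contractors who are already members, since switching a group to Private does not remove existing members.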
- Norman Young, Jul 24, 2019, MVP
kevinmckeown8 I was simply clarifying the point that Private groups would be required to limit the Group security. It was not my intention to elaborate on Chris' point.
Norm
- Jul 24, 2019
You are pretty much spot on with your assessment. Groups do hold back individual products other than SharePoint really since it has its own security model. My idea was geared towards SharePoint only and I read it as public to the org everyone settings. Didn’t put two and two together that you meant Microsoft Teams groups when I first read it.
I think you can still tweak SharePoint by removing the public group from the SharePoint group to not allow everyone into it but they will still be able to access the other group resources.