Does granting a user Owner role on Office 365 group have any impact on sharepoint site's permission

Steel Contributor

I have created a new MS Teams team using the Office 365 admin center site, which created the following:

1. a SharePoint modern site.

2. an Office 365 group; the Office 365 group is added to the SharePoint Members group.

 

But my question is, will granting a user the Owner role instead of Member inside MS Teams / the Office 365 group grant the user additional permission on the SharePoint site's lists and libraries? Today I got a weird scenario, as follows:

 

1. Inside my SharePoint site, I moved the Office 365 group to be inside the SharePoint Visitors group instead of the SharePoint Members group, so members and owners inside the Office 365 group will only have Read permission on the SharePoint site.

2. Then I assigned the user the Owner role in Office 365, where this user got Full Control permission on SharePoint!!

3. Now I re-assigned the user the Member role inside Office 365, and then re-assigned him Owner again >> after that I checked his permission on the SharePoint site, where I got that the user only has Read, which sounds more realistic.

But my question is: can granting a user the Owner role instead of the Member role inside the Office 365 group by any chance grant the user additional permission on the SharePoint site's lists/libraries, such as the Documents library and the Pages library?

14 Replies
You might break inherited permissions on folders and give Read to members, for example!

 


@adam deltinger wrote:
You might break inherited permissions on folders and give Read to members, for example!

@adam deltinger  but how does this answer my question "Does granting a user Owner role on Office 365 group have any impact on sharepoint site's permission"?

@john john The Office 365 Group has two behind the scenes domain-type security groups attached to it. One called "GroupName Owners" and one called "GroupName Members". These two groups are used to grant the O365 Group's Owners and Members permissions to the SharePoint site. 

 

Take a look in the Site Collection Administrators on your associated site, you should see a "GroupName Owners" domain-type group there, which is what gives Office 365 Group Owners permissions to the SharePoint site.

 

Then in the "Site Name Members" SharePoint Security group on your site, the default SP group that grants Edit access, you will see the "GroupName Members" domain-type group, which is what gives Office 365 Group Members their Edit permissions to the site. (I believe this is the one you moved to your site's Visitor SP Security group).

 

I would like to note that if you are in an old SharePoint site that was converted, or this Office 365 Group was created a while ago, then these two domain-type groups that I am referring to still exist and somehow separate Group Owners vs Members, but their display names are exactly the same without "Owners or Members" appended to the end. 

 

To answer your original question, yes, granting a user the Owner role in an Office 365 Group will grant them Site Collection Administrator rights to the associated SharePoint site. 

 

Have you ever used a Global Admin to go to a Group-connected SharePoint site and been told that you don't have access? I have. For some reason Group-connected sites do not include the Company Administrator or  SharePoint Service Administrator roles by default in Site Collection Admins like old sites used to, so your Global Admins/SharePoint Service Admins by default do not have access to group-connected sites. One way around this is to add your admin accounts as Owners in the Office 365 Group.

 

In my example here, I have an Office 365 Group called "Kevin Test Team". You can see in SharePoint there are two domain-like groups which are associated to this Office 365 Group:

Kevin Test Team Owners -- relates to users I add to the Owners in the Office 365 Group

Kevin Test Team Members -- relates to users I add to the Members in the Office 365 Group

[Attached screenshot: Capture.PNG]

Thanks for a great explanation Kevin! So, to build on that: yes, you can use the Owners group in that SharePoint site to add people there as well, to change permissions for those. But as Kevin said, the group owners aren't by default reflected in that Owners group.

I believe the initial question is about whether adding people to an Office 365 Group's set of Owners (but not its Members) will affect the associated SharePoint site's permissions. And yes, it will. The Owner will have Site Collection Administrator access.

 

When it comes to looking at group-connected SharePoint sites, the associated Office 365 Group technically has two separate domain-like security groups (one for Group Owners one for Group Members) and these domain-like groups are added into the site's Site Collection Administrators and Site Members (SharePoint Group) respectively.

 

@john john The third part of your scenario is a little confusing based on what I have described and seen in my tenant. It is strange that when you reassigned Member, then Owner, the user still only had read-only permissions. I would expect them to have Site Collection Admin permissions in this scenario. 

 

Did you happen to remove the Office 365 Group's domain-like group from the Site Collection Admins when you were switching things around? Or is it possible that the new permissions for your user had not propagated yet and it was maybe having read-only permissions due to cache? Sometimes I have to logout of Office 365 and back in for SharePoint Online permissions to take.

 

 

 

I might have been unclear, but that's exactly what I mean as well! Although I thought he was talking about adding people to the Owners group in SharePoint (the SharePoint group). As I also said, the domain-like Owners group isn't reflected in the SharePoint Owners group, but it can be used if wanted by manually adding people there! That's where I was mistaken, because I thought it was this group that the question was about! Although, as I said, your explanation was great and answered the question about the Owners (domain-like security) group in the Office 365 group!
I hope I made it clearer :)
Yeah, these guys got it right.

The TL;DR simple version =)
All 3 scenarios are because Office 365 Group owners = Site Collection Admins = trump all permissions on that site and its subsites.

Scenario 3 is due to lag time of the user not being added as site collection admin. After a while they will have full access again.

@Kevin McKeown  first of all thanks for the great reply, here are my comments

 


@Kevin McKeown wrote:

@john john The Office 365 Group has two behind the scenes domain-type security groups attached to it. One called "GroupName Owners" and one called "GroupName Members". These two groups are used to grant the O365 Group's Owners and Members permissions to the SharePoint site. 


I already know that the Office 365 Members group exists, since when we create a new Office 365 group and access its SharePoint site we can see that the SharePoint Members group explicitly contains the Office 365 Members group (and this group I have moved to be inside the SP Visitors group). But there is not any explicit Office 365 Owners group, and most importantly, if it is there, why is this Office 365 Owners group not added to the SharePoint Owners group, similar to how the SP Members group contains an Office 365 Members group? Did you get my point? This is really confusing by Microsoft. Any explanation?


Take a look in the Site Collection Administrators on your associated site, you should see a "GroupName Owners" domain-type group there, which is what gives Office 365 Group Owners permissions to the SharePoint site.

 

To be honest I thought this was the SharePoint Owners group. There is no indication that this is the Office 365 Owners group!!

 


Then in the "Site Name Members" SharePoint Security group on your site, the default SP group that grants Edit access, you will see the "GroupName Members" domain-type group, which is what gives Office 365 Group Members their Edit permissions to the site. (I believe this is the one you moved to your site's Visitor SP Security group).

100% correct. This is what I did.

 


I would like to note that if you are in an old SharePoint site that was converted, or this Office 365 Group was created a while ago, then these two domain-type groups that I am referring to still exist and somehow separate Group Owners vs Members, but their display names are exactly the same without "Owners or Members" appended to the end. 

 

Now, this is a new MS Teams team I created 2 days ago.

 


Have you ever used a Global Admin to go to a Group-connected SharePoint site and been told that you don't have access? I have. For some reason Group-connected sites do not include the Company Administrator or  SharePoint Service Administrator roles by default in Site Collection Admins like old sites used to, so your Global Admins/SharePoint Service Admins by default do not have access to group-connected sites. One way around this is to add your admin accounts as Owners in the Office 365 Group.

 

Yes, I always face this, and from the SharePoint Online admin center site I modify the site's site collection admins (the owner).

 


@Chris Webb wrote:
Yeah, these guys got it right.

The TL:DR simple version =)
All 3 scenarios are because Office 365 Group owners = Site Collection Admins = Trump all permissions on that site and it's subsites.

Scenario 3 is due to lag time of the user not being added as site collection admin. After awhile they will have full access agian.

@Chris Webb  so the important question now: can we prevent a user who is defined as Owner inside the Office 365 group, or hence inside MS Teams, from being a site collection admin? Is there any harm if I modify the SharePoint site's site collection admins and remove the "GroupName Owner" group from it?

 


@Kevin McKeown wrote:

I believe the initial question is about whether adding people to an Office 365 Group's set of Owners (but not its Members) will affect the associated SharePoint site's permissions. And yes, it will. The Owner will have Site Collection Administrator access.

 

When it comes to looking at group-connected SharePoint sites, the associated Office 365 Group technically has two separate domain-like security groups (one for Group Owners one for Group Members) and these domain-like groups are added into the site's Site Collection Administrators and Site Members (SharePoint Group) respectively.


@Kevin McKeown  so the question now: if I want to prevent the Office 365 owners from having Full Control on the SP site, is there any harm if I remove the "GroupName Owner" group from the SP site collection admins section?

 


 

@john john The third part of your scenario is a little confusing based on what I have described and seen in my tenant. It is strange that when you reassigned Member, then Owner, the user still only had read-only permissions. I would expect them to have Site Collection Admin permissions in this scenario. 

 


I checked this after 10 minutes and the user has Full Control on the SP site... so your point is valid, but it needs some time to sync to SP...

In regards to your question: "is there any harm if i remove the "GroupName Owner" from the SP site collection section ?"

 

As long as you understand the implications to your site and user permissions, I think it is up to you how much extra administrative overhead you want to put on yourself or your admins. Anytime you start modifying out-of-the-box functionality, you are potentially creating a lot of extra work for yourself. 

 

Some questions to maybe ask yourself:

If you do this for one Team/Office 365 Group are you going to do it for all of them to maintain consistency?

 

Would you be giving the Office 365 Owners a different level of access to the site?

 

Do you currently limit who is allowed to create Teams/Office 365 Groups? If it is not limited, how much harder will this custom permission setup be to maintain if users are allowed to create their own Teams/Office 365 Groups?

 

I think moving the "GroupName Members" users from SP Members to SP Visitors has more implications and may create more issues than removing Owners from the site collection admins. By giving team members read-only access instead of Edit, then who from the team is left to actually contribute content to the site or the team?

 

By changing the out-of-the-box security integration between an Office 365 Group and its SharePoint site for its Members, you could also be affecting how certain interactions work within Teams/Planner/OneNote/Outlook. In my opinion, there is at least some risk in causing weird issues.

 

 

 

 

 


@Kevin McKeown wrote:

In regards to your question: "is there any harm if i remove the "GroupName Owner" from the SP site collection section ?"

 

As long as you understand the implications to your site and user permissions, I think it is up to you how much extra administrative overhead you want to put on yourself or your admins. Anytime you start modifying out-of-the-box functionality, you are potentially creating a lot of extra work for yourself. 

 

Some questions to maybe ask yourself:

If you do this for one Team/Office 365 Group are you going to do it for all of them to maintain consistency?

 

Would you be giving the Office 365 Owners a different level of access to the site?

 

Do you currently limit who is allowed to create Teams/Office 365 Groups? If it is not limited, how much harder will this custom permission setup be to maintain if users are allowed to create their own Teams/Office 365 Groups?

 

I think moving the "GroupName Members" users from SP Members to SP Visitors has more implications and may create more issues than removing Owners from the site collection admins. By giving team members read-only access instead of Edit, then who from the team is left to actually contribute content to the site or the team?

 

By changing the out-of-the-box security integration between an Office 365 Group and its SharePoint site for its Members, you could also be affecting how certain interactions work within Teams/Planner/OneNote/Outlook. In my opinion, there is at least some risk in causing weird issues.

 

 

 

 


@Kevin McKeown  My question was a technical question rather than being based on a real scenario... I agree with your point... but is there not any technical issue with moving the Office 365 Members group from the SP Members group to the Visitors group? Also, is there not any technical issue with removing the Office 365 Owners group from the SP site collection admins section?

Second point: now I removed the "GroupName Owner" group from the Site Collection Admins section, but still the Office 365 users who have the Owner role have Full Control on the SP site. So it seems this will be the case even if we remove the "GroupName Owner" group from the Site Collection Admins section???

Third point: did you have the chance to read my above reply to your first reply? Thanks

@john john 

I think the "technical" issues you may encounter would be due to you changing permissions for people as you move these groups around within your SharePoint security groups. 

 

OneNote, Planner, Teams(Files Tab content), all store artifacts within your SharePoint team site, so if you start changing permissions for your Office 365 Group members by moving around the associated domain-like groups in the SharePoint site, you could technically affect what Teams Members/Planner Members/etc. are able to do. 

 

I tested removing the "GroupName Owners" group from Site Collection Admins on a site of mine and I saw that a user in the Office 365 Group Owners role no longer had Site Collection Admin permissions, but they did somehow still have Full Control permissions to the site. I'm guessing that the Group Owners role must have Full Control applied to it somehow still, but it isn't showing through the UI. We might be able to surface more of what is going on by using PowerShell to pull up information about the Office 365 Group and Site, but I wasn't aware this would happen. 

 

@Kevin McKeown ,
The group-owner group is not only added to the SCA list. That group is also added to the SharePoint permission group [Site]-owners. It seems to be hidden from the GUI. But it's still there. That's why the owners still have full-control. See also: https://www.netwoven.com/2020/03/24/permissions-in-office-365-group-connected-modern-team-site/
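Kevin's first answer describes where the two domain-type groups land (Site Collection Administrators and the site's Members group), his later post suggests PowerShell to surface what the UI hides, and the last reply says the owners group also sits in the site's Owners group without showing in the GUI. The script below is an added example, written by the editor and not posted by anyone in this thread or taken from Microsoft documentation; it audits those three places with the SharePoint Online Management Shell (Connect-SPOService, Get-SPOUser, Get-SPOSiteGroup). The admin URL and site URL are placeholders to replace. The way it labels Office 365 group claims (a `federateddirectoryclaimprovider` login name, with a trailing `_o` for the owners half) is an assumption, so every raw LoginName is printed next to the label so it can be checked against what your tenant actually shows.

```powershell
# Added example: audit how an Office 365 Group is wired into its SharePoint site.
# Requires the SharePoint Online Management Shell (Microsoft.Online.SharePoint.PowerShell).
# Both URLs are placeholders (assumptions); replace them with your own.
$AdminUrl = "https://contoso-admin.sharepoint.com"
$SiteUrl  = "https://contoso.sharepoint.com/sites/KevinTestTeam"

Connect-SPOService -Url $AdminUrl

# Assumption: Office 365 Group principals appear as claims with this prefix,
# owners half ending in "_o", members half without a suffix.
function Get-PrincipalKind {
    param([string]$LoginName)
    switch -Regex ($LoginName) {
        'federateddirectoryclaimprovider\|[^|]+_o$' { 'O365 group OWNERS (domain-type group)'; break }
        'federateddirectoryclaimprovider\|[^|]+$'   { 'O365 group MEMBERS (domain-type group)'; break }
        default                                     { 'user or other principal' }
    }
}

# 1. Site Collection Administrators. The thread says "GroupName Owners" lands here,
#    and that Global Admins are NOT added here by default on group-connected sites.
Write-Host "== Site Collection Administrators on $SiteUrl =="
Get-SPOUser -Site $SiteUrl -Limit All |
    Where-Object { $_.IsSiteAdmin } |
    ForEach-Object {
        Write-Host ("  {0}  [{1}]  <- {2}" -f $_.DisplayName, $_.LoginName, (Get-PrincipalKind $_.LoginName))
    }

# 2. Every SharePoint security group on the site and what sits inside it.
#    Out of the box "GroupName Members" sits in "<Site> Members" (Edit); the original
#    poster moved it to "<Site> Visitors" (Read). If the owners group is really hidden
#    in "<Site> Owners", it shows up in that group's Users list here.
Write-Host "== SharePoint groups and their principals =="
foreach ($spGroup in Get-SPOSiteGroup -Site $SiteUrl) {
    Write-Host ("{0}  [roles: {1}]" -f $spGroup.Title, ($spGroup.Roles -join ", "))
    foreach ($login in $spGroup.Users) {
        Write-Host ("    {0}  <- {1}" -f $login, (Get-PrincipalKind $login))
    }
}

# 3. Write operation, left commented out on purpose: if the owners group was removed
#    from Site Collection Administrators during testing, this is how it is put back.
#    $ownersClaim would be the LoginName printed in step 2 for the OWNERS group.
# Set-SPOUser -Site $SiteUrl -LoginName $ownersClaim -IsSiteCollectionAdmin $true
```

Run it once before changing anything and once after, and diff the two outputs: that separates a real permission change from the propagation lag Chris and Kevin describe, and shows whether Full Control survives through the hidden Owners group membership even after the site collection admin entry is gone.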