SOLVED
Home

Permission relations between Teams and SharePoint Online

%3CLINGO-SUB%20id%3D%22lingo-sub-216972%22%20slang%3D%22en-US%22%3EPermission%20relations%20between%20Teams%20and%20SharePoint%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-216972%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20trying%20to%20understand%20how%20permissions%20in%20a%20team%20in%20Teams%20relates%20to%20permissions%20in%20the%20associated%20SPO%20site.%20I%20have%20a%20test%20team%2C%20%22Dream%20Team%22%2C%20and%20I%20can%20see%20that%20the%20group%20%22Dream%20Team%22%20is%20Site%20Collection%20Admin%2C%20which%20surprises%20me.%20Does%20this%20mean%20that%20all%20members%20and%20owners%20(and%20guests%3F)%20of%20a%20team%20automatically%20becomes%20Site%20Collections%20Admins%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnd%20is%20it%20ok%20to%20assign%20permissions%20to%20the%20SPO%20site%20directly%2C%20if%20I%20want%20to%20grant%20access%20to%20the%20SPO%20site%20but%20not%20the%20team%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20good%20documentation%20links%20for%20this%20subject%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-216972%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EMicrosoft%20Teams%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-217306%22%20slang%3D%22en-US%22%3ERe%3A%20Permission%20relations%20between%20Teams%20and%20SharePoint%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-217306%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20you%20for%20your%20answers.%20If%20you%2C%20or%20anybody%20else%2C%20knows%20about%20an%20article%20documenting%20the%20permissions%20relations%20between%20Teams%2C%20Groups%20and%20SPO%2C%20I%20would%20appreciate%20to%20hear%20about%20it.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-217049%22%20slang%3D%22en-US%22%3ERe%3A%20Permission%20relations%20between%20Teams%20and%20SharePoint%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-217049%22%20slang%3D%22en-US%22%3EOnly%20actually%20owners%20of%20the%20group%20get%20site%20collection%20admin%20permissions.%20You%20can%20tweak%20the%20members%20Sharepoint%20group%20to%20restrict%20things%20on%20the%20site%20and%20you%20can%20also%20add%20any%20unique%20permission%20to%20others%20not%20on%20the%20group%20that%20you%20want%20to%20the%20Sharepoint%20site%20without%20issue%20as%20well.%20So%20if%20you%20don%E2%80%99t%20want%20your%20members%20adding%20news%20or%20editing%20pages%20to%20your%20site%20for%20example%20you%20can%20do%20to%20your%20site%20pages%20library.%20Break%20inheritance%20and%20change%20the%20members%20Sharepoint%20group%20permission%20to%20read%20only.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-217019%22%20slang%3D%22en-US%22%3ERe%3A%20Permission%20relations%20between%20Teams%20and%20SharePoint%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-217019%22%20slang%3D%22en-US%22%3E%3CP%3EI%20can%20see%20where%20your%20confusion%20lies%20because%20in%20SharePoint%20the%20UPN%20which%20is%20created%20for%20the%20Group%20i.e.%20dreamteam%40yourtenancy.onmicrosoft.com%20is%20used%20for%20both%20Site%20Collection%20Administrators%20and%20for%20Members.%20This%20claim%20however%20does%20understand%20difference%20between%20the%20Ownership%20list%20on%20the%20O365%20Group%20(view%20this%20in%20Exchange%20Admin%20Centre)%20and%20the%20Membership%20list.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETo%20prove%20this%20you%20can%20use%20Check%20Permissions%2C%20so%20you%20can%20see%20what%20the%20permissions%20someone%20in%20the%20Owner%20role%20has%20compared%20to%20the%20Member%20role.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAn%20owner%20will%20have%20Full%20Control%2C%20whereas%20a%20Member%20will%20only%20have%20Edit.%20The%20confusing%20part%20comes%20from%20where%20SharePoint%20says%20you%20get%20the%20permissions%20from%20e.g.%20as%20a%20Team%20Owner%2C%20you%20will%20be%20told%20that%20you%20get%20Full%20Control%20from%20the%20%22Dream%20Team%20Owners%22%20group%2C%20when%20in%20truth%20you%20get%20it%20from%20the%20O365%20Group%20Ownership%20list.%20I%20suspect%20it%20is%20just%20a%20case%20that%20the%20Check%20Permissions%20dialogue%20hasn't%20been%20updated%20to%20understand%20what's%20going%20on%20in%20the%20background.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThat's%20really%20the%20only%20confusing%20part%2C%20everything%20else%20behaves%20like%20SharePoint%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-216986%22%20slang%3D%22en-US%22%3ERe%3A%20Permission%20relations%20between%20Teams%20and%20SharePoint%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-216986%22%20slang%3D%22en-US%22%3E%3CP%3EThen%20I%20don't%20understand%20why%20I%20see%20the%20group%20%22Dream%20Team%22%20added%20as%20Site%20Collection%20Admin%2C%20because%20I%20assume%20this%20group%20contains%20both%20Owners%20and%20Members.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnd%20what%20about%20Guests%3F%20They%20are%20also%20members%20of%20the%20Dream%20Team%20groups%2C%20right%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20I%20look%20at%20the%20Owner%2C%20Members%20and%20Visitors%20groups%20in%20SPO%2C%20both%20Owners%20and%20Visitors%20are%20empty%2C%20and%20the%20Dream%20Team%20group%20is%20added%20to%20the%20Members%20group.%20So%20everybody%20are%20Site%20Collection%20Admins%20and%20nobody%20are%20Owners.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-216985%22%20slang%3D%22en-US%22%3ERe%3A%20Permission%20relations%20between%20Teams%20and%20SharePoint%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-216985%22%20slang%3D%22en-US%22%3E%3CP%3EThen%20I%20don't%20understand%20why%20I%20see%20the%20group%20%22Dream%20Team%22%20added%20as%20Site%20Collection%20Admin%2C%20because%20I%20assume%20this%20group%20contains%20both%20Owners%20and%20Members.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnd%20what%20about%20Guests%3F%20They%20are%20also%20members%20of%20the%20Dream%20Team%20groups%2C%20right%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20I%20look%20at%20the%20Owner%2C%20Members%20and%20Visitors%20groups%20in%20SPO%2C%20both%20Owners%20and%20Visitors%20are%20empty%2C%20and%20the%20Dream%20Team%20group%20is%20added%20to%20the%20Members%20group.%20So%20everybody%20are%20Site%20Collection%20Admins%20and%20nobody%20are%20Owners.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-216983%22%20slang%3D%22en-US%22%3ERe%3A%20Permission%20relations%20between%20Teams%20and%20SharePoint%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-216983%22%20slang%3D%22en-US%22%3EWhen%20you%20create%20a%20Team%2C%20you%20are%20creatin%20a%20Group%20behind%20the%20scenes%20and%20the%20Team%20Site%20(or%20Group%20Site)%20security%20is%20configured%20in%20a%20very%20specific%20way%3A%3CBR%20%2F%3E-%20Group%20Owners%20(Team%20Owners)%20become%20Site%20Collection%20Admins%3CBR%20%2F%3E-%20Group%20Members%20(Team%20Member)%20become%20Site%20Members.%3CBR%20%2F%3EThis%20is%20by%20design%3C%2FLINGO-BODY%3E
Frequent Contributor

I am trying to understand how permissions in a team in Teams relates to permissions in the associated SPO site. I have a test team, "Dream Team", and I can see that the group "Dream Team" is Site Collection Admin, which surprises me. Does this mean that all members and owners (and guests?) of a team automatically becomes Site Collections Admins?

 

And is it ok to assign permissions to the SPO site directly, if I want to grant access to the SPO site but not the team?

 

Any good documentation links for this subject?

 

 

6 Replies
When you create a Team, you are creatin a Group behind the scenes and the Team Site (or Group Site) security is configured in a very specific way:
- Group Owners (Team Owners) become Site Collection Admins
- Group Members (Team Member) become Site Members.
This is by design

Then I don't understand why I see the group "Dream Team" added as Site Collection Admin, because I assume this group contains both Owners and Members.

 

And what about Guests? They are also members of the Dream Team groups, right?

 

If I look at the Owner, Members and Visitors groups in SPO, both Owners and Visitors are empty, and the Dream Team group is added to the Members group. So everybody are Site Collection Admins and nobody are Owners. 

Then I don't understand why I see the group "Dream Team" added as Site Collection Admin, because I assume this group contains both Owners and Members.

 

And what about Guests? They are also members of the Dream Team groups, right?

 

If I look at the Owner, Members and Visitors groups in SPO, both Owners and Visitors are empty, and the Dream Team group is added to the Members group. So everybody are Site Collection Admins and nobody are Owners. 

Solution

I can see where your confusion lies because in SharePoint the UPN which is created for the Group i.e. dreamteam@yourtenancy.onmicrosoft.com is used for both Site Collection Administrators and for Members. This claim however does understand difference between the Ownership list on the O365 Group (view this in Exchange Admin Centre) and the Membership list.

 

To prove this you can use Check Permissions, so you can see what the permissions someone in the Owner role has compared to the Member role.

 

An owner will have Full Control, whereas a Member will only have Edit. The confusing part comes from where SharePoint says you get the permissions from e.g. as a Team Owner, you will be told that you get Full Control from the "Dream Team Owners" group, when in truth you get it from the O365 Group Ownership list. I suspect it is just a case that the Check Permissions dialogue hasn't been updated to understand what's going on in the background.

 

That's really the only confusing part, everything else behaves like SharePoint

 

 

Only actually owners of the group get site collection admin permissions. You can tweak the members Sharepoint group to restrict things on the site and you can also add any unique permission to others not on the group that you want to the Sharepoint site without issue as well. So if you don’t want your members adding news or editing pages to your site for example you can do to your site pages library. Break inheritance and change the members Sharepoint group permission to read only.

Thank you for your answers. If you, or anybody else, knows about an article documenting the permissions relations between Teams, Groups and SPO, I would appreciate to hear about it.

Related Conversations
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
flashing a white screen while open new tab
cntvertex in Discussions on
13 Replies
Tabs and Dark Mode
cjc2112 in Discussions on
22 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
28 Replies