Restricting some users from accessing 'public' SharePoint sites


My company is in the middle of migrating from Dropbox to SharePoint, with most new SharePoint sites having a corresponding Team for the sake of collaboration. We have made most of our teams 'public' so that our employees can easily access them; however, a number of contractors have O365 accounts on our domain, and we would like to restrict them from accessing the SharePoint sites connected to the public Teams. Does anybody know of a way of restricting a specific group of users from accessing a 'public' SharePoint site?

9 Replies

How many Teams/Sites are you dealing with? Depending on the number, you might be better off making all of the Teams Private and then just adding everyone except contractors to all of the Teams.

 

When you set a team as Public, I think it is technically giving the "Everyone except external users" access to the associated SharePoint site. I don't think it shows up in Site Permissions either and would have to be managed via PowerShell. Even if you did remove this from site permissions, then you would still have to specify SharePoint site permissions the old fashioned way which could break connected functionality in Teams. 

 

Teams and its associated SharePoint site permissions are closely integrated. Once you start messing with permissions directly in the site, you can create a lot of unnecessary overhead for yourself as an admin. 

 

In my opinion, for your situation, I would set the Teams to be private and add everyone as Members except for the contractors. If you have tons of users and teams, then I would look into using PowerShell to add the members to the teams.

You can still use security groups in SharePoint, so I would suggest that if you don't have an "All Employees" distro list, you can usually convert one to a security group in addition to it being a dist list. Then you can just utilize this security group for your access instead of using the Everyone Except External option.

 

Or if you can't get the distro list figured out, just create a universal security group called All Employees and use that once it syncs up.

@Kevin McKeown we have 340 teams. Unfortunately searching for 'private' teams doesn't work in our environment (apparently it's being worked on), so if I make the teams private it will make discovery effectively impossible, and I don't want to add every employee to 340 teams. Thanks for the replies.

Hi @roddenshaw,

 

With no deny access option in SharePoint, I would agree with @Chris Webb's recommendation to use or create an all employees security group that does not include the contractors.

 

I hope this helps.

 

Norm

@Norman Young @Chris Webb We are talking about Public Office 365 Groups/Teams here, right? Which means anyone, including the contractors who are Office 365 licensed, will be able to join the group anytime they want. How does using a security group in the connected SharePoint site help you keep these users from joining the Office 365 Group/Team itself (which in turn will give them access to the connected site)? Just using a new All Users (minus contractors) security group doesn't seem like it would solve the entire issue described here. I think you would at the very least need to remove the Office 365 Group's associated domain group from the connected site and then replace it with your suggested All Users (except contractors) security group. But if you did that, it essentially makes adding people to the Office 365 Group irrelevant, since you would now be controlling access through your SharePoint site the old-fashioned way with the security group instead of through the Office 365 Group.

@Kevin McKeown changing the Group's privacy setting to "Private" would also be required.

 

I hope this helps.

 

Norm

@Norman Young I'm not sure your point helps, as he has already stated that he doesn't want to set the groups to Private, and if you are suggesting that setting groups to Private in addition to Chris Webb's security group suggestion would be helpful, then I don't think you fully understand how Office 365 Groups, Microsoft Teams, and their connected SharePoint site are actually working together from a security standpoint. I was trying to get elaboration of Chris's point, as I think it is incomplete. Your post does not help to elaborate.

 

Also, I already mentioned changing the group to Private in my first post. The point of the original request is that Groups/Teams need to be available for users (except contractors) to join and just setting them to Private doesn't solve the issue described. And setting the group to Private in addition to Chris Webb's suggestion really really really doesn't solve the problem. 

 

Personally, I'm not seeing another good option here except for my first suggestion of setting all relevant Groups to Private, then using a PowerShell script to add all users (except contractors) to each Group. An update to Microsoft Teams is supposed to be coming out that will allow Private Teams to be viewable and let users request to join the team. 

 

Unfortunately the integration between Office 365 Groups, Teams, SharePoint, Planner, etc. makes security scenarios like this very difficult, if not impossible, to manage.
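One way to carry out the bulk approach described in this reply (make the relevant Teams Private, then add every employee except contractors as a member). This is an added example, not code from anyone in this thread; it assumes the MicrosoftTeams and Microsoft.Graph.Groups PowerShell modules, and the group names 'All Employees' and 'Contractors' are placeholders you would replace with your own security groups.

```powershell
# Added example: convert Public Teams to Private and populate membership
# from an employee security group, minus a contractor security group.
# Assumes the MicrosoftTeams and Microsoft.Graph.Groups modules.
Connect-MicrosoftTeams
Connect-MgGraph -Scopes 'GroupMember.Read.All'

$employeeGroup   = 'All Employees'   # placeholder security group name
$contractorGroup = 'Contractors'     # placeholder security group name

# Resolve a security group's members to user principal names.
function Get-GroupUpns([string]$DisplayName) {
    $g = Get-MgGroup -Filter "displayName eq '$DisplayName'"
    if (-not $g) { throw "Group '$DisplayName' not found" }
    Get-MgGroupMember -GroupId $g.Id -All |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
        Where-Object { $_ }
}

$contractors = Get-GroupUpns $contractorGroup
$allowed = Get-GroupUpns $employeeGroup |
    Where-Object { $contractors -notcontains $_ } |
    Sort-Object -Unique

# Only Public teams need changing; Private ones already gate membership.
foreach ($team in (Get-Team -Visibility Public)) {
    Write-Host "Processing $($team.DisplayName) ($($team.GroupId))"
    Set-Team -GroupId $team.GroupId -Visibility Private

    $existing = (Get-TeamUser -GroupId $team.GroupId).User

    # Add every allowed employee who is not already a member.
    foreach ($upn in $allowed) {
        if ($existing -notcontains $upn) {
            try { Add-TeamUser -GroupId $team.GroupId -User $upn -Role Member }
            catch { Write-Warning "Could not add $upn to $($team.DisplayName): $_" }
        }
    }

    # Contractors may have joined while the team was Public; remove them.
    foreach ($upn in $contractors) {
        if ($existing -contains $upn) {
            Remove-TeamUser -GroupId $team.GroupId -User $upn
        }
    }
}
```

Run it against one or two test Teams first; making a Team Private also removes it from the Teams discovery search the original poster relies on, which is the trade-off this reply discusses.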


You are pretty much spot on with your assessment. Groups do hold back individual products other than SharePoint really, since it has its own security model. My idea was geared towards SharePoint only and I read it as public to the org everyone settings. Didn't put two and two together that you meant Microsoft Teams groups when I first read it.

I think you can still tweak SharePoint by removing the public group from the SharePoint group to not allow everyone into it but they will still be able to access the other group resources.

@Kevin McKeown I was simply clarifying the point that Private groups would be required to limit the Group security. It was not my intention to elaborate on Chris's point.

 

Norm