SharePoint Access Request Ignoring Default Group

Iron Contributor

Has anyone noticed that the new release of functionality for Access Requests (where you can now pick the site Owners group to receive the email requests - excellent!) does not add the users to your site's default group anymore.

 

Instead it adds the user directly to the site, not in any group.

 

Im not sure how I feel about this - its a bit scary to think the idea is we have lots of users having permissions set directly.

 

Is this expected behaviour? If so, what do you guys think about this - is this what you want?

 

Thanks

 

Nigel

19 Replies

Hi @Nigel Witherdin,

 

We've had two changes to access requests in the last month or two. First, we now send actionable messages that let you accept/decline the access request immediately from Outlook instead of having to visit the SP page. We've heard some feedback on this feature that matches what you're seeing that we are investigating.

 

Hope that helps!

 

Stephen Rice

OneDrive Program Manager II

Hi Stephen - thanks for the reply!

 

I think the changes made are excellent, but my issue is that when an administrator accepts an invitation, the requester is added directly to the site - not to the default group for the site.

 

I foresee a few issues with this

  • Im not sure i like the idea of all the users being given individual permissions at the site level from a management piece. 
  • Groups are used for more then just site permissions. They can also be used for classifying users
  • Groups can be given custom permission settings. By not adding the users to groups we are forced to use only the three common permission roles (full control, edit, view)

 

Perhaps the best thing would be if the great Outlook control could be expanded to include a way of selecting the group the user should be added to? We have tried to instruct out users to go onto the site to accept the requests so they can do this, but I think most of them will not get that message, and instead simply click 'Accept'

 

Thanks

 

Nigel

Hi Nigel,

 

Thanks again for reaching out! We have identified an issue with the new actionable message card where it's not behaving quite how we want for site requests. We're working on a fix but don't have an ETA just yet.

 

In the meantime, in the actionable message in Outlook, there should be an option for seeing the original message. You can click the accept button there which will take you to the Access Request page where the behavior has not changed.

 

Hope that helps!

 

Stephen Rice

OneDrive Program Manager II

 

 

Thanks Stephen - look forward to seeing the new outlook update. 

Is this issue resolved? Are the users added to default group

I'm also waiting for a fix for this. It seems that the Outlook action still gives users individual Edit/Contribute permissions (which is logic for a Group Permission) but not for SharePoint permissions. Using the original message gives a solution for the mean time but I hope Microsoft fixes this soon!

Hi all,

 

The fix for this is in progress. Thanks for your patience!

 

Stephen Rice

OneDrive Program Manager II

Thanks Stephen, appreciate it!

Please explain this in more detail.   I am not clear on what you mean by ' in the actionable message in Outlook, there should be an option for seeing the original message. '   Do you mean that when the recipient of the notification clicks on the accept, the page for the 'User Access Requests and Invitations'  opens instead of just granting access?  Is there an option to make sure this happens?  I am the Site Admin for a 40+ Site Site-Collection.  Most has unique permissions.  I simply cannot keep managing this.  All of our sites have to be set up for the Owners Group to be notified of requests, because we have to many people who need access and our SLA dictates that we respond within one day.   I went into a site today and found individuals added outside security groups, which violates our security policy.   It would also be nice if we could she the person how approved in the Site Permission view.  

 

Thanks,

Dan

Hi @Daniel Paul,

 

The actionable message in Outlook replaces the original message content (which links the user out to the web page) but there is a link that says "Show original message" at the bottom of the e-mail. This will open the original message which will then link the user to the web page. The permanent fix here is in-progress now and we should have more to share soon. Thanks!

 

Stephen Rice

OneDrive Program Manager II

Any news on this? Actionable messages i great but when the user is added directly to the site and not in a configurable group the user might not get access to lists that have broken permission inheritence.

 

I would like to have a dropdow in the actionable message where I can select the group the user should be added to. Like I can configure it inside sharepoint when I approve the request.

Hi @Deleted,

 

Stay tuned ;) Should have more to share soon! Thanks!

 

Stephen Rice

OneDrive Program Manager II

Hi@Stephen Rice,

Has this been corrected? I am still encountering this behavior in one of the sites I am working on. Please advise.

 

-Wilfredo S.

Hi @wseda22,


Can you clarify which behavior you are still seeing? Thanks!


Stephen Rice

OneDrive Program Manager II 

@Stephen Rice  HI, Ever since the update to the email notification for user access, user requests for access to sites are so much better.   

Hello@Stephen Rice,

Hopefully pictures can explain it better than I can. With that said, we have a SharePoint site ("Support Portal") that we allow users within our company to access. Upon accessing the site for the first time, users must request access. We set up access requests to this SharePoint to default to our "Support Portal Visitors" group and that works well.

 

If a new user were to try and access a sitepage within the Support Portal, they will need to request access. However, these requests are not defaulting to our "Support Portal Visitors" group. We have configured all sites to inherit permissions from the parent site, Support Portal, but this does not seem to have any effect. We have even tried going directly into the sitepage permissions, disabling parent inheritance and manually setting the default group to "Support Portal Visitors" but it does not work, neither.

 

Hopefully the screenshots will help explain this better than I can. Requesting access to Support Portal.Requesting access to Support Portal.Requesting access to sitepage within Support Portal.Requesting access to sitepage within Support Portal.

Hi @wseda22,

 

This is expected. When users request access to the entire site, we put them into the Visitors Group (on communication sites). When they request access to specific pages, we default to giving access ONLY to that item. Hope that helps explain what you are seeing! Thanks!

 

Stephen Rice

OneDrive Program Manager II

Hi @Stephen Rice ,

 

"When they request access to specific pages, we default to giving access ONLY to that item."

This is an big issue to us to maintain the permission, since our pages are highly customized by PnP which means if they only get the permission with specific page, they can not view the layout and content correctly. 

Is there any way to request the default group instead of specific page?

 

Thanks

Hi @Todd Chen,

 

There is no easy way to do this that I am aware of unfortunately, sorry. 

 

Stephen Rice

Senior Program Manager, OneDrive