cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Additional document library shielded from guests?

Deleted
Not applicable

‎Apr 19 2020 06:32 AM

‎Apr 19 2020 06:32 AM

Additional document library shielded from guests?

Hi,

 

we're soon moving from classic sites to M365 group connected and Teams site collections.

In classic we had set up the logic that internal users had a document library with unique permissions that only they could see. Tenant external users / guests were excluded.

 

This worked because we could invite guests into the "Site Visitors" group and have internal users live in "Site Owners" and "Site Members". We then gave the "internal" document library unique permissions in that we removed the "Site Visitors" security group. This made it so that external users / guests could not participate in that library.

 

Now, moving on to the M365 group security model. Here, the SharePoint security group "Site Visitors" is not used. M365 group owners are put into the security group "Site Owners" and M365 group members go into "Site Members". This effectively mixes internal members and guests allowing them access edit permissions wherever "Site Members" is set.

 

I can't come up with a mechanism that would allow me to have a secure document library with this model since a third security group is not used like "Site Visitors" used to be.

 

Looking forward to your input, perhaps you have an easy solution for this.

 

Thanks.

 

The SharePoint security group "Members" now

1,062 Views
0 Likes
3 Replies
Reply
3 Replies
Marijn Somers

‎Apr 19 2020 06:49 AM

‎Apr 19 2020 06:49 AM

Re: Additional document library shielded from guests?

@Deleted What I do for a number of customers is create a SharePoint security group in the SharePoint itself called "externals" or "Visitors". This security group has all the external guests in. In SharePoint, they would get read access to the site, and no access to specific document libraries.

 

So in short, the logic still applies, you just need to add that extra "visitors" group yourself.

You can create that from the "advanced permission settings".

1 Like
Reply

‎Apr 19 2020 10:30 PM

‎Apr 19 2020 10:30 PM

Re: Additional document library shielded from guests?

@Marijn Somers, thanks and I think I understand what you're saying. However, a visitors already exists on each modern team site with the permission level "Read", doesn't it?

 

The problem with this is that it is not possible to manage its users through M365 groups as they only work with the owners/members logic. Whenever someone eligible from the team invites a guest in Teams it will be part of the M365 groups' members, thus of the "Members" security group of the site collection. 

 

Can't wrap my head around how to get this to work at the moment...

0 Likes
Reply
best response
Marijn Somers

‎Apr 20 2020 04:48 AM

‎Apr 20 2020 04:48 AM

Solution

Re: Additional document library shielded from guests?

@Deleted It will be a 2 step approach.. As you said, there is no way to split these out in Teams. Therefore you will need a separate location where you can add the "Everyone except external people" or just the required people.

 

I understand you are looking for a 1 step way... but that isn't in there right now. The goal of a group is to "connect people with resources", therefore it defeats the purpose of easily doing that.  But I encourage you to take it up to UserVoice and send it in as an idea.

1 Like
Reply
1 best response

Accepted Solutions
best response
Marijn Somers

‎Apr 20 2020 04:48 AM

‎Apr 20 2020 04:48 AM

Solution

Re: Additional document library shielded from guests?

@Deleted It will be a 2 step approach.. As you said, there is no way to split these out in Teams. Therefore you will need a separate location where you can add the "Everyone except external people" or just the required people.

 

I understand you are looking for a 1 step way... but that isn't in there right now. The goal of a group is to "connect people with resources", therefore it defeats the purpose of easily doing that.  But I encourage you to take it up to UserVoice and send it in as an idea.

View solution in original post

1 Like
Reply