SOLVED

External guests and Teams SharePoint site - unusual access question

%3CLINGO-SUB%20id%3D%22lingo-sub-1310549%22%20slang%3D%22en-US%22%3EExternal%20guests%20and%20Teams%20SharePoint%20site%20-%20unusual%20access%20question%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1310549%22%20slang%3D%22en-US%22%3E%3CP%3EI've%20read%20through%20all%20the%20questions%20that%20deal%20with%20Guest%20access%2C%20but%20have%20not%20found%20similar%20scenario.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETeam%20is%20created%20with%20two%20channels%2C%20one%20public%2C%20one%20private.%20Our%20own%20employees%20are%20members%20(by%20default)%20of%20Public%2C%20and%20have%20been%20added%20as%20members%20of%20Private.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESix%20guest%20users%20have%20been%20added%20via%20email%20address%20to%20Team.%20They%20have%20confirmed%20can%20see%20and%20access%20everything.%20They%20have%20not%20been%20added%20to%20Private.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EA%20request%20has%20been%20made%20to%20have%20a%20folder%20on%20the%20Teams%20SharePoint%20site%20that%20one%20of%20the%20guest%20users%20will%20have%20write%20access%20to%2C%20but%20everyone%20else%20(including%20our%20company%20employees)%20will%20have%20read%20access%20to.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20this%20possible%3F%20I%20understand%20we'd%20be%20in%20inheritance-breaking%20territory%2C%20which%20is%20disfavored%2C%20and%20I've%20advised%20requester%2C%20who%20nonetheless%20wants%20to%20proceed%20if%20possible.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHow%20are%20guest-user-permissions%20assigned%20to%20files%2Ffolders%26nbsp%3B%20once%20inheritance%20is%20broken%3F%20By%20email%20address%3F%20If%20so%2C%20would%20it%20simply%20be%3A%3CBR%20%2F%3E%3CBR%20%2F%3Eguest%20email%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3BEdit%3C%2FP%3E%3CP%3ETeam%20Members%20Group%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3BRead%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1310549%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EFiles%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EGuest%20Access%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ETips%20%26amp%3B%20Tricks%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1312531%22%20slang%3D%22en-US%22%3ERe%3A%20External%20guests%20and%20Teams%20SharePoint%20site%20-%20unusual%20access%20question%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1312531%22%20slang%3D%22en-US%22%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F259747%22%20target%3D%22_blank%22%3E%40RB_MMII%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3ESee%20here%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fmicrosoft365pro.co.uk%2F2019%2F07%2F14%2Fteams-real-simple-with-pictures-controlling-who-can-edit-documents-in-a-channel%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmicrosoft365pro.co.uk%2F2019%2F07%2F14%2Fteams-real-simple-with-pictures-controlling-who-can-edit-documents-in-a-channel%2F%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EYou%20should%20be%20able%20to%20do%20it%20by%20amending%20the%20permissions%20on%20the%20underlying%20sharepoint%20site%20and%20giving%20the%20specific%20guest%20owner%20or%20edit%20permissions%20and%20everybody%20else%20view%20or%20limited%20view%20permissions%20but%20as%20you%20say%2C%20it%20would%20break%20inheritance.%20%3CBR%20%2F%3E%3CBR%20%2F%3EThe%20other%20way%20I%20can%20think%20of%20doing%20this%20is%20to%20set%20up%20a%20completely%20seperate%20SharePoint%20site%20with%20no%20Team%20attached%2C%20set%20the%20permissions%20as%20needed%20(the%20guest%20owner%20or%20edit%20permissions%20and%20all%20others%20view%20or%20limited%20view)%20and%20then%20sufacing%20another%20document%20library%20inside%20the%20channel%20(using%20a%20document%20library%20tab).%20Having%20tested%20you%20can%20do%20this%20in%20both%20public%20and%20private%20channels.%20Doing%20it%20in%20this%20way%20may%20be%20advantageous%20so%20you%20don't%20break%20the%20inheritance%20of%20the%20sharepoint%20site%20that%20the%20Team%20sits%20on%3CBR%20%2F%3E%3CBR%20%2F%3ELet%20me%20know%20how%20it%20goes%20and%20hope%20one%20of%20these%20ways%20answers%20your%20questions%3CBR%20%2F%3E%3CBR%20%2F%3EBest%2C%20Chris%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1312633%22%20slang%3D%22en-US%22%3ERe%3A%20External%20guests%20and%20Teams%20SharePoint%20site%20-%20unusual%20access%20question%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1312633%22%20slang%3D%22en-US%22%3EHi%20Chris-%3CBR%20%2F%3E%3CBR%20%2F%3EMany%20thanks%20for%20your%20quick%20reply%20--%20will%20have%20a%20look%20at%20that%20site%2C%20digest%20your%20comments%2C%20and%20let%20you%20know%20the%20outcome.%3CBR%20%2F%3E%3CBR%20%2F%3ECheers!%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1316193%22%20slang%3D%22en-US%22%3ERe%3A%20External%20guests%20and%20Teams%20SharePoint%20site%20-%20unusual%20access%20question%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1316193%22%20slang%3D%22en-US%22%3EMorning%20Chris-%3CBR%20%2F%3E%3CBR%20%2F%3EWell%2C%20after%20going%20through%20the%20two%20options%20with%20them%2C%20explaining%20the%20associated%20consequences%20of%20each%2C%20and%20reminding%20them%20of%20the%20nature%20and%20purpose%20of%20Teams%2C%20the%20trust%20factor%20that%20really%20should%20exist%20if%20two%20groups%20are%20going%20to%20collaborate%2C%20and%20highlighting%20the%20built-in%20oversight%20safeguards%20(version%20history%2C%20recycle%20bin%2C%20etc)%2C%20they%20decided%20to%20leave%20as-is.%3CBR%20%2F%3E%3CBR%20%2F%3EAh%2C%20the%20growing%20pains%20of%20adoption...%3CBR%20%2F%3E%3CBR%20%2F%3EReally%20appreciate%20your%20help%2C%20though%20--%20I've%20filed%20away%20your%20second%20suggestion%20as%20that%20hadn't%20even%20occurred%20to%20me.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1415902%22%20slang%3D%22en-US%22%3ERe%3A%20External%20guests%20and%20Teams%20SharePoint%20site%20-%20unusual%20access%20question%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1415902%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3E%22Six%20guest%20users%20have%20been%20added%20via%20email%20address%20to%20Team.%20They%20have%20confirmed%20can%20see%20and%20access%20everything.%20They%20have%20not%20been%20added%20to%20Private.%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EAre%20you%20saying%20the%20guest%20users%20can%20see%20the%20content%20of%20prviate%20channels%20to%20which%20they%20have%20not%20been%20added%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1417899%22%20slang%3D%22en-US%22%3ERe%3A%20External%20guests%20and%20Teams%20SharePoint%20site%20-%20unusual%20access%20question%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1417899%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F676864%22%20target%3D%22_blank%22%3E%40SamG_A%3C%2FA%3E%26nbsp%3B%20-%20No%2C%20no%2C%20not%20at%20all.%20It%20meant%20they%20could%20see%20and%20access%20everything%20they%20should%20have%20been%20able%20to.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

I've read through all the questions that deal with Guest access, but have not found similar scenario.

 

Team is created with two channels, one public, one private. Our own employees are members (by default) of Public, and have been added as members of Private.

 

Six guest users have been added via email address to Team. They have confirmed can see and access everything. They have not been added to Private.

 

A request has been made to have a folder on the Teams SharePoint site that one of the guest users will have write access to, but everyone else (including our company employees) will have read access to.

 

Is this possible? I understand we'd be in inheritance-breaking territory, which is disfavored, and I've advised requester, who nonetheless wants to proceed if possible.

 

How are guest-user-permissions assigned to files/folders  once inheritance is broken? By email address? If so, would it simply be:

guest email                       Edit

Team Members Group     Read

5 Replies
Highlighted
Best Response confirmed by RB_MMII (Occasional Contributor)
Solution
Hi @RB_MMII

See here

https://microsoft365pro.co.uk/2019/07/14/teams-real-simple-with-pictures-controlling-who-can-edit-do...

You should be able to do it by amending the permissions on the underlying sharepoint site and giving the specific guest owner or edit permissions and everybody else view or limited view permissions but as you say, it would break inheritance.

The other way I can think of doing this is to set up a completely seperate SharePoint site with no Team attached, set the permissions as needed (the guest owner or edit permissions and all others view or limited view) and then sufacing another document library inside the channel (using a document library tab). Having tested you can do this in both public and private channels. Doing it in this way may be advantageous so you don't break the inheritance of the sharepoint site that the Team sits on

Let me know how it goes and hope one of these ways answers your questions

Best, Chris
Highlighted
Hi Chris-

Many thanks for your quick reply -- will have a look at that site, digest your comments, and let you know the outcome.

Cheers!
Highlighted
Morning Chris-

Well, after going through the two options with them, explaining the associated consequences of each, and reminding them of the nature and purpose of Teams, the trust factor that really should exist if two groups are going to collaborate, and highlighting the built-in oversight safeguards (version history, recycle bin, etc), they decided to leave as-is.

Ah, the growing pains of adoption...

Really appreciate your help, though -- I've filed away your second suggestion as that hadn't even occurred to me.
Highlighted

"Six guest users have been added via email address to Team. They have confirmed can see and access everything. They have not been added to Private."

 

Are you saying the guest users can see the content of prviate channels to which they have not been added?

Highlighted

@SamG_A  - No, no, not at all. It meant they could see and access everything they should have been able to.