Leave Those SharePoint Permissions for Office 365 Groups Alone

%3CLINGO-SUB%20id%3D%22lingo-sub-332363%22%20slang%3D%22en-US%22%3ELeave%20Those%20SharePoint%20Permissions%20for%20Office%20365%20Groups%20Alone%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-332363%22%20slang%3D%22en-US%22%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CDIV%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3EOffice%20365%20Groups%20and%20Teams%20make%20SharePoint%20much%20easier%20for%20people%20to%20use%2C%20with%20the%20price%20paid%20being%20the%20imposition%20of%20the%20groups%20permission%20model%20on%20SharePoint.%20On%20the%20upside%2C%20everything%20is%20very%20simple.%20On%20the%20downside%2C%20the%20permissions%20assigned%20to%20group%20members%20might%20not%20be%20what%20you%20want.%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fwww.petri.com%2Fleave-sharepoint-permissions-office-365-groups-alone%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.petri.com%2Fleave-sharepoint-permissions-office-365-groups-alone%3C%2FA%3E%3C%2FFONT%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-332363%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ESharePoint%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-332797%22%20slang%3D%22en-US%22%3ERe%3A%20Leave%20Those%20SharePoint%20Permissions%20for%20Office%20365%20Groups%20Alone%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-332797%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20example%20I%20gave%20above%20is%20of%20course%20extreme%2C%20and%20Tony%20has%20already%20lectured%20me%20about%20it.%20But%20as%20a%20matter%20of%20fact%2C%20I%20did%20first%20find%20out%20about%20this%26nbsp%3Bbecause%20of%20a%20small%20incident%20we%20had%20with%20a%20file%20in%20a%20public%20group%20in%20my%20previous%20company.%20And%20we've%20seen%20the%20occasional%20thread%20or%20uservoice%20ask%20for%20changing%20the%20permissions.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20all%20fairness%2C%20we%20can%20now%20easily%20toggle%20the%20permissions%26nbsp%3Bright%20after%20the%20group%20is%20created.%20Which%20is%20actually%20what%20Microsoft%20seem%20to%20be%20suggesting%20on%20few%20of%20those%20UV%20items%20lately.%20I%20still%20believe%20the%20proper%20solution%20would%20be%20to%20have%20the%20%22everyone%20except%20external%20users%22%20added%20to%20the%20Site%20Visitors%20group%20instead%2C%20by%20default.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-332563%22%20slang%3D%22en-US%22%3ERe%3A%20Leave%20Those%20SharePoint%20Permissions%20for%20Office%20365%20Groups%20Alone%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-332563%22%20slang%3D%22en-US%22%3E%3CP%3ELots%20of%20interesting%20observations%20and%20opinions.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20default%20permission%20level%20for%20the%20%22Site%20Members%22%20SharePoint%20Groups%20has%20been%20Edit%20in%20all%20the%20time%20I've%20been%20using%20SP%20Online%20(since%202013).%20I%20too%20would%20much%20rather%20this%20default%20be%20set%20at%20Contribute%20(and%20to%20be%20honest%20I%20don't%20see%20much%20of%20a%20use%20for%20the%20Edit%20permission%20level%20in%20practice).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThat%20said%2C%20even%20though%20Edit%20is%20give%20to%20many%20many%20users%20where%20Contribute%20is%20probably%20the%20%22safer%22%20choice%2C%20because%20Edit%20is%20the%20default%2C%20we%20have%20seen%20virtually%20zero%20issues%20with%20people%20accidentally%2Fon-purpose%20creating%20or%20deleting%20lists%20or%20libraries%20inappropriately.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-332502%22%20slang%3D%22en-US%22%3ERe%3A%20Leave%20Those%20SharePoint%20Permissions%20for%20Office%20365%20Groups%20Alone%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-332502%22%20slang%3D%22en-US%22%3E%3CP%3EVasil%2C%20stop%20being%20silly.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EPeople%20in%20the%20real%20world%20don't%20do%20stuff%20like%20that.%20If%20they%20do%2C%20they%20are%20fired.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAnd%20it's%20easy%20to%20protect%20against%20this%20kind%20of%20thing%20by%20assigning%20a%20default%20retention%20policy%20(say%20for%20one%20year)%20to%20all%20sites%20in%20a%20tenant.%20Or%20assigning%20a%20default%20retention%20label%20to%20important%20sites.%20You%20don't%20have%20to%20mess%20with%20SharePoint%20permissions%20to%20protect%20information.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-332498%22%20slang%3D%22en-US%22%3ERe%3A%20Leave%20Those%20SharePoint%20Permissions%20for%20Office%20365%20Groups%20Alone%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-332498%22%20slang%3D%22en-US%22%3E%3CP%3EYeah%2C%20just%20let%20everyone%20delete%20your%20(public)%20group%20files.%20Back%20when%20we%20first%20brought%20this%20up%20to%20MS%20folks%2C%20I%20was%20tempted%20to%20create%20a%20simple%20script%20that%20goes%20over%20each%20public%20group%20in%20the%20tenant%20and%20trashes%20everything%20in%20the%20site.%20Doubt%20it%20would%20change%20their%20mind%20regardless...%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
MVP
 
Office 365 Groups and Teams make SharePoint much easier for people to use, with the price paid being the imposition of the groups permission model on SharePoint. On the upside, everything is very simple. On the downside, the permissions assigned to group members might not be what you want.
https://www.petri.com/leave-sharepoint-permissions-office-365-groups-alone
4 Replies
Highlighted

Yeah, just let everyone delete your (public) group files. Back when we first brought this up to MS folks, I was tempted to create a simple script that goes over each public group in the tenant and trashes everything in the site. Doubt it would change their mind regardless...

Highlighted

Vasil, stop being silly. 

 

People in the real world don't do stuff like that. If they do, they are fired.

 

And it's easy to protect against this kind of thing by assigning a default retention policy (say for one year) to all sites in a tenant. Or assigning a default retention label to important sites. You don't have to mess with SharePoint permissions to protect information.

Highlighted

Lots of interesting observations and opinions.

 

The default permission level for the "Site Members" SharePoint Groups has been Edit in all the time I've been using SP Online (since 2013). I too would much rather this default be set at Contribute (and to be honest I don't see much of a use for the Edit permission level in practice).

 

That said, even though Edit is give to many many users where Contribute is probably the "safer" choice, because Edit is the default, we have seen virtually zero issues with people accidentally/on-purpose creating or deleting lists or libraries inappropriately.

Highlighted

The example I gave above is of course extreme, and Tony has already lectured me about it. But as a matter of fact, I did first find out about this because of a small incident we had with a file in a public group in my previous company. And we've seen the occasional thread or uservoice ask for changing the permissions.

 

In all fairness, we can now easily toggle the permissions right after the group is created. Which is actually what Microsoft seem to be suggesting on few of those UV items lately. I still believe the proper solution would be to have the "everyone except external users" added to the Site Visitors group instead, by default.