SOLVED

How to deal with Security groups in SharePoint and Office 365 groups

%3CLINGO-SUB%20id%3D%22lingo-sub-113716%22%20slang%3D%22en-US%22%3EHow%20to%20deal%20with%20Security%20groups%20in%20SharePoint%20and%20Office%20365%20groups%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-113716%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20a%20question%20regarding%20SharePoint%20and%20Office%20365%20groups.%20As%20we%20heart%20that%20you%20can%20Groupify%20almost%20everything%20at%20Ignite.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20you%20may%20now%20when%20you%20create%20an%20Office%20365%20group%20you%20can%20manage%20the%20members%20and%20owners%20from%20the%20admin%20portal.%20But%20now%20in%20my%20SharePoint%20site%2C%20I%20have%20more%20SharePoint%20Groups%20especially%20for%20different%20members%20and%20different%20Libraries(with%20broken%20inheritance).%3C%2FP%3E%3CP%3EThese%20SharePoint%20Groups%20I%20cannot%20edit%20on%20the%20admin%20portal%2C%20but%20only%20in%20SharePoint%20and%20have%20issues%20when%20they%20want%20to%20use%20planner%20for%20example.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20is%20the%20vision%20for%20this%3F%3C%2FP%3E%3CP%3EIs%20the%20future%20that%20all%20SP%20groups%20can%20be%20edit%20in%20the%20Admin%20portal%3F%3C%2FP%3E%3CP%3Eor%20do%20we%20need%20to%20minify%20the%20SP%20groups%20to%20members%2C%20Owners%2C%20visitors%3F%3CBR%20%2F%3EAnd%20how%20should%20we%20deal%20with%20security%20in%20libraries%20for%20different%20groups%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ethanks%20in%20advance%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-113716%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EPermissions%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESharePoint%20Online%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESites%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-138842%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20deal%20with%20Security%20groups%20in%20SharePoint%20and%20Office%20365%20groups%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-138842%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20trend%20appears%20to%20be%20to%20leave%20alone%20%22standard%20groups%22%20permissions%20for%20modern%20team%20sites.%3C%2FP%3E%0A%3CP%3EIf%20you%20want%20to%20customize%20permissions%20it%20is%20better%20to%20use%20classic%20team%20sites%20instead.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-138837%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20deal%20with%20Security%20groups%20in%20SharePoint%20and%20Office%20365%20groups%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-138837%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI've%20noticed%20you%20also%20cannot%20change%20the%20default%20permissions%20for%20the%20Modern%20Team%20site%20Member%20group%20to%20Contribute.%20It's%20seems%20the%20choice%20are%20now%20down%20to%20Full%20Control%2C%20Edit%20or%20Read%20only.%26nbsp%3B%20Can't%20even%20do%20it%20in%20the%20user.aspx%20page.%20Sharepoint%20seems%20to%20be%20getting%20dumbed%20down.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-116568%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20deal%20with%20Security%20groups%20in%20SharePoint%20and%20Office%20365%20groups%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-116568%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20there%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESharePoint%20groups%20will%20continue%20to%20exist%20as%20SharePoint-only%20entities%20that%20can%20be%20utilized%20for%20permissions%20purposes.%26nbsp%3B%20You%20are%20correct%20that%20you%20cannot%20manage%20these%20in%20admin%20portal%2C%20and%20we%20have%20no%20plans%20to%20enable%20that.%20%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EFor%20group%20connected%20sites%20(including%20classic%20sites%20you%20connect%20to%20new%20Office%20365%20Groups)%2C%20we%20do%20ensure%20that%20the%203%20default%20SP%20groups%20exists%20(i.e.%20Owners%2C%20Members%2C%20Visitors).%26nbsp%3B%20While%20you%20will%20continue%20to%20be%20able%20to%20add%20your%20own%20SP%20groups%20to%20sites%2C%20any%20custom%20permissions%20you%20employ%20on%20site%20resources%20do%20not%20map%20across%20to%20Office%20365%20Group%20membership.%26nbsp%3B%20This%20is%20an%20important%20point%20-%20that%20while%20SharePoint%20will%20allow%20you%20to%20break%20permissions%20inheritance%20on%20resources%2C%20if%20you%20do%20so%20you%20can%20end%20up%20with%20members%20of%20the%20Office%20365%20Group%20*not*%20having%20access%20to%20those%20resources.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHope%20this%20helps.%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3ETejas%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-114004%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20deal%20with%20Security%20groups%20in%20SharePoint%20and%20Office%20365%20groups%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-114004%22%20slang%3D%22en-US%22%3EOne%20thing%20to%20consider%2C%20the%20value%20of%20separated%20group%20administration%20in%20SharePoint%20is%20delegation%20of%20control.%20Many%20organizations%20we%20work%20with%20want%20to%20allow%20team%20admins%20to%20manage%20site%20groups%20but%20don't%20want%20them%20to%20have%20access%20to%20the%20Office%20365%20administration%20areas.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-114000%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20deal%20with%20Security%20groups%20in%20SharePoint%20and%20Office%20365%20groups%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-114000%22%20slang%3D%22en-US%22%3E%3CP%3Eadding%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F8984%22%20target%3D%22_blank%22%3E%40Tejas%20Mehta%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-113738%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20deal%20with%20Security%20groups%20in%20SharePoint%20and%20Office%20365%20groups%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-113738%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%40Deleted%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20a%20very%20long%20time%20I've%20suggested%20that%20each%20SharePoint%20group%20should%20have%20a%20matching%20security%20group.%20The%20problem%20however%20with%20this%20appraoch%20has%20always%20been%20...%20users!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWith%20the%20whole%20empowering%20idea%20that%20Microsoft%20is%20pushing%20this%20becomes%20even%20harder.%20Sharing%20with%20a%20user%20breaks%20this%20whole%20plan.%20I've%20never%20really%20found%20a%20better%20solution%20than%20simply%20to%20give%20up%20on%20controlling%20permissions%20too%20much.%20The%20alternative%20for%20giving%20up%20would%20be%20to%20give%20users%20not%20the%20option%20to%20share...%20and%20I'm%20not%20happy%20with%20that%20either.%20Of%20course%2C%20you%20still%20want%20to%20control%20the%20users%20with%20special%20permissions%20like%20admins%2C%20designers%20etc.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-113730%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20deal%20with%20Security%20groups%20in%20SharePoint%20and%20Office%20365%20groups%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-113730%22%20slang%3D%22en-US%22%3E%3CP%3EMy%20guess%20is%20that%20the%20three%20standard%20security%20groups%20will%20continue%20to%20be%20managed%20(also)%20by%20the%20standard%20Group%20UI%2C%20while%20other%20security%20groups%20will%20be%20managed%20(only)%20by%20the%20advanced%20UI%2C%20as%20it%20happens%20now%20when%20you%20add%20more%20security%20groups%20to%20a%20Group.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-964550%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20deal%20with%20Security%20groups%20in%20SharePoint%20and%20Office%20365%20groups%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-964550%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F8984%22%20target%3D%22_blank%22%3E%40Tejas%20Mehta%3C%2FA%3EI've%20noticed%20that%20the%20Office%20365%20Members%20group%20appears%20to%20be%20added%20to%20the%20SharePoint%20members%20group.%26nbsp%3B%20The%20Office%20365%20Owners%20group%20does%20not%20appear%20to%20be%20added%20to%20the%20SharePoint%20owners%20group.%26nbsp%3B%20The%20reason%20this%20came%20up%20was%20that%20I%20was%20doing%20some%20working%20using%20SharePoint%20search%20which%20still%20relies%20on%20SharePoint%20groups%20for%20security%20trimming.%26nbsp%3B%20I%20wasn't%20seeing%20a%20lot%20of%20files%20that%20others%20were%20seeing%20and%20started%20a%20bit%20of%20digging.%26nbsp%3B%20Once%20I%20added%20the%20Owners%20to%20the%20SharePoint%20Owners%20group%2C%20things%20began%20to%20appear%20in%20search%20for%20me.%20Is%20there%20a%20reason%20why%20the%20Office%20365%20Members%20group%20is%20added%20to%20the%20SharePoint%20group%20but%20the%20Owners%20group%20is%20not%3F%20This%20was%20on%20a%20Modern%20Team%20site%2C%20feeding%20content%20to%20SharePoint%20search.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Deleted
Not applicable

I have a question regarding SharePoint and Office 365 groups. As we heart that you can Groupify almost everything at Ignite.

 

As you may now when you create an Office 365 group you can manage the members and owners from the admin portal. But now in my SharePoint site, I have more SharePoint Groups especially for different members and different Libraries(with broken inheritance).

These SharePoint Groups I cannot edit on the admin portal, but only in SharePoint and have issues when they want to use planner for example.

 

What is the vision for this?

Is the future that all SP groups can be edit in the Admin portal?

or do we need to minify the SP groups to members, Owners, visitors?
And how should we deal with security in libraries for different groups?

 

thanks in advance

8 Replies
Highlighted

My guess is that the three standard security groups will continue to be managed (also) by the standard Group UI, while other security groups will be managed (only) by the advanced UI, as it happens now when you add more security groups to a Group.

Highlighted

Hi @Deleted,

 

For a very long time I've suggested that each SharePoint group should have a matching security group. The problem however with this appraoch has always been ... users!

 

With the whole empowering idea that Microsoft is pushing this becomes even harder. Sharing with a user breaks this whole plan. I've never really found a better solution than simply to give up on controlling permissions too much. The alternative for giving up would be to give users not the option to share... and I'm not happy with that either. Of course, you still want to control the users with special permissions like admins, designers etc.

 

 

Highlighted
Highlighted
One thing to consider, the value of separated group administration in SharePoint is delegation of control. Many organizations we work with want to allow team admins to manage site groups but don't want them to have access to the Office 365 administration areas.
Highlighted
Best Response
Solution

Hi there,

 

 

SharePoint groups will continue to exist as SharePoint-only entities that can be utilized for permissions purposes.  You are correct that you cannot manage these in admin portal, and we have no plans to enable that.  


For group connected sites (including classic sites you connect to new Office 365 Groups), we do ensure that the 3 default SP groups exists (i.e. Owners, Members, Visitors).  While you will continue to be able to add your own SP groups to sites, any custom permissions you employ on site resources do not map across to Office 365 Group membership.  This is an important point - that while SharePoint will allow you to break permissions inheritance on resources, if you do so you can end up with members of the Office 365 Group *not* having access to those resources.

 

Hope this helps.


Tejas

 

 

Highlighted

 

I've noticed you also cannot change the default permissions for the Modern Team site Member group to Contribute. It's seems the choice are now down to Full Control, Edit or Read only.  Can't even do it in the user.aspx page. Sharepoint seems to be getting dumbed down.

Highlighted

The trend appears to be to leave alone "standard groups" permissions for modern team sites.

If you want to customize permissions it is better to use classic team sites instead.

Highlighted

@Tejas MehtaI've noticed that the Office 365 Members group appears to be added to the SharePoint members group.  The Office 365 Owners group does not appear to be added to the SharePoint owners group.  The reason this came up was that I was doing some working using SharePoint search which still relies on SharePoint groups for security trimming.  I wasn't seeing a lot of files that others were seeing and started a bit of digging.  Once I added the Owners to the SharePoint Owners group, things began to appear in search for me. Is there a reason why the Office 365 Members group is added to the SharePoint group but the Owners group is not? This was on a Modern Team site, feeding content to SharePoint search.