Limit access to guest members

Occasional Contributor

I have O365 groups/teams and the connected SP sites. We have a team for each customer, at the moment team members are only internal members but they are asking me a way to collaborate with some representative of the customer including them in the team as guest. The problem is that the Sharepoint site contains some documents that can be shared with the customer and a lot of documents that are "internal only" and cannot be shared with the customer. Now, if I add the customer as guest, he will be a regular member so he will be able to browse the entire SP site; I created a separate library but I realized I cannot setup a permission with a scope like "all members except guests" and I don't want to use the named account but only groups. Is there a way to achieve native "partial" collaboration between "regular members" and "guest members"?

10 Replies

@mauros801 When this comes it will be the solution. But You will have to rearrange the content so that the "private stuff" resides in the Private Channel(s) before you invite the Guests to the team, https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=44370

@Magnus Goksøyr I do not think this will help me. My teams are all private and will always be. It's not a matter of how to discover a team or how to invite a guest, it's a matter of distinguish a team member based on his "domain": if he is mike@mycompany.com it should have regular members permission, if he is mike@customercompany.com he should have another set of permission, because he is actually a team member but is a "guest" member.

@mauros801 The only possible solution that i can think of is using Azure Information Protection and to use a group containing "Internals" and protect files based on that. However You will not be able to protect the conversations in the channels.

https://docs.microsoft.com/en-us/office365/securitycompliance/protect-sharepoint-online-files-with-a...

 

 

@Magnus Goksøyr I got your point, but I think it will only block guests from opening some labeled files, not to browse the folder tree.

You could utilize AD security groups for this instead of using a SharePoint or O365 group for the permission on that other library.
Keep in mind currently guests do have access to all chat history etc. in the Team as well until private channels come out.

@Chris Webb I got your point but the permission are opposite... I mean, I need standard members to be able to browse the whole site but guest members should only browse a part of the site... but guest members are by default members of the native sharepoint group "site members" and I cannot set a deny for guests...

@mauros801 

I have had the same challenge (that is, if I understand your problem correctly), and the solution was to control the permissions on folder level in Team sites.

 

As far as I remember, I did something like this:

 

You operate with two levels of permissions: Members and (let’s call it) Advanced Members. Advanced Members will be able to see everything, Members only what you allow them to see.

 

So, in your SharePoint Team site (under Site contents) you do the following:

 

Create your Document libraries – normal Document Libraries visible for everyone and Restricted Libraries visible only for chosen members.  Don’t place your libraries under the default Document Library, that won’t work.

 

Your “internal only” documents should be placed in the restricted libraries.

 

In Office 365 create a group (“Advanced members”) that gives permissions to the Restricted Libraries. Add the advanced users to this group (be aware: Outlook will default send a Welcome message to new group members).

 

In the Restricted Libraries:

  1. In Library Settings / Permissions for this document library you choose “Stop Inheriting Permissions”.
  2. Remove the SharePoint Group “Members” (and perhaps, in your case, also “Visitors”?).
  3. Now add (“Grant permissions”) the SharePoint Group “Advanced members” to the Library.

Now only members of the “Advanced members” group have access to this restricted library.

 

In the public libraries:

Well, you really don’t have to do anything, just be sure, that the members of the “Advanced members” group are also members of the sites “Member” group. Everybody will have access to these Document Libraries.

 

All so, if you display content from the restricted libraries in a web part on your Team site, the webpart/the content will not be visible for non “Advanced members”.

 

In Teams you can show your document libraries, and again, only “Advanced members” will be able to se content from the restricted libraries.

 

This works for me, hope it will for you to :smiling_face_with_smiling_eyes:

@CartenS the scenario is exactly the one you described, I have already followed that approach because I have a bunch of sites in which a unique set of users should access a "private" library, and it was pretty easy because the "advanced group" was the same in all the groups so I had to break inheritance, remove all permissions and grant permissions only to this group (and I did it programmatically). In this new challenge, inheritance on default objects (like the default Documents library) should be broken to use security groups and the default O365 group membership becomes useless.... since the default permission level for objects in a site will not be "Group A Members" but "Security Group A members" that is an object that needs to be populated manually. Think of replicating this on dozens of sites and understand the complexity added - in a topic, SP permission, where best practices say to change the less possible. I know this is a potentially working solution, I asked to understand if I was missing something and a easier solution could exist...

@mauros801 

Ok, then I’m out - I try my best not to use Security Groups (hasn’t been necessary yet, but I guess you never know …), and I am not aware of an easier solution to your problem. But good luck, hope you'll find a solution :smile:

@mauros801 did you find a more elegant solution to this problem? I too have a client project site where we allow guest access. Our partners should be able to do just about everything but I don't want them to see one or two folders like pricing.