Home

Modern teamsites - unable to change permission level for security groups

%3CLINGO-SUB%20id%3D%22lingo-sub-218277%22%20slang%3D%22en-US%22%3EModern%20teamsites%20-%20unable%20to%20change%20permission%20level%20for%20security%20groups%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-218277%22%20slang%3D%22en-US%22%3E%3CP%3EI%20noticed%20that%20for%20a%20newly%20created%20modern%20teamsite%20(via%20New-PnPSite)%20I'm%20unable%20to%20change%20permission%20levels%20for%20the%20out%20of%20the%20box%20security%20groups.%20For%20example%2C%20I%20go%20to%20%2Fuser.aspx%20and%20put%20a%20check%20mark%20in%20front%20of%20a%20security%20group.%20Usually%2C%20the%20%22Edit%20User%20Permissions%22%20and%20%22Remove%20User%20Permissions%22%20menus%20become%20selectable.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%2C%20for%20modern%20teamsites%20they%20remain%20greyed%20out%20although%20I'm%20a%20site%20collection%20admin%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20135px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F38130i9900704E8EB9241A%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22chrome_2018-07-24_09-48-19.png%22%20title%3D%22chrome_2018-07-24_09-48-19.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20unfortunate%20thing%20is%20is%20that%20I%20can%20grant%20additional%20permission%20levels%20through%20the%20leftmost%20%22Grant%20permissions%22%20button%20but%20because%20%22Edit%20User%20Permissions%22%20is%20always%20greyed%20out%2C%20I%20cannot%20remove%20them.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20idea%20why%20that%20is%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-218277%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EOffice365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EPermissions%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESharePoint%20Online%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESites%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-218882%22%20slang%3D%22en-US%22%3ERe%3A%20Modern%20teamsites%20-%20unable%20to%20change%20permission%20level%20for%20security%20groups%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-218882%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%2C%20this%20is%20quite%20interesting.%20Another%20thing%20I%20found%20out%20is%20that%20the%20GUI%20let's%20you%20assign%20the%20security%20group%20itself%20two%20different%20permission%20levels%3A%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20956px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F38254i57BE9AAD5800CB62%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%222_chrome_2018-07-25_17-24-41.png%22%20title%3D%222_chrome_2018-07-25_17-24-41.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EBut%2C%20contrary%20to%20classic%20teamsites%2C%20you%20cannot%20change%2Fremove%20them%20afterwards%20since%20%22Edit%20User%20Permissions%22%20is%20greyed%20out.%20Quite%20Frustrating%20I%20might%20say.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-218328%22%20slang%3D%22en-US%22%3ERe%3A%20Modern%20teamsites%20-%20unable%20to%20change%20permission%20level%20for%20security%20groups%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-218328%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20is%20a%20known%20limitation%20on%20the%20Owners%2C%20Members%2C%20and%20Visitors%20groups%20in%20a%20Team%20site%20(actually%20on%20all%20Office%20Group%20sites).%26nbsp%3B%20I%20wrote%20a%20Blog%20post%20about%20the%20issue%2C%20and%20a%20potential%20workaround%2C%20that%20you%20can%20read%20here%3A%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.dontpapanic.com%2Fblog%2F%3Fp%3D526%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.dontpapanic.com%2Fblog%2F%3Fp%3D526%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-218288%22%20slang%3D%22en-US%22%3ERe%3A%20Modern%20teamsites%20-%20unable%20to%20change%20permission%20level%20for%20security%20groups%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-218288%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20able%20to%20partly%20reproduce%20your%20behavior%20in%20my%20tenant%2C%20only%20for%20the%20first%20part%20in%20which%20the%20buttons%20remain%20greyed%20out%20for%20the%20default%20created%20Groups.%20When%20I%20grant%20permissions%20using%20leftmost%20Grant%20Permissions%20button%20I%20am%20able%20to%20use%20both%20buttons%20afterwards%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20don't%20know%20exactly%20why%20this%20is%2C%20but%20I%20can%20imagine%20it's%20to%20protect%20you%20from%20messing%20up%20the%20permissions%20with%20regards%20to%20the%20underlying%20O365%20Group%20that's%20created%20for%20modern%20team%20sites%20and%20keep%20the%20basic%20permissions%20model%20controlled%20through%20O365%20Group%20settings%20working.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1328854%22%20slang%3D%22en-US%22%3ERe%3A%20Modern%20teamsites%20-%20unable%20to%20change%20permission%20level%20for%20security%20groups%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1328854%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F37813%22%20target%3D%22_blank%22%3E%40Florian%20Hein%3C%2FA%3E%26nbsp%3BI%20have%20found%20you%20have%20to%20allow%20custom%20scripting%20on%20your%20site.%20This%20is%20turned%20off%20by%20default.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESet-SPOsite%20-Identity%20%22%3CA%20href%3D%22https%3A%2F%2Funitedchurch.sharepoint.com%2Fsites%2FYOURSITE%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Funitedchurch.sharepoint.com%2Fsites%2FYOURSITE%3C%2FA%3E%22%20-DenyAddAndCustomizePages%200%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20then%20have%20to%20wait%20a%20few%20minutes%20and%20refresh%20the%20page%2C%20once%20it's%20done%20you%20can%20edit%20your%20permissions%20like%26nbsp%3B%20you%20could%20before.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1330912%22%20slang%3D%22en-US%22%3ERe%3A%20Modern%20teamsites%20-%20unable%20to%20change%20permission%20level%20for%20security%20groups%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1330912%22%20slang%3D%22en-US%22%3EThe%20button%20may%20be%20grayed%20out%20but%20the%20Edit%20Permissions%20page%20is%20still%20there%20and%20working%2C%20just%20need%20to%20figure%20out%20and%20manually%20enter%20the%20URL%20to%20it..%3CBR%20%2F%3E%3CBR%20%2F%3E1)%20Go%20to%20your%20permissions%20page%20%3CA%20href%3D%22https%3A%2F%2Fmyorg.sharepoint.com%2Fsites%2Fmysite%2F_layouts%2F15%2Fuser.aspx%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmyorg.sharepoint.com%2Fsites%2Fmysite%2F_layouts%2F15%2Fuser.aspx%3C%2FA%3E%3CBR%20%2F%3E2)%20click%20the%20group%20you%20want%20to%20edit%2C%20and%20note%20the%20groupID%20from%20the%20url%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fmyorg.sharepoint.com%2Fsites%2Fmysite%2F_layouts%2F15%2Fpeople.aspx%3FMembershipGroupId%3D6%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmyorg.sharepoint.com%2Fsites%2Fmysite%2F_layouts%2F15%2Fpeople.aspx%3FMembershipGroupId%3D6%3C%2FA%3E%3CBR%20%2F%3E3)%20Navigate%20to%20the%20edit%20permissions%20page%20of%20another%20group%20(it%20seems%20to%20work%20for%20the%20non-default%20ones)%20and%20change%20the%20groupId%20query%20in%20the%20url%20to%20the%20one%20you%20want%20to%20actually%20edit%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fmyorg.sharepoint.com%2Fsites%2Fmysite%2F_layouts%2F15%2Feditprms.aspx%3Fobj%3Dhttps%253A%252F%252Fmyorg%252Esharepoint%252Ecom%252Fsites%252Fmysite%252CWEB%26amp%3Bsel%3D6%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmyorg.sharepoint.com%2Fsites%2Fmysite%2F_layouts%2F15%2Feditprms.aspx%3Fobj%3Dhttps%253A%252F%252Fmyorg%252Esharepoint%252Ecom%252Fsites%252Fmysite%252CWEB%26amp%3Bsel%3D6%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3Ereplace%20myorg%20and%20mysite%20in%20both%20the%20domain%20and%20query%20string%2C%20and%20replace%206%20with%20the%20group%20id%20you%20want%20to%20edit%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1332208%22%20slang%3D%22en-US%22%3ERe%3A%20Modern%20teamsites%20-%20unable%20to%20change%20permission%20level%20for%20security%20groups%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1332208%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F633618%22%20target%3D%22_blank%22%3E%40mufassa%3C%2FA%3E%26nbsp%3B%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F350041%22%20target%3D%22_blank%22%3E%40jfranz%3C%2FA%3E%2C%20both%20suggestions%20were%20helpful.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Regular Contributor

I noticed that for a newly created modern teamsite (via New-PnPSite) I'm unable to change permission levels for the out of the box security groups. For example, I go to /user.aspx and put a check mark in front of a security group. Usually, the "Edit User Permissions" and "Remove User Permissions" menus become selectable.

 

However, for modern teamsites they remain greyed out although I'm a site collection admin:

 

chrome_2018-07-24_09-48-19.png

 

The unfortunate thing is is that I can grant additional permission levels through the leftmost "Grant permissions" button but because "Edit User Permissions" is always greyed out, I cannot remove them.

 

Any idea why that is?

 

Thanks

 

6 Replies
Highlighted

I am able to partly reproduce your behavior in my tenant, only for the first part in which the buttons remain greyed out for the default created Groups. When I grant permissions using leftmost Grant Permissions button I am able to use both buttons afterwards

 

I don't know exactly why this is, but I can imagine it's to protect you from messing up the permissions with regards to the underlying O365 Group that's created for modern team sites and keep the basic permissions model controlled through O365 Group settings working.

Highlighted

This is a known limitation on the Owners, Members, and Visitors groups in a Team site (actually on all Office Group sites).  I wrote a Blog post about the issue, and a potential workaround, that you can read here:

https://www.dontpapanic.com/blog/?p=526

Highlighted

Thanks, this is quite interesting. Another thing I found out is that the GUI let's you assign the security group itself two different permission levels:

2_chrome_2018-07-25_17-24-41.png

But, contrary to classic teamsites, you cannot change/remove them afterwards since "Edit User Permissions" is greyed out. Quite Frustrating I might say.

Highlighted

@Florian Hein I have found you have to allow custom scripting on your site. This is turned off by default.

 

Set-SPOsite -Identity "https://unitedchurch.sharepoint.com/sites/YOURSITE" -DenyAddAndCustomizePages 0

 

I then have to wait a few minutes and refresh the page, once it's done you can edit your permissions like  you could before.

 

 

 

Highlighted
The button may be grayed out but the Edit Permissions page is still there and working, just need to figure out and manually enter the URL to it..

1) Go to your permissions page https://myorg.sharepoint.com/sites/mysite/_layouts/15/user.aspx
2) click the group you want to edit, and note the groupID from the url
https://myorg.sharepoint.com/sites/mysite/_layouts/15/people.aspx?MembershipGroupId=6
3) Navigate to the edit permissions page of another group (it seems to work for the non-default ones) and change the groupId query in the url to the one you want to actually edit
https://myorg.sharepoint.com/sites/mysite/_layouts/15/editprms.aspx?obj=https%3A%2F%2Fmyorg%2Esharep...

replace myorg and mysite in both the domain and query string, and replace 6 with the group id you want to edit
Highlighted

Thanks @mufassa , @jfranz, both suggestions were helpful.