SOLVED

Permission inheritance


I am confused on how permission inheritance works in the modern experience. I have created a couple of sites that will make up our intranet (will be adding more in the future). Do I need to go to each site and add users? From what I understand, the sites are no longer a part of the same site collection (each is its own collection), so there is no inheritance between sites. Is that true? I feel like I'm missing something because if you had a lot of sites, this could be a lot of work to add people as well as maintain all of that.

What I've started with is a site that will be the main page for the intranet. I then added 2 sites - HR and Operations. These are all communication sites.

Any help is greatly appreciated!!!!

Cal

4 Replies
best response confirmed by cbolwerk (Copper Contributor)
Solution
Site Collections are a permissions boundary. This means that they do not share the same permissions and/or membership. You must add members to each site individually.

You can use a solution such as Azure Access Packages to automatically provision users into multiple locations or Azure AD Dynamic security groups (these cannot be nested into Microsoft 365 Groups, though). Access Packages require Azure AD P2 licensing for all users.

Lastly, you can set your M365 Group for Teams/Team sites to dynamic and create rules for them but you'd need to do this with each Group.

Dynamic groups require Azure AD P1 licensing for all users.

Thanks Trevor! What about hubs and associated sites? Do permissions get inherited there?

Cal

By default, no. You can synchronize _Visitor_ permissions between the hub and spoke sites, though.

https://support.microsoft.com/en-us/office/associate-a-sharepoint-site-with-a-hub-site-ae0009fd-af04...

Note that the article is incorrect at this time. Pushing down Visitor permissions is under gear icon -> Site Permissions -> Hub (tab).
Hi @cbolwerk, you are correct: every new SharePoint site is a site collection in the modern experience, so sub-sites inheriting permissions is a thing of the past!

If you look in the advanced permissions settings, from there you are able to leverage any existing Microsoft 365 or security groups into the SharePoint groups that are created when the site is provisioned (Owners, Members, Visitors).

Here's some more information on sharing and permissions in the modern experience: https://docs.microsoft.com/en-us/sharepoint/modern-experience-sharing-permissions#hub-site-permissio...

As part of your wider intranet build, have you looked at SharePoint home sites and hubs? If not, I'd suggest taking a look as they may shape your thinking:

Hub sites: https://docs.microsoft.com/en-us/sharepoint/planning-hub-sites

Home sites: https://techcommunity.microsoft.com/t5/microsoft-sharepoint-blog/sharepoint-home-sites-a-landing-for...
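
As an added example that is not part of the original thread: because each site collection is its own permissions boundary, one way to manage access centrally is to place a single Azure AD security group in every site's Visitors group and then maintain membership in that group only. The script below audits a list of sites and, with `-Apply`, adds the group where it is missing. It assumes the PnP.PowerShell module is installed; every value in angle brackets (site URLs, group object ID, app client ID) is a placeholder.

```powershell
# Added example, not from the thread. Puts one Azure AD security group into the
# Visitors group of several site collections, one connection per site.
# Assumptions: PnP.PowerShell is installed; angle-bracket values are placeholders.
param(
    [string[]] $SiteUrls = @(
        'https://<tenant>.sharepoint.com/sites/<intranet-home>',
        'https://<tenant>.sharepoint.com/sites/<hr>',
        'https://<tenant>.sharepoint.com/sites/<operations>'
    ),
    [string] $GroupObjectId = '<security-group-object-id>',
    [string] $ClientId      = '<app-client-id>',
    [switch] $Apply   # without this switch the script only reports
)

# Claim-encoded login name SharePoint Online uses for an Azure AD security group.
$claim = "c:0t.c|tenant|$GroupObjectId"

$report = foreach ($url in $SiteUrls) {
    # Each site is its own collection, so it has to be checked separately.
    Connect-PnPOnline -Url $url -Interactive -ClientId $ClientId

    # The Visitors group created when the site was provisioned.
    $visitors = Get-PnPGroup -AssociatedVisitorGroup
    $present  = [bool](Get-PnPGroupMember -Group $visitors |
                       Where-Object { $_.LoginName -eq $claim })

    $action = 'none'
    if (-not $present -and $Apply) {
        Add-PnPGroupMember -LoginName $claim -Group $visitors
        $action = 'added'
    } elseif (-not $present) {
        $action = 'missing (dry run)'
    }

    [pscustomobject]@{
        Site          = $url
        VisitorsGroup = $visitors.Title
        AlreadyMember = $present
        Action        = $action
    }
}

$report | Format-Table -AutoSize
```

Running it without `-Apply` first gives a per-site report of where the group is already granted, which also serves as a periodic check that no site has drifted from the intended access model.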