Permissions on a communication site has been modified automatically by the SharePoint system

%3CLINGO-SUB%20id%3D%22lingo-sub-329279%22%20slang%3D%22en-US%22%3EPermissions%20on%20a%20communication%20site%20has%20been%20modified%20automatically%20by%20the%20SharePoint%20system%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-329279%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3EPermissions%20on%20a%20communication%20site%20has%20been%20modified%20automatically%20by%20the%20SharePoint%20system%20account.%20We%20have%20configured%20the%20site%20so%20that%20%E2%80%9CEveryone%20except%20external%20users%E2%80%9D%20is%20member%20of%20%E2%80%9CSite%20Visitors%E2%80%9D%20group.%20However%2C%20at%20two%20times%20the%20system%20account%20has%20moved%20%E2%80%9CEveryone%20except%20external%20users%E2%80%9D%20from%20%E2%80%9CSite%20Visitors%E2%80%9D%20to%20%E2%80%9CSite%20Members%E2%80%9D.%20According%20to%20the%20audit%20logs%20it%20is%20the%20SharePoint%20System%20account%20that%20modified%20the%20permissions%20behind%20the%20scenes.%20It%E2%80%99s%20very%20important%20that%20the%20permissions%20are%20not%20modified%20by%20the%20system%20in%20this%20way%2C%20because%20the%20site%20is%20a%20global%20intranet%20site%20that%20should%20only%20be%20available%20as%20read%20only%20for%20all%20users%20in%20the%20organization.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-329279%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ESharePoint%20Online%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESharePoint%20Server%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-471868%22%20slang%3D%22en-US%22%3ERe%3A%20Permissions%20on%20a%20communication%20site%20has%20been%20modified%20automatically%20by%20the%20SharePoint%20system%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-471868%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F276522%22%20target%3D%22_blank%22%3E%40Surabh_12521%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20happened%20on%20our%20tenant%20last%20night.%26nbsp%3B%20I%20just%20opened%20a%20ticket%20with%20Microsoft.%26nbsp%3B%20The%20group%20'Everyone%20except%20external%20users'%20that%20we%20had%20added%20to%20'Site%20Visitors'%20group%20got%20added%20to%20'Site%20Members'%20group.%26nbsp%3B%20This%20is%20very%20serious%20as%20the%20Portal%20was%20now%20editable%20by%20everyone%20company%20wide%20and%20one%20of%20the%20users%20tried%20editing%20the%20home%20page.%26nbsp%3B%20It%20is%20our%20global%20landing%20page.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-329367%22%20slang%3D%22en-US%22%3ERe%3A%20Permissions%20on%20a%20communication%20site%20has%20been%20modified%20automatically%20by%20the%20SharePoint%20system%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-329367%22%20slang%3D%22en-US%22%3EYou%20probably%20need%20to%20contact%20support%20through%20your%20admin%20center%20and%20get%20a%20ticket%20going%20there.%20I%20have%20never%20personally%20seen%20this.%20%3CBR%20%2F%3E%3CBR%20%2F%3EI%20have%20seen%20however%20in%20the%20past%20that%20there%20was%20a%20rendering%20bug%20where%20it%20would%20show%20as%20Site%20members%20but%20actually%20they%20were%20still%20read%20only%20permissions%20when%20you%20click%20advanced%20permission%20and%20look%20at%20the%20SharePoint%20group%20there.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-329292%22%20slang%3D%22en-US%22%3ERe%3A%20Permissions%20on%20a%20communication%20site%20has%20been%20modified%20automatically%20by%20the%20SharePoint%20system%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-329292%22%20slang%3D%22en-US%22%3E%3CP%3ESomeone%20please%20reply%20on%20post.........just%20want%20to%20Investigate%26nbsp%3Bwhy%20this%20has%20occurred%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-329286%22%20slang%3D%22en-US%22%3ERe%3A%20Permissions%20on%20a%20communication%20site%20has%20been%20modified%20automatically%20by%20the%20SharePoint%20system%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-329286%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3EWe%20have%20explicitly%20given%20Everyone%20except%20external%20users%20membership%20in%20the%20site%20visitors%20group%20to%20give%20them%20read%20only%20access.%20Expected%20behavior%20is%20that%20this%20permission%20assignment%20should%20stay%20that%20way%2C%20and%20not%20be%20modified%20by%20the%20system.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-473294%22%20slang%3D%22en-US%22%3ERe%3A%20Permissions%20on%20a%20communication%20site%20has%20been%20modified%20automatically%20by%20the%20SharePoint%20system%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-473294%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F323448%22%20target%3D%22_blank%22%3E%40Anjali_Sharma%3C%2FA%3E%20As%20a%20workaround%2C%20consider%20adding%20Everyone%20Except%20External%20Users%20as%20a%20direct%20permission%2C%20not%20inside%20a%20SharePoint%20Group.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20652px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F109530iA3BB0C860BC6B4F1%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Screen%20Shot%202019-04-18%20at%201.50.19%20PM.png%22%20title%3D%22Screen%20Shot%202019-04-18%20at%201.50.19%20PM.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-480358%22%20slang%3D%22en-US%22%3ERe%3A%20Permissions%20on%20a%20communication%20site%20has%20been%20modified%20automatically%20by%20the%20SharePoint%20system%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-480358%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F104%22%20target%3D%22_blank%22%3E%40Kevin%20Crossman%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EInteresting.%26nbsp%3B%20I%20will%20try%20that.%26nbsp%3B%20Do%20you%20believe%20that%20when%20it%20is%20outside%2C%20the%20groups%20do%20not%20get%20moved%20around%20by%20system%20account%3F%26nbsp%3B%20Microsoft%20is%20still%20investigating%20this%20and%20i%20have%20a%20few%20other%20permissions%20that%20were%20modified%20by%20the%20System%20account%20which%20I%20would%20like%20to%20determine%20why%20if%20so.%26nbsp%3B%20I%20will%20however%20implement%20this%20workaround.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-487919%22%20slang%3D%22en-US%22%3ERe%3A%20Permissions%20on%20a%20communication%20site%20has%20been%20modified%20automatically%20by%20the%20SharePoint%20system%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-487919%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F323448%22%20target%3D%22_blank%22%3E%40Anjali_Sharma%3C%2FA%3E%26nbsp%3B%20Directly%20applied%20permissions%20have%20been%20stable%20in%20my%20experience%2C%20yes.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

Permissions on a communication site has been modified automatically by the SharePoint system account. We have configured the site so that “Everyone except external users” is member of “Site Visitors” group. However, at two times the system account has moved “Everyone except external users” from “Site Visitors” to “Site Members”. According to the audit logs it is the SharePoint System account that modified the permissions behind the scenes. It’s very important that the permissions are not modified by the system in this way, because the site is a global intranet site that should only be available as read only for all users in the organization.

7 Replies
Highlighted

We have explicitly given Everyone except external users membership in the site visitors group to give them read only access. Expected behavior is that this permission assignment should stay that way, and not be modified by the system.

Highlighted

Someone please reply on post.........just want to Investigate why this has occurred

Highlighted
You probably need to contact support through your admin center and get a ticket going there. I have never personally seen this.

I have seen however in the past that there was a rendering bug where it would show as Site members but actually they were still read only permissions when you click advanced permission and look at the SharePoint group there.
Highlighted

@Surabh_12521 

 

This happened on our tenant last night.  I just opened a ticket with Microsoft.  The group 'Everyone except external users' that we had added to 'Site Visitors' group got added to 'Site Members' group.  This is very serious as the Portal was now editable by everyone company wide and one of the users tried editing the home page.  It is our global landing page.

Highlighted

@Anjali_Sharma As a workaround, consider adding Everyone Except External Users as a direct permission, not inside a SharePoint Group.

Screen Shot 2019-04-18 at 1.50.19 PM.png

Highlighted

@Kevin Crossman 

 

Interesting.  I will try that.  Do you believe that when it is outside, the groups do not get moved around by system account?  Microsoft is still investigating this and i have a few other permissions that were modified by the System account which I would like to determine why if so.  I will however implement this workaround.

Highlighted

@Anjali_Sharma  Directly applied permissions have been stable in my experience, yes.