SharePoint Access Requests Settings


This has long been a problem but there appears to have been a subtle but significant change to the abilities here in SPO. It appears you can now specify the site owners group as the destination of the request emails. Has anyone seen any announcements or tried it out yet?


72 Replies

If you want to reset the default groups configuration (subsite or root site) for Owners, Members, Visitors (in case of deletion of site migration for example), you can use that technical page (not available from the settings menu):

That will offer you the choice from the existing groups list or create your own.

 

Fab

Hi Stephen,

This change was a surprise for me in our tenant; however, I like the concept of now being able to assign the Owners group or an individual to these requests and also the ability to set a custom message. Nice touch.

 

The question / issue for me is: when we set an email address to receive the request, why do all owners still receive the access request email and not just the email address specified? Everything looks set correctly. Has anyone else noticed this?

 

Thanks!

Hi @Tina A Garavaglia,

 

Can you share how you have the access requests set up? You should have options for whether the mails go to the owners group or a specified e-mail address. If they're going to both, then that definitely doesn't sound right :) Thanks!

 

Stephen Rice

OneDrive Program Manager II

Thanks for the quick reply. I am attaching a screen shot of how the Access Request setting is set up for the site (see below). When someone requested access the other day, my Team Lead also received a copy of the email--he is not the person specified below, but he is in the Owners group. I just cannot see what is wrong here.

Thanks Tina,

 

Yep, you have it set up correctly! Let me see what I can dig up :)

 

Stephen Rice

OneDrive Program Manager II

The fact that you don't have a default Members group is never a good sign. I recommend going to the members group and resetting it.

 

Dear all,

Be careful with that option, because it's only possible for the "Members" group.

If you want to reset the owners and visitors default group, you have to do it via PowerShell or via this technical page:

Fab

Thanks! I reset the Members group to the default group and I guess we'll see how it goes the next time someone requests access. Keeping my fingers crossed that this fixes the issue. I'm pretty sure that someone went in a couple of weeks ago and did the permsetup (that Fab mentions in the reply) on the site, and wondering if that did something when the Owners group was reset.

This site was a collection that we used a tool to migrate from an on-premise environment to the Cloud so there were a couple of permissions issues we found that needed to be resolved. Appreciate your response!

I also like the change but I have a question, which I have asked in other threads, related to whether it's possible to disable the "allow access requests" across multiple sites via PS. I can see there are commands available for setting "Allow members to share" and "Allow members to invite"...but nothing related to "Allow access requests". Cheers

Dear Damien,

If you use the script to set the access request with an empty string as the email address, the access request will be automatically disabled.

Fab

Hi Fabrice,

 

I have the same issue.

In case the option is "e-mail address" it works well. But in case the option is default it does not work. I cannot disable the "allow access requests" in case the option is default via PS.

Part of the PS commands are not yet integrated into CSOM.

This is why I developed that script, for example:

<#
Source:
 - https://sharepoint.stackexchange.com/questions/219634/sp-online-powershell-web-requestaccessemail-is-not-returning-any-value
 - https://sharepoint.stackexchange.com/questions/241415/csom-property-for-access-request-group
 - https://msdn.microsoft.com/en-us/library/office/microsoft.sharepoint.client.web.aspx
 - https://techcommunity.microsoft.com/t5/SharePoint-Developer/Changing-the-quot-Allow-members-to-share-quot-SharePoint-site/td-p/18562
#>

[string]$MyRootWebURL = "https://tenant.sharepoint.com/sites/YourSiteCollection"
[string]$SiteOwnerEmailAdress = ""
[boolean]$ChangeRequestAccessEmail = $true

[string]$username = "admin@tenant.onmicrosoft.com"
[string]$PwdTXTPath = "C:\SECUREDPWD\ExportedPWD-$($username).txt"

$secureStringPwd = ConvertTo-SecureString -string (Get-Content $PwdTXTPath)
$creds = New-Object System.Management.Automation.PSCredential $username, $secureStringPwd

function Load-DLLandAssemblies
{
	[string]$defaultDLLPath = ""

	# Load assemblies to PowerShell session 

	$defaultDLLPath = "C:\Program Files\SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell\Microsoft.SharePoint.Client.dll"
	[System.Reflection.Assembly]::LoadFile($defaultDLLPath)

	$defaultDLLPath = "C:\Program Files\SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell\Microsoft.SharePoint.Client.Runtime.dll"
	[System.Reflection.Assembly]::LoadFile($defaultDLLPath)

	$defaultDLLPath = "C:\Program Files\SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell\Microsoft.Online.SharePoint.Client.Tenant.dll"
	[System.Reflection.Assembly]::LoadFile($defaultDLLPath)
}

Function Invoke-LoadMethod() {
param(
   [Microsoft.SharePoint.Client.ClientObject]$Object = $(throw "Please provide a Client Object"),
   [string]$PropertyName
) 
   $ctx = $Object.Context
   $load = [Microsoft.SharePoint.Client.ClientContext].GetMethod("Load") 
   $type = $Object.GetType()
   $clientLoad = $load.MakeGenericMethod($type) 


   $Parameter = [System.Linq.Expressions.Expression]::Parameter(($type), $type.Name)
   $Expression = [System.Linq.Expressions.Expression]::Lambda(
            [System.Linq.Expressions.Expression]::Convert(
                [System.Linq.Expressions.Expression]::PropertyOrField($Parameter,$PropertyName),
                [System.Object]
            ),
            $($Parameter)
   )
   $ExpressionArray = [System.Array]::CreateInstance($Expression.GetType(), 1)
   $ExpressionArray.SetValue($Expression, 0)
   $clientLoad.Invoke($ctx,@($Object,$ExpressionArray))
}

function Get-SPOSubWebs
{
	Param( 
        [Microsoft.SharePoint.Client.ClientContext]$Context, 
        [Microsoft.SharePoint.Client.Web]$RootWeb 
    ) 
	
	$Webs = $RootWeb.Webs
	$Context.Load($Webs)
	$Context.ExecuteQuery()
	ForEach ($sWeb in $Webs)
	{
		Write-host " -------------------------------------------------------- "
		Write-host "       -->> SubSite:", $sWeb.URL -ForegroundColor green
		Invoke-LoadMethod -Object $sWeb -PropertyName "HasUniqueRoleAssignments"
		$context.ExecuteQuery()
		Write-Host "       -->> Has Unique Permissions:", $sWeb.HasUniqueRoleAssignments

		if($sWeb.HasUniqueRoleAssignments)
		{

			Invoke-LoadMethod -Object $sWeb -PropertyName "RequestAccessEmail"
			Invoke-LoadMethod -Object $sWeb -PropertyName "MembersCanShare"
			Invoke-LoadMethod -Object $sWeb -PropertyName "AssociatedMemberGroup"
			Invoke-LoadMethod -Object $sWeb -PropertyName "AssociatedOwnerGroup"
			$context.ExecuteQuery()
			Write-Host "            -->> Request Access Email Before change:", $sWeb.RequestAccessEmail, " - Member Can Share:", $sWeb.MembersCanShare, "- AssociatedMemberGroup.AllowMembersEditMembership: " $sWeb.AssociatedMemberGroup.AllowMembersEditMembership -ForegroundColor Red
			Write-Host "            -->> AssociatedOwnerGroup Name:", $sWeb.AssociatedOwnerGroup.Title   -ForegroundColor Yellow
			
			if(($ChangeRequestAccessEmail) -and ($sWeb.RequestAccessEmail -ne $SiteOwnerEmailAdress))
			{
				Write-Host "      ===->> Request Access Email to change"
				$sWeb.RequestAccessEmail = $SiteOwnerEmailAdress
				$sWeb.Update()
				$context.ExecuteQuery()
				Invoke-LoadMethod -Object $sWeb -PropertyName "RequestAccessEmail"
				$context.ExecuteQuery()
				Write-Host "   -->> Request Access Email After change:", $sWeb.RequestAccessEmail
			}

		}
		Get-SPOSubWebs -Context $Context -RootWeb $sWeb
	} 
}


cls
Write-Host " ---------------------------------------------- "
Load-DLLandAssemblies
Write-Host " ---------------------------------------------- "

	$Myctx = New-Object Microsoft.SharePoint.Client.ClientContext($MyRootWebURL)

	$Myctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($creds.UserName,$creds.Password)
	$Myctx.RequestTimeout = 1000000 # milliseconds
	$MyspoRootweb = $Myctx.Web
	$Myctx.Load($MyspoRootweb)
	$Myctx.ExecuteQuery()

Write-Host " "
Write-Host " ---------------------------------------------------------"
Write-Host "  >>>> # Server Version:" $Myctx.ServerVersion " # <<<<<<" -ForegroundColor Green 
Write-Host " ---------------------------------------------------------"
Write-Host " "

Write-host " -------------------------------------------------------- "
Write-host "   -->> RootSite:", $MyspoRootweb.URL -ForegroundColor green

Invoke-LoadMethod -Object $MyspoRootweb -PropertyName "RequestAccessEmail"
Invoke-LoadMethod -Object $MyspoRootweb -PropertyName "MembersCanShare"
Invoke-LoadMethod -Object $MyspoRootweb -PropertyName "AssociatedMemberGroup"
Invoke-LoadMethod -Object $MyspoRootweb -PropertyName "AssociatedOwnerGroup"
$Myctx.ExecuteQuery()

Write-Host "   -->> Request Access Email Before change:", $MyspoRootweb.RequestAccessEmail -ForegroundColor Red
Write-Host "       ==> Member Can Share:", $MyspoRootweb.MembersCanShare
Write-Host "       ==> AssociatedMemberGroup Name:", $MyspoRootweb.AssociatedMemberGroup.Title ,"- AssociatedMemberGroup.AllowMembersEditMembership: " $MyspoRootweb.AssociatedMemberGroup.AllowMembersEditMembership  -ForegroundColor Yellow
Write-Host "       ==> AssociatedOwnerGroup Name:", $MyspoRootweb.AssociatedOwnerGroup.Title   -ForegroundColor Yellow

if(($ChangeRequestAccessEmail) -and ($MyspoRootweb.RequestAccessEmail -ne $SiteOwnerEmailAdress))
{
	Write-Host "   ===->> Request Access Email to change"
	$MyspoRootweb.RequestAccessEmail = $SiteOwnerEmailAdress
	$MyspoRootweb.Update()
	$Myctx.ExecuteQuery()
	Invoke-LoadMethod -Object $MyspoRootweb -PropertyName "RequestAccessEmail"
	$Myctx.ExecuteQuery()
	Write-Host "   -->> Request Access Email After change:", $MyspoRootweb.RequestAccessEmail
}

Get-SPOSubWebs -Context $Myctx -RootWeb $MyspoRootweb

That will give you the solution to manage that value at any level of the site collection.

To remove the access request, you just have to leave the value "" in the variable $SiteOwnerEmailAdress.

If you want to set it to someone, set the email address.

 

You can adapt that code as you need.

 

Fab

 

 

Hi there. Any updates on this? We are starting to receive questions from our users about how to stop the Owners group from getting the requests. They just want one or two people to get the requests, not the whole Owners group. Not sure how to stop this when the option is set to go to just one person and the requests are going to all owners. Is anyone else having this problem?

It sounds like the Access Request settings need to be reviewed in your sites. It also sounds like the setting has been switched from the previous email address to the Owners Group automagically. May need to be reset back manually.

Yes, that did happen to us and is causing a lot of confusion for our people who were used to our on-premise settings--we are migrating to the Cloud and everything was set the same originally and then this setting showed up.

To work around this, slowly we are having them go through their Access Request Settings and making sure they are correct. Although, the individual email setting does not appear to be working as expected for us. To work around that, we are having people review their permissions and making sure only those who should truly have Owner full control rights are in that group. A lot of people seem to have upwards of 10 people in that group just because they need people to contribute to the site.
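
Added example, not part of any post in this thread: a read-only CSOM audit for the review described above. For every web with unique permissions it lists the access-request address and how many principals sit in the default Owners group. `$SiteUrl`, `$OwnerLimit` and the function names are assumptions; it reuses the DLL folder and the legacy credential style of the script posted earlier in the thread.

```powershell
# Added example, not from the thread. Read-only: it reports and changes nothing.
# Assumptions: $SiteUrl and $OwnerLimit are placeholders; Windows PowerShell 5.1.
$SiteUrl    = "https://tenant.sharepoint.com/sites/YourSiteCollection"
$OwnerLimit = 3   # hypothetical threshold for Full Control holders per site
$dll = "C:\Program Files\SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell"
Add-Type -Path "$dll\Microsoft.SharePoint.Client.dll"
Add-Type -Path "$dll\Microsoft.SharePoint.Client.Runtime.dll"

# Queue one non-default property for loading (same reflection approach as Invoke-LoadMethod).
function Request-Property($Object, [string]$Name) {
    $type = $Object.GetType()
    $load = [Microsoft.SharePoint.Client.ClientContext].GetMethod("Load").MakeGenericMethod($type)
    $p    = [System.Linq.Expressions.Expression]::Parameter($type, $type.Name)
    $expr = [System.Linq.Expressions.Expression]::Lambda(
                [System.Linq.Expressions.Expression]::Convert(
                    [System.Linq.Expressions.Expression]::PropertyOrField($p, $Name), [System.Object]),
                $($p))
    $arr  = [System.Array]::CreateInstance($expr.GetType(), 1)
    $arr.SetValue($expr, 0)
    $load.Invoke($Object.Context, @($Object, $arr)) | Out-Null
}

# Emit one row per web that has its own permissions, then recurse into subsites.
function Get-AccessRequestAudit($Context, $Web) {
    foreach ($n in "Url", "HasUniqueRoleAssignments", "RequestAccessEmail") { Request-Property $Web $n }
    $owners = $Web.AssociatedOwnerGroup; $subs = $Web.Webs
    $Context.Load($owners); $Context.Load($subs); $Context.ExecuteQuery()
    if ($Web.HasUniqueRoleAssignments) {
        $count = 0; $title = "(no default Owners group)"
        if ($owners.ServerObjectIsNull -ne $true) {
            $users = $owners.Users
            $Context.Load($users); $Context.ExecuteQuery()
            $count = $users.Count; $title = $owners.Title
        }
        [pscustomobject]@{
            Url                = $Web.Url
            RequestAccessEmail = $Web.RequestAccessEmail
            OwnersGroup        = $title
            OwnerCount         = $count   # a nested AD/M365 group counts as one entry
            ReviewOwners       = ($count -gt $OwnerLimit)
        }
    }
    foreach ($sub in $subs) { Get-AccessRequestAudit $Context $sub }
}

$cred = Get-Credential   # an account allowed to read site permissions
$ctx  = New-Object Microsoft.SharePoint.Client.ClientContext($SiteUrl)
$ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($cred.UserName, $cred.Password)
Get-AccessRequestAudit $ctx $ctx.Web | Format-Table -AutoSize
```

Rows with `ReviewOwners` set to True are the sites where an access request sent to the Owners group reaches more Full Control holders than the chosen limit.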

Is there anyone who is able to confirm that a distribution list works with Request For Access? I've got an error when I try to put 2 email addresses or a distribution list.

Error Sorry, something went wrong

The e-mail address being passed is either empty, too big or incorrect.

Hi @Stephen Rice,

 

We are getting a mismatch between MS Teams SharePoint Members group and the MS Teams members group. This is because often staff have their first interaction with a Team via the Team's SharePoint site. If they don't have access they request access.

This sends an email to the MS Teams SharePoint Owners group (the default, and how our sites are setup), the owner then clicks the Accept link in the email.

Accept adds the person to the MS Teams SharePoint Members group BUT NOT the MS Teams Members group.

 

I understand that there are times when there is a need to give access to just the SharePoint content , and not the entire Teams experience.

I also understand that this issue is arising because this is a legacy feature.

 

What would be great is the following:

If the SharePoint site is related to a MS Team, then on the Permissions / Access request screen have 2 radio buttons "Access request Accept action: Add requester to SharePoint members OR Add requester to Team members"

- The other way to do this would be in the Request access email that goes to Site owners. Change the wording to "Accept request: Add to SharePoint members OR Add to Team members"

 

Let me know what you think

 

 

Hi @Dorje McKinnon,

 

When the user requests access, there should be a set of radio buttons asking them if they want access to just the site (or file or folder) or if they want to request membership in the group. Are your users not seeing this? Thanks!

 

Stephen Rice

OneDrive Program Manager II

@Stephen Rice we are not seeing the UI you describe. When someone navigates directly to a SharePoint site, they get the traditional Access denied, request access screen and then the SP Site Owner gets a request; when they click Accept, the user is added to the site directly and not to the associated O365 group. Attached are images of our experience.

Hi @Stephen Rice,

 

Wow thanks for the quick response.

From the Teams app, users can search for teams, but if they aren't a member of it already they get the "Hmm we can't find any matches" message.

If the staff member gets a link to the SharePoint part of a private team, they get the attached standard SharePoint "Access required : You need permission to access this site" message with a comment box and request access button.

 

My guess is that there is a setting that we haven't set in our tenant, which shows the radio buttons you mention. Just like @Dean Gross

[Shout out for Dean, thanks for all the great questions and answers you post]
