SOLVED

Why have group owners full control in the SharePoint teamsite

%3CLINGO-SUB%20id%3D%22%5C%26quot%3Blingo-sub-3166684%5C%26quot%3B%22%20slang%3D%22%5C%26quot%3Ben-US%5C%26quot%3B%22%3EWhy%20have%20group%20owners%20full%20control%20in%20the%20SharePoint%20teamsite%26lt%3B%5C%2Flingo-sub%26gt%3B%3CLINGO-BODY%20id%3D%22%5C%26quot%3Blingo-body-3166684%5C%26quot%3B%22%20slang%3D%22%5C%26quot%3Ben-US%5C%26quot%3B%22%3E%3CP%3ELets%20say%20I%20create%20a%20new%20Microsoft%20Team%20called%20%22MyTest%22.%20Now%20a%20SharePoint%20team%20site%20will%20be%20created%20in%20the%20background%20with%20three%20SharePoint%20security%20groups%3A%26lt%3B%5C%2FP%26gt%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%3C%2FP%3E%3CP%3E%3CFONT%20color%3D%22%5C%26quot%3B%23CF3600%5C%26quot%3B%22%3E%3CSTRONG%3EMyTest%20Visitors%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FFONT%26gt%3B%20(empty)%26lt%3B%5C%2FP%26gt%3B%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%20color%3D%22%5C%26quot%3B%23CF3600%5C%26quot%3B%22%3E%3CSTRONG%3EMyTest%20Members%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FFONT%26gt%3B%20(contains%20an%20item%20with%20the%20name%20%22MyTest%20Members%22)%26lt%3B%5C%2FP%26gt%3B%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%20color%3D%22%5C%26quot%3B%23CF3600%5C%26quot%3B%22%3E%3CSTRONG%3EMyTest%20Owners%26lt%3B%5C%2FSTRONG%26gt%3B%20%26lt%3B%5C%2FFONT%26gt%3B(empty)%26lt%3B%5C%2FP%26gt%3B%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%3C%2FP%3E%3CP%3ENow%20I%20have%20two%20questions%20about%20this%3A%26lt%3B%5C%2FP%26gt%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%3C%2FP%3E%3CP%3E1.%20The%20mysterical%20%22MyTest%20Members%22%20item%20inside%20the%20%22%3CFONT%20color%3D%22%5C%26quot%3B%23CF3600%5C%26quot%3B%22%3E%3CSTRONG%3EMyTest%20Members%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FFONT%26gt%3B%22-SharePoint%20group%20is%20the%20%22Members%22%20part%20of%20the%20Microsoft%20365%20group%3F%20Can%20I%20understand%20it%20like%20this%3F%26lt%3B%5C%2FP%26gt%3B%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%3C%2FP%3E%3CP%3E2.%20If%20my%20first%20assumption%20is%20correct%2C%20why%20is%20there%20not%20an%20%22Owners-Part%22%20of%20the%20same%20Microsoft%20365%20group%20that%20is%20either%3A%26lt%3B%5C%2FP%26gt%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%3C%2FP%3E%3CP%3E-%20A%20site%20collection%20admin%26lt%3B%5C%2FP%26gt%3B%3C%2FP%3E%3CP%3E-%20Part%20of%20the%20%22%3CSTRONG%3E%3CFONT%20color%3D%22%5C%26quot%3B%23CF3600%5C%26quot%3B%22%3EMy%20Test%20Owners%26lt%3B%5C%2FFONT%26gt%3B%22%26lt%3B%5C%2FSTRONG%26gt%3B-SharePoint%20group%22%3F%26lt%3B%5C%2FP%26gt%3B%3C%2FFONT%3E%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%3C%2FP%3E%3CP%3EThe%20owners%20are%20not%20mentioned%20anywhere%20in%20the%20permissions.%20That%20appears%20strange%20to%20me%2C%20because%20they%20seem%20to%20have%20the%20%22Full%20control%22-Permission%20level%20somehow%3F%26lt%3B%5C%2FP%26gt%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%3C%2FP%3E%3CP%3ECan%20you%20shed%20some%20light%20on%20that%3F%26lt%3B%5C%2FP%26gt%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%26lt%3B%5C%2Flingo-body%26gt%3B%3CLINGO-LABS%20id%3D%22%5C%26quot%3Blingo-labs-3166684%5C%26quot%3B%22%20slang%3D%22%5C%26quot%3Ben-US%5C%26quot%3B%22%3E%3CLINGO-LABEL%3EPermissions%26lt%3B%5C%2Flingo-label%26gt%3B%26lt%3B%5C%2Flingo-labs%26gt%3B%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3C%2FLINGO-SUB%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3167393%22%20slang%3D%22en-US%22%3ERe%3A%20Why%20have%20group%20owners%20full%20control%20in%20the%20SharePoint%20teamsite%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3167393%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F431566%22%20target%3D%22_blank%22%3E%40David_Elsner%3C%2FA%3E%26nbsp%3B-%20I%20just%20checked%20a%20couple%20of%20SharePoint%20site%20collections%20tied%20to%20Teams.%26nbsp%3B%20In%20both%20cases%2C%20there%20is%20a%20%22Group%20Members%22%20listed%20in%20the%20SharePoint%20members%20group%20and%20a%20%22Group%20Owners%22%20listed%20in%20the%20Site%20Collection%20Administrators.%26nbsp%3B%20However%2C%20the%20SharePoint%20Owners%20group%20is%20empty.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDo%20you%20see%20a%20%22MyTest%20Owners%22%20in%20the%20Site%20Collection%20Administrators%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Contributor

Lets say I create a new Microsoft Team called "MyTest". Now a SharePoint team site will be created in the background with three SharePoint security groups:

 

MyTest Visitors (empty)

MyTest Members (contains an item with the name "MyTest Members")

MyTest Owners (empty)

 

Now I have two questions about this:

 

1. The mysterical "MyTest Members" item inside the "MyTest Members"-SharePoint group is the "Members" part of the Microsoft 365 group? Can I understand it like this?

 

2. If my first assumption is correct, why is there not an "Owners-Part" of the same Microsoft 365 group that is either:

 

- A site collection admin

- Part of the "My Test Owners"-SharePoint group"?

 

The owners are not mentioned anywhere in the permissions. That appears strange to me, because they seem to have the "Full control"-Permission level somehow?

 

Can you shed some light on that?

 

 

6 Replies
best response confirmed by David_Elsner (Contributor)
Solution

Hi @David_Elsner - I just checked a couple of SharePoint site collections tied to Teams.  In both cases, there is a "Group Members" listed in the SharePoint members group and a "Group Owners" listed in the Site Collection Administrators.  However, the SharePoint Owners group is empty.

 

Do you see a "MyTest Owners" in the Site Collection Administrators?

Who ever creates a SharePoint site automatically becomes the site collection administrator for the site and as a site collection administrator you have full control on the site.
The owner permission Level allows you to add new users or groups as owners to the site .

If you check the permission on the site level you will see everyone that has permission to the site.
Click on any of the groups and change the last digits on the URL to 0 and enter.
This will give you a display of all user's permissions
Your first assumption is correct and for the second question part, the "MyTest Owners" group gets added to Site collection administrators in SPO site permissions and that's how the owners have Full Control permissions on the site.
With M365/O365 group, there are only two modes, Owners and Members and the group membership is maintained via these two modes. With Owners having full control of the group membership and resources (Calendar, SharePoint, Planner, Team etc) and Members having Contribute/Edit rights to all the resources.
Since the SPO site gets created as part of O365 group creation process, the Membership from O365 group gets populated to SPO site. Owners -> Site Collection Administrator and Members -> SPO "MyTest Members" group.
- Since there is no visitors mode in O365 group, nothing gets added to SPO "MyTest Visitors" group.
As to the reason as to why "MyTest Owners" SPO group is empty, it's because O365 "MyTest Owners" group is already added to Site collection administrator so no point in duplicating that same action.

You can always add additional users, AD groups to any of these SPO groups , however, they will only have access to SPO site and not to any other resources in the O365 group, so it's always a good idea to manage the group membership via O365 group so that it percolates to all the resources in the O365 group. I hope this information helps.
https://docs.microsoft.com/en-us/microsoft-365/admin/create-groups/office-365-groups?view=o365-world...
Exactly here is my point. If I go to the site collection administrators, I do not see the Microsoft365 group there. The owners list is just empty... however - this might be, because I look there with the classical experience. Maybe that is not up-to-date...

Hi @David_Elsner - what you're seeing isn't the same that I see.  My Site Collection Administrators has the Microsoft 365 Group in it (name group + " Owners").

In the modern admin center I see the same. I was looking in the classical experience. This was my mistake. I think my question is answered... :)