The world of SharePoint permissions is changing, with Office 365 Groups, external users, and the integration of other Office 365 features, such as Microsoft Teams. How do you make sense of it all? In this session we will demystify the world of permissions management for sites, to ensure the right people have access to the right information, at the right time.
3. TABLE OF CONTENTS
1 PERMISSIONS BASICS: How SharePoint permissions work.
2 EXTERNAL USER ACCESS: How to share SharePoint content with guest users.
3 ADVANCED SCENARIOS: What about an extranet?
4. THE BASICS OF SHAREPOINT SECURITY
USER OR GROUP
PERMISSION LEVEL: Full Control, Edit, Contribute, Read, View Only, Approve, Design
SHAREPOINT OBJECT: Site Collection; Site; Library or List; Item, Document, Folder
5. THE STANDARD SHAREPOINT PERMISSIONS
PERMISSION LEVEL | DESCRIPTION | 2010 | 2013, 2016, 2019, SPO
Owner (Full Control) | Contains all available SharePoint permissions. | X | X
Member (Edit) | Can add, edit and delete lists; can view, add, update and delete list items and documents. | | X
Member (Contributor) | View, add, update, and delete list items and documents. | X |
Visitor (Read) | View pages and items in existing lists and document libraries and download documents. | X | X
6. TYPES OF SHAREPOINT ONLINE MODERN SITES
TEAM SITE: Public, Private
COMMUNICATION SITE
HUB SITE
HOME SITE: COMING SOON!
Permissions are a bit different in each site type.
7. SHAREPOINT PERMISSIONS IN MODERN TEAM SITES
CREATE SHAREPOINT SITE
• Automatically Creates Owner, Member, and Visitor SharePoint Groups
AUTOMATICALLY CREATES OFFICE 365 GROUP
• Creates Owner and Member Azure Active Directory Groups
• If public site, add everyone except external users to Member AAD Group
CREATES OFFICE 365 CONNECTED SERVICES
• Planner Plan
• OneNote Notebook
• Stream Video Portal
• PowerBI Workspace (if licensed)
• Outlook Team mailbox
• Outlook Group Calendar
8. WHAT IS AN OFFICE 365 GROUP?
IF YOU ARE TECHNICAL (IT Pro): An Azure Active Directory Security Group
IF YOU ARE AN END USER (End User): A group of people that are working together, such as on a team, project, or department
9. OFFICE 365 GROUP PERMISSIONS
Office 365 Group, Office 365 Connected Services, SharePoint Group
OWNER: Site Collection Admin
MEMBER: SharePoint Member
11. SHARING SETTINGS
• Sharing permissions:
• Who can share the site?
• Who can share files?
• Access requests:
• Turn on or off
• Send requests to all owners or a specific email address
• Set a custom message
12. COMMUNICATION SITES
1 Aren’t asked to add people when creating site
2 When you add people it defaults to visitors
3 AAD groups are NOT created
4 Office 365 Connected Services NOT created
13. HUB SITES
• Permissions will depend on whether you start with a Team or Communication site
• Recommend starting with a communication site
• SharePoint site collection administrator can associate a new or existing site with a SharePoint hub site
• When users associate their sites with a hub site, it doesn't impact the permissions of either the hub site or the associated sites.
• Ensure that all users you allow to associate sites to the hub site have permission to the hub site.
15. WHAT IS AN EXTERNAL USER OR GUEST?
Someone who does not have a license in your organization who has been granted access to a site, file, or folder.
Authenticated WITH Microsoft Account
• Not licensed
• Limited to basic collaboration tasks
• Added to Azure AD with #EXT# in username
Authenticated WITHOUT Microsoft Account
• Not licensed
• Sent one-time access code
The guest will need to click a link in their email to accept privacy terms before they can access any content.
16. SHARE A SITE WITH AN EXTERNAL USER
Guests can only be site members, not owners
17. SHARING A FILE WITH GUESTS
Anyone
People in the Organization
People with Existing Access
Specific People
18. ANYONE LINK SETTING
• A transferrable, revocable secret key
• Users can forward the link
• Access can be revoked at any time
• Need link to gain access
• Guarantees users can open the document anywhere, anytime
19. PEOPLE IN THE ORGANIZATION LINK SETTING
• A transferrable, revocable secret key
• Users can forward the link
• Access can be revoked at any time
• Need link to gain access
• Requires a sign in to an organizational account
• Members (non-guests) in Azure AD
20. PEOPLE WITH EXISTING ACCESS LINK SETTING
• This is basically just resending the link without changing existing access permissions
21. SPECIFIC PEOPLE LINK SETTING
• A non-transferrable, revocable secret key that only works for the recipient
• Cannot forward to other people
• Existing users get access by signing in to their account
• Can be internal or external users
• Can add external users through email passcode
• Grants internal user access by breaking inheritance
23. STEPS TO ENABLE EXTERNAL ACCESS
01 Tenant Admin configures external sharing for the company
02 Site Owner configures external sharing for the site
03 End User Shares the Site with External User
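To check steps 01 and 02 across a tenant, the following added example (not part of the original deck) compares each site's sharing level against the tenant-wide ceiling and lists sites where "Anyone" links are possible. It assumes the SharePoint Online Management Shell module and a SharePoint admin account; the admin and site URLs are placeholders.

```powershell
# Added example. Assumes the Microsoft.Online.SharePoint.PowerShell module
# is installed and the caller is a SharePoint administrator.
$AdminUrl = 'https://<tenant>-admin.sharepoint.com'   # placeholder, replace
Connect-SPOService -Url $AdminUrl

# SharingCapability values ranked from least to most permissive.
$Rank = @{
    'Disabled'                        = 0   # no external sharing
    'ExistingExternalUserSharingOnly' = 1   # guests already in the directory
    'ExternalUserSharingOnly'         = 2   # new and existing guests, sign-in required
    'ExternalUserAndGuestSharing'     = 3   # also allows "Anyone" links
}

# Step 01: the tenant-wide setting is the ceiling for every site.
$tenantLevel = [string](Get-SPOTenant).SharingCapability
"Tenant sharing level: $tenantLevel"

# Step 02: a site setting cannot be more permissive than the tenant setting,
# so the effective level is the lower of the two.
$report = Get-SPOSite -Limit All | ForEach-Object {
    $siteLevel = [string]$_.SharingCapability
    $effective = if ($Rank[$siteLevel] -lt $Rank[$tenantLevel]) { $siteLevel } else { $tenantLevel }
    [pscustomobject]@{
        Url            = $_.Url
        SiteLevel      = $siteLevel
        EffectiveLevel = $effective
        AnyoneLinks    = ($Rank[$effective] -eq 3)
    }
}

# Sites where end users (step 03) can create unauthenticated "Anyone" links.
$report | Where-Object AnyoneLinks | Sort-Object Url |
    Format-Table Url, SiteLevel, EffectiveLevel

# Summary of effective sharing levels across all sites.
$report | Group-Object EffectiveLevel | Select-Object Name, Count

# To require guest sign-in on one site (placeholder URL), uncomment:
# Set-SPOSite -Identity 'https://<tenant>.sharepoint.com/sites/<site>' `
#     -SharingCapability ExternalUserSharingOnly
```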
25. WHAT IF I DON’T LIKE MODERN SHAREPOINT PERMISSIONS?
• NEVER change the default Office 365 Member / Owner groups
• Instead, add people to the SharePoint visitor group for read only
• Or, create a new SharePoint group for custom permissions
• You can create a custom provisioning solution to make this scalable
26. What if I need a List, Library, Document, or Item to Have Custom Permissions?
• No problem!
• You can break inheritance the same as in past versions of SharePoint
• Don’t do this for the default Document library used by Microsoft Teams
• If you have legacy InfoPath forms or SharePoint Designer workflows with permission requirements they will still work
27. What if I need an Extranet?
Add Users: Add internal and external users
Provision Site: Provision sites manually or automatically
User Accounts: Bulk create external user accounts using Azure B2B
Site Collection: Create a separate site collection