If you own a SharePoint site, I am sure you followed all the best practices regarding the site security setup and permissions. However, you might also want to control the experience of the users who do not have access to the site just yet, but who might need one. Likewise, you might want to view pending access requests at any point in time and either approve or reject them. In addition, if you happened to share the site externally, you might want to track who accepted your invite and who did not. I know I listed a few different scenarios in this article, but they will all be answered by the wonderful feature of Site access requests. Buckle up and enjoy another sermon of wisdom from rabbi Zelfond. By the way, you might want to read this post till the end as I also cover some important and unintended consequences of SharePoint access Site Requests.
Default User Experience
By default, on any given site, when the users who don’t have access to that site, when clicking on its URL, will get this message.
Here they can add a personal message and press the Request Access button, and request access to the site.
You can customize this page and either disable this button or control who the requests go to. Let me explain.
How to disable Site Access Requests
If you do not want users to bother you with these requests, you can disable them altogether.
- Navigate to the SharePoint Site, click Gear Icon > Site Permissions
- Under Site Sharing, click Change how members can share
- Toggle the switch next to Allow access requests to Off and click Save
- Once disabled, the user will get a nasty message when navigating to the SharePoint site URL: Access Denied. The user does not have permissions to access this resource.
How to specify who the Site Access Requests will be emailed to
Alternatively, you can also specify who the Site access requests will be emailed to. By default, they are sent to the Site Owners. However, you can also designate an alternate email address. It can be an email address of any user, and can even be an external email address as well. And you can also add a custom message to the request access page if necessary.
What happens to the user when you approve or reject requests
When the user requests access to the site, here is what happens:
- The Site Owners (or whoever you designated to receive these emails) will receive an email like this
- The Owner can either Accept or Decline the request
- In case the request is Declined, the owner will need to confirm the intention
- When navigating the site again, the page will display a message: Sorry, your request has been declined.
- The user will also receive an email advising that the request has been declined
- In case the request is Accepted, the user will immediately be granted access to the site and receive a corresponding email
How to access pending and completed sites requests
If you ever want to see all the past and present, and pending SharePoint access Site Requests, this is how you do it.
- Gear Icon > Site Information
- Click on View all site settings
- Under the Users and Permissions section, click on Access requests and invitations
- From the page that will appear, you will be able to see pending requests, invitations sent to external users (more on this below), as well as the history of site access requests
View Status of invitations sent to external users
What I also really like about this page above is that it allows you to view the status of pending invitations sent out to external users. So if you shared your site externally and wondering if external users accepted the invite or not, this is the page to view this on!
SharePoint access Site Requests and Group-connected Team Sites
It is also very important to note what is actually happening to the site permissions when you accept the user request to access the site, as this might lead to some unintended consequences. Let me explain.
When you Accept a given access request, then navigate to Site Permissions (Gear Icon > Site Permissions), you will see the users automatically added to the SharePoint Site Members Group (those with Edit role)
Of course, you can change their role to Visitor or remove them altogether if necessary. However, this behavior can also lead to confusion and unintended consequences if your SharePoint site is connected to a Microsoft 365 Group (i.e., the site is part of Microsoft Teams).
One would expect that by requesting access to the site, they become a member of the whole Microsoft 365 Group (Teams, Outlook, Planner, etc.). But that is not the case. They are just given access to the site itself only. If you check the group membership, they won’t appear there.
So if you would like to add those users to the group itself and give them access to Teams, etc., you would need to add them as members of the group. By the way, I explained these two different models of security for a group-connected site in this article.