< All Articles

Public vs. Private Office 365 Groups

Posted on November 14, 2019

Security Microsoft 365 Groups Permissions Microsoft 365

Introduction of Office 365 Groups has significantly reduced the anxiety for Site Owners to be familiar with ins out outs of SharePoint Information Architecture. Specifically, the security management of a site. With this post, I would like to explain how security works for Office 365 Groups, in particular, explain the concept of Public vs. Private Office 365 Groups privacy settings.

How Security works with classic SharePoint sites

Prior to Office 365 Groups, Site Owners were required to have a Ph.D. in SharePoint to manage security on their sites. Seriously, it was not an easy thing to understand and explain. I wrote a separate post on this a while back. As you can see from the length of that post, there were LOTS of decisions a Site Owner had to make to ensure the site security was done correctly, and the site was indeed secure.

Publicvsprivateoffice365groups9a

Yep, this was pretty much the experience for many in the “classic” SharePoint

Public vs. Private Office 365 Groups

Lots of decisions and pain posts from the post/section above have been resolved with the move to flat site architecture. Office 365 Groups, as well as Communication Sites, are not subsites in a site collection, but rather are separate site collections themselves. So no more accidental sharing when you inherit permissions from a parent site!

Security management is more straightforward with Office 365 Groups. There are plenty of ways to create an Office 365 Group. No matter which option you choose, you are prompted to only choose between the two privacy/security options: Public or Private. Let me explain the difference between the two.

Public vs. Private Office 365 Groups

Public Office 365 Group

Public Group means everyone can join it freely without obtaining permissions from the Group Owner. In other words – free lunch for all. Any member can join and have Add/Edit/Delete access to all the assets of an Office 365 Group (SharePoint Site, Planner, Calendar, Teams). I honestly do not see many uses cases for such groups. Might work for an all-company site/calendar if it is a small business, but with larger companies might lead to Wild West.

Publicvsprivateoffice365groups3

Private Office 365 Group

This is the default privacy setting when you create an Office 365 Group. Essentially what that means is that Group Owners control access to an Office 365 Group. You won’t be able to join one unless Site Owners let you in (add you to the group membership). The majority, if not all Office 365 Groups in your organization, will be Private.

Publicvsprivateoffice365groups2

What access to the Office 365 group means

It is essential to remind you here that Office 365 Group is an eco-system. Whether you joined a Public or Private group, you got access to all the components of an Office 365 Group. I provided a detailed description of what’s included in an Office 365 Group here, but let me remind you here as well. Here is what Group Members have access to once they are part of an Office 365 Group:

SharePoint Site (collection)
Plan in Planner
A team in MS Teams (if Office 365 Group was connected to a Team or created directly from the MS Teams)
Distribution list in Outlook
Group Calendar in Outlook

How SharePoint Site security is handled with Office 365 Groups

Let’s take a look at how SharePoint Security is dealt with Public and Private Office 365 Groups.

Public Office 365 Group

If you click on Gear icon > Site permissions from Public Office 365 Group SharePoint site… Publicvsprivateoffice365groups4

…you will notice that Everyone except external users domain group is part of the Site Members Group! This is consistent with the definition of the Public Office 365 Group – everyone by default has add/edit/delete access to the Office 365 Group and, in this instance, SharePoint Site.

Publicvsprivateoffice365groups5

Private Office 365 Group

If we do the same steps on the Private Office 365 Group, it will not contain Everyone except external users domain group.

Publicvsprivateoffice365groups6

Change from Private to Public or from Public to Private

If you created a Public Office 365 Group and need to change it to Private or vice versa, no problem! The group owner can make the change in the Outlook portion of the Office 365 Group.

Public vs. Private Office 365 Groups

Once you adjust this Privacy setting, the SharePoint site security will adjust accordingly. Below are the Site Permissions settings for the Board Office 365 Group site that used to be Public above and now converted to Private. If you notice, Everyone except external users domain group is gone from Site members group.

Publicvsprivateoffice365groups8

How to alter security for a SharePoint site that is part of an Office 365 Group

Being a member of an Office 365 Group, you can add/edit/delete content on any of the Office 365 Group assets listed in previous sections. It is pretty simple – if you are part of an Office 365 Group – you can add/edit/delete stuff in Outlook, Planner, Teams, Calendar, and SharePoint Sites. If you are not part of an Office 365 Group, you have no access to any of the above.

The exception is a SharePoint Site. And what I mean by exception is that you can alter the default security settings and create unique permissions for a site, independent of the Office 365 Group membership.

Let me explain what you can do:

Share a site only

There are situations where you might want to share your SharePoint site with others, but do not want to invite them to the Group membership (otherwise they will get to see your private Outlook or Teams conversations, group Outlook calendar, and tasks in Planner). In this case, you can invite them to a site, without making them a member of your Private Office 365 Group. Please reference instructions in this post on how to do this.

2waystoshareoffice365group6

Unique security on document libraries and folders

Likewise, you might need to hide certain documents from the majority of the Office 365 Group members and only have select few individuals being able to access specific files or folders. While I always advocate for creating separate sites for such cases, you can also set unique security for particular files and folders. Please reference Options 2 and 3 in this post for instructions.

Securityfilessharepoint10

Create a subsite with unique security

Now, some may argue that this is against best practices, and I agree, but I still want to explain this option as well. Creating subsites in Office 365 Groups might lead to confusion and might defeat the purpose behind flat architecture. Still, I like this option better than managing files and folder security using the instructions above. Just like with alcohol, if used in moderation, this might work if you need to have a separate site to organize your content and possibly have unique security on it. You might want to read this post too, just in case.

About Me

I’m Greg Zelfond, a U.S. based SharePoint consultant, and I provide affordable out-of-the-box SharePoint consulting, training, and configuration assistance to small and medium-sized businesses all over the world.

Need help?

Share Article

Shutterstock 617915693

How to invite users to the SharePoint Site without making them a member of the Team or Group

Ever since Microsoft 365 Groups were introduced in 2016, we have had a relatively simple and straightforward way to manage access to Microsoft 365 applications. However, scenarios often pop up…

Read More

Shutterstock 1477948949

Should we save our documents in SharePoint as PDFs to avoid editing?

In this article, I would like to answer a question that arises more often than it should. The question is whether or not to save documents in SharePoint as PDFs…

Read More

Shutterstock 319332548

A New Way to Share Pages in SharePoint Online

I kind of blogged about this topic recently, but since Microsoft updated the user interface and functionality on this, I would like to write another post on the topic as…

Read More