The introduction of Office 365 Groups has significantly reduced the anxiety Site Owners felt about having to know the ins and outs of SharePoint Information Architecture, specifically the security management of a site. With this post, I would like to explain how security works for Office 365 Groups and, in particular, the concept of Public vs. Private Office 365 Groups privacy settings.
How Security works with classic SharePoint sites
Prior to Office 365 Groups, Site Owners were required to have a Ph.D. in SharePoint to manage security on their sites. Seriously, it was not an easy thing to understand and explain. I wrote a separate post on this a while back. As you can see from the length of that post, there were LOTS of decisions a Site Owner had to make to ensure the site security was done correctly, and the site was indeed secure.
Yep, this was pretty much the experience for many in the “classic” SharePoint
Public vs. Private Office 365 Groups
Lots of the decisions and pain points from the section above have been resolved with the move to flat site architecture. Office 365 Groups, as well as Communication Sites, are not subsites in a site collection, but rather are separate site collections themselves. So no more accidental sharing when you inherit permissions from a parent site!
Security management is more straightforward with Office 365 Groups. There are plenty of ways to create an Office 365 Group. No matter which option you choose, you are prompted to only choose between the two privacy/security options: Public or Private. Let me explain the difference between the two.
Public Office 365 Group
A Public Group means everyone can join it freely without obtaining permission from the Group Owner. In other words – free lunch for all. Any member can join and have Add/Edit/Delete access to all the assets of an Office 365 Group (SharePoint Site, Planner, Calendar, Teams). I honestly do not see many use cases for such groups. It might work for an all-company site/calendar in a small business, but in larger companies it might lead to the Wild West.
Private Office 365 Group
This is the default privacy setting when you create an Office 365 Group. Essentially what that means is that Group Owners control access to an Office 365 Group. You won’t be able to join one unless Site Owners let you in (add you to the group membership). The majority, if not all Office 365 Groups in your organization, will be Private.
What access to the Office 365 group means
It is essential to remind you here that an Office 365 Group is an ecosystem. Whether you join a Public or Private group, you get access to all the components of an Office 365 Group. I provided a detailed description of what’s included in an Office 365 Group here, but let me remind you here as well. Here is what Group Members have access to once they are part of an Office 365 Group:
- SharePoint Site (collection)
- Plan in Planner
- A team in MS Teams (if Office 365 Group was connected to a Team or created directly from the MS Teams)
- Distribution list in Outlook
- Group Calendar in Outlook
How SharePoint Site security is handled with Office 365 Groups
Let’s take a look at how SharePoint security is handled for Public and Private Office 365 Groups.
Public Office 365 Group
If you click on the Gear icon > Site permissions from a Public Office 365 Group SharePoint site…
…you will notice that the Everyone except external users domain group is part of the Site Members Group! This is consistent with the definition of the Public Office 365 Group – everyone by default has add/edit/delete access to the Office 365 Group and, in this instance, the SharePoint Site.
Private Office 365 Group
If we follow the same steps on a Private Office 365 Group, it will not contain the Everyone except external users domain group.
Change from Private to Public or from Public to Private
If you created a Public Office 365 Group and need to change it to Private or vice versa, no problem! The group owner can make the change in the Outlook portion of the Office 365 Group.
Once you adjust this Privacy setting, the SharePoint site security will adjust accordingly. Below are the Site Permissions settings for the Board Office 365 Group site that used to be Public above and is now converted to Private. As you can see, the Everyone except external users domain group is gone from the Site members group.
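The same review can be done tenant-wide from Exchange Online PowerShell. The script below is an added example, not part of the original post: it lists every Public group with its SharePoint site URL and owner count, then previews converting one group to Private. The group address and the CSV file name are placeholders, and it assumes the ExchangeOnlineManagement module and an Exchange administrator role.

```powershell
# Added example: audit Public Office 365 Groups and preview a change to Private.
# Assumes the ExchangeOnlineManagement module is installed and the account
# running it holds an Exchange Online admin role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Every Office 365 Group whose privacy setting is Public. On these groups the
# connected SharePoint site grants edit rights to all internal users.
$publicGroups = Get-UnifiedGroup -ResultSize Unlimited |
    Where-Object { $_.AccessType -eq 'Public' }

$report = foreach ($group in $publicGroups) {
    # Owners are the people who would approve membership once the group is Private.
    $owners = @(Get-UnifiedGroupLinks -Identity $group.PrimarySmtpAddress `
                    -LinkType Owners -ResultSize Unlimited)

    [pscustomobject]@{
        DisplayName       = $group.DisplayName
        Address           = $group.PrimarySmtpAddress
        AccessType        = $group.AccessType
        SharePointSiteUrl = $group.SharePointSiteUrl
        Members           = $group.GroupMemberCount
        Owners            = $owners.Count
        # A Public group with no owner has nobody to manage access after conversion.
        NeedsOwner        = ($owners.Count -eq 0)
        Created           = $group.WhenCreated
    }
}

# Groups without an owner first, then the largest groups.
$report |
    Sort-Object @{ Expression = 'NeedsOwner'; Descending = $true },
                @{ Expression = 'Members';    Descending = $true } |
    Format-Table DisplayName, AccessType, Members, Owners, SharePointSiteUrl -AutoSize

# Keep a copy for review (placeholder file name).
$report | Export-Csv -Path .\public-groups-audit.csv -NoTypeInformation

# Preview converting one group to Private. The address is a placeholder.
# Remove -WhatIf to apply the change.
Set-UnifiedGroup -Identity 'board@contoso.example' -AccessType Private -WhatIf

Disconnect-ExchangeOnline -Confirm:$false
```

After a conversion, open Gear icon > Site permissions on the URL from the report to confirm that the Everyone except external users group is gone from the Site members group.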
How to alter security for a SharePoint site that is part of an Office 365 Group
Being a member of an Office 365 Group, you can add/edit/delete content on any of the Office 365 Group assets listed in previous sections. It is pretty simple – if you are part of an Office 365 Group – you can add/edit/delete stuff in Outlook, Planner, Teams, Calendar, and SharePoint Sites. If you are not part of an Office 365 Group, you have no access to any of the above.
The exception is a SharePoint Site. And what I mean by exception is that you can alter the default security settings and create unique permissions for a site, independent of the Office 365 Group membership.
Let me explain what you can do:
Share a site only
There are situations where you might want to share your SharePoint site with others, but do not want to invite them to the Group membership (otherwise they will get to see your private Outlook or Teams conversations, group Outlook calendar, and tasks in Planner). In this case, you can invite them to a site, without making them a member of your Private Office 365 Group. Please reference instructions in this post on how to do this.
Unique security on document libraries and folders
Likewise, you might need to hide certain documents from the majority of the Office 365 Group members and only have a select few individuals able to access specific files or folders. While I always advocate for creating separate sites for such cases, you can also set unique security for particular files and folders. Please reference Options 2 and 3 in this post for instructions.
Create a subsite with unique security
Now, some may argue that this is against best practices, and I agree, but I still want to explain this option as well. Creating subsites in Office 365 Groups might lead to confusion and might defeat the purpose behind flat architecture. Still, I like this option better than managing files and folder security using the instructions above. Just like with alcohol, if used in moderation, this might work if you need to have a separate site to organize your content and possibly have unique security on it. You might want to read this post too, just in case.