News & Blogs

28 Reasons Why Modern SharePoint Online Site Permissions are a Hot Mess!

This is a very long post, so please bear with me.  It is for advanced SharePoint users only, not beginners.

This modern drive by Microsoft has got very serious governance implications and you need to take note.  This has been going on for almost 2 years now and it is not getting any better.  I have had very little to say over the modern experience to date, been waiting for it to settle down, but that’s not going to happen with the cloud.  We need to work around these issues fast or risk decades of strict data governance going out the window all for the sake of a modern look.

Heads up if you are migrating from on premise to the cloud as well, these are all change management and support considerations.  This post only covers internal permissions, not external sharing, (don’t even get me started on that….).

Let’s first be clear on SharePoint governance best practices :

  • Site Collection Administrators are highly trained people who have super power rights over all content and sites in their site collections.
  • The default Members, Owners and Visitors groups are used to manage permissions in SharePoint.
  • Owners have got full control rights to add and remove users, create and delete apps, create subsites, change look and feel; and approve and delete content.
  • Members have got rights to upload, edit and delete content.
  • Visitors have got rights to read and download content.
  • People are added into groups, not onto the site individually.
  • Permissions can be done on site level, app level or subfolder level.  (We don’t do this on document level, extremely bad practice).

In SharePoint Online in Office 365, there are modern and classic SharePoint sites.  There are 3 types of modern sites – Microsoft Teams, Team Sites and Communication Sites.  (Why Microsoft needs to use the same words for everything is beyond me, but anyway).

In classic SharePoint that has been around for 17 years, the permissions worked simply as follows :

  1. Three default permission groups with every team site created – Members, Owners, Visitors.
  2. Only the person who created the site is added to the Owners and Members group.
  3. The default Members group had Contribute for a permission level which allowed used to add, edit and delete content on a site.
  4. Site Collection Administrators had super power rights over all the sites in the site collection.
  5. Central Admin rights in on-premise SharePoint, gave you rights over all site collections and settings.
  6. In Office 365, that permission level is split up into Global Admin, Exchange Admin and SharePoint Admin rights.
  7. SharePoint Admin rights gave you super power in the SharePoint Admin Centre to view and manage all available site collections.
  8. Sites created in SharePoint Online used to be all in classic with the standard 3 default groups created which all get managed in SharePoint itself.

And then they started changing things to “modern”.  Fast forward to today, and the permissions work as follows :

  1. The default Members group now has Edit as it’s permission level, which allows users to change settings of and delete apps, (this is the Site Owners role, not the Site Members).  This can be changed in classic and communication sites, but not in modern team sites.  You can create your own custom groups however and assign the permissions, but this totally negates the purpose of the default groups in the first place and creates a maintenance and governance nightmare!
  2. Also compounding the issue is that when a modern team site is created, “everyone except external users” is added to the Site Members group by default – effectively giving every person in the company rights to edit and/or delete apps!
  3. The default SharePoint site collection has external sharing switched on by default effectively exposing your entire intranet to anyone with anonymous access.  Switch this off immediately until your governance is decided.
  4. When you create a modern team site, an Office 365 group is created, (not to be confused with SharePoint groups – again, double use of words confusing the market).
  5. If you create a public group instead of a private one, you give every person in the company access to edit and delete apps and all it’s content. Governance!!!!!!
  6. There is a difference between adding people to a group or to the SharePoint site – but both can be done from SharePoint.
  7. Every single user is able to create up to 250 groups by default straight out of Outlook, (have I mentioned governance yet).
  8. This Office 365 group is not managed in SharePoint, it is managed in the Office 365 Admin Centre – which means end users cannot access them to edit them.
  9. Even if you are a Global Administrator and created the site, you will get a message on the group saying “you can and remove members or delete the group, but you can’t make other changes due to permissions.”
  10. If users create Microsoft Teams, or modern team sites, and you have not been added as a member to it, you will simply not get access to it – regardless of the tenant rights you have.  This means that….
  11. The SharePoint Admin rights level has become completely useless with modern SharePoint. Also,
  12. Even if you Global Admin rights and it is your own company, you will not get access to the sites.
  13. This means that you are effectively locked out of your own company / client and you will not even know the sites are there unless you use the modern SharePoint Admin Centre.
  14. The modern SharePoint Admin Centre has none of the settings of the classic centre, meaning you cannot manage the term store, space, site collection administrators, script settings, etc etc so you need to go back to classic to do that, (Microsoft “promises” to move all the settings over, but history has shown that we are getting fewer controls given, not more).
  15. But the classic SharePoint Admin Centre does not display any modern sites, so you need to go modern to see them.  There is currently no way around this.
  16. There is a new mystery group called Office 365 Group Owners that apparently controls the groups created from the modern sites – not for love or money can we find that group anywhere in Office 365. We have searched the O365 Admin Centre, SharePoint Admin Centre, Exchange Admin Centre, Security & Compliance Admin Centre and Azure AD Admin Centre to no avail.  Anyone else know where it is?
  17. The Office 365 Group only contains the people that can communicate via that email address assigned to it.  It does not affect the SharePoint permissions.  You can add the Office 365 Group created by default with a new modern team site to the appropriate permissions groups in SharePoint, and still add people on demand into the standard SharePoint Members, Owners, Visitors groups. (The split is between people you want to allow to use the group email address or not, keep the other product permissions in mind with this).
  18. In modern team sites, the default Users & Permissions options in Site Settings has been completely removed from Site Settings, but you can access it by adding /_layouts/15/user.aspx to the site name, or Advanced Settings from the Site Permissions menu.
  19. When you create a modern team site, the O365 group is added as Site Collection Administrators, effectively giving everyone in it, super power rights over the site – the group contains the members and owners.  But it doesn’t really give them that access, it just makes you think it does.  Thanks for this one Microsoft!
  20. In modern communication sites, it is still there, as it is in classic SharePoint sites.
  21. Modern communication sites don’t create Office 365 groups, they use the standard SharePoint groups.
  22. When you add a user to your modern site, you cannot add them as a visitor from the standard Site Actions – Site Permissions or from the Members link on the home page of the site.  They can only get added as Members or Owners.
  23. When you create a modern team site, it creates a group that contains the members and owners – which gets added as an AD group into the default Members group on the site!  What?  Why?  So now you have the members and owners of the site added to the Members group!  Microsoft come on!
  24. Only the top level sites of modern team and communication sites are in the modern template.  If you create subsites in them, they are created in classic SharePoint.  Have fun with user adoption, change management and training material.
  25. Compulsory metadata in libraries no longer checks out documents when it is not filled in, leaving no motivation whatsoever for users to actually stick to the corporate governance.
  26. Despite all the hoohaa about the new hub sites, the default site collection in Office 365 tenants is a classic SharePoint site, which doesn’t link to hubs.
  27. If you delete an Office 365 Group in the O365 Admin Centre, the associated site collection is also deleted.
  28. “They” say you can use PowerShell to get around some of this, but this was stock standard functionality for over a decade.  So now you need developers to do what power users did quite fine on their own.

== What it all looks like ==

Creating new site collections in classic vs modern :

New Site Collection - Classic

New Site Collection - Modern

Accessing permissions from Site Actions – Site Settings :

Users and Permissions - Communications Site

To get to the normal site permissions screen, you need to go back to the home page of the modern team site, Site Actions – Site Permissions – Advanced Permission Settings.

Users and Permissions - Modern Team Site

Site permissions management is now done in the Office 365 Admin Centre, they have removed them from SharePoint – extremely disempowering to the majority of the user base because they don’t have rights to go there.  Also adding to the load on IT now, because more support calls will be logged.

Office 365 Groups

This is Microsoft’s positioning of groups.  This is all well and fine, but a governance disaster area.  You can learn more in-depth about them from AvePoint, which only gives you more grey hairs.

Office 365 Groups Purpose

A typical error you will encounter, no explanation as to how to any of that should you need to :

Office 365 Groups Error

You can add /_layouts/15/mngsiteadmin.aspx to the end of your modern team site name to get to the SCA list …. but only if you have been given access to the site in the first place to see it at all…

Users and Permissions - Modern Team Site SCA Hack

The O365 group added as SCA’s :

Modern SCA

Access site permissions in modern from the Site Settings cog.

Site Permissions Front - Modern Team Site b

For some bizarre reason, the link above takes you to this where you can change the permissions of the members group to owner rights! And you would want to do this because……?  You can’t add users from here.  You must click Invite People.

Site Permissions Front - Modern Team Site d

You can also see the group members and edit them by clicking on the link indicated below.

Site Permissions Front - Modern Team Site c

But you can only add them as members there.

Site Permissions Front - Modern Team Site e

Once users are added, you can edit their permissions from the Site Permissions in modern – but you can only go to Edit or Full Control, it might as well be the same thing because edit allows you to delete and mess up app settings!

Site Permissions Front - Modern Team Site f

The AD ‘group’ that is created and added to the SharePoint Members group – which contains members and owners in it.

Site Permissions Front - Modern Team Site Members AD Group

Site Permissions Front - Modern Team Site Members AD Group b'

We better make a list of all the stuff we currently have access to in the classic admin centre, or it’s just going to disappear in the modern one. Screenshot everything so you know what we had, then we can compare it and hold them accountable to it in future.

SharePoint Admin Centre Classic

SharePoint Admin Centre Modern

You know, maybe I just don’t get it. This is as far as I can figure it out so far.  But when industry experts and Microsoft themselves can’t explain the “modern” permission model to me, then maybe nobody else gets it either.  And as I said, this doesn’t even touch the external sharing aspect.  All I know, is that something that used to work perfectly fine, is now an administrative – and more importantly – a governance nightmare!  Companies are going to walk into a wall of fire with this and I pity any newbies in the market trying to build intranets with this lot in place. Confidential information is being exposed left, right and centre internally and externally because of this new “modern” thing.  I for one, think that Microsoft tried to fix something that was not broken!  But, it sure is now.

So how are we dealing with all this?  Keeping in mind that hub sites have now been thrown in just to further mess up any architecture ideas you had..

Well, we are not abandoning classic SharePoint for a start.  There are millions of classic SharePoint sites across the globe in tens of thousands of companies.  Classic SharePoint still has a place, especially if you need a clean look to see your operational data properly.  You can activate some modern features in your classic site and that is good enough.  Classic just works!  From a business risk perspective, classic sites win hands down.  The modern sites simply expose too much information to too many people without people realising it, and they have been locked down too much to do anything about it.

Secondly, if we have to use modern to build an intranet, we are using the Communication site template, not the Team site template.  The Communication site will still link to the hub sites when necessary but it has proper permissions management.  BUT!!! You can no longer activate Publishing Features, which means you can’t get the link that says Navigation.  You can still create dropdown menu’s but you can’t do any audience targeting on links, and you can’t open any links in new tabs.  All links must have URL’s so just add the URL back to the home page.  You also can’t automatically show subsites like we used to be able to with Navigation.  Do you know of a single intranet in the world that doesn’t use a dropdown menu on the top link bar?  I don’t.  This is stock standard functionality that has been made worse in the modern communication site.

Third, we are absolutely not abandoning subsites as Microsoft would like us to suddenly do!  Like subfolders, they are actually sometimes necessary, and we do not believe that absolutely everything must be an entire site collection!

Fourth, hub sites can just wait.  Not everything is about the news! All a hub site is, is a very glorified Content Query Web Part with navigation you can push down.  And in real life in companies, almost no departments have news they have to share with the entire company on a daily basis.  On departmental level it is about operational data only.  Focus on what the department has to deliver on.

We will not be dictated to by what Microsoft decides!  Don’t forget that most people in the world do not work in or own IT businesses.  Microsoft has 40% of its 125000 strong work force as engineers messing around with their platforms, releasing hundreds of enhancements a month.  Nobody else is Microsoft.  Remember the purpose of your company / business.  If you are getting value from any version of SharePoint and getting the reporting you need, you do NOT need to rollout every hairbrained scheme that Microsoft throws at us!  We are their beta testers! Half the stuff they push out doesn’t work properly until enough people complain on UserVoice.  Use what works for you and leave the rest.  You have a job to do, technology must support that, not dominate it.

Share this awesome content

13 Comments

  1. Francois Coeries

    July 3, 2018 at 09:37

    I’ve read this article and not sure if a chuckle or a anger should be the response. I have been looking into the “Modern” roll-out from MS, but the first things that came to mind, and that any SharePoint or O365 consultant usually think about, is governance. We’ve seen this nightmare play out all too often, and was hoping that MS would make it easier to get right, but nope, they made it worse.
    I come across quite a few people that have made up their minds that SharePoint sucks… and sometimes it’s hard to blame them. I love SharePoint and what it brings to the table. And yes, I have years of experience now on the platform and can probably make the platform sing like a bird, but I must say that for newcomers it is not an easy transition.
    I’ve learnt over the years not to get too excited and to not get caught up in any industry hype. Wait for the new to prove its worth and value.
    I certainly hope someone at the MS mother ship wakes up to the confusion and does something about it. They owe it to us, the consumers and service providers.

    • Veronique Palmer Says :

      July 3, 2018 at 10:50

      That’s why I’ve waited so long to get onto the “modern” ship. I’m also playing the waiting game. I agree with you 100% on your assessment. SharePoint used to be an amazing platform, but they are really just over-complicating it now.

  2. Hogne Bø Pettersen Says :

    July 5, 2018 at 12:02

    This is a very good and thorough blog posting. I’ve only begun to scratch the surface of the Office 365 suite, but I do give user training in the use of Teams and other applications in Office 365. My experience is that users are completely confused about how to use it, because it’s so complicated. In my blog today I posted a story about two scenarios, one where a customer of mine was working on a shared file in Offiec 365 and one where a customer was working on it in IBM Connections. I touch upon some of the things you write in this posting. I will certainly bookmark your blog posting and use it for future reference.

    • Veronique Palmer Says :

      July 10, 2018 at 10:16

      Hi Hogne,

      Yeah it’s not a funny situation anymore. Add the links to your blog posts here so we can see them. We can cross reference. Every bit helps.

  3. Ehsan Says :

    July 9, 2018 at 04:33

    Great post! I start using O365 from 2014. It has improved a lot now but they haven’t pay attention to some of the fundamental requirements yet. With inventing Modern site, Groups, new experience and so on … they are just creating more confusion (not only for users but also for experts). 100% agree with your points. (and Neil comment about 57 ways of doing one thing)

    I remember the day that MS release new experience and many of SP2013 feature including having multiple view, group by, mandatory metadata weren’t exist anymore. Some of them hasn’t fixed yet.
    Hope somebody from MS is reading this:
    1- Customer expecting fully backward compatibility. Please wait and only publish a new feature if it is including all of the functionality from the previous version. Releasing a half-finished product (and ask to use classic version if it not fit) is a nightmare for admin/developer/users and company governance.
    2- We are not expecting weekly/monthly release. More stable release and useful feature is required. i.e. for teams, group, … we want to hear 2 different use case scenarios (why they are needed) but also permissions should work exactly as other SP site.
    otherwise the user adoption become much harder and user leave eco-system sooner or later.
    P.S: Providing REST API was really helpful and appreciate it. It was really beneficial but not all company have resource to use it (not applicable for many cases)

    • Veronique Palmer Says :

      July 10, 2018 at 10:18

      Yes Ehsan, I agree with your sentiments. It has gotten completely out of control. We need to push back to Microsoft in a big way,

  4. Tony Chappell

    July 9, 2018 at 18:24

    Very good and thorough blog post pointing out the pain points of SPO admin. Although there are other methods to manage users in modern sites using PowerShell and PnP modules, but these admin functions should be built in the SPO Admin Center, including the “modern” version. Keep it up and maybe Microsoft will make changes for the better.

    • Veronique Palmer Says :

      July 10, 2018 at 10:19

      Hi Tony, yes I’m sure there are. But the point is, that all this stuff was available out of box to power users in the business. Now we need to get developers to do basic site maintenance. It’s ridiculous.

  5. Vaughan van Dyk

    July 19, 2018 at 01:23

    While it is a thorough post and you list several points that cause confusion, there are indeed a few areas here that are misinformed.

    Let’s recap the following about Office 365 Groups:
    * You create an Office 365 Group through Outlook or as a result of creating a Microsoft Teams team, a Planner plan, PowerBI workspace, or SharePoint Modern team site
    * An Office 365 Group automatically provisions a shared Outlook calendar, an email address, a Planner plan, PowerBI workspace, OneNote notebook, and SharePoint Modern team site
    * You can fully manage an Office 365 Group via Outlook, including removing users and configuring owners
    * The Office 365 group is for provisioning resources and doesn’t determine SharePoint permissions directly as that is merely one resource provisioned – but the Office 365 group is automatically added into the SharePoint groups it creates, and it’s these SharePoint groups that have permissions associated with them
    * I do agree that the default permission level for the Members SharePoint group should be Contribute, not Edit – and that the group should not be made site collection admin. This is also a highly voted item on UserVoice. In the meantime, one can drop the Members permission level from Edit to Read, and then create a Contributors SharePoint group (with Contribute permission level) and add the Office 365 group into that

    Then about hub sites:
    * There are 3 types of Modern sites as you mention but these are Team sites, Communication sites, and Hub sites – not Microsoft Teams (which is a chat/collaboration app built on top of an Office 365 group that uses the automatically provisioned Modern Team site that was provisioned for the group)
    * Hub sites have not been ‘thrown in to mess up’ architecture ideas – they were introduced precisely because a rigid subsite structuring makes it difficult to re-architect when a company inevitably changes team and project structures
    * A hub site is not just about news or content query – it is about dynamically linking Modern communication and team sites with a consistent look and navigation where you can change around what sites belong to the hub without affecting URLs. Aggregation of news is just another benefit.

    There is much I can write here to the points you list, but in the meantime:
    2: This is only if you set your Office 365 Group to Public, use Private groups by default – if you choose Public then you are saying the entire company has equal rights within that group
    7: You can (and should) use Powershell to specify which users are allowed to create Office 365 Groups, at least until the company has determined how to manage this
    20: It would not make sense for communication sites to create an Office 365 Group, the latter is for collaboration and therefor has the other associated items (such as calendar, email address, Planner etc) whereas the former is merely informational
    22: I’m uncertain what the concern is about this? The owners of an Office 365 Group are also members of that group, thus they are in the Members SP group and transparently in an Owners SP group (which has higher permissions and therefore overrules the Members SP group they are in). This structure ensures if you ever remove ownership from a person in the group, they still retain member permissions.
    23: There is talk that this will be added but as you point out, the goal with Modern is to not use subsites as much as possible so this is not a top priority
    24: The New Experience libraries do clearly highlight where metadata is missing though – I found much more often with classic that users were confused why they could see their files but others couldn’t because of course required metadata was not in place
    26: This also deletes the associated calendar, email address, Planner, PowerBI etc as it should – without the group in place, none of those would work as expected and you’d have these lying around doing nothing

    The Modern approach is very different from classic SharePoint and is intended to empower non-IT teams to do more within the areas they’ve been entrusted with rather than IT admins being involved in every single part of this. IT’s role then becomes more around reporting, governance, auditing etc. I have been working with SharePoint for 15 years and personally applaud the move to Modern, but admins need to thoroughly read the support available on the Microsoft site. I find seasoned admins and many IT people are reluctant to engage with a model that is trying to make it easier for users to collaborate and communicate.

    That said, nowhere is Microsoft ‘dictating’ we must use Modern sites as you seem to imply. They clearly state on their site that classic is not going away.

    • HP

      September 7, 2018 at 19:36

      I enjoy the simplicity of the Modern sites where I can restructure an entire intranet in a matter of minutes. Previously there would be months of planning to make sure that the site/subsite structure was PERFECT and would never change – however businesses change all the time. With the flat Modern model everything can be restructured or changed instantly to adapt. However I guess I’m not so interested in getting between users and the sites- I am glad the power users can adjust what they need when they need it.

  6. Martijn Eikelenboom Says :

    July 24, 2018 at 10:29

    I totally agree with the baseline of your post. It’s a mess and they need to give some control back. My personal pain is especially with changing permissions on the group connected team site: http://www.oak3.org/sharepoint/permissions-on-a-group-connected-team-site/

    However I do have some other opinions or ‘facts’ regarding some points:
    1. In my view, the default has always been edit (https://support.office.com/en-us/article/understanding-permission-levels-in-sharepoint-87ecbb0e-6550-491a-8826-c075e4859848). However, we mostly changed it, or site members didn’t know what to do. Now they’ve made the ui/ux too easy to keep the permission level the same.
    7. It’s pretty easy to restrict this, or build your own governance solution. That’s basically the same as it has been. Although I agree, the default is something that you should be very aware of.
    9. You can, but I think you need to have an exchange license (which is weird) or you could use the Exchange admin center (which is weird as well from a SharePoint perspective).
    12. I don’t agree. I’ve given myself owner access to many teams and groups through the Exchange admin centre.
    23. Not giving an opinion on the guidance, but the guidance itslef is very clear => don’t create subsites anymore unless you really can’t avoid it. And if that’s the case, classic sites seem to be the best option. New controls to prevent subsite creation are on the way.
    24. I actually like this chage
    27. PowerShell is not for developers. If you want to administer Office 365 (or SharePoint onpremises) you need to have PowerShell skills.

  7. Thomas Berman

    November 13, 2018 at 13:28

    How about the fun fact that after moving someone (or everyone) to “Visitors”, they can still see the “Add News” button in an empty news web part, and they can still access the “Add Members” button in the page UI, although both fail with an error message because they don’t have permissions.

Leave a comment

Your email address will not be published. Required fields are marked *