This is a very long post, so please bear with me. It is for advanced SharePoint users only, not beginners.
This modern drive by Microsoft has got very serious governance implications and you need to take note. This has been going on for almost 2 years now and it is not getting any better. I have had very little to say about the modern experience to date, having been waiting for it to settle down, but that’s not going to happen with the cloud. We need to work around these issues fast or risk decades of strict data governance going out the window all for the sake of a modern look.
Heads up if you are migrating from on-premises to the cloud as well: these are all change management and support considerations. This post only covers internal permissions, not external sharing (don’t even get me started on that…).
Let’s first be clear on SharePoint governance best practices:
- Site Collection Administrators are highly trained people who have super power rights over all content and sites in their site collections.
- The default Members, Owners and Visitors groups are used to manage permissions in SharePoint.
- Owners have got full control rights to add and remove users, create and delete apps, create subsites, change look and feel; and approve and delete content.
- Members have got rights to upload, edit and delete content.
- Visitors have got rights to read and download content.
- People are added into groups, not onto the site individually.
- Permissions can be done on site level, app level or subfolder level. (We don’t do this on document level, extremely bad practice).
In SharePoint Online in Office 365, there are modern and classic SharePoint sites. There are 3 types of modern sites – Microsoft Teams, Team Sites and Communication Sites. (Why Microsoft needs to use the same words for everything is beyond me, but anyway).
In classic SharePoint, which has been around for 17 years, permissions worked simply as follows:
- Three default permission groups with every team site created – Members, Owners, Visitors.
- Only the person who created the site is added to the Owners and Members group.
- The default Members group had Contribute as its permission level, which allowed users to add, edit and delete content on a site.
- Site Collection Administrators had super power rights over all the sites in the site collection.
- Central Admin rights in on-premises SharePoint gave you rights over all site collections and settings.
- In Office 365, that permission level is split up into Global Admin, Exchange Admin and SharePoint Admin rights.
- SharePoint Admin rights gave you super power in the SharePoint Admin Centre to view and manage all available site collections.
- Sites created in SharePoint Online used to be all in classic with the standard 3 default groups created which all get managed in SharePoint itself.
And then they started changing things to “modern”. Fast forward to today, and the permissions work as follows:
- The default Members group now has Edit as its permission level, which allows users to change settings of and delete apps (this is the Site Owners role, not the Site Members). This can be changed in classic and communication sites, but not in modern team sites. You can create your own custom groups and assign the permissions, but this totally negates the purpose of the default groups in the first place and creates a maintenance and governance nightmare!
- Also compounding the issue is that when a modern team site is created, “everyone except external users” is added to the Site Members group by default – effectively giving every person in the company rights to edit and/or delete apps!
- The default SharePoint site collection has external sharing switched on by default, effectively exposing your entire intranet to anyone with anonymous access. Switch this off immediately until your governance is decided.
- When you create a modern team site, an Office 365 group is created, (not to be confused with SharePoint groups – again, double use of words confusing the market).
- If you create a public group instead of a private one, you give every person in the company access to edit and delete apps and all their content. Governance!!!!!!
- There is a difference between adding people to a group or to the SharePoint site – but both can be done from SharePoint.
- Every single user is able to create up to 250 groups by default straight out of Outlook (have I mentioned governance yet?).
- This Office 365 group is not managed in SharePoint, it is managed in the Office 365 Admin Centre – which means end users cannot access them to edit them.
- Even if you are a Global Administrator and created the site, you will get a message on the group saying “you can add and remove members or delete the group, but you can’t make other changes due to permissions.”
- If users create Microsoft Teams, or modern team sites, and you have not been added as a member to it, you will simply not get access to it – regardless of the tenant rights you have. This means that….
- The SharePoint Admin rights level has become completely useless with modern SharePoint. Also,
- Even if you have Global Admin rights and it is your own company, you will not get access to the sites.
- This means that you are effectively locked out of your own company / client and you will not even know the sites are there unless you use the modern SharePoint Admin Centre.
- The modern SharePoint Admin Centre has none of the settings of the classic centre, meaning you cannot manage the term store, storage space, site collection administrators, script settings, etc., so you need to go back to classic to do that (Microsoft “promises” to move all the settings over, but history has shown that we are being given fewer controls, not more).
- But the classic SharePoint Admin Centre does not display any modern sites, so you need to go modern to see them. There is currently no way around this.
- There is a new mystery group called Office 365 Group Owners that apparently controls the groups created from the modern sites – not for love or money can we find that group anywhere in Office 365. We have searched the O365 Admin Centre, SharePoint Admin Centre, Exchange Admin Centre, Security & Compliance Admin Centre and Azure AD Admin Centre to no avail. Anyone else know where it is?
- The Office 365 Group only contains the people that can communicate via that email address assigned to it. It does not affect the SharePoint permissions. You can add the Office 365 Group created by default with a new modern team site to the appropriate permissions groups in SharePoint, and still add people on demand into the standard SharePoint Members, Owners, Visitors groups. (The split is between people you want to allow to use the group email address or not, keep the other product permissions in mind with this).
- In modern team sites, the default Users & Permissions option has been completely removed from Site Settings, but you can access it by adding /_layouts/15/user.aspx to the site name, or via Advanced Settings from the Site Permissions menu.
- When you create a modern team site, the O365 group is added as Site Collection Administrators, effectively giving everyone in it super power rights over the site – the group contains the members and owners. But it doesn’t really give them that access, it just makes you think it does. Thanks for this one Microsoft!
- In modern communication sites, the Users & Permissions option is still there, as it is in classic SharePoint sites.
- Modern communication sites don’t create Office 365 groups, they use the standard SharePoint groups.
- When you add a user to your modern site, you cannot add them as a visitor from the standard Site Actions – Site Permissions or from the Members link on the home page of the site. They can only get added as Members or Owners.
- When you create a modern team site, it creates a group that contains the members and owners – which gets added as an AD group into the default Members group on the site! What? Why? So now you have the members and owners of the site added to the Members group! Microsoft come on!
- Only the top level sites of modern team and communication sites are in the modern template. If you create subsites in them, they are created in classic SharePoint. Have fun with user adoption, change management and training material.
- Compulsory metadata in libraries no longer keeps documents checked out when it is not filled in, leaving no motivation whatsoever for users to actually stick to the corporate governance.
- Despite all the hoohaa about the new hub sites, the default site collection in Office 365 tenants is a classic SharePoint site, which doesn’t link to hubs.
- If you delete an Office 365 Group in the O365 Admin Centre, the associated site collection is also deleted.
- “They” say you can use PowerShell to get around some of this, but this was stock standard functionality for over a decade. So now you need developers to do what power users did quite fine on their own.
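The PowerShell that “they” refer to can at least tell you how exposed each site is. The script below is an added example and not from the original post or from Microsoft: it walks every site collection with the SharePoint Online Management Shell and reports the four findings above (external sharing on, the Members group holding Edit, “Everyone except external users” added to a group, and who the Site Collection Administrators actually are). It assumes the module is installed, that you hold SharePoint Admin rights, and that your tenant name replaces the placeholder.

```powershell
# Added audit script (not from the original post). Assumes the Microsoft.Online.SharePoint.PowerShell
# module is installed and the account used has SharePoint Admin rights. Replace <tenant>.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

# The "Everyone except external users" claim carries this fragment in its login name
$everyoneExceptExternal = 'spo-grid-all-users'

$findings = foreach ($site in Get-SPOSite -Limit All) {
    $url = $site.Url

    # 1. External sharing switched on at site-collection level
    if ($site.SharingCapability -ne 'Disabled') {
        [pscustomobject]@{ Site = $url; Issue = "External sharing: $($site.SharingCapability)" }
    }

    foreach ($group in Get-SPOSiteGroup -Site $url) {
        # 2. Default Members group holding Edit (app settings / delete apps) instead of Contribute
        if ($group.Title -like '* Members' -and $group.Roles -contains 'Edit') {
            [pscustomobject]@{ Site = $url; Issue = "'$($group.Title)' has Edit, not Contribute" }
        }
        # 3. "Everyone except external users" added to any SharePoint group on the site
        if ($group.Users | Where-Object { $_ -like "*$everyoneExceptExternal*" }) {
            [pscustomobject]@{ Site = $url; Issue = "Everyone except external users in '$($group.Title)'" }
        }
    }

    # 4. Site Collection Administrators (the same list mngsiteadmin.aspx shows, incl. the O365 group)
    $admins = Get-SPOUser -Site $url -Limit All | Where-Object { $_.IsSiteAdmin }
    [pscustomobject]@{ Site = $url; Issue = "SCAs: $($admins.LoginName -join ', ')" }
}

$findings | Sort-Object Site | Format-Table -AutoSize

# Remediation, per site and only after you have reviewed the findings (assumed cmdlets, not from the post):
#   Set-SPOSite -Identity $url -SharingCapability Disabled
#   Remove-SPOUser -Site $url -Group '<Site> Members' -LoginName '<login name of Everyone except external users>'
#   Set-SPOSiteGroup -Site $url -Identity '<Site> Members' -PermissionLevelsToAdd Contribute -PermissionLevelsToRemove Edit
```

Group-connected modern team sites show up in this output even though the classic admin centre hides them, so it doubles as the inventory of “sites you did not know were there”.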
== What it all looks like ==
Creating new site collections in classic vs modern:
Accessing permissions from Site Actions – Site Settings:
To get to the normal site permissions screen, you need to go back to the home page of the modern team site, Site Actions – Site Permissions – Advanced Permission Settings.
Site permissions management is now done in the Office 365 Admin Centre; they have removed it from SharePoint, which is extremely disempowering to the majority of the user base because they don’t have rights to go there. It also adds to the load on IT, because more support calls will be logged.
This is Microsoft’s positioning of groups. This is all well and fine, but a governance disaster area. You can learn more in-depth about them from AvePoint, which only gives you more grey hairs.
A typical error you will encounter, with no explanation of how to do any of that should you need to:
You can add /_layouts/15/mngsiteadmin.aspx to the end of your modern team site name to get to the SCA list… but only if you have been given access to the site in the first place to see it at all.
The O365 group added as SCAs:
Access site permissions in modern from the Site Settings cog.
For some bizarre reason, the link above takes you to a page where you can change the permissions of the Members group to owner rights! And you would want to do this because…? You can’t add users from here. You must click Invite People.
You can also see the group members and edit them by clicking on the link indicated below.
But you can only add them as members there.
Once users are added, you can edit their permissions from Site Permissions in modern – but you can only choose Edit or Full Control, and it might as well be the same thing because Edit allows you to delete apps and mess up app settings!
The AD ‘group’ that is created and added to the SharePoint Members group – which contains the members and owners.
We had better make a list of all the stuff we currently have access to in the classic admin centre, or it’s just going to disappear in the modern one. Screenshot everything so you know what we had; then we can compare it and hold them accountable to it in future.
You know, maybe I just don’t get it. This is as far as I can figure it out so far. But when industry experts and Microsoft themselves can’t explain the “modern” permission model to me, then maybe nobody else gets it either. And as I said, this doesn’t even touch the external sharing aspect. All I know is that something that used to work perfectly fine is now an administrative – and more importantly – a governance nightmare! Companies are going to walk into a wall of fire with this and I pity any newbies in the market trying to build intranets with this lot in place. Confidential information is being exposed left, right and centre, internally and externally, because of this new “modern” thing. I for one think that Microsoft tried to fix something that was not broken! But it sure is now.
So how are we dealing with all this? Keeping in mind that hub sites have now been thrown in just to further mess up any architecture ideas you had…
Well, we are not abandoning classic SharePoint for a start. There are millions of classic SharePoint sites across the globe in tens of thousands of companies. Classic SharePoint still has a place, especially if you need a clean look to see your operational data properly. You can activate some modern features in your classic site and that is good enough. Classic just works! From a business risk perspective, classic sites win hands down. The modern sites simply expose too much information to too many people without people realising it, and they have been locked down too much to do anything about it.
Secondly, if we have to use modern to build an intranet, we are using the Communication site template, not the Team site template. The Communication site will still link to the hub sites when necessary, but it has proper permissions management. BUT!!! You can no longer activate Publishing Features, which means you can’t get the link that says Navigation. You can still create dropdown menus, but you can’t do any audience targeting on links, and you can’t open any links in new tabs. All links must have URLs, so just add the URL back to the home page. You also can’t automatically show subsites like we used to be able to with Navigation. Do you know of a single intranet in the world that doesn’t use a dropdown menu on the top link bar? I don’t. This is stock standard functionality that has been made worse in the modern communication site.
Third, we are absolutely not abandoning subsites as Microsoft would like us to suddenly do! Like subfolders, they are actually sometimes necessary, and we do not believe that absolutely everything must be an entire site collection!
Fourth, hub sites can just wait. Not everything is about the news! All a hub site is, is a very glorified Content Query Web Part with navigation you can push down. And in real life in companies, almost no departments have news they have to share with the entire company on a daily basis. On departmental level it is about operational data only. Focus on what the department has to deliver on.
We will not be dictated to by what Microsoft decides! Don’t forget that most people in the world do not work in or own IT businesses. Microsoft has 40% of its 125,000-strong workforce as engineers messing around with their platforms, releasing hundreds of enhancements a month. Nobody else is Microsoft. Remember the purpose of your company / business. If you are getting value from any version of SharePoint and getting the reporting you need, you do NOT need to roll out every harebrained scheme that Microsoft throws at us! We are their beta testers! Half the stuff they push out doesn’t work properly until enough people complain on UserVoice. Use what works for you and leave the rest. You have a job to do; technology must support that, not dominate it.