SharePoint Modern Team Site Template Permissions Work-Around

Further to my previous blog on the modern site permissions, we have come up with a work-around to the modern experience governance issue.

What was the issue?

The default permission level for Site / Group Members is Edit rights.

O365 Groups 3

Which gives all users in that group to mess with every app on the site because of this permission level which is active by default in the Edit level.

O365 Groups 7

The problem is compounded because Site Owners are adding people to the sites via Outlook and SharePoint.

O365 Groups 8

O365 Groups 0

Remember that a new site collection is created every time you create a new Planner, new Microsoft Team, or add a site by clicking the SharePoint link.

O365 Groups 9

The new site collection also adds the Office 365 group members as Site Collection Administrators to every modern site collection created, so don’t forget to go and remove those and put in the real SCA’s.

O365 Groups 10

Now go to the Permissions Levels under Advanced Permissions.

O365 Groups 2

Then click on the Edit rights permission level and untick the Manage Lists option.  Update the description on top to remove the wording that it can delete lists.  If you want to, you can change the name too.  I do it this way so I can see instantly that I have changed this site collection without having to go into additional levels to check.

O365 Groups 4

The next issue then, is that Edit now has exactly the same rights as the Contributor level.

O365 Groups 5

So we do with this, is change the Contribute level to be Contribute No Delete rights because it is a very common requirement from business to allow people to add content, but not be able to delete it.  We edit the default Contribute rights and remove the delete options.

O365 Groups 6

Now both groups make more sense and our governance model is secured.

O365 Groups 11

Site Owners can add people to their hearts content now and we don’t have to worry about them deleting entire apps.

O365 Groups 12

Of course this means you need to do this manually on every single site collection.  This is where our PowerShell dudes need to step in.  They can right scripts to do this across the platform to fix the Edit rights and put in the right SCA’s.  The script would have to be run daily however if you have Microsoft Teams activated, because teams are created on demand across the business.

Next – get an alert when a new site collection is created!


  1. Thank you … Thank you … Thank you … I have now changed the permissions on all my site collections and can breathe a little easier now.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.