Managing Default Permissions in SharePoint Online (Office 365)

I stumbled across an interesting difference between the Enterprise and Professional level plans of Office 365 recently. If you subscribe to a Microsoft Office for professionals and small businesses plan (Plan P), then any non-admin user added to SharePoint Online automatically has Enhanced Contributor permission in all your sites. But if you subscribe to one of the midsize businesses and enterprises plans (E plans), then adding users gives them no rights in SharePoint Online. You must add the users to SharePoint Online sites just like you would add users to an on-premise SharePoint site. Since most administrators only have access to one Office 365 plan, this difference often goes unnoticed.

But the more important question is how to change the default behavior in the professional level plan. It's actually quite simple once you know what to look for. In your Office 365 admin page there is a link to change permissions on your Team sites and documents (see screenshot below).

 

[Screenshot: o365perms1]

 

Clicking on that link will take you to the Site permissions page for your default Team Site.

NOTE:  Another difference between the two levels is that in the professional version you only get one Team site collection and one public website.  In Enterprise you can create multiple internal site collections but you are still limited to one public website.

On the site permissions page you will see a Domain Group named Tenant_Users (see screenshot below).  This is the group that contains ALL the users you create in Office 365.  You can see that the group is given the Enhanced Contribute permission level.  So every user that you create and assign a license to is automatically given permission to log on to your SharePoint online site.  This is very convenient, but causes a problem if you want most of your users to be limited to Read Only access to the site.

[Screenshot: o365perms2]

 

But once you recognize that this default group exists the solution is fairly simple. 

  • Select the checkbox next to the group
  • Click the Edit User Permissions button in the ribbon.
  • In the dialog that appears clear the check box next to Enhanced Contribute and select the check box next to either Read or View Only depending on how limited you want the average user’s permissions to be.  (see screenshot below)
  • Click OK

 

    [Screenshot: o365perms3]

    Users will now default to either Read Only or View Only access to the site.  If you want to give them more permissions than that you’ll need to add them to an appropriate group or assign them rights individually.

    I’m sure there are other differences between the different plan levels that aren’t well documented.  This is just the first one I ran into.
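The same change can be scripted with the SharePoint Client Object Model. This is an added example, not code from the original post: the class and method names are hypothetical, it assumes the caller passes an already-authenticated `ClientContext` for the Team Site, and it assumes the group's display name is exactly `Tenant_Users` as shown on the permissions page.

```csharp
using System;
using Microsoft.SharePoint.Client;

// Added example (hypothetical names). Authentication is left to the caller.
public static class DefaultGroupPermissions
{
    // Permission levels the post treats as acceptable defaults for all users.
    static readonly string[] Limited = { "Read", "View Only" };

    // Returns true if the group's permission levels were changed.
    public static bool Restrict(ClientContext ctx,
                                string groupTitle = "Tenant_Users",
                                string newLevel = "Read")
    {
        if (Array.IndexOf(Limited, newLevel) < 0)
            throw new ArgumentException("newLevel must be Read or View Only");

        Web web = ctx.Web;
        // Load each assignment's principal name and its permission levels.
        ctx.Load(web.RoleAssignments, ras => ras.Include(
            ra => ra.Member.Title,
            ra => ra.RoleDefinitionBindings.Include(rd => rd.Name)));
        ctx.ExecuteQuery();

        RoleAssignment target = null;
        foreach (RoleAssignment ra in web.RoleAssignments)
            if (string.Equals(ra.Member.Title, groupTitle, StringComparison.OrdinalIgnoreCase))
                target = ra;
        if (target == null)
            throw new InvalidOperationException(groupTitle + " has no role assignment on this site");

        // Report what the group holds and note anything beyond Read / View Only.
        bool excessive = false;
        foreach (RoleDefinition rd in target.RoleDefinitionBindings)
        {
            Console.WriteLine("{0} currently has: {1}", groupTitle, rd.Name);
            if (Array.IndexOf(Limited, rd.Name) < 0) excessive = true;
        }
        if (!excessive) return false;   // already limited, nothing to change

        // Same effect as clearing the old check box and selecting the new one.
        RoleDefinition level = web.RoleDefinitions.GetByName(newLevel);
        target.RoleDefinitionBindings.RemoveAll();
        target.RoleDefinitionBindings.Add(level);
        target.Update();
        ctx.ExecuteQuery();
        return true;
    }
}
```

Run it against the Team Site root; a `false` return means the group already holds only Read or View Only.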

    SharePoint Saturday: Denver – Nov. 11-12

    Next week I’ll be headed for Denver to speak at the Denver SharePoint Saturday event.  I will be presenting two sessions.  One will be an overview for users, admins, and developers who are just getting started on SharePoint online in Office 365.  The other is a more in-depth talk for developers and admins on managing the various places that SharePoint stores user information.  I’ve reprinted the abstracts for my talks below:

    Intro to Developing for SharePoint Online: What Tools Can I Use? – The introduction of Office 365 drastically changed the SharePoint development landscape. As a managed online service the rules for developing customizations for SharePoint Office 365 are radically different from the ones for an “on-premise” installation. They are also slightly different than developing sandbox solutions. In addition many companies who currently use dedicated SharePoint installations are beginning to consider eventual migration to the Office 365 cloud environment. That means even current “on-premise” development is often constrained in new ways. No matter what kind of development you currently do you need to know how to develop for Office 365. In this workshop/session we’ll cover the following topics:

    • Setting up an Office 365 development environment
    • Developing sandbox solutions for SharePoint Online
    • Building reusable workflows in SharePoint Designer 2010
    • Why the Client Object Model is even more important in Office 365

    Users, Profiles, and MySites: Managing a Changing SharePoint User population – Every company has some level of employee change and turnover. The question is how do you manage the graceful removal or modification of user information from SharePoint? If everything is perfectly aligned SharePoint will automatically process and delete the user account, permissions, profile, and MySite for users that are deleted from Active Directory. Updates to user information are also automatic in many cases. But most SharePoint installations don’t have all the necessary components aligned for automated removal of old users and some profile properties refuse to update. In this session we will examine the underlying processes controlling user accounts, permissions, profiles and MySites and how they interact. We’ll look at what works, what doesn’t work, and how to work around it. Along the way we’ll recommend Best Practices for managing users, their profiles, and MySites in a SharePoint environment.