Changing the permissions assigned to the default Owners, Members, and Visitors groups in a SharePoint site is easy. You just navigate to Site Settings > Site Permissions, select the group whose permissions you want to change, and assign it a new permission level using the Edit User Permissions button in the Ribbon. But that won’t work in the site created behind an Office 365 Group. When you try the same procedure, you find that the Edit User Permissions button is greyed out if you select any of the built-in administrative groups. (See the screenshot below.)
The problem is that Office groups are created when you create a Security Group in Office 365. By default, that security group is added to the built-in Members group of the Site Collection. To make sure that you don’t inadvertently lock users out of the site, Microsoft disables your ability to change the permissions on the default administrative groups when using an Office Group based site.
But there is still a way to modify the permissions for the users in the groups. If you navigate to the home page of the site and select Site Permissions from the Settings menu (the gear), a panel opens on the right-hand side of the browser window. Under Site Members you will see the security group that provides the basis for the Office group you created. If you select Edit under that group, you can change the permissions for the members of the group to either Read or Full Control. However, instead of changing the permission level for the group, this actually moves the security group to either the Site Visitors or Site Owners group, respectively.
But what if I want to change the default group’s permissions to Contribute instead of Edit? To do that you’ll need to use two different SharePoint groups.
First, use the Site permissions panel to move the underlying security group from the Site Members group to the Site Visitors group. This will give all your users Read permissions to the site.
Second, click on the Advanced permissions settings link at the bottom of the panel. This will take you to the regular site permissions page that you are used to. Now you can create a new SharePoint group and assign it whatever permission level you want. After you create the group add the same security group you moved above as a member of the new SharePoint group. Since SharePoint permissions are additive this will give all your users both Read permission and whatever new permission level you assigned, for example Contribute.
I hope that clarifies how to manage Permissions in the new Office 365 group sites. Since Team sites are based on Office Groups, the same procedure applies to any Team sites you’ve created.
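The two steps above can also be scripted. This is an added example, not part of the original post: it assumes the PnP.PowerShell module, an existing Connect-PnPOnline session to the group site, a hypothetical group name, and that the Office 365 group's members appear in SharePoint under the claim login format shown in the comment.

```powershell
# Added example. Assumes PnP.PowerShell and an existing Connect-PnPOnline
# session to the Office 365 Group site. 'Site Contributors' is a hypothetical name.
$newGroupName = 'Site Contributors'
$roleName     = 'Contribute'

# Assumption: the Office 365 group's members are represented in SharePoint by a
# single claim login built from the group's ID. Verify it against the members list.
$groupId     = (Get-PnPSite -Includes GroupId).GroupId
$memberClaim = "c:0o.c|federateddirectoryclaimprovider|$groupId"

$members  = Get-PnPGroup -AssociatedMemberGroup
$visitors = Get-PnPGroup -AssociatedVisitorGroup

# Guard: stop if the claim is not where the post says it is by default,
# so nobody is removed or added based on a wrong login name.
$inMembers = Get-PnPGroupMember -Group $members |
    Where-Object { $_.LoginName -eq $memberClaim }
if (-not $inMembers) {
    throw "Claim '$memberClaim' not found in '$($members.Title)'; nothing changed."
}

# Step 1: move the security group from Site Members to Site Visitors (Read).
# Add before remove, so users never lose access in between.
Add-PnPGroupMember    -Group $visitors -LoginName $memberClaim
Remove-PnPGroupMember -Group $members  -LoginName $memberClaim

# Step 2: create a new SharePoint group, give it the wanted permission level,
# and add the same security group to it. Read + Contribute are additive.
New-PnPGroup -Title $newGroupName | Out-Null
Set-PnPGroupPermissions -Identity $newGroupName -AddRole $roleName
Add-PnPGroupMember -Group $newGroupName -LoginName $memberClaim

# Verify: the claim should be in Visitors and the new group, not in Members.
foreach ($name in @($members.Title, $visitors.Title, $newGroupName)) {
    $hit = Get-PnPGroupMember -Group $name |
        Where-Object { $_.LoginName -eq $memberClaim }
    [pscustomobject]@{ Group = $name; ContainsOfficeGroup = [bool]$hit }
}
```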
I really enjoyed my time at the Dogfood Conference in Columbus on Friday. The attendees were great and my talk on OneDrive Sync was well attended. There were lots of questions, but I was still able to power through my slides and the demos. I want to express my thanks to the conference organizers and the attendees for the wonderful conference. I really enjoyed myself and I hope to be invited back to speak again next year.
I promised attendees that I would post the slides, so I’ve uploaded them here. If you didn’t get a chance to respond to the survey I posted you can also find a link to that here:
An update to the OneDrive Next Gen Sync client that rolled out beginning in early January has limited where you can place the sync folder for your OneDrive files. The target is now required to be a New Technology File System (NTFS) formatted drive. When commenting on this, Microsoft says that non-NTFS drives have never been supported, but that the client didn’t check in the past. The change, according to Microsoft, is just a tightening of the error checking in the OneDrive client and not the implementation of a new feature. According to Microsoft, that’s why the change was released with no notice. It should be noted that the OneDrive system requirements don’t list the NTFS limitation. Resilient File System (ReFS), Microsoft’s newest file system format, is also not supported. Users should plan to update the format of their drives to NTFS if they plan to use the OneDrive Next Gen Sync client.
When Office 365 Groups first shipped, sharing with External Users was disabled. Over time that default policy was changed to allow sharing with External Users who were already in your Azure AD. In other words, you could share with External Users IF you had already shared something else in your environment with that External User. Based on user feedback, this default sharing policy is being further relaxed to allow sharing with any Authenticated External User. Anonymous Guest links will still not be allowed.
This change will apply to all Office Group sites that are created in the future, but will not apply to existing Office Group sites. To apply the new default to existing Office Group sites use the following PowerShell:
Set-SPOSite -Identity https://tenant.sharepoint.com/sites/groupsite `
You can also revert new Office Group sites back to the more restrictive setting using the following PowerShell:
Set-SPOSite -Identity https://tenant.sharepoint.com/sites/groupsite `
This change will loosen the security settings in Office 365 somewhat, but should also make the experience more predictable since it matches the setting in most other sites that allow External Sharing. So as long as you are aware of the change it should be a good move.
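Before changing the setting on existing sites, it helps to see what each Office Group site currently allows. The following is an added example, not the post's own command (the commands above are cut off after the line continuation): it assumes the SharePoint Online Management Shell, a placeholder admin URL, and that the setting in question is the -SharingCapability parameter of Set-SPOSite with the values named in the comments.

```powershell
# Added example. Assumes the SharePoint Online Management Shell; the admin URL
# is a placeholder for your tenant.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://tenant-admin.sharepoint.com'

$apply  = $false                      # set to $true to actually change sites
$target = 'ExternalUserSharingOnly'   # any authenticated external user
$from   = 'ExistingExternalUserSharingOnly'  # only guests already in Azure AD

# GROUP#0 is the site template behind Office 365 Groups. Each site is
# re-queried by URL so that SharingCapability is fully populated.
$sites = Get-SPOSite -Template 'GROUP#0' -IncludePersonalSite:$false -Limit All |
    ForEach-Object { Get-SPOSite -Identity $_.Url }

# Inventory: how many group sites sit at each sharing level.
$sites | Group-Object SharingCapability |
    Select-Object Name, Count |
    Format-Table -AutoSize

# Anonymous guest links are not part of the new default; flag any site that
# has them enabled so it can be reviewed separately.
$sites |
    Where-Object { "$($_.SharingCapability)" -eq 'ExternalUserAndGuestSharing' } |
    ForEach-Object { Write-Warning "Anonymous links enabled: $($_.Url)" }

# Move only the sites still on the older default; leave Disabled sites alone.
foreach ($site in $sites) {
    if ("$($site.SharingCapability)" -ne $from) { continue }
    if ($apply) {
        Set-SPOSite -Identity $site.Url -SharingCapability $target
        Write-Output "Updated $($site.Url) -> $target"
    } else {
        Write-Output "Would update $($site.Url) -> $target"
    }
}
```

Swapping the values of `$target` and `$from` reverts sites to the more restrictive setting.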
My wife and I really enjoyed our visit to Denver last week. The conference attendees were great and asked a lot of good questions at both of my sessions. It was a pleasure to feel that I was sharing information that people really wanted to learn about. It was even more exciting because this was my first chance to present under the logo of my own company. As you’ve probably seen on my web site, I’ve left Blue Chip Consulting and launched my own one-man firm under the name Don’t Pa..Panic Consulting. The Denver conference was just two weeks after deciding to go independent. So everything looked bright and shiny and new, to go with my new business cards.
The one thing that didn’t go well were the demos in my DLP talk. Despite checking them the night before, the SharePoint sites I was using for demos refused to load during my talk. I also tried demoing creating a new custom DLP policy and although that worked perfectly at 6:30 AM, when trying it for my talk PowerShell threw an error saying it couldn’t find the Exchange endpoint on the server. So I promised to spend some time this week recording the demos and making them available here. Note: I’m still working on the recordings, but they will be up soon.
I also promised to make my slides available, so I’ve uploaded them here. They are also available on the SharePoint Fest Denver site for attendees. If you have any follow-up questions please email me at firstname.lastname@example.org. You can download a copy of the slides from each talk using the links below:
Demo1: Creating Compliance Policy & eDiscovery Centers
More Soon !