Managing Default Permissions in SharePoint Online (Office 365)

I stumbled across an interesting difference between the Enterprise and Professional level plans of Office 365 recently.  If you subscribe to a Microsoft Office for professionals and small businesses plan (Plan P) then any non-admin user added to SharePoint Online automatically has Enhanced Contributor permission in all your sites.  But if you subscribe to one of the midsize businesses and enterprises plans (E plans) then adding users gives them no rights in SharePoint Online.  You must add the users to SharePoint Online sites just like you would add users to an on-premises SharePoint site.  Since most administrators only have access to one Office 365 plan, this difference often goes unnoticed.

But the more important question is how to change the default behavior in the professional level plan.  It's actually quite simple once you know what to look for.  In your Office 365 admin page there is a link to change permissions on your Team sites and documents (see screenshot below).

 

o365perms1

 

Clicking on that link will take you to the Site permissions page for your default Team Site.

NOTE:  Another difference between the two levels is that in the professional version you only get one Team site collection and one public website.  In Enterprise you can create multiple internal site collections but you are still limited to one public website.

On the site permissions page you will see a Domain Group named Tenant_Users (see screenshot below).  This is the group that contains ALL the users you create in Office 365.  You can see that the group is given the Enhanced Contribute permission level.  So every user that you create and assign a license to is automatically given permission to log on to your SharePoint online site.  This is very convenient, but causes a problem if you want most of your users to be limited to Read Only access to the site.

o365perms2

 

But once you recognize that this default group exists the solution is fairly simple. 

  • Select the checkbox next to the group
  • Click the Edit User Permissions button in the ribbon.
  • In the dialog that appears clear the check box next to Enhanced Contribute and select the check box next to either Read or View Only depending on how limited you want the average user’s permissions to be.  (see screenshot below)
  • Click OK

 

o365perms3

Users will now default to either Read Only or View Only access to the site.  If you want to give them more permissions than that you’ll need to add them to an appropriate group or assign them rights individually.
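The same check and change can be scripted. The following is an added example, not part of the original post: it assumes the PnP.PowerShell module and an existing `Connect-PnPOnline` session to the Team Site, takes the group and permission-level names from the text above, and uses hypothetical parameter names. Without `-Apply` it only reports which principals hold more than read-level rights on the site.

```powershell
# Added example. Assumes: PnP.PowerShell is installed and Connect-PnPOnline
# has already been run against the Team Site. Parameter names are hypothetical.
param(
    [string]$GroupName = 'Tenant_Users',         # default group named in the post
    [string]$OldLevel  = 'Enhanced Contribute',  # level the post says it is given
    [string]$NewLevel  = 'Read',                 # or 'View Only'
    [switch]$Apply                               # omit to audit only
)

# Permission levels treated here as non-writing.
$readOnlyLevels = 'Read', 'View Only', 'Limited Access'

# Load every role assignment on the site root, with its principal and levels.
$web = Get-PnPWeb -Includes RoleAssignments
$report = foreach ($ra in $web.RoleAssignments) {
    Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
    $levels = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })
    [pscustomobject]@{
        Principal = $ra.Member.Title
        LoginName = $ra.Member.LoginName
        Levels    = $levels
        CanWrite  = [bool]($levels | Where-Object { $_ -notin $readOnlyLevels })
    }
}

# Audit view: principals that can modify content are listed first.
$report | Sort-Object CanWrite -Descending |
    Select-Object Principal, LoginName, CanWrite, @{n='Levels'; e={ $_.Levels -join ', ' }} |
    Format-Table -AutoSize

# Find the tenant-wide group and check that it still holds the old level.
$target = $report | Where-Object { $_.Principal -eq $GroupName -and $_.Levels -contains $OldLevel }
if (-not $target) {
    Write-Host "'$GroupName' does not hold '$OldLevel' on this site; nothing to change."
    return
}

if ($Apply) {
    # Swap the permission level, mirroring the Edit User Permissions dialog.
    Set-PnPWebPermission -User $target.LoginName -AddRole $NewLevel -RemoveRole $OldLevel
    Write-Host "'$GroupName' changed from '$OldLevel' to '$NewLevel'."
} else {
    Write-Host "Audit only: '$GroupName' holds '$OldLevel'. Re-run with -Apply to set '$NewLevel'."
}
```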

I’m sure there are other differences between the different plan levels that aren’t well documented.  This is just the first one I ran into.