Introduction to SharePoint Security

Microsoft SharePoint empowers teamwork with dynamic and productive team sites for any project or department. With the frequent sharing of files, data, resources, and more, it is important to collaborate effortlessly and securely with team members both inside and outside your organization across all devices.

Managing SharePoint security in groups is more important than ever before, and proper permission level management will ensure that your SharePoint sites will be protected from both internal and external threats. In this article, we will provide an overview of security groups and how to use them to improve your SharePoint security.

Overview of SharePoint Security Groups

Every team in Microsoft Teams is associated with a SharePoint site for content storage. 

SharePoint groups are security groups within the SharePoint environment and are how SharePoint manages access to its sites. SharePoint Security Groups consist of three default permission groups:  

  • Owners – Full Control Permissions: Users added to the Owners permission group have full access (full control) to all parts of the site and are usually responsible for managing the SharePoint site.  
  • Members – Edit Permissions: Users added to the Members permission group have add/edit/delete (contribute) permissions. 
  • Visitors – Read Permissions: Users added to the Visitors permission group have read-only (view) rights. 

These permissions are set on the site level and are inherited on everything in the site, such as document libraries or lists – unless inheritance is broken at the library or list level and unique permissions are applied. 

Additional permission groups and custom permission levels can be created as necessary.

When a new Team is created from MS Teams:  

  • A Microsoft 365 Group with an Exchange Mailbox and a SharePoint site are created.  
  • The name of the Team becomes the name of the Microsoft 365 Group and SharePoint site.
  • The mailbox is not visible in Outlook and is used only for calendaring and for storing Teams chat in a hidden folder. Whether the mailbox is shown in Outlook can be changed in the Microsoft Admin Center.
  • The Microsoft 365 Group Owners are the same as the Team Owners and are added to the SharePoint Owners security group – a group within a group. The owners are also assigned as Site Admins.
  • Microsoft 365 Group controls access to the Team and SharePoint site. Adding users to the SharePoint site alone does not give them access to the Team associated with it. Users must be added as Members in Teams to have access to the Team in MS Teams.
  • The Team Owners are the SharePoint site owners and are responsible for managing Team and SharePoint site access.  
  • The Team Members are the SharePoint site members and can add/edit/delete content. 

  • Microsoft 365 Groups have only two roles, Owners and Members, so every member of the Microsoft 365 Group/Team has edit access to the Team and its associated SharePoint site; the Group/Team has no Visitors role with read-only access.  
  • If there is a requirement to give members read access instead of edit, delete the Microsoft 365 members group from the SharePoint Members group and add the Microsoft 365 members group to the SharePoint Visitors group instead. Individual users can be added to groups in the same manner. 
  • If there is a requirement to give everyone in the organization read-only or edit access to the SharePoint site, add ‘Everyone except external users’ to either the SharePoint Members or the SharePoint Visitors group. 
  • External users are added as Guests in Teams; these users are also added to the SharePoint Members security group and therefore have edit access by default. 
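
The membership rules above are easy to drift away from over time. The following audit script is an added example (not part of the original article) that walks a team site's SharePoint groups and reports guests or the whole organization holding edit rights, a Members group that no longer grants Edit, and the site collection admins who bypass group permissions altogether. It assumes the SharePoint Online Management Shell cmdlets (Connect-SPOService, Get-SPOSiteGroup, Get-SPOUser); the URLs and the claim prefix for ‘Everyone except external users’ are placeholders/assumptions to check against your tenant.

```powershell
# Added audit example, not from the original article. Requires the SharePoint Online
# Management Shell and a SharePoint administrator account. URLs are placeholders.
$AdminUrl = "https://contoso-admin.sharepoint.com"            # placeholder tenant admin URL
$SiteUrl  = "https://contoso.sharepoint.com/sites/ProjectX"   # placeholder team site URL

Connect-SPOService -Url $AdminUrl

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Group, $Principal, $Issue) {
    $findings.Add([pscustomobject]@{ Group = $Group; Principal = $Principal; Issue = $Issue })
}

foreach ($group in Get-SPOSiteGroup -Site $SiteUrl) {
    # Roles lists the permission levels bound to the group (Full Control, Edit, Read, ...)
    $grantsWrite = ($group.Roles -join ',') -match 'Full Control|Edit|Contribute|Design'
    foreach ($login in $group.Users) {
        # Guest (external) accounts carry "#ext#" in their SharePoint login name
        if ($grantsWrite -and $login -like '*#ext#*') {
            Add-Finding $group.Title $login 'Guest account with edit rights (Teams default)'
        }
        # Tenant-wide "Everyone except external users" claim (assumed prefix; verify in your tenant)
        if ($grantsWrite -and $login -like 'c:0-.f|rolemanager|spo-grid-all-users*') {
            Add-Finding $group.Title $login 'Whole organization has edit rights'
        }
    }
    # A Members group without Edit means someone moved members to read-only (as the
    # article describes); report it so the deviation from the default stays visible.
    if ($group.Title -like '*Members' -and -not $grantsWrite) {
        Add-Finding $group.Title '(group)' 'Members group no longer grants Edit'
    }
}

# Site collection admins have full control regardless of group membership; list them for review
Get-SPOUser -Site $SiteUrl -Limit All | Where-Object IsSiteAdmin | ForEach-Object {
    Add-Finding 'Site Collection Administrators' $_.LoginName 'Site admin (not granted via a group)'
}

if ($findings.Count -eq 0) { "No findings for $SiteUrl" } else { $findings | Format-Table -AutoSize }
```

Run it per site, or wrap the loop in a Get-SPOSite pipeline to cover every Teams-connected site in the tenant.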

Why You Should Use Microsoft 365 Groups

Unlike SharePoint security groups that only provide access to single resources, Microsoft 365 Groups can be used to control access to multiple resources such as SharePoint sites, Teams, shared mailbox, Planner, etc. This allows admins to easily manage access to multiple resources by grouping together users that require identical permissions. This way you only need to assign access once for the entire group, not for each user individually. This ensures consistency in permissions to a group of related resources. 

Resources that are provided depend slightly on the kind of group that is created. 

What kind of group should you create? 

Different teams may prefer to work in different ways and Microsoft 365 has the tools to enable collaboration in whatever form your teams prefer. 

  • Create a Microsoft 365 Group in Outlook: If your team prefers to collaborate via email and needs a shared calendar. 
  • Create a Microsoft Team: If your team wants to collaborate in a persistent chat environment or use embedded apps. 
  • Create a group in Yammer: If you want to create a large, open, discussion forum for your company – for example for executive-level announcements and discussions. 

Microsoft 365 Groups can also be used to restrict the creation of Teams in MS Teams. If your organization requires that you restrict who can create Teams or groups, you can restrict Microsoft 365 Groups creation to the members of a particular Microsoft 365 group or security group.  

Create a group for users who need to create Microsoft 365 groups  

  • Go to Microsoft Admin Center > Teams & Group > Active Teams & Group. 
  • Add a group > Microsoft 365 > Next > Add a name and description > Next. 
  • Add Owners (adding at least two owners is best practice) and members to your group.
  • On the settings page, enter the group name as the group email address, choose whether the group should be Public or Private and whether to Add Microsoft Teams to your Group, then click Next to finish setting up your group. 

Run PowerShell commands 

The preview version of Azure Active Directory PowerShell for Graph (AzureAD) – Module Name AzureADPreview must be used. 

If the preview version is already installed, run Install-Module AzureADPreview to ensure you have the latest version of the module. 

Run the script below, replacing $GroupName with the name of your group. 

$GroupName = "AllowToCreateGroups"   # group whose members may still create Microsoft 365 Groups
$AllowGroupCreation = $False         # $False restricts creation to members of $GroupName

Connect-AzureAD

# Locate the tenant-wide Group.Unified settings object; create it from the template if it does not exist yet
$settingsObjectID = (Get-AzureADDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id
if (!$settingsObjectID)
{
    $template = Get-AzureADDirectorySettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}
    $settingsCopy = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $settingsCopy
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id
}

$settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
$settingsCopy["EnableGroupCreation"] = $AllowGroupCreation
if ($GroupName)
{
    # Resolve the group name to its object ID; only members of that group keep the right to create groups
    $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $GroupName).ObjectId
} else {
    # An empty group name clears the allowed-group restriction
    $settingsCopy["GroupCreationAllowedGroupId"] = $GroupName
}
Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy

# Show the resulting setting values
(Get-AzureADDirectorySetting -Id $settingsObjectID).Values

If you want to turn off the group creation restriction and again allow all users to create groups, set $GroupName to "" and $AllowGroupCreation to "True" and rerun the script. 

Verify Changes 

Changes can take thirty minutes or more to take effect. Sign in with a user account that is not a member of the AllowToCreateGroups group. Go into Teams and click Join or create a team; the Create team tile should no longer be visible. 
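
The UI check above tells you whether the change has propagated; the stored setting itself can be read back immediately. The following is an added example (not from the original article) that checks EnableGroupCreation and GroupCreationAllowedGroupId and lists who retains the right to create groups. It assumes the AzureADPreview module, an open Connect-AzureAD session, and that the allowed group is named AllowToCreateGroups as in the script above.

```powershell
# Added verification example, not part of the original article.
# Assumes AzureADPreview is loaded and Connect-AzureAD has already been run.
$ExpectedGroupName = "AllowToCreateGroups"   # name used in the restriction script

$setting = Get-AzureADDirectorySetting | Where-Object DisplayName -eq "Group.Unified"
if (-not $setting) { throw "No Group.Unified setting exists: group creation is unrestricted." }

# Flatten the Name/Value pairs into a hashtable for easy lookup
$values = @{}
foreach ($v in $setting.Values) { $values[$v.Name] = $v.Value }

# An empty EnableGroupCreation value means the template default (true) applies
$enabled = if ($values["EnableGroupCreation"]) { [bool]::Parse($values["EnableGroupCreation"]) } else { $true }
$allowedId = $values["GroupCreationAllowedGroupId"]
$allowedGroup = if ($allowedId) { Get-AzureADGroup -ObjectId $allowedId } else { $null }

[pscustomobject]@{
    EnableGroupCreation  = $enabled
    AllowedGroup         = $allowedGroup.DisplayName
    AllowedGroupId       = $allowedId
    RestrictionEffective = (-not $enabled) -and ($allowedGroup.DisplayName -eq $ExpectedGroupName)
}

if ($allowedGroup) {
    # Everyone listed here can still create Microsoft 365 Groups and Teams; review this list periodically
    Get-AzureADGroupMember -ObjectId $allowedId -All $true | Select-Object DisplayName, UserPrincipalName
}
```

RestrictionEffective being $true confirms the directory setting; the Teams client may still show the Create team tile until the propagation delay has passed.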
