Microsoft Teams and SharePoint permissions explained – 2023 update

Re-published June 2023

As part of a webinar we ran back in 2021, our Information Management Practice Lead, Andrew Jolly, explained how the relationship between Microsoft Teams and SharePoint permissions work together. The webinar was well-received, but the real winners were the fantastic diagrams Andrew created to demonstrate his points.

Below we have shared these diagrams along with Andrew’s annotations to explain the relationships between a Team, its SharePoint Site, the role of the Microsoft Group and SharePoint Groups in facilitating access.

This blog was first published in April 2021. Updates have been made in June 2023.

Microsoft Teams and SharePoint permissions explained

When you are a member of a Microsoft Team (1) your membership is determined by your account being a member of a ‘Microsoft Group’ (2). Every Microsoft Team has a corresponding Microsoft Group of the same name, in fact a Microsoft Team cannot exist without the Microsoft Group. Within a Microsoft Group there are two types of membership, that of ‘Owners’ and ‘Members’ (3), owners can administer membership and control many of the settings of the Microsoft Team.

Behind every Microsoft Team is a SharePoint Site (4) , specifically a ‘SharePoint Team site’). It’s where all the files are stored for the channels within the Microsoft Team. A Microsoft Team cannot exist without its corresponding SharePoint Site.

SharePoint Sites also have a concept of permissions known as ‘SharePoint Groups’ (5), this has been the case as far back as the product goes (to SharePoint 2003!). In order to control access and permissions to the SharePoint Site, the Microsoft Group is used in conjunction with the SharePoint Groups to make this possible.

How permissions are configured within the SharePoint site depends on the ‘Privacy’ setting within the Microsoft Group. Private teams can only be joined if the team owner adds someone to them. Public teams are visible to everyone from the teams gallery and you can join them without getting approval from the team owner. This setting also determines how permissions and access are configured within the SharePoint site.

In a ‘Public’ site 

• The Microsoft Group’s owners are included in the Site collection administrators specified for the site collection. 
• The Microsoft Group’s members are included in the SharePoint sites members SharePoint Group.
• The Everyone except external users AD Group is included in the SharePoint sites members SharePoint Group.

In a ‘Private’ site  

• The Microsoft Group’s owners are included in the Site collection administrators specified for the site collection. 
• The Microsoft Group’s members are included in the SharePoint sites members SharePoint Group.

Individuals and AD Groups can be added to the SharePoint Groups for a given site without being added into the Microsoft Team members or owners. This means it’s possible to allow people to access the SharePoint site directly without ever needing to be part of the corresponding team. This has many advantages, but it also does mean it may not be immediately apparent who has access to an MS Team’s file as the MS Team doesn’t display any SharePoint Permissions configuration.

Microsoft Teams and SharePoint permissions explained in private channels

When you create a private channel, a separate SharePoint Site is created, the private channel can only contain users from the main Microsoft Group that underpins the Microsoft Team. 

This is where it gets interesting, as the way in which people are added to the SharePoint groups differs somewhat from the way that access is controlled in the standard MS Team/SharePoint Site configuration:

• At the time the private channel (6) is created the ‘creator’ of the private channel is specified as the site collection administrator*
• Subsequent owners of a private channel are added individually to the SharePoint site’s Owners Group as individuals.
• Members of a private channel are also added individually to the SharePoint Site’s Members Group (7).

*If you’re interested to see this for yourself, as an owner you can browse to https://<URL of site>/_layouts/15/mngsiteadmin.aspx, there is no way to browse to this settings page. You can browse to _layouts/15/user.aspx and see how users are added to the relevant site owners and members groups.

Microsoft Teams and SharePoint permissions explained in shared channels 

When you create a shared channel, again a separate site is created, permissions are a little different also. Like a private channel the channel has Owners, Members but it’s also possible to add other Teams (8). 

Shared channels do not rely on Azure B2B Collaboration, therefore external members are not required to have guest accounts within the host tenant in order to access the channel. Instead, these channels utilise Azure B2B Direct Connect (9), which operates differently. In practical terms, your tenant acknowledges the credentials users acquire by authenticating against their own home tenant.

Consequently, a single channel can accommodate users from various external tenants. B2B direct connect requires a mutual trust relationship between two Azure AD organizations to allow access to each other’s resources. Both the resource organisation and the external organisation need to mutually enable B2B direct connect in their cross-tenant access settings. When the trust is established, the B2B direct connect user has single sign-on access to resources outside their organisation using credentials from their home Azure AD organisation.

Like what you see?

If you liked our diagrams and want to use them in your organisation, the tool used to create these diagrams was none other than PowerPoint! Download it here.

When it comes to deploying information management initiatives it is seldom a flick of switch affair. Most initiatives have a wide reach touching large numbers of employees, where applicable we design stage-based rollouts that deliver the initiative through the business in waves that include support and knowledge transfer to ensure ongoing operational assurance well beyond ’go live.

About the author 

Andrew Jolly is the Information Management Practice Lead at Engage Squared, he helps organisations craft systems to share information, manage documents and content, collaborate on projects, automate processes, and meet record keeping and compliance obligations; allowing everyone to make improved decisions, more effectively.

With over 17 years’ experience with the Microsoft SharePoint and 365 platforms Andrew combines a pragmatic approach to modern records management means which his extensive knowledge of what information management and productivity mean when it comes to the Microsoft ecosystem.

This blog is part of our ‘modernise and secure teamwork with M365’ campaign. Follow us on LinkedIn as we share our insights across a series of blogs, client success stories, and events, as we explore how M365 can help solve today’s unique set of challenges.