As part of a webinar we ran, our Solutions Architect, Andrew Jolly, wonderfully explained how Microsoft Teams and SharePoint permissions work together. The webinar was a huge success, but the real winners were the fantastic diagrams Andrew created to demonstrate his points.
Below we have shared these diagrams along with Andrew’s annotations to explain the relationships between a Team and its SharePoint Site, and the role of the Microsoft Group and SharePoint Groups in facilitating access. Enjoy!
When you are a member of a Microsoft Team, your membership is determined by your account being a member of a ‘Microsoft Group’. Every Microsoft Team has a corresponding Microsoft Group of the same name; in fact, a Microsoft Team cannot exist without the Microsoft Group. Within a Microsoft Group there are two types of membership, ‘Owners’ and ‘Members’. Owners can administer membership.
Behind every Microsoft Team is a SharePoint Site (specifically a ‘SharePoint Team site’). It’s where all the files are stored for the channels within the Microsoft Team. A Microsoft Team cannot exist without its corresponding SharePoint Site.
SharePoint Sites also have a concept of permissions known as ‘SharePoint Groups’. This has been the case as far back as the product goes (to SharePoint 2003!). To control access and permissions to the SharePoint Site, the Microsoft Group is used in conjunction with the SharePoint Groups.
The Microsoft Group’s owners are included in the site collection administrators specified for the site collection. The Microsoft Group’s members are included in the SharePoint site’s Members SharePoint Group.
Individuals and AD Groups can be added to the SharePoint Groups for a given site without being added to the Microsoft Team’s members or owners. This means it’s possible to allow people to access the SharePoint site directly without ever needing to be part of the corresponding team. This has many advantages, but it also means it may not be immediately apparent who has access to an MS Team’s files, as the MS Team doesn’t display any SharePoint permissions configuration.
When you create a private channel, a separate Microsoft Group is created along with a separate SharePoint Site. You don’t really see the Microsoft Group, but it’s possible to see the separate SharePoint site if you go to ‘Files’, click the ‘Open in SharePoint’ option and look at the URL.
The separate Microsoft Group is created to manage access to the private channel and the SharePoint Site. The private channel’s Microsoft Group can only contain users from the main Microsoft Group that underpins the Microsoft Team.
This is where it gets interesting as the way in which people are added to the SharePoint groups differs somewhat from the way that access is controlled in the standard MS Team/SharePoint Site configuration:
At the time the private channel is created, the ‘creator’ of the private channel is specified as the site collection administrator (if you’re interested to see this for yourself, as an owner you can go directly to https://<URL of site>/_layouts/15/mngsiteadmin.aspx; there is no link to navigate to this settings page).
Subsequent owners of a private channel are added individually to the SharePoint site’s Owners Group.
Members of a private channel are also added individually to the SharePoint Site’s Members Group.
As with the SharePoint site that backs the main MS team, it is also possible for an owner to add ‘Non-MS team members’ to SharePoint Groups.
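The access paths described above can be checked against each other. The following is an added example, not part of the original post or Andrew’s diagrams: it compares a Team (or private channel) roster with the principals found on the backing SharePoint site and lists anyone whose access the roster does not explain. The claim prefixes, the `_o` owners suffix, and all names and IDs are assumptions or constructed sample data.

```python
# Added example: constructed data, not an export from a real tenant.
GROUP_CLAIM = "c:0o.c|federateddirectoryclaimprovider|"  # assumed Microsoft Group claim prefix
USER_CLAIM = "i:0#.f|membership|"                        # assumed individual user claim prefix

def classify(login, group_id):
    """Return (kind, identity) for one SharePoint login name."""
    login = login.lower()
    if login.startswith(GROUP_CLAIM):
        ref = login[len(GROUP_CLAIM):]
        is_owner_claim = ref.endswith("_o")   # assumed suffix for the group's owners
        base = ref[:-2] if is_owner_claim else ref
        if base == group_id.lower():
            return ("team_owners" if is_owner_claim else "team_members", base)
        return ("other_group", base)
    if login.startswith(USER_CLAIM):
        return ("user", login[len(USER_CLAIM):])
    return ("other_group", login)             # e.g. an AD group or any other claim

def audit_site(group_id, roster, site_principals):
    """Return site principals whose access the Team (or channel) roster does not explain."""
    roster = {u.lower() for u in roster}
    findings = []
    for sp_group, logins in site_principals.items():
        for login in logins:
            kind, ident = classify(login, group_id)
            if kind in ("team_owners", "team_members"):
                continue   # access flows from the Team's own Microsoft Group
            if kind == "user" and ident in roster:
                continue   # added individually (private channel pattern) but on the roster
            findings.append((sp_group, kind, ident))
    return sorted(findings)

GROUP_ID = "11111111-2222-3333-4444-555555555555"          # constructed
ROSTER = ["alice@contoso.example", "bob@contoso.example"]  # constructed owners + members
TEAM_SITE = {   # standard Team site: the Microsoft Group itself sits in the site's groups
    "Site collection administrators": [GROUP_CLAIM + GROUP_ID + "_o"],
    "Members": [GROUP_CLAIM + GROUP_ID, USER_CLAIM + "carol@contoso.example"],
    "Visitors": ["c:0t.c|tenant|aaaaaaaa-0000-0000-0000-000000000000"],
}
CHANNEL_SITE = {  # private channel site: people are added one by one
    "Owners": [USER_CLAIM + "alice@contoso.example"],
    "Members": [USER_CLAIM + "bob@contoso.example", USER_CLAIM + "dave@partner.example"],
}

if __name__ == "__main__":
    for name, site in (("team", TEAM_SITE), ("private channel", CHANNEL_SITE)):
        for finding in audit_site(GROUP_ID, ROSTER, site):
            print(name, *finding)
```

Each finding is a principal who can reach the Team’s files without appearing in the Team’s own membership list.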
If you were wondering, the tool used to create this diagram was none other than PowerPoint, which you can download here. If you found this post and the diagram useful, drop a comment with your feedback below.
Andrew is the Information Management Practice Lead at Engage Squared. He helps organisations craft systems to share information, manage documents and content, collaborate on projects, automate processes, and meet record keeping and compliance obligations, allowing everyone to make improved decisions, more effectively.
With over 15 years’ experience with the Microsoft SharePoint and 365 platforms, Andrew combines a pragmatic approach to modern records management with his extensive knowledge of what information management and productivity mean when it comes to the Microsoft ecosystem.
Contact him at andrew.jolly@engagesq.com or on 0423 539 710.