Governing SharePoint in Office 365 can be a bit tricky. Creating a new method for governance was key to helping my customers navigate this new world. This is the fourth in a five part series exploring exactly how to create a new governance plan. In the first article we looked into creating your team, organizing meetings and building a plan. In the second article we covered how the settings in the Admin Centers can help achieve governance goals. In the third article we looked at information governance and how to best plan site architecture and manage content in Office 365.
Staying in the information governance realm, let’s review a few topics related to securing content in SharePoint Online. Overall the permission structure we are used to in SharePoint has remained the same. However, Microsoft has added few features that may confuse and complicate things. Let's take a look at Office 365 Groups, Sharing and External Users and hopefully provide insight into where specific guidance on these topics may be required.
Related Article: Create SharePoint Governance Policies That Don't Block Adoption
Office 365 Groups
Groups are an excellent tool for collaboration in Office 365. They allow you to seamlessly provide access to several resources including a unique Outlook inbox, calendar and SharePoint site. They can also tie into other tools like Teams and Planner. There is even an option for connecting an existing SharePoint site to a group.
The big thing to understand though is that the permission structure of a group and of a SharePoint site are quite different.
Groups allow for two different levels of access: owners and members. This automatically creates two separate Active Directory groups that are then granted access to the SharePoint site. The owner’s group is added as a Site Collection Administrator and then the members group is given Edit permission. This is important to know as the Edit permission not only allows users to edit and delete content, but also the ability to edit and delete lists and libraries on the site. There is also an option to create a public Office 365 group. This feature actually gives every user in the tenant Edit permission to the connected SharePoint site.
While you can provide users access to the SharePoint site using traditional permissions this will not automatically add them to the Office 365 group. Adding members to the group is handled on a separate screen in SharePoint or Outlook. If you do plan to use Office 365 groups, understand this functionality and plan for it. For example, if you don't want your Office 365 group members to be able to add, edit or delete lists and libraries you can change their permission to Contribute directly on the SharePoint site. On the other hand, if you need to give someone access to the SharePoint site but don't want them to see all of the other group resources (inbox, calendar, etc.) you also have that ability.
These different options for structuring permissions for Office 365 groups and their connected sites can initially be confusing, but in the long run, they're helpful to have.
Related Article: How SharePoint Communication Sites Impact Governance
Sharing & External Users
The "Share" button has been available for a while now in SharePoint sites and OneDrive. While a great tool for users to easily share content, it can also create permission headaches. Make sure you are clear what sharing options exist and how you can manage them.
After clicking the "Share" button, you will see the options of “People in COMPANY with the link” and “Specific people.” Note these options will break permission inheritance on an item. If you want to prevent that from happening, one recommendation is to train users to stick with the “People with existing access” option. On the Share screen you can also decide whether or not the person receiving the share link can edit the item and/or even download it.
An important consideration is what guidelines you want to create for sharing with or granting access to people who are external to your organization. This may be necessary if you have an extranet, or a site where customers or vendors need to come and collaborate with you. However, for the most part you probably want to keep this ability locked down. You can adjust the setting for external sharing on each site collection.
You can also specify whether the share button mentioned above includes the ability to share with new or existing external users. This setting can be found in the OneDrive admin center. Finally, "Security & Compliance" offers several options for monitoring what external users are doing inside of your tenant. Administrators can even put policies in place to block users from sharing certain types of data. These are all important considerations to make as you assist your users with properly securing their content
In the final article in this series we will take a look at some specific things to look out for when planning governance for tools like Teams, PowerApps, Planner and more.