Get in control of file permissions in Teams/SharePoint

Understand how it all fits together – do it the right way – and avoid common pitfalls

November 5, 2025 / Ejner Jensen

Background

This post is for everyone struggling with file permissions in Teams/SharePoint – or who just wants to know more:

Here you can read about:

And after that, I hope you will understand how it all fits together, how to manage permissions the right way, and how to avoid common pitfalls. 😊

Image: The Five Ways to Manage File Permissions

Teams and SharePoint

When you create a Team in Microsoft Teams, a SharePoint site is created for all the files – i.e. documents, videos, loops, etc.

In Teams, you can create channels to organize posts and related files.
In SharePoint, the files are stored in the “Documents” library, in a folder for each channel.
If you upload a file to a channel post, it will automatically be saved here.
You can see a channel’s files via the “Shared” tab in Teams.

You can create additional folders, libraries, and lists in SharePoint.

As a starting point, you control access to files by adding owners, members, and guests to your Teams. But often this is not enough, and then it’s important to know how you can manage permissions in SharePoint. And since Copilot has arrived, it’s even more important to ensure you know who has access to your files.

Unfortunately, permissions in SharePoint can easily become very complicated.

Balance Between Security and Collaboration

A “Best practice” from Microsoft for permissions is:

Follow the Principle of Least Privilege: 
Give people the lowest permission levels they need to perform their assigned tasks.

⚖️

But – you need to balance this against the need for easy collaboration and keeping permissions simple and manageable!

Finding the right balance is not easy. 🤔 

On top of that, Microsoft has optimized the default permission setup in a Team to support collaboration as much as possible – but unfortunately at the expense of security!

This post helps you correct that – see places marked with Security Risk
Note: It’s not certain you need to tighten security everywhere!
It’s a balancing act depending on your specific needs in your Team and your organization!

Create the Right Teams

The best way to get simple permissions in Teams is to create the right Teams!
But this requires balancing different considerations – and that’s not easy. 🤔

Here are some tips:

  • Don’t make Teams too large
    There should be a common purpose for a Team
    Large Teams might increase the need for complex file permissions
  • Don’t make Teams too small
    There should be a basis for regular activity in posts
    Too many Teams can become overwhelming for users
  • Don’t mix short-lived and longer-term topics in the same Team
    E.g. organization (changes frequently)
    and products (more permanent – but responsibility may change)
  • Consider future needs
    Do the Teams you’re creating also fit known future needs?
    Are your Teams robust against organizational changes?

In my next blog post, I will go deeper into this topic. 😊

⚠️ Note: Once a Team is created and in use, it’s difficult to split it into more Teams – or merge it with other Teams!

 

Two Very Different Models for Access Control

Teams and SharePoint use two very different models for controlling permissions.
Here is the first overview diagram for the basic access management via Teams.
Throughout this post, the diagram will be expanded, as additional elements are explained.
💡 Tip: Click the images for a larger version.

Teams: Uses a simple model – designed for regular users

  • There’s an associated M365 group with built-in roles, where you can add users
  • You can create private (confidential) and shared channels if needed
  • The M365 group also gives access to the Team’s Planner, Mailbox and Calendar

SharePoint: Uses an advanced model – designed for expert users

  • There are built-in SharePoint groups for each role (Owners, Members and Visitors) where you can add users, M365 groups and other security groups
  • You can change permissions for a SharePoint group
  • You can create your own SharePoint groups – if needed
  • There are built-in permission levels – e.g., Full control, Edit and Read
  • You can create your own permission levels – if needed

When these two models are combined, things can get complicated. 🤔
Places to be especially aware of, are marked with ⚠️ in this post.

Image: Permission Chaos – some of the dialog boxes you can meet in SharePoint

ℹ️ More About this Post

I hope it can help you:

  • Understand how file permissions work
  • Choose the right ways to grant permissions
  • Avoid mistakes that can lead to unintended access to files and extra administrative work.

This post describes file permissions for the most common type of Teams:

    • Private Teams

The following types of Teams are not fully covered here, although much also applies:

  • Public Teams
    Anyone can join without approval.
    ⚠️ Note: By default, anyone in your organization can edit all files in a Public Team – unless you change this!
    💡Tip: You are often better off with an Engage group instead of a Public Team.
  • Org-wide Teams 
    Everyone in the organization is automatically a member.

This post does not cover Sensitivity Labels, which are a way to classify data for extra protection of the most critical data in the organization.

This post also covers SharePoint sites created as a team site – i.e. with an M365 Group – but without a Microsoft Team.

Be aware, that while much of what is described here also applies to Communication sites and Classic SharePoint sites, there are some differences.

2025-12-06 2025-11-24:
  • Image added: Broken inheritance
2025-11-17:
  • Now readable on mobile devices
2025-11-14:
  • Danish version published
2025-11-14:
  • Image added: The Five Ways…
  • Restructured for better readability
  • Minor adjustments
2025-11-05:
  • Published 

Guide to File Permissions in Teams/SharePoint

The Five Ways to Manage Permissions for Files

There are four ways to manage file permissions across a site:

  1. Membership in Teams
    – basic control in Teams
  2. Private and Shared Channels
    – extended control in Teams
  3. Site Permissions in SharePoint (Modern UI)
    – more options – for SP content only
  4. Advanced Permissions in SharePoint (Classic UI)
    – for complex requirements

Additionally, you can grant:

  5. Unique permissions for individual items in a site
    – e.g. a folder or a file.

1. Membership in Teams

This is the primary way to control access to Teams and files.
People you add here will – as a starting point – have access to everything on the SharePoint site.

Scope: Site
Who can: Only Teams owners can do this.

You use the roles in the Team’s M365 group to control access:

  • Owners: Manage who has access to the Team, manage Team settings, and always have full access to all files – except in private and shared channels they’re not members of
  • Members: Can view, add, update, and delete all files by default
    – and grant others access, unless you’ve blocked this (see: Recommendations for Site)
  • Guests: External users – have the same permissions as members

Team Owners are placed in the SharePoint Owner group – and Team Members and Team Guests are placed in the SharePoint Member group.

⚠️ Note: Even though you can “add” a group to a Team, the members of the group are actually added individually, so later changes in the “added” group are not transferred to your M365 group.

⚠️ Note: When you change Team membership, it can take a while (typically a few minutes), before it takes effect in SharePoint!

Image: Adding members and guests in Teams

2. Private and Shared Channels

Access to Private and Shared channels can be adjusted, compared to other Teams channels – i.e. you can restrict access to a Private channel – and expand access to a Shared channel.

With this you can avoid complicated permissions in your Team – or avoid creating new Teams.

Examples:

  • Create a Private confidential channel for the management group in a Team
  • Create a Shared channel for external vendors – possibly one Shared channel per vendor
Scope: Site
⚠️ Who can: By default all Team members can do this! You can limit to Team owners.
PS: This default could have been changed in your tenant.

Private channel
You can only add people already in the Team to a Private channel – e.g., the managers in a team.

Shared channel
You can add anyone – i.e. individuals or entire Teams – from inside or outside the organization, so they have access to the channel and its associated files.
Channel members, who are not members of the Team, will not see other channels in the Team.

In practice, an individual SharePoint site is created for each private or shared channel in a Team.

⚠️ Note: Once a channel has been created, you can’t change type – e.g. from Standard to Private!

⚠️ Note: File permissions for Private and Shared Channels can only be changed in Teams via channel membership – or via Unique Permissions for Individual Items of the channel’s site!

⚠️ Note: Shared channels may be fully or partially blocked in your organization!
See: Recommendations for Admins

Image: Choice of channel type (Private and Shared Channels)

ℹ Private and Shared Channels – Limitations

There were, from the outset, many limitations on private and shared channels compared to regular channels.

Fortunately, Microsoft has removed some of these limitations and is working on removing more – for example, the number of private channels in a Team will soon be increased from 30 to 1000.

Read more here:

3. Site Permissions in SharePoint (Modern UI)

Site permissions in SharePoint give you more granular control over files – without affecting Team membership.

Example: Grant read access to the whole site, to selected users or groups outside of the Team.

Scope: Site
Who can: By default only owners can do this. You can grant access to more people. 

You can manage these SharePoint groups:

  • Site Owners: Full control over the SharePoint site – but no rights in Teams. This group always includes the owners from the Team’s M365 group (cannot be changed/removed). Can be used if you want file administrators who should not be able to manage the Team in Teams.
    PS: In this group, it is perfectly fine to add individuals rather than groups.
  • Site Members: Edit access – can add, view, update, and delete files – and
    grant others access unless you’ve blocked this (see: Recommendations for Site).
    Includes both members and guests (external users) from the Teams M365 group.
  • Site Visitors: Read access – can view files.
    This SharePoint group is empty by default – you can add new visitors.
    ⚠️ Note: “Visitors” have no connection to the “Guests” role in Teams!

You can add both users and security groups to a SharePoint group and/or change access for current members.

⚠️ Note: Changing access for someone here (in Modern UI) in reality moves them to another SharePoint group!

⚠️ Note: It’s possible to change access for Team members from “Edit” to “Read”
– but you should not do this, because then they can’t use Loop or attach files to posts in Teams!

⚠️ Note: If you(/someone) have granted access to the site via a custom SharePoint group, this does not show in Modern UI! To see these permissions, you need to go to advanced permissions.

To change these permissions:

  • Click the gear icon at the top right of the screen
  • Click “Site Permissions”
  • Change settings – e.g., who can share (“Site sharing”)
    ……Or
    • Click “Add members”
    • Click “Share site only”
      ⚠️ Note: If you choose “Add members to the group,” you grant access to Teams!
    • Add users/groups and choose access (Read, Edit, or Full Control), and they will be placed in the corresponding SharePoint group

⚠️ Note: You cannot use this method for Private and Shared channels!

Microsoft documentation:

Image: Site Permissions – Modern UI

4. Advanced Permissions in SharePoint (Classic UI)

For most Teams, you don’t need to use this method.

Example: Grant some users access to update, but not delete, files.

Scope: Site
Who can: By default only owners can do this. You can grant access to more people. 

⚠️ Note: This is the classic (old) SharePoint interface – with lots of options – Be careful!
Use these settings only if you really need them!

Image: Standard permission groups in SharePoint (Site permissions – Classic UI)

Here you can manage:

  • Site Collection Administrators:
    Has ultimate control over the site and all content
    Includes the owners in the Teams M365 group – but you can add more
  • SharePoint Group: Site Owners:
    Has full control (almost at admin level)
    This group looks empty but actually Team owners are also included here – but hidden! 🤔
    See: 3. Site Permissions in SharePoint (Modern UI) 
  • SharePoint Group: Site Members:
    See: 3. Site Permissions in SharePoint (Modern UI)
  • SharePoint Group: Site Visitors:
    See: 3. Site Permissions in SharePoint (Modern UI)
  • Standard Permission Levels:
    ⚠️ Note: Should not be changed, as it will cause confusion!
    Instead, create new permission levels!
  • Custom Permission Levels: Create/edit your own permission levels.
    For example, you can create a level for “Edit without delete,” which you can assign to users who should only make corrections.
    💡 Tip: In Modern UI, you can grant a “Can review” permission on Word documents, which allows users to suggest changes to the document.
    ⚠️ Note: If a user needs to create site pages in the “Site Pages Library,” they must also be able to delete pages in the “Site Pages Library,” because the creation process involves a temporary page, that is deleted afterward! 🤔
    💡 Tip: Make sure to give permission levels logical names, that are easy for everyone to understand.
  • Custom SharePoint Groups:
    Create/edit your own SharePoint groups and assign permission levels.
    For example, you can create a group for “Authors” with “Contribute” access, so they can update files, but not delete libraries and lists.
    💡 Tip: Make sure to give groups logical names, that are easy for everyone to understand.
    ⚠️ Note: If you create a new SharePoint group, it can only be seen in Advanced settings!
  • Change permissions on standard SharePoint groups: Not possible any longer.
    Instead, create custom SharePoint groups for special permission levels.
  • Rename or delete standard SharePoint groups: Not recommended!

⚠️ Note: Be aware, that some changes you make here can only be fully seen in Classic UI!

⚠️ Note: Use advanced permissions with care – it is a powerful tool!

There are two permission levels that allow updating:

  • Contribute: Can view, add, update, and delete files and list items.
  • Edit: Can view, add, update, and delete files and list items.
               Plus: Can add, edit, and delete libraries and lists!

As you can see, the “Edit” permission is much stronger!
Security Risk And it is the default for Members in SharePoint!

If you don’t create extra libraries or lists in SharePoint, this is usually not a problem, as the only important library will be “Documents” – and it cannot be deleted – not even by Team owners.
However, members can also change the setup of libraries – such as metadata fields and list views on the “Documents” library – which can be unfortunate, as there is no roll-back option!

How to Restrict Members’ Editing Rights

If you have important libraries, lists, or settings that you want to ensure a member can’t accidentally change/delete, you can change “Edit” to “Contribute” in several ways:

1. On the individual library – the simple way – but not the best:
⚠️ Note: You break inheritance! (see: Unique Permissions)
⚠️ Note: Will only have a partial effect on items, where inheritance is already broken!

  • Go to permission settings for the library/list
  • Click “Stop inheriting permissions”
  • Edit user permissions for “Members”:
    Change “Edit” to “Contribute”

2. On the entire site – the better – and more complicated way:
⚠️ Note: Will only have a partial effect on items, where inheritance is already broken!
When you have read about Unique Permissions, you should be able to figure out, what I mean by “a partial effect”😉

  • Create a new SharePoint (SP) group and call it e.g., “Members-Contribute”
  • Give the group “Contribute” permission
  • Add the M365 group “<Site Name> Members”
    to the SP group “Members-Contribute”
  • Remove the M365 group “<Site Name> Members”
    from the SP group “<Site Name> Members”
    PS: Don’t be confused by the identical names – it is two different types of groups!

3. On the permission level itself – not recommended!

  • You can edit the “Edit” permission level directly
    – but I advise against this, as it can have unexpected side effects.
    It can also confuse support staff and others who don’t know this change has been made! This can be mitigated somewhat by changing the name and description of the permission level, so everyone can see what’s changed. Note: This does not, however, show in Modern UI.

⚠️ Note: Each Private and Shared channel has its own separate site, which will not be affected by the above changes! There you need to use method 1 on each library, on each site – if you need to do it for your Private and Shared channels.

PS: Previously site members only had “Contribute” access, but this changed with Modern SharePoint Sites in M365 – to the great dismay of many experienced SharePoint experts.
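
Both of the changes above – a custom “no delete” permission level (see Custom Permission Levels) and moving the Team’s members from “Edit” to “Contribute” site-wide (method 2) – can be scripted with PnP PowerShell, so they are repeatable and easy to document. This is an added example and not code from the original post; it assumes the PnP.PowerShell module, an account that is a site owner, and placeholder values for the site URL and for the names “Contribute without delete” and “Members-Contribute”.

```powershell
# Added example (not part of the original post). Requires the PnP.PowerShell module
# and an account that is a site owner. Site URL, level name and group name are placeholders.
Import-Module PnP.PowerShell
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/ProjectX" -Interactive

# --- A: a custom permission level "Contribute without delete" ---------------------
# Cloned from the built-in "Contribute" (not "Edit"), so holders can neither delete
# items nor create/delete libraries and lists. The built-in levels are left untouched.
$levelName = "Contribute without delete"
if (-not (Get-PnPRoleDefinition -Identity $levelName -ErrorAction SilentlyContinue)) {
    Add-PnPRoleDefinition -RoleName $levelName -Clone "Contribute" `
        -Exclude DeleteListItems, DeleteVersions `
        -Description "Add and update files, but never delete (custom level; see site front page for why)"
}

# --- B: move the Team's members from "Edit" to "Contribute" for the whole site ---
# The M365 group behind the Team shows up in SharePoint as a claim; the same claim
# with an "_o" suffix stands for the group's owners.
$groupId     = (Get-PnPSite -Includes GroupId).GroupId.Guid
$m365Members = "c:0o.c|federateddirectoryclaimprovider|$groupId"

$spMembers = Get-PnPGroup -AssociatedMemberGroup   # the SharePoint group "<Site Name> Members"
$newGroup  = "Members-Contribute"

if (-not (Get-PnPGroup -Identity $newGroup -ErrorAction SilentlyContinue)) {
    New-PnPGroup -Title $newGroup -Description "Team members, Contribute only (no library/list changes)" | Out-Null
}
Set-PnPGroupPermissions -Identity $newGroup -AddRole "Contribute"

# Order matters: add to the new group first, then remove from the old one,
# so nobody is locked out between the two calls.
Add-PnPGroupMember    -Group $newGroup  -LoginName $m365Members
Remove-PnPGroupMember -Group $spMembers -LoginName $m365Members

# --- Verify: the new group holds Contribute and contains the M365 members claim ---
Get-PnPGroupPermissions -Identity $newGroup | Select-Object Name
Get-PnPGroupMember -Group $newGroup  | Select-Object Title, LoginName
Get-PnPGroupMember -Group $spMembers | Select-Object Title, LoginName   # the claim should be gone here
```

Part B only affects the Team’s own site; as the note above says, each Private and Shared channel has its own site and must be handled separately. Keep the script (or its output) with your documentation of the change, so the next owner can see why members are in a group that is not the default one.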

To change these permissions:

  • Click the gear icon at the top right of the screen
  • Click “Site Permissions”
  • Click the “Advanced permissions settings” link at the bottom of “Site Permissions.”

⚠️ Note: You cannot use this method for Private and Shared channels!

Learn more here:

ℹ Modern versus Classic UI

Microsoft has been working for a long time on improving the modern user interface (UI) for managing permissions.

However, it’s not easy, and there are still some quirks/errors in the Modern UI, e.g.:

  • Both permission level “Edit” and “Contribute” are shown as “Edit” in Modern UI.
  • If you change the access on an item from “Read” to “Edit,” the user actually receives the “Contribute” permission, when you look it up in Classic UI.
  • In Classic UI, the name of the M365 member group is exactly the same as the SharePoint member group. Quite confusing, if you’re not aware of it. 🤔

Fortunately, these things rarely matter in practice.

Write a comment if you have noted other quirks or errors in the Modern UI ✏️

5. Unique Permissions for Individual Items in a Site

You can grant unique permissions to individual items in SharePoint!

Example: You can give a file different permissions from the other files in the same folder.

This is probably where most of your problems with permissions will come from – and unfortunately, in most Teams, you can’t avoid using unique permissions. 

Scope: Individual items
⚠️ Who can: By default anyone with edit permission can do this – and they can do it directly in Teams! You can limit to owners.

Inheritance and Breaking Inheritance

By default, permissions are inherited from the site down to libraries, then folders, then files.

⚠️ Note: When unique permissions are granted to an item, inheritance from the parent item is broken, which can cause problems later!
For example, if someone later adds a new SharePoint group at site level, this will not apply to items where inheritance is broken.
However, if members are later added to a SharePoint group that already had permissions on the item when inheritance was broken, they do get access – the item references the group, not its individual members. 🤔

What you can do

You can grant unique permissions at the file, folder and library level – it can be done from both SharePoint and Teams – and you can do it, without knowing you have done it!

⚠️ Note: An innocent “Copy link” can result in an item getting unique permissions!
⚠️ Note: By default, anyone with edit access can grant unique permissions!
…unless you’ve blocked this – see: Recommendations for Sites

It is possible to grant unique permissions to both SharePoint groups, security groups and users
– but try to avoid granting to individual users.

When you grant unique permissions to a SharePoint group, you can also change the group’s permission level for the specific item.
For example, on an item, you can change the SharePoint group “Members” from “Edit” to “Read”.

Ways to Grant Unique Permissions
  • Directly on the individual item (library, folder, or file)
    Via Modern UI, you can grant these permissions:
     – Can edit
     – Can review – i.e. suggest changes (only for Word documents – and only in Modern UI)
     – Can view
     – Cannot download – Can view, but not download (only in Modern UI)
    ⚠️ Note: If you (/someone) have granted access with other permission levels than the above, this does not(/only partially) show in Modern UI! For example, “Contribute” shows as “Can edit.” To see these permissions, you need to go to advanced settings for the item.
    ⚠️ Note: There is also a “panic button” for “Stop sharing”, if you are desperate.
  • Via sharing (i.e. give access to others – and thus break inheritance)
    ⚠️ Note: Always check if the settings are as desired!
    Is the correct access being granted?
  • Via links (this can also change permissions on the item – and break inheritance!) 🤔
    Copy link
    ⚠️ Note: Pay attention to the fine print under “Link copied”!
    In the example shown in the screenshot, everyone in the organization can edit if they get the link!
    Check settings via the gear icon – and change them if needed!
    💡 Tip: Whenever possible, choose “Only people with existing access,” so inheritance is not broken.
    ⚠️ Note: The default setting “People in your organization” does not work for Guests/external users!
    They will get an error when clicking the link – even if they have access to the item.
    You must instead choose link type “Only people with existing access” or “Specific people.”
    💡 Tip: For confidential/sensitive files, consider setting an expiration date on the link!
  • Via advanced settings
    ⚠️ Note: This is the classic SharePoint interface – with lots of options – Be careful!
    ⚠️ Note: Everyone can get into Advanced settings (Classic UI) directly from Teams!
More about broken inheritance

Fortunately, problems with broken inheritance, due to copied links and sharing, are rare in most small Teams – but they can occur – and the larger the Team – the higher the risk!

💡 Tip: You can avoid most of these problems if you:

  • Keep a flat structure in your folder hierarchy
  • Don’t add or remove permissions at library or folder level after the initial Team setup
  • Before breaking inheritance, consider creating a new private/shared channel or a new Team!
  • Educate your team members in correct sharing methods
  • Consider limiting sharing to owners  – see: Recommendations for Sites

If you move a file or folder to another location in SharePoint, you will find, that the unique permissions sometimes move along with it – read more here:

If you need to clean up broken inheritance, just go into advanced settings in Classic UI and click the button: “Delete unique permissions”
– but you may have to click in several places before all broken inheritance is cleaned up…
– And some users may complain that they suddenly lost access.
⚠️ Note: You need to go to advanced settings in Classic UI to do this!

⚠️ Note: Use unique permissions with caution – they can quickly become difficult to manage! 🤔

⚠️ Note: There is no Ctrl-z regret function, when it comes to permissions – so avoid mistakes! 🤔
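
Because there is no undo, it pays to see the full list of broken inheritance on a site before clicking “Delete unique permissions” anywhere. The script below is an added example, not from the original post: it walks every document library on a site with PnP PowerShell, lists each library, folder and file that has unique permissions, and then shows the one-line equivalents of “Delete unique permissions” for a single item and for a whole library. It assumes the PnP.PowerShell module, a site owner account, and a placeholder site URL.

```powershell
# Added example (not part of the original post). Reports every library, folder and file
# on a site that has unique permissions, so they can be reviewed before any clean-up.
# Requires PnP.PowerShell and a site owner; the site URL is a placeholder.
Import-Module PnP.PowerShell
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/ProjectX" -Interactive

function Get-BrokenInheritanceReport {
    $rows = [System.Collections.Generic.List[object]]::new()

    # BaseTemplate 101 = document library; hidden/system lists are skipped
    $libraries = Get-PnPList | Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }

    foreach ($lib in $libraries) {
        $null = Get-PnPProperty -ClientObject $lib -Property HasUniqueRoleAssignments, RootFolder
        if ($lib.HasUniqueRoleAssignments) {
            $rows.Add([pscustomobject]@{
                Type = "Library"; Path = $lib.RootFolder.ServerRelativeUrl; ListTitle = $lib.Title; ItemId = $null
            })
        }
        # -PageSize fetches all items in batches. HasUniqueRoleAssignments is not returned
        # by default, so it is loaded per item: one round trip each, fine for a Team,
        # slow for a library with tens of thousands of items.
        foreach ($item in Get-PnPListItem -List $lib -PageSize 500 -Fields "FileRef", "FSObjType") {
            if (Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments) {
                $rows.Add([pscustomobject]@{
                    Type      = if ([int]$item["FSObjType"] -eq 1) { "Folder" } else { "File" }
                    Path      = $item["FileRef"]
                    ListTitle = $lib.Title
                    ItemId    = $item.Id
                })
            }
        }
    }
    return $rows
}

$report = Get-BrokenInheritanceReport
$report | Format-Table Type, Path -AutoSize
$report | Export-Csv -Path ".\BrokenInheritance-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# Clean-up, one item at a time and on purpose: the same effect as "Delete unique permissions"
# in Classic UI. Everyone whose only access came from the unique grant loses it.
function Reset-ItemInheritance {
    param([string]$ListTitle, [int]$ItemId)
    Set-PnPListItemPermission -List $ListTitle -Identity $ItemId -InheritPermissions
}
# Example for a single folder/file:  Reset-ItemInheritance -ListTitle "Documents" -ItemId 42
# Example for a whole library:       Set-PnPList -Identity "Documents" -ResetRoleInheritance
```

Run the report against each Private and Shared channel site as well, since they are separate sites. Compare the list with the documentation of intended unique permissions (see Recommendations for Sites) before resetting anything: everything that is not on that list is a candidate for clean-up, and everything that is should stay.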

Via Modern UI, you can grant some special extra accesses compared to Classic UI:

  • Can review (only for Word documents):
    Allows suggesting changes
    Permission level: “Review” (you cannot change this permission level)
  • Cannot download
    Allows reading but not downloading
    Permission level: “Restricted view” (not shown with other permission levels)

Unique permissions can be granted in several ways:

  1. On the individual item
    Folder or file
    – choose the three-dot menu for the item
    – select “Manage access”
    – select the “assign access”-icon in the top corner of the box
    …or change desired permissions 
    Tip: To modify a user’s/group’s access:
    – click on the user/group and then click on the permission
    Library:
    – Go to the library
    – Click the gear icon at the top right of the screen
    – Click “Library settings”
    – Click “More library settings”
    – Click “Permissions for this document library”
    ⚠️ Note: You are now in the classic SharePoint interface – Be careful!
  2. Via sharing
    – Choose the three-dot menu for the item
    – Select “Share”
    ⚠️ Note: Always check the settings! Is the desired access being granted?
  3. Via links
    – Choose the three-dot menu for the item
    – Select “Copy link”
    ⚠️ Note: Pay attention to the fine print under “Link copied”!
    – Check settings via the gear icon – and change them if needed!
    – Is the desired access being granted?
    Tip: Whenever possible, choose “Only people with existing access,” so inheritance is not broken.
    ⚠️ Note: The default setting “People in your organization” does not work for Guests and other external users! Here you must use one of the other settings for who the link works for.
  4. Via advanced settings
    Choose the three-dot menu for the item
    – Select “Manage access”
    – Click the three-dot menu at the top right of the box
    – Select “Advanced settings”
    – Make your changes
    ……or use the “Check permissions” function

Learn more here:

Image: Unique Permissions – Modern UI
Image: Unique Permissions – Classic UI

Additional Recommendations for Permissions

Recommendations for M365 Admins

If they are not already changed – there are several settings that should/must be changed by an M365 admin – including:

  • Security Risk Anonymous links without login is enabled!
  • Security Risk Default permission on links is “Edit”!
  • Security Risk Default link type is “Only(=All) people in the organization”!
  • Security Risk Consider setting expiry on guest access to sites
  • ⚠️ Set up B2B direct connect, so external users can be added to Shared channels

Also consider:

  • Standards for types of Teams and their use
  • Training for Team owners on setting up Teams and how permissions work
  • Use of central reports on permissions and broken inheritance
  • Use of Hubs and possibly Hub visitors

Sharing Policy: Settings that should/must be adjusted

Via: SharePoint Administration > Policies > Sharing
Note: Some of these settings may already be changed in your tenant – or default settings may be different in your tenant.

External Sharing
  • Consider the settings for external sharing in your organization 🤔
  • Security Risk The default for “Content can be shared with:” is “Anyone without sign-in”!
    This should be changed to e.g., “New and existing guests” to avoid anonymous links!
    Even better is “Existing guests,” but this requires a system/procedure to manage guests.
  • Consider whether there should be different settings for SharePoint and OneDrive 🤔
  • Security Risk Optionally adjust “Allow guests to share items they don’t own” – is allowed by default!
    PS: If you restrict this, external users can only share items they have created themselves!
  • Security Risk Consider other settings in your organization
    e.g., expiration on guest access to sites
  • Security Risk Consider whether you should build or buy a system to manage guests.
    It could control e.g., who is the business owner(s) of the guest, why the guest should have access, automatic review (e.g., every year), etc.
File and Folder Links
  • Security Risk You should change the default permission on links from “Edit” to “View” to avoid unintended edits/deletions by users who should only have had read access!
    It’s incredible what users delete, when they get unintended edit/delete access.
  • Security Risk Consider which link type is selected as default, when users share files and folders.
    The default is: “Only(=All) people in the organization” – a very broad access.
    For security reasons, it’s better to change this to “Only specific people.”
    ⚠️ Note: This actually results in the link type “People with existing access” – very confusing! 🤔 But also really good, as this way users don’t break permission inheritance when copying links. This will save you from many broken inheritances! 😊😊
  • Security Risk If you decide to keep anonymous links (Anyone-links),
    you should strongly consider setting an expiration on these links!
    Also consider what permissions Anyone-links should have!
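
The same settings can be inspected and changed with the SharePoint Online Management Shell, which also gives you a record of what the tenant looked like before the change. The block below is an added example and not from the original post: it reads the current values, applies the hardened values recommended above (no anonymous links, “Specific people” as default link type, “View” as default link permission, no resharing by guests, guest access expiry), and shows the fallback if “Anyone” links must stay on. It assumes the SharePoint Administrator role, a placeholder tenant name, and a 90-day guest expiry that is an assumed policy value, not something the post prescribes.

```powershell
# Added example (not part of the original post). Tenant-wide sharing settings via the
# SharePoint Online Management Shell. Requires the SharePoint Administrator role;
# the tenant name and the 90-day guest expiry are placeholders for your own policy.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

$settings = "SharingCapability", "DefaultSharingLinkType", "DefaultLinkPermission",
            "PreventExternalUsersFromResharing", "ExternalUserExpirationRequired", "ExternalUserExpireInDays",
            "RequireAnonymousLinksExpireInDays", "FileAnonymousLinkType", "FolderAnonymousLinkType"

# 1) Record the current state and keep it with your change documentation
$before = Get-SPOTenant | Select-Object $settings
$before | Format-List

# 2) Hardened values, splatted from one hashtable so every setting can carry its reason
$hardened = @{
    # "New and existing guests": no anonymous "Anyone" links at all
    SharingCapability                 = "ExternalUserSharingOnly"
    # Default link type "Specific people" (appears to users as "People with existing access",
    # so "Copy link" no longer breaks inheritance by itself)
    DefaultSharingLinkType            = "Direct"
    # Links default to read-only; a user must deliberately choose Edit
    DefaultLinkPermission             = "View"
    # "Allow guests to share items they don't own" -> off
    PreventExternalUsersFromResharing = $true
    # Guest access to a site expires unless an owner renews it (assumed: 90 days)
    ExternalUserExpirationRequired    = $true
    ExternalUserExpireInDays          = 90
}
Set-SPOTenant @hardened

# If "Anyone" links must stay on (SharingCapability ExternalUserAndGuestSharing),
# at least make them expire and make them read-only:
# Set-SPOTenant -RequireAnonymousLinksExpireInDays 30 -FileAnonymousLinkType View -FolderAnonymousLinkType View

# 3) Verify
Get-SPOTenant | Select-Object $settings | Format-List
```

SharingCapability is the tenant-wide ceiling: individual sites can be more restrictive, never more open. OneDrive has its own setting (-OneDriveSharingCapability, same values), which is where the post’s question about different settings for SharePoint and OneDrive is answered.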

Shared Channels

⚠️ Note: To be able to add external users to Shared channels, admins must configure B2B direct connect. See: Collaborate with external participants in a shared channel (IT Admins)

To be considered

Types of Teams and Structure
  • 🤔 Consider how the structure of Teams should be built.
    Should it be completely open? Or should there be guidelines for what types of Teams exist and what they are used for?
  • 🤔 Consider what the recommendation should be for choosing to create a new channel versus creating a new Team.
  • 🤔 Consider when to create a Communication site instead of a Team.
User Training

Ensure that Team owners are trained in how permissions work – especially for critical files.

Reports

Use SharePoint’s built-in reports to get an overview of permissions and broken inheritance.
Via: SharePoint Administration > Reports > Data Access Management > Site permissions across the organization
Optionally use the “Start site access review” function for the most critical/sensitive sites in the organization.

Tools

💡 Tip: If you have to clean up a mess of broken permissions, it might be a good idea to get a tool like Sharegate to help you.

Hubs

If you have many Teams/sites, you can organize them in Hubs to get a better site structure.

This also gives you the possibility to grant access at the Hub level to Hub visitors, who by default then have read access to all SharePoint sites in the Hub.
PS: Site owners can disable this.

This can, for example, be useful for organizational Teams, where you have a Team for each team in a department plus a Team for everyone in the department.
Even if all employees are only members of their own Team and the department’s Team, they will be able to read files from all Teams in the department. That is, unless hub synchronization is turned off for a site – or there are unique permissions on individual items.

Learn more here

Recommendations for Sites

When creating a Team – or making a major change
  • Security Risk Adjust who can share (and thus change permissions and break inheritance) on the site
    – via “Site sharing” under Site Permissions in practice
    Default for files and folders is: “Everyone with edit access”!
    This can be OK for collaboration reasons – but you may not want it in your Team! 🤔
    You can change it to: “Only site owners” – then you only need to teach your co-owners the correct sharing methods 😊
  • Remember that modern SharePoint architecture is flat – both at Team/Site and folder level!
    Make at most 2–3 levels of folders – and use them primarily for access control.
    Logical organization of files is best done with metadata and list views.
  • Build the structure of channels and folders on your site, so it’s easy to grant permissions.
When you change permissions
  • If you need to grant unique permissions at folder or library level:
     – Consider creating a new private or shared channel – or a whole new Team! 🤔
     – The answer depends on the situation – and how access needs will be in the future…
  • Do not break inheritance on more than one level in a branch of the library/folder hierarchy.
    Note: This means, that if you break inheritance on a library, you should not break inheritance on any of the folders in the library!
  • Document it – including why it was done – if you change something via “Advanced Permissions” or grant unique permissions to libraries or folders. 
    Why you should do this:
    1. Your colleagues know what was done and why, if you are not around
    2. You can recreate permissions, if someone messes them up   
Regularly
  • Check regularly who has access to your files
    – the frequency depends on the criticality of your files.
    Use SharePoint’s built-in reports to get an overview of permissions and broken inheritance.
    Via: SharePoint Settings > Site Usage > Shared with external users > Run report (Note: Shows all permissions – not just external users)
Extra Tips
  • 💡 Tip: Display the front page of your SharePoint site as a tab in your Teams – and use the page to provide an overview of e.g.:
     – Guidelines for sharing content – who is allowed access to what
     – Documentation of any broken permission inheritance – including the purpose
     – List views for the document library – for example, recently created or recently modified
  • 💡 Tip: If you have issues with a user’s rights to the site, a file, or a folder, try the “Check permissions” function under “Advanced settings.”
  • 💡 Tip: Always have at least 2 owners on your site, so someone can grant access in case of absence or job change.
    But don’t have too many owners – a maximum of 3–5 is usually appropriate.
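
Two of the site-level recommendations above – limiting sharing to site owners, and regularly checking who has access – can be done from PowerShell as well as from the reports. The script below is an added example, not from the original post: with PnP PowerShell it sets “Only site owners” for site sharing and then builds a “who has access” table from the site collection administrators and every SharePoint group with its permission level(s) and members. It assumes the PnP.PowerShell module, a site owner account, and a placeholder site URL.

```powershell
# Added example (not part of the original post). Per-site hardening and a "who has access"
# overview. Requires PnP.PowerShell and a site owner; the site URL is a placeholder.
Import-Module PnP.PowerShell
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/ProjectX" -Interactive

# "Site sharing" -> "Only site owners can share files, folders, and the site".
# Members keep Edit on content but can no longer grant access or break inheritance.
Set-PnPSite -DisableSharingForNonOwners

function Get-SiteAccessOverview {
    $rows = [System.Collections.Generic.List[object]]::new()

    # Site collection administrators are in no SharePoint group but see everything
    foreach ($admin in Get-PnPSiteCollectionAdmin) {
        $rows.Add([pscustomobject]@{
            Via = "Site Collection Administrator"; PermissionLevel = "Full Control (admin)"
            Member = $admin.Title; LoginName = $admin.LoginName
        })
    }

    # Every SharePoint group, its permission level(s) on the site root, and its members.
    # How to read LoginName: "c:0o.c|federateddirectoryclaimprovider|<guid>" is the Team's
    # M365 group (suffix "_o" = its owners), "c:0t.c|tenant|<guid>" is a security group,
    # "i:0#.f|membership|<upn>" is an individual user.
    foreach ($grp in Get-PnPGroup) {
        $levels = (Get-PnPGroupPermissions -Identity $grp | Select-Object -ExpandProperty Name) -join ", "
        if (-not $levels) { $levels = "(none on site root - used only on individual items)" }
        foreach ($m in Get-PnPGroupMember -Group $grp) {
            $rows.Add([pscustomobject]@{
                Via = $grp.Title; PermissionLevel = $levels; Member = $m.Title; LoginName = $m.LoginName
            })
        }
    }
    return $rows
}

$overview = Get-SiteAccessOverview
$overview | Sort-Object Via, Member | Format-Table Via, PermissionLevel, Member -AutoSize
$overview | Export-Csv -Path ".\SiteAccess-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

The overview shows the M365 group as one row; the people behind it are the Team’s membership, which you check in Teams. A custom group listed with no level on the site root is worth a closer look: it only grants access on individual items, i.e. somewhere inheritance has been broken.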

Recommendation for a Simple Permission Model

0. Build your Teams structure for simple permissions
– Create the right Teams – not too large, not too small – and consider future needs
– Keep your structure flat – applies to both Teams and folders

1. Membership in Teams
– Use as the primary way to control access to Teams and files

2. Private and Shared Channels
– Use, if you need differentiated access to Team channels and files
– For example, for a confidential private channel for the management group in a Team

3. Site Permissions in SharePoint (Modern UI)
– Use, if you need extra control over file access
– For example, to give read access to all files for some user groups

4. Avoid using Advanced Permissions (Classic UI)
– unless absolutely necessary

5. Unique permissions for individual items in a site
– Use as little as possible!
– Only break inheritance on folders and libraries, if you are sure of the consequences
and document who has access to what – and why!

Additional advice
– Grant permissions to groups, rather than individuals, whenever possible
– Avoid adding or removing permissions at library or folder level, after the initial Team setup
– Check tenant settings – E.g., standard link type should be “Specific people”
– For links, normally use “Only people with existing access” – so inheritance isn’t broken
– Educate your team members in correct sharing methods – or stop them from sharing!
– Before breaking inheritance, consider creating a new private/shared channel or a new Team!


And last but not least – Think carefully! 🤔

    both when planning your structure – and when making changes to permissions!

Now that we have Copilot, it’s even more important, that we are in control of permissions! 

If you need assistance, you are welcome to contact me for a chat and an offer for assistance.
You can also post questions in the comments below, and I will do my best to answer them.
