Understanding SharePoint Online Security for the non-IT Worker

Published by David on

We are now at the point where RTO (Return to Office) policies are in full swing.  The concept of a hybrid work environment is the new norm for businesses around the world.  One of the things that many non-IT professionals find themselves having to deal with now is understanding how SharePoint Online security works.  You do not want to accidentally have everyone in your company see a document that should be for your Senior Leadership’s eyes only.  It is recommended to use the share feature built into SharePoint/OneDrive primarily, but in some cases, it may not be the correct solution.  This post is to help you understand, (at least a little bit better) how SharePoint Online security works and how to make changes that you understand.

High Level SharePoint Security Understanding

Each SharePoint site has its own Security Schema, created by Microsoft Teams, Viva Engage (f.k.a. Yammer), M365 Planner, or a standard security schema with a lone standing classic SharePoint site. Each site has three primary security groups on creation that you should know along with the permissions they are given. (See Table 1) When the site is first created, every part of the site will have the same security. Every library, list, page, and item will inherit the same security of the site.

SharePoint Security Group Permissions Initially Given
<team name> Owners Full Control Permissions
<team name> Members Contributor Permissions
<team name> Visitors Read Only Permissions

Table 1

When a business case requires for you to share the site, library, list, or item with everyone in the organization, you can use the group Everyone except external users. You must be cautious about using this group as it will allow all employees in your tenant to be able to view/contribute to every object that falls under the level you give the permission at. (See Image 1) If you give permission at the site level, every other square within the Site square will also get the same permissions. Use this image to understand how your giving permission to a SharePoint object at different levels can also unlock many other areas for one person or everyone in your tenant. Everything inside the object you give permission to will also get the same permissions.  Be cautious when breaking inheritance as it will make your job maintaining the security schema more difficult by N + 1 (N = number of inheritance breaks).


Image 1

How to Add/Remove a User to SharePoint Site Directly

If you want to add/remove people from a Microsoft Team, do so through Microsoft Teams. These instructions are specific to adding/removing users who interact with just your SharePoint site, whether based off a Microsoft Team or a classic SharePoint site. Getting to the appropriate page will depend if you are on a Modern Team Site or Classic. I will provide instructions for both.

  1. Go to Advanced Site Permissions.
    1. On a Modern Site (i.e., Microsoft Teams SharePoint site, Communication site)
      1. Click on the gear in the top right corner of the page near your profile picture (See Image 2)
        Gear found in top right of SharePoint Online
        Image 2
      2. In the drop-down menu, select “Site Permissions.”  If you do not see this, you may not have the right permission to go further.
      3. At the bottom of slide out, click the Advanced permissions settings Link (See Image 3)
        Advanced Permissions Setting Link
        Image 3
    2. On a Classic Site
      1. Click on the gear in the top right corner of the page near your profile picture (See Image 4)Gear found in top right of SharePoint Online
        Image 4
      2. In the drop-down menu, select “Site Settings” If you do not see this, you may not have the right permission to go further.
      3. Under the Users and Permissions group, select Site Permissions (See Image 5)
        Site permissions link
        Image 5
  2. Click on the appropriate Group you want to add the individual(s) you want to add them to. (Note: It is good to have 2-3 owners)
  3. Click on New and add the individual(s) to the group by finding them with name or email address. (See Image 6)
    Share pop up to give permissions
    Image 6
  4. Once selected, decide if you want to send an email to the site you are sharing or click show options and uncheck the email checkbox.
  5. Click the Share button.

How to Add/Remove Users to a List or Library

Giving a user(s) access to a list or library should be done using the Share button when possible. These instructions are used to give direct access to the list or library instead. To get to the appropriate page will depend if you are on a Modern Team Site or Classic. I will provide instructions for both.

  1. Go to List/Library Settings
    1. On a Modern List/Libraries (i.e., Microsoft Teams SharePoint site, Communication site)
      1. Click on the gear in the top right corner of the page near your profile picture (See Image 7)

        Gear found in top right of SharePoint Online
        Image 7

      2. Select List/Library Settings in the flyout menu.
    2. On a Classic List/Library
      1. Click on the List/Library Tab in the top left of the page (See Image 8 #1)
      2. Click on List/Library Settings button to the far right of the ribbon (See Image 8 #2)
        Image of a list or library ribbon in SPO.
        Image 8
  2. Under Permissions and Management -> Click Permissions for this document library (See Image 9)

    Image 9
  3. Click the Stop Inheriting Permissions button in the ribbon at the top of the page (See Image 10)

    List or Library ribbon button to break inheritance.
    Image 10

  4. Click on the appropriate Group link you want to add the individual(s) to.
  5. Click on New and add the individual(s) to the group by finding them with name or email address. (See Image 11)
    Share pop up to give permissions
    Image 11
  6. Once selected, decide if you want to send an email to the site you are sharing or click show options and uncheck the email checkbox.
  7. Click the Share button.

How to Add/Remove Users to a Folder, Document, Item

Giving a user(s) access to a folder, document, or item should be done using the Share button when possible. These instructions are used to give direct access directly to a folder, document, or item instead. To get to the appropriate page will depend if you are on a Modern Team Site or Classic. I will provide instructions for both.

  1. In a Modern Library/List
    1. Select the folder, document, or item you want to give direct permission to (See Image 12)
      Image of a document selected in a SPO doc library.
      Image 12
    2. Click the ellipses (…) just to the right of the document/item Name/Title
    3. Click Manage Access in the drop-down menu (See Image 13)
      Manage Access choice in pop down menu.
      Image 13
    4. In the manage Access popup window, click the ellipses (…) in the upper right corner and select Advanced Settings. (See Image 14)
      Advanced Settings button in drop-down pop-up menu in SPO.
      Image 14
  2. In a Classic List/Library
    1. Select the folder, document, or item you want to give direct permission to (See Image 15)
      Document selected in Classic SPO doc library.
      Image 15
    2. Click the ellipses (…) just to the right of the document/item Name/Title
    3. Click Share in the bottom left corner of the popup (See Image 16)
      Pop-Up menu from ellipses in SPO doc library.
      Image 16
    4. Another Popup will appear, on the left click the Shared with button (See Image 17)
      Classic SPO doc library Share pop-up to get to advanced settings.
      Image 17
    5. Click Advanced in the bottom right corner of the popup window.
  3. Click the Stop Inheriting Permissions button in the ribbon at the top of the page (See Image 18)

    List or Library ribbon button to break inheritance.
    Image 18

  4. Click on the appropriate Group you want to add the individual(s) who should see the document.
  5. Click on New and add the individual(s) to the group by finding them with name or email address. (See Image 19)
    Share pop up to give permissions
    Image 19
  6. Once selected, decide if you want to send an email to the site you are sharing or click show options and uncheck the email checkbox.
  7. Click the Share button.
Categories: Theory and Thoughts

Related Posts

Best Practices

Building a SharePoint List to Capture Microsoft Forms Data

Building a SharePoint List – Why? This question is legitimate if you want to know what is beyond the current functionality of Microsoft Forms.  It’s true that capturing data is what Microsoft Forms is all Read more…

Theory and Thoughts

Imperative SharePoint Column Creation Best Practices

This post will help you whether you are building a site column, list column, or a library column.  The behavior is the same across the boards and includes some sound best practices.  We are going Read more…

Theory and Thoughts

MS SharePoint Alerts – The Most Useful Forgotten Feature

Despite the desire to be alerted to additions, changes, or deletions in Microsoft SharePoint or Microsoft SharePoint Online, I am completely surprised at the fact the alert is not used nearly as often as one Read more…