Office 365 Groups: Advanced Permissions

Overview

By default when you create an Office 365 group, you have pre-set permissions for group Owners and group Members.  There are times you need to have more custom permissions.  One example use case for this is to restrict editing or even access of a folder within your group to a subset of members.  The following is an example of how to do this.

There are two steps - creating the group, and restricting that folder to that group

Create a restricted access group

  1. Go to the file library for the group.
  2. Click the Gear icon at the top right and choose Site permissions then choose Advanced permissions settings on the right
  3. Click Create Group at the top.  Set a name, and Permission Level of the group.  If you are creating a group to give a higher level of access to certain folders - we recommend Edit is the permission you give (and what is being used in this example).  Click Create at the bottom right when done.
  4. You will then have to add people to this group (the group creator is added by default).  To add people to an access group, make sure you are in that group and click New and choose Add Members.
  5. Enter the names or email addresses of the people you want to share with and click Share.
  6. You can return back to the normal group view by clicking Documents on the left.

 

Restricting a folder to an access group

Now that you've created an access group, it is time to restrict access to a folder to that group.

  1. Mark the folder you want to restrict (via the check box on the left next to the folder name), and click the button at the top right to open the details pane.
  2. Click Manage access to open the permissions window.
  3. If you want to make it so only group owners, and your new group can view the documents in this folder - then click on the other groups and change "Can Edit" to "Stop Sharing".  In the example below, I am doing this for the "Members" group.  If you instead just wanted this folder to be read-only for members of the restricted group, then click Change to view only instead.
    Screenshot showing how to remove the Edit privilege for the Members group.

Special Warning

These advanced permissions can be very useful and allow you to have a single department group - with restricted sub-folders.  Unfortunately managing group permissions at a per-folder level can risky if not well thought-out and managed.  There are a few things you need to commit to if you are going to rely on the advanced permissions here:

  • It is the responsibility of the group owners to manage membership.  If people leave your department, are no longer involved in a committee/project/whatever - you should remove them.  You will have to remove them from the Office 365 group - as well as the custom access groups you have created.
  • If you create new access groups - they will, by default, have access to all folders, even ones you previously restricted.  If you have existing restricted folders when you create a new access group (that should NOT have access to your existing restricted folders) - make sure to set the permissions on those existing folders to remove access for this new group.

Details

Article ID: 46382
Created
Tue 1/16/18 1:28 PM
Modified
Tue 7/16/19 3:11 PM