Sharing SharePoint sites

Modern SharePoint sites include the option to ‘Share site’ or ‘Share site only’ (for sites linked with Microsoft 365 Groups). This option is found under ‘Site Permissions’.

Left – Non-Group based site / Right – Group based site

When the option to share site is selected, a note states the following: ‘Add users, Microsoft 365 (M365) Groups, or security groups’. The note omits to mention that sites may also be shared with mail-enabled security groups that appear to be distribution lists, or shared mailboxes.

This post describes what happens when a site is shared with each of the above and why it is important to understand what happens if a site is shared with a M365 Group, Security Group, mail-enabled Security Group, or a shared mailbox. The following is a brief explanation of each of these ‘groups’:

  • Microsoft 365 groups. These are connected with and provide access to multiple resources. Every M365 group has an Exchange Online mailbox and a SharePoint site (both used by Teams to store messages and ‘files’). Every Team in MS Teams is linked with a M365 Group. Team/Group owners are usually responsible for managing the membership of the Group/Team (not IT).
  • Distribution Lists (DLs). These are used to send an email to multiple people at the same time. They cannot be used to control access to IT resources and are not relevant to this post except that they can be confused easily with mail-enabled Security Groups (see below). End users in business areas are usually responsible for managing the membership of the list.
  • Security Groups (SGs). These are commonly used to restrict access to IT resources and membership is usually managed by IT. All organisations have multiple SGs that may be added to SharePoint site permission groups.
  • Mail-enabled Security Groups. These are Security Groups that can be used to control access to IT resources AND, just like a DL, can be used to send an email to multiple people. The membership of these Groups may be controlled by IT or end users.
  • NOTE: A shared mailbox is NOT a Group but an Exchange object. The ways these can be used to share SharePoint sites are discussed below.

You can see all four group types in the ‘Active teams and Groups’ section of the M365 admin center.

Sharing with users (including via Group membership)

Sharing the site with users is a simple process. There are two options: (a) add them to the site members or visitors permission groups; (b) add them to the M365 Group for group-based sites.

Adding users to site permission groups

Click on the ‘Share site’ or ‘Share site only’ option (shown above).

Type in the name and, if it exists in the directory, it will appear. If it doesn’t, and you have the ability to add new external users, they will be added here. Select whether the user/s will have read or edit rights and if you need to send an email with or without a message.

New users added in this way will be added to either the members (Edit) or visitors (Read) permission group for the site. If you make a mistake and select the wrong person, just click the ‘X’ to the right of their name. To add multiple people, copy their email addresses (e.g., from a distribution list) and paste them in.

You can also go ‘old school’ and click on ‘Advanced permission settings’ at the bottom of the Site Permissions section and add the people directly to the relevant permission group.

  • Click on the name of the permission group
  • Click on the drop down arrow to the right of ‘New’ and click on ‘Add Users’.

Adding users to the M365 Group (Group-based sites only)

Every M365 Group has a SharePoint site (and an Exchange Online mailbox). Every Team in MS Teams has an associated M365 Group. This means the M365 Group Owners and Members become the Teams Owners and Members. On M365 Group-based SharePoint sites, the Group/Team Owners group and Members group are added to the site’s Owners and Members permission groups respectively. That is, a (M365) group within the (SharePoint permission) group.

Adding users to an M365 Group via SharePoint gives those users access to whatever other resources are connected to the M365 Group, including the Team.

To add users, click on the option to ‘Add members to group’. This will open the following dialogue box showing who currently is an Owner or Member of the M365 Group. Users can be changed to Owners or Members, or removed, by clicking on the drop down option.

Click on ‘Add members’ to add owners or members to the group and add them by name as shown below.

SharePoint site owners are expected to update and maintain the membership of their sites and/or M365 Group (=Team if one is connected) membership. If there are more than 15 to 20 named users this may become an onerous task. Consider instead asking IT to create a new Security Group, especially if the Group is likely to be required for a period of time.

Sharing with other M365 Groups

Sharing a site with a M365 Group is similar to adding Security Groups. In both cases, it is a good idea to know who is a member of the Group first as the membership of the Group may change without the site owner knowing.

Follow the same instructions above for adding users to permission groups. Enter the name of the group then decide if the Group should have read or edit rights. As noted above, this action places the M365 Group ‘within’ the SharePoint permission group.

Remember that the owner/s of the M365 group are responsible for maintaining the membership of the group. If you add the group, how will you know who is in that group?

Sharing with security groups

Adding security groups is the same process as adding M365 groups. Enter the name of the group then decide what rights the members should have – edit or read.

Again, keep in mind that the members of the Security Group are not visible to the site owner, so it’s a good idea to check with IT.

Sharing with mail-enabled security groups

A mail-enabled Security Group is a distribution list that can be used to control access to OneDrive and SharePoint.

There are at least two problems with adding mail-enabled Security Groups to SharePoint sites:

  • They look and behave like Distribution Lists (and, in some cases, actually state they are), giving the false idea that end users can add actual distribution lists to SharePoint (which is not possible).
  • Because they behave like Distribution Lists, membership of which is usually managed by a business area, it is difficult to know who the members are at any time.

As much as possible, avoid adding mail-enabled Security Groups to SharePoint sites, especially where there may be any concerns about who can access the content of the site. Add users by name or use actual Security Groups managed centrally by IT instead.
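The group types listed at the top of this post, and the advice above on mail-enabled Security Groups, can be turned into a review of what a site's permission groups contain. The following is an added example, not part of the original post: it assumes group objects carrying the Microsoft Graph group properties `GroupTypes`, `MailEnabled` and `SecurityEnabled`; the grant list shape, function names and all sample data are hypothetical and constructed.

```powershell
# Added example. Property names (GroupTypes, MailEnabled, SecurityEnabled)
# follow the Microsoft Graph group resource; all sample data is constructed.
function Get-GroupKind {
    param([Parameter(Mandatory)] $Group)
    # M365 groups are also mail-enabled, so test for 'Unified' first.
    if ($Group.GroupTypes -contains 'Unified') { return 'Microsoft 365 group' }
    if ($Group.SecurityEnabled -and $Group.MailEnabled) { return 'Mail-enabled security group' }
    if ($Group.SecurityEnabled) { return 'Security group' }
    if ($Group.MailEnabled) { return 'Distribution list' }
    return 'Unknown group type'
}

function Test-SiteGroupGrant {
    param(
        [Parameter(Mandatory)] [object[]]  $Grants,    # hypothetical: PermissionGroup + PrincipalId
        [Parameter(Mandatory)] [hashtable] $Directory  # PrincipalId -> group object
    )
    foreach ($grant in $Grants) {
        $group = $Directory[$grant.PrincipalId]
        $kind  = if ($group) { Get-GroupKind -Group $group } else { 'Not a directory group' }
        $finding = switch ($kind) {
            'Mail-enabled security group' { 'Replace with named users or an IT-managed security group' }
            'Microsoft 365 group'         { 'Membership is managed by the group owners; review it' }
            'Security group'              { 'Confirm current membership with IT' }
            'Distribution list'           { 'Cannot control access; check this entry' }
            'Not a directory group'       { 'For example a shared mailbox; its users must each request access' }
            default                       { 'Review manually' }
        }
        [pscustomobject]@{
            PermissionGroup = $grant.PermissionGroup
            Principal       = if ($group) { $group.DisplayName } else { $grant.PrincipalId }
            Kind            = $kind
            Finding         = $finding
        }
    }
}

# Constructed directory and site grants
$directory = @{
    'g1' = [pscustomobject]@{ DisplayName = 'Project X';     GroupTypes = @('Unified'); MailEnabled = $true;  SecurityEnabled = $false }
    'g2' = [pscustomobject]@{ DisplayName = 'SG-Finance';    GroupTypes = @();          MailEnabled = $false; SecurityEnabled = $true }
    'g3' = [pscustomobject]@{ DisplayName = 'All Marketing'; GroupTypes = @();          MailEnabled = $true;  SecurityEnabled = $true }
}
$grants = @(
    [pscustomobject]@{ PermissionGroup = 'Members';  PrincipalId = 'g1' }
    [pscustomobject]@{ PermissionGroup = 'Visitors'; PrincipalId = 'g2' }
    [pscustomobject]@{ PermissionGroup = 'Members';  PrincipalId = 'g3' }
    [pscustomobject]@{ PermissionGroup = 'Visitors'; PrincipalId = 'support@contoso.example' }
)
Test-SiteGroupGrant -Grants $grants -Directory $directory | Format-Table -AutoSize
```

Group objects returned by the Microsoft Graph PowerShell cmdlet `Get-MgGroup` expose the same property names, so they can be passed to `Get-GroupKind` in place of the constructed objects.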

Sharing with shared mailboxes

This option is perhaps the oddest of all the sharing options.

A shared mailbox is NOT an active directory group, it is an Exchange object. To quote the Microsoft page below ‘Shared mailboxes are used when multiple people need access to the same mailbox, such as a company information or support email address, reception desk, or other function that might be shared by multiple people.’

So, what happens if you share a SharePoint site with a shared mailbox? Not what you think!

When a shared mailbox is added to a SharePoint site, it appears to add the mailbox and assign it either Read or Edit rights by default (which can be changed). The option to send email may be left ticked or unticked.

At this point the people who can access the mailbox CANNOT access the SharePoint site (unless they already have access).

The process above sends an invitation to the shared mailbox, which is copied to the personal mailboxes of the users who have access to the shared mailbox (depending on how the mailbox was set up).

If the end user who receives this email, via the shared mailbox or directly, clicks on the site name (link), they will receive the following error message, inviting them to request access.

Once they submit the request, the above message changes to ‘Awaiting approval. We’ll let you know about any updates.’

The SharePoint site owner/s will receive an email from each shared mailbox user who requests access, giving them the ability to accept or decline the request.

If the site default settings have not been configured to disallow access requests (in other words, if they are allowed), the ‘Accept or decline this request’ link takes the site owner (who received the email) to the Access Requests page on the site, allowing them to approve or decline the request.

The ‘Approve’ option opens the following dialog box where the requestor can be added to a permission group or given other permissions separate from those groups (which is not good practice).

If approved, the shared mailbox user will be added to the site permissions. This process has to happen for each shared mailbox user; they are not added ‘globally’.

Final comments

Sharing SharePoint sites is not a straightforward process unless they are added to an existing M365 or Security Group that already has access. Careful thought needs to be given to who is being added, how, and why. There is potential to inadvertently add someone especially via a pre-defined Group.

Mail-enabled Security Groups should not be used to give access to SharePoint sites.

Adding a shared mailbox to a SharePoint site is not as simple as it looks. It is much easier just to add the users by name or via a Security Group. Keep in mind that M365 Groups have an Exchange Online mailbox that may or may not be visible under the ‘Groups’ section of Outlook. If it’s not visible, this is probably because the Team was created first; contact IT if you want the mailbox to become visible.

Feature image: Pexels

