Recently I asked a question on social media regarding the #SharePoint “Edit” permissions assigned by default to #MicrosoftTeams Members and I stated that I would like to change that to “Contribute” when necessary. Wowzer, did that open up a can of worms… From support on the topic, to being accused of “stifling” natural / organic growth and curbing the intended purpose of #MicrosoftTeams which is to allow end users more freedom, power and ability to do what they need.

Of course I agree that it’s time empower users to achieve more, with the tools capable of doing so.

But…

In this article I’ll share my reasons to be wary, and as always you’re allowed to comment and change my perspective – it’s my opinion after all. Not every reason is directly related to permissions, but completely supports my decisions regarding the tighter management thereof.

Update 2021/04/04 – I’ve added a “In Conclusion” section at the bottom of the blog. Some might still miss the point I’m trying to make, and yes, we should never complain and not give a clear indication of how we think this can be solved.

1. Training

I have not worked with a single company who trained their users first before rolling out Microsoft Teams. Not.One. And keep in mind that I usually get involved when they’re already struggling with adoption. And this does not only apply to Microsoft Teams training, they still don’t know how to use #OneDrive well, nevermind the Office (Excel, Word, PowerPoint, Outlook) they’ve had for years. And you know what? It’s not their fault, it’s ours! That’s IT and Management & HR.

Digital Literacy is the new superpower. It’s time we start paying attention to it. In a perfect world I want all users to be trained well so they can make decisions for themselves, and use the technology as it is intended to be used – without restrictions.

2. With great power comes great responsibility

Microsoft Teams is like the mullet of the party wigs. All business in the front and party in the back, with most people COMPLETELY unaware of what actually happens when a team is created. And no. Just because it’s easy to do, doesn’t mean people don’t have to know. Not talking about something doesn’t make it less powerful or dangerous, the terrible state this world of ours is in, is a perfect example of that.

Does your team Members and Owners know what happens when a team is created? That there’s a SharePoint Site Collection behind that team, with a library and in it a folder for each channel created? Do they know best practice for sharing from OneDrive, vs Chat, vs Group Chat and eventually sharing in a team. Do they understand how to use the apps available and how this all fits in with SharePoint in the background?

They don’t, because perhaps you don’t think they need to? Well then I suggest they rather just share everything on emails, like they did before. The app doesn’t empower them, the skill to use the app does.

So, if you didn’t allow users to create Security Groups, build SharePoint Site Collections and Apps, provisioning various services before (without some form of training / control), then I’m surprised you’re doing it now with Microsoft Teams, by allowing everyone to create Teams, before ever receiving any “admin” related training.

3. Owners and Members

I always suggest having at least 2 Owners on the Team, and the rest to be Members. Owners and Members can do the same stuff apart from adding new Members / change Members into Owners. Apart from that, everyone can edit and delete everything. Yes, read that again, slowly. (We’ll talk about this later in the article).

When Members have not had training to understand the bigger picture, I don’t allow them to add channels and tabs – because normally it leads to chaos. Some think that tabs and channels are their own, and only they can see it. And same goes for Owners, if they haven’t had some form of “Owners” training, they can’t be owners on Teams or create Teams.

4. Private Channels

This should be the exception, NOT THE RULE. If I had money for every unnecessary private channel I see in Teams I’d have more motorcycles. MUCH MORE. A private channel creates a separate SharePoint site collection with its own library. Sometimes for one document. One. OMW! you could have just shared that document in a group chat OR a separate team for that audience that always needs private channels (like management).

Also, because that channel sits between our other channels, with a NOT so obvious little lock on it, it’s easy to accidentally stand on the wrong channel and share that “People to get fired on Monday” file. My brain doesn’t apply different rules to that channel as it forms part of the channels under that Team, I’d prefer it in a separate team, where I know different business rules apply.

5. SharePoint Permissions

When the team is created, it creates a Microsoft (Office) 365 Group which is the security group with members it uses for all the resources. On the SharePoint side it has 3 SharePoint groups (Visitors, Members and Owners). This Microsoft 365 Group is added to the SharePoint Members group for permissions (that’s the Owners of the Team as well as the Members in one group on SharePoint) which has Edit rights by default.

There is a huge difference between Edit and Contribute permissions. Edit rights gives the user the ability to add, edit and delete apps (libraries and lists), as well as add, edit and delete content. It would have been better if Members on Teams could just have contribute rights, or at least if we had the ability to change that on the Member’s settings – but nope. And it’s also not easy (or advisable) to try and change this. So please Microsoft, help out a girl here.

6. Item Level Permissions

I like business rules applied to “containers”. So when it comes to a team, I know that every member and owner in the team can add, edit, delete anything in the team, on any of the channels and even on other libraries / apps, Microsoft Lists if added (behind that team / on SharePoint).

Now this is where people get creative. I’ve seen them navigate to SharePoint, then change the permissions on a specific folder (behind a channel), which of course breaks how the channel / documents works. Or to share a document out of a team with another party, not part of the team. Or, create a separate library behind the team, and then change the permissions on that. I honestly see this as very bad practice – after all, it’s called a team, not a me, or a some of us. When you share a document differently, your fellow team members don’t necessarily know this, and could be making changes to that document, unaware of the new audience. And yeah, there’s a lot of people in the industry who don’t agree with me on this one, although all the users I’ve trained, and explained this risk to them, understood and agreed to do it differently. Empower people to make better, informed decisions.

There are some instances where this makes sense to me though, imagine a list in a team where members add their grievances / innovations etc. and you don’t want people to see each others submissions, then on the app in SharePoint you can set item level permissions, just remember to grant yourself (or whoever) designer rights so they can approve or view all items.

7. Trust the technology if you don’t trust the people

It’s only human to be nervous working together with people in an environment where your content can be deleted. So before you start messing with permissions because of this, rather consider setting up alerts.

So as mentioned, I don’t think it’s a good idea to store content in a team (anywhere on the SharePoint site collection behind the team for that matter) that should not be accessible to all. High risk content should rather be in a separate team or shared through group chat / OneDrive (exceptions Private Channel). Risk vs Relevance – if not relevant it’s not an issue, as long as it’s not 80% not relevant, 20% relevant to members, then rather break up into multiple teams.

Now if you’re worried about your content, consider setting up alerts on the library behind the team’s channels. Take note that you’re on the correct level (on a channel in the team, go to Files > Open in SharePoint – remember that it will open on that folder, so you would need to navigate back to the main library if that’s where you want the alert). Here you will select the folder, or the file, or just be in the main library with nothing selected and then setup the alert.

The alert can be on modifications on files you uploaded or even just on deleted items.

In Conclusion:

Microsoft Teams & SharePoint – is for me, the ultimate platform to work, share, collaborate and store content. I do believe that business deserves more responsibility and power over their working environments and the way Microsoft Teams was built, absolutely supports that. I do not believe in over-controlled environments where IT provisions the Teams for business. I also believe that it’s the right of every single employee to receive the training and support they deserve, to make better informed decisions and use the technology supplied to be more efficient and contribute to the overall digital transformation of the company.

However, to achieve this “new way of working”, we need to train ALL employees. And as we know, most of the time, this does not happen. In many companies the platform is rolled out and a year plus later, they consider training as they then start running into issues. Sadly these same companies / users blame the product for any of their mistakes made due to inexperience / lack of training or insight.

I am asking for ways to (where identified / necessary), change the roll Teams Owners and Members have, until they’ve done their training. For example:

Someone can only create Teams, assign Members and change settings / delete or archive teams when they’ve had some form of “Owners Training” – before then teams are provisioned. This of course can be done (with great difficulty), by locking down Microsoft 365 Group creation and adding identified (trained) users in a group that can create Microsoft 365 Groups.

When necessary, Members can be given Contribute rights to SharePoint (vs Edit) and not create Channels and Tabs (which is possible to modify in settings). Again, once Members have had sufficient training, this can be changed.

If you agree with my sentiment, I have added a Feature Request to Microsoft Teams UserVoice. Please vote for it.


More Resources:


Disclaimer: I create content about Office / Microsoft 365. Content is accurate at time of publication, however updates and new additions happen daily which could change the accuracy or relevance. Please keep this in mind when using my blogs as guidelines. And yes, I change my mind all the time as well, because “The only thing that is constant, is change”. My life mission is to “Facilitate the evolution of human capabilities”: Reach out on: Website > LinkedIn > SlideShare > Twitter > Medium > YouTube > MVP Profile