How do file permissions work in Microsoft Teams and SharePoint?
In Microsoft Teams, files can be stored directly in a team. This simplifies the exchange of information between team members, because they do not have to consult different sources: all files are available directly in the team. Under the hood, the data is stored in SharePoint Online in Microsoft 365. More precisely, each team has a tab called “Files”, which shows all files that are available to the team and that team members have saved there.
This data is available in the desktop client, in the web interface and in the smartphone app. Because SharePoint Online is the file storage location for Teams, the permissions that can be set there apply in Teams and in SharePoint Online alike, and the data can also be accessed directly from SharePoint.
Furthermore, via the “Synchronize” menu item, team files can be synchronized to local PCs with the OneDrive client. These options appear when users select the “Open in SharePoint” menu item from the menu of a folder or file.
Clean user accounts for clean permissions
Up front: without proper maintenance of user accounts in AD and Azure AD, file permission management in Teams and SharePoint is hardly possible.
The basis of the file permissions in Microsoft Teams are the accounts in Azure AD, which are also used throughout Microsoft 365. For this reason, it must be ensured that the user accounts are correctly maintained in hybrid environments. All data needed for assigning permissions in Teams and SharePoint must be present. Solutions such as the FirstWare IDM-Portal from FirstAttribute help with this.
Only then can the fields and attributes of the user accounts be maintained correctly and consistently, so that the groups and users in Azure AD can also be used correctly for Teams. In parallel, the synchronization processes between AD and Azure AD must always function reliably, so that every changed field and attribute is also synchronized.
User accounts in Azure AD can be bundled into groups and used as the basis for permissions. For this to work, all user account data must be maintained cleanly. IAM solutions such as the FirstWare IDM-Portal are suited to this purpose, because attributes and fields can be maintained far more conveniently there and the user accounts are less prone to errors. User accounts can be maintained locally and synchronized to Azure AD through automatic processes, scripts and easy-to-fill fields. After that, the users and groups are also available in Teams and the other applications in Microsoft 365.
File permissions in Microsoft Teams
For every file and folder in a team, a three-dot menu appears on the right side after selecting the object. To adjust permissions, the file must be opened in SharePoint Online; the corresponding menu item is available in the file's menu. In SharePoint, an “i” icon in a circle on the right side opens the detailed settings of the file or folder.
The details also show who has access to the document. The link “Manage Access” allows the permissions to be adjusted. Under “Links giving access” it can be seen which users have been granted access to the file through a link. Under “Direct access” individual users can be given direct access to a file.
Those who already have access to the file are also listed in this window. Owners of a team normally have comprehensive rights to a file, whereas the members of a team have limited rights. Clicking the small arrow next to the respective group opens a menu, in which it is possible to specify that the group or user should no longer have access (“Do not share”).
Further menu items at this point are the rights “Can edit” and “Can view”; the corresponding icons are also shown in the window. This allows the owners of a file to adjust the permissions of files and even entire folders in a very granular way, directly via Teams and SharePoint. If the permission for a file, for example a document, is changed to “Can view”, the members can no longer edit or delete the file. They can, however, still view it.
Control advanced permissions for files in Teams and SharePoint
In the permission settings of the team files, the menu item “Advanced” is also available. Here administrators can adjust the permissions for the files directly in SharePoint, and users of the team can also assign extended permissions for documents. By default, a folder or library inherits the permissions of its parent object in SharePoint, which is what the window shows at this point.
If different permissions are to apply to a file or folder, users or admins with the appropriate permission can use the menu item “Stop Inheriting Permissions” to detach the permissions from the parent object and assign their own. Before inheritance is stopped, SharePoint displays a warning.
Again, SharePoint uses the accounts and users from Azure AD, which must be properly maintained for this. When manually granting permissions for a document, names and user accounts can be searched for. They can only be found here if the data has been maintained correctly and, in hybrid environments, also synchronized correctly between Active Directory and Azure Active Directory. This fact cannot be repeated often enough.
After individual users or groups that are not part of SharePoint's default groups have been assigned, SharePoint Online shows them for the file when you view its permissions.
The menu item “Manage parent element” can be used to manage the rights of the parent object, which are ultimately inherited by the current object.
In the middle of the window you can see which permission levels the individual SharePoint groups have for the documents and files in the respective team and its associated library in SharePoint. Clicking one of the groups switches to the settings of that group.
With “Check permissions” it is possible to search for user accounts and groups. SharePoint then evaluates the permissions of the user or group and displays them in the window. This allows permissions to be checked flexibly when the permission structure in the company is a bit more complicated.
Control rights in libraries
Those who have the right to control the permissions of the parent elements in SharePoint can grant additional rights via “Grant Permissions”. Here it is also possible to delete unique permissions that are not controlled centrally by groups. If special permissions exist for individual elements, SharePoint shows this in the window as well.
If the user accounts in the on-premises Active Directory are maintained cleanly, they can be synchronized to Azure AD using Azure AD Connect. This is an essential basis for using AD groups or grouped user accounts for permissions in Teams. We have described synchronization in more detail in the following posts:
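The “Stop Inheriting Permissions” and “Check permissions” features above are per-object and easy to lose track of. As an added example (not code from the original post or from FirstAttribute), the following PnP PowerShell script audits a team's document library for files and folders with unique permissions and lists who holds direct access on each. The site URL, library name and output path are placeholders; newer PnP.PowerShell releases also require `-ClientId` of your own app registration on `Connect-PnPOnline`.

```powershell
# Added example: report every item in a Teams-connected library that no longer
# inherits permissions, together with the principals and permission levels
# assigned directly on it. Requires the PnP.PowerShell module.
Import-Module PnP.PowerShell

$SiteUrl = "https://contoso.sharepoint.com/sites/ExampleTeam"  # placeholder site
$Library = "Documents"   # default library behind the Teams "Files" tab
$OutFile = ".\TeamFilePermissions.csv"                           # placeholder path

Connect-PnPOnline -Url $SiteUrl -Interactive

# Page through all files and folders in the library.
$items = Get-PnPListItem -List $Library -PageSize 500

$report = foreach ($item in $items) {
    # True only where someone used "Stop Inheriting Permissions" on this item.
    $unique = Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments
    if (-not $unique) { continue }

    # Load the direct role assignments, then the principal and the permission
    # level(s) ("Edit", "Read", ...) bound to each one.
    $assignments = Get-PnPProperty -ClientObject $item -Property RoleAssignments
    foreach ($ra in $assignments) {
        $member = Get-PnPProperty -ClientObject $ra -Property Member
        $levels = Get-PnPProperty -ClientObject $ra -Property RoleDefinitionBindings
        [PSCustomObject]@{
            Path      = $item["FileRef"]
            Type      = if ($item.FileSystemObjectType -eq "Folder") { "Folder" } else { "File" }
            Principal = $member.Title
            LoginName = $member.LoginName
            Levels    = ($levels | ForEach-Object { $_.Name }) -join ", "
            # Sharing links created under "Links giving access" typically appear
            # as principals whose title starts with "SharingLinks."; flag them so
            # they can be reviewed separately from named users and groups.
            IsSharingLink = [bool]($member.Title -like "SharingLinks.*")
        }
    }
}

$report | Sort-Object Path | Format-Table Path, Type, Principal, Levels, IsSharingLink -AutoSize
$report | Export-Csv -Path $OutFile -NoTypeInformation
```

Run it periodically and compare the CSV against the previous run: a new row means inheritance was broken or a direct grant added since the last check, which is exactly the kind of drift the team owner should confirm or revert.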
Azure AD Connect and Azure AD Connect Cloud Sync
FirstAttribute AG – Identity Management & IAM Cloud Services