Who can add members, view shared resources, or take part in group conversations? We break down the permissions for each role in Office 365 Groups.
Don’t be fooled: Office 365 Groups is not another product.
Groups is actually similar to your security groups in SharePoint classic. The only difference is that Groups lives in your Azure Directory in modern SharePoint and has a provisioning robot.
For IT admins, Groups is key for modern workplace governance because it has a sense of centralized management. But to create an effective governance strategy, you first need to understand who has what permissions—as well as why it matters.
By default, anyone in your organization can create an Office 365 Group. Also by default, the user who creates a group becomes that group’s designated owner.
These users have unique permissions, like the ability to:
- Add or remove members from the group
- Delete conversations from the shared inbox
- Change different settings about the group
- Rename the group
- Update the description or picture
- And more!
Group owners are the moderators. If you’re familiar with SharePoint roles, then you can think of a group owner as the site collection admin.
It’s worth noting that the role of group owner isn’t set in stone: members can later be promoted to owner status, and owners can also be demoted.
Members are regular users within your organization who have been added to an Office 365 Group by the group owner.
Members using a group to collaborate have access to everything—they just can’t change settings. In the SharePoint world, group members would be the site members.
Office 365 Group Permissions
| Permission | Owner | Member | Guest |
|---|---|---|---|
| Create a group | ✔ | ✔* | |
| Join a group | ✔ | ✔ | ✔ |
| Delete a group | ✔ | | |
| Add/remove group members | ✔ | | |
| Access group site | ✔ | ✔ | |
| Start/reply to a conversation | ✔ | ✔ | ✔ |
| Delete conversations from shared inbox | ✔ | | |
| View/modify group calendar | ✔ | ✔ | |
| View/edit group files | ✔ | ✔ | ✔** |
| Access group OneNote notebook | ✔ | ✔ | ✔ |
| Change group settings | ✔ | | |
| Rename the group | ✔ | | |
| Update the group description or picture | ✔ | | |
*Members are users within your organization—meaning that if self-service functionality is enabled, they can create a new group where they would then become the owner.
**Guests can view and edit group files if the admin has enabled external sharing.
With the switch from a technology-driven to an intent-driven approach, it’s easier than ever for teams to collaborate with the right people, regardless of location.
Guest access lets your end users collaborate with experts, partners, vendors, suppliers, and consultants outside of your organization.
Any group owner of an Office 365 Group can grant access to their group’s conversations, files, calendar invitations, and the group notebook—although as an admin, you can also control that setting.
All of a guest’s interactions with the rest of the group take place through their email, since guests don’t have access to the group site. But they can still receive calendar invitations to their inbox, and—if the admin has turned on the setting—links to shared files and attachments.
Read step-by-step directions for how to add guests in the official Microsoft support documentation.
Why roles are so important
If group members have access to all the same resources as group owners, then why should IT admins bother keeping track of who has what role?
Let’s imagine that a group only has one owner; and that owner later leaves the company—as employees frequently do. That group could suddenly find itself ownerless, transformed into what Microsoft calls an “orphaned group”. You can read how to assign a new owner to an orphaned group in the Microsoft support documentation.
Because group owners have control over all of the settings and functionality of an Office 365 Group, it’s a real problem when a group finds itself without an owner because that means there’s nobody with the proper permissions to manage it.
To avoid a situation like that from happening, some organizations implement a policy requiring a minimum number of owners per group.
"What happens if/when a user is deleted and they are the ONLY owner of that Office 365 Group? I assume the Global Administrator can assist? And/or run a report to see who is ownerless in a group?" @MLCarter1976
If a group ends up ownerless—because a user left the company, or their Office 365 account is no longer valid—the Global Administrator can assign a new owner to that orphaned group by using:
- The web portal
- The Office 365 Admin mobile app
You can read step-by-step instructions for the three methods above in the official Microsoft support documentation.
To answer the second part of your question: Office 365 unfortunately doesn't include any feature to scan for or report on orphaned groups.
Currently, you can use PowerShell to track group changes, or scan the ownership information for each group to check if it's empty. Otherwise, you might consider using a third-party tool.
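One way to do the ownership scan described above, and to check a minimum-owners policy at the same time. This is an added example, not code from the original article or from Microsoft. It uses the Exchange Online cmdlets `Get-UnifiedGroup` and `Get-UnifiedGroupLinks`; the function names `Get-OwnerGap` and `Get-GroupOwnerReport`, the minimum of two owners, and the sample data are assumptions made for illustration.

```powershell
# Added example. The live query needs the ExchangeOnlineManagement module and an
# existing Connect-ExchangeOnline session. MinOwners = 2 is an assumed policy value.

function Get-OwnerGap {
    # Classifies one group by its owner count. No tenant access needed.
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [string[]] $Owners = @(),
        [int] $MinOwners = 2
    )
    if ($Owners.Count -eq 0) {
        $status = 'Orphaned'          # nobody can manage the group
    } elseif ($Owners.Count -lt $MinOwners) {
        $status = 'BelowMinimum'      # one departure away from being orphaned
    } else {
        $status = 'OK'
    }
    [pscustomobject]@{
        Group      = $GroupName
        OwnerCount = $Owners.Count
        Owners     = $Owners -join '; '
        Status     = $status
    }
}

function Get-GroupOwnerReport {
    # Live query: walks every Office 365 Group and reads its Owners link.
    param([int] $MinOwners = 2)
    foreach ($group in Get-UnifiedGroup -ResultSize Unlimited) {
        $owners = @(Get-UnifiedGroupLinks -Identity $group.ExternalDirectoryObjectId -LinkType Owners |
                    ForEach-Object { $_.PrimarySmtpAddress })
        Get-OwnerGap -GroupName $group.DisplayName -Owners $owners -MinOwners $MinOwners
    }
}

# Constructed sample data (not real groups) to show the classification offline.
$sample = @(
    @{ GroupName = 'Marketing';  Owners = @('ana@contoso.example', 'li@contoso.example') }
    @{ GroupName = 'Project-X';  Owners = @('sam@contoso.example') }
    @{ GroupName = 'Old-Launch'; Owners = @() }
)
$report = foreach ($g in $sample) { Get-OwnerGap @g }
$report | Where-Object Status -ne 'OK' | Format-Table

# Against a tenant, after Connect-ExchangeOnline:
# Get-GroupOwnerReport -MinOwners 2 | Where-Object Status -ne 'OK' |
#     Export-Csv -Path .\group-owner-gaps.csv -NoTypeInformation
```

Running the report on a schedule and reviewing the `BelowMinimum` rows lets an admin add a second owner before a departure turns the group into an orphan.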