Learn about Microsoft 365 group owner roles. We walk through who can add members to a group, view shared resources, or take part in group conversations? Read on for a thorough explanation of the permissions for each role in Microsoft 365 Groups.
So, what are Microsoft 365 Groups exactly?
Groups is actually similar to your security groups in SharePoint classic. The only difference is that Groups lives in your Azure Directory in modern SharePoint and has a provisioning robot.
For IT admins, Microsoft 365 Groups is key for modern workplace governance because it has a sense of centralized management. But to create an effective governance strategy, you first need to understand who has what permissions—as well as why it matters.
You need to understand the different permissions for each of the following roles in Microsoft 365 Groups…
Table of contents
Microsoft 365 group owners
By default, anyone in your organization can create a Microsoft 365 Group. Also by default, the user who creates a group becomes that group’s designated owner.
These users have unique permissions, like the ability to:
- Add or remove members from the group
- Delete conversations from the shared inbox
- Change different settings about the group
- Rename the group
- Update the description or picture
- And more!
Group owners are the moderators. If you’re familiar with SharePoint roles, then you can think of a group owner as the site collection admin.
It’s worth noting that the role of group owner isn’t set in stone: members can later be promoted to owner status, and owners can also be demoted.
Microsoft 365 group members
These are regular users within your organization who have been added to a Microsoft 365 Group by the group owner.
Members using a group to collaborate have access to everything—they just can’t change settings. In the SharePoint world, group members would be the site members.
To maximize teamwork and productivity, controlling who can create Microsoft 365 groups is crucial so your organization’s digital workspace is optimized to boost efficiency and collaboration.
Office 365 Group Permissions
Permission | Owner | Member | Guest |
---|---|---|---|
Create a group | ✔ | ✔* | |
Join a group | ✔ | ✔ | ✔ |
Delete a group | ✔ | ||
Add/remove group members | ✔ | ||
Access group site | ✔ | ✔ | |
Start/reply to a conversation | ✔ | ✔ | ✔ |
Delete conversations from shared inbox | ✔ | ||
Manage meetings | ✔ | ✔ | |
View/modify group calendar | ✔ | ✔ | |
View/edit group files | ✔ | ✔ | ✔** |
Access group OneNote notebook | ✔ | ✔ | ✔ |
Change group settings | ✔ | ||
Rename the group | ✔ | ||
Update the group description or picture | ✔ |
*Members are users within your organization—meaning that if self-service functionality is enabled, they can create a new group where they would then become the owner.
**Guests can view and edit group files if the admin has enabled external sharing.
Microsoft 365 group guests
With the switch from a technology-driven to an intent-driven approach, it’s easier than ever for teams to collaborate with the right people, regardless of location.
Guest access lets your end users collaborate with experts, partners, vendors, suppliers, and consultants outside of your organization.
Any group owner of a Microsoft 365 Group can grant access to their group’s conversations, files, calendar invitations, and the group notebook—although as an admin, you can also control that setting.
All of a guest’s interactions with the rest of the group take place through their email since guests don’t have access to the group site. But they can still receive calendar invitations to their inbox, and—if the admin has turned on the setting—links to shared files and attachments.
Read step-by-step directions for how to add guests in the official Microsoft support documentation.
MVP tips: How to handle group roles and permissions
In this short clip from his ShareGate webinar, Microsoft MVP Vlad Catrinescu (@vladcatrinescu) discusses who should be able to create groups, how to empower end users to create groups, and managing ownerless teams. Check it out:
Why roles are so important
If group members have access to all the same resources as group owners, then why should IT admins bother keeping track of who has what role?
Let’s imagine that a group only has one owner, and that owner later leaves the company—as employees frequently do. That group could suddenly find itself ownerless, transformed into what Microsoft calls an “orphaned group”. You can read how to assign a new owner to an orphaned group in the Microsoft support documentation.
Because group owners have control over all of the settings and functionality of a Microsoft 365 Group, it’s a real problem when a group finds itself without an owner because that means there’s nobody with the proper permissions to manage it.
To avoid a situation like that from happening, some organizations implement a policy requiring a minimum number of owners per group.
“What happens if/when a user is deleted and they are the ONLY owner of that Microsoft 365 group? I assume the Global Administrator can assist? And/or run a report to see who is ownerless in a group?”
@MLCarter1976
If a group ends up ownerless—because a user left the company, or their Microsoft 365 account is no longer valid—the Global Administrator can assign a new owner to that orphaned group by using:
- The web portal
- PowerShell
- The Microsoft 365 Admin mobile app
You can read step-by-step instructions for the three methods above in the official Microsoft support documentation.
To answer the second part of your question: Microsoft 365, unfortunately, doesn’t include any feature to scan for or report on orphaned groups.
Currently, you can use PowerShell to track group changes or scan the ownership information for each group to check if it’s empty. Otherwise, you might consider using a third-party tool.