
Configuring Secure SharePoint Site Permissions

Audience: Site owners, departmental IT staff, SharePoint administrators

Purpose: Configure SharePoint permissions for security, governance, and usability


Quick Reference

TL;DR
  • Use Scope Groups — Always use CSG (site access) and FSG (folder access) instead of individual accounts
  • Start Private & Verify Defaults — Create sites as "Private" and remove broad groups like Everyone except external users
  • Share Wisely — Use "Specific people" links; avoid "Anyone" or organization-wide links

Key Principles Checklist

Before configuring permissions:

  • Use Scope Groups — CSG for site access, FSG for folder/library access
  • Start Private — Explicitly grant access rather than starting public
  • Review Defaults Immediately — Remove Everyone except external users from site groups
  • Understand Site Types — Team Sites vs. Communication Sites have different models
  • Share Wisely — Use "Specific people" links for sensitive content
  • Regularly Review Access — Periodically audit who has access
  • Least Privilege — Grant minimum permissions needed

Permission Levels Reference

Level        | Abilities
Read         | View pages, list items, download documents
Contribute   | View, add, update, delete list items and documents
Edit         | Contribute + add, edit, delete lists
Full Control | Complete control over site, content, settings, and permissions
Design       | Edit + approve items, customize site design

SharePoint Groups vs. Entra ID Groups

SharePoint Groups

  • Exist only within a specific SharePoint site
  • Examples: [Site Name] Owners, [Site Name] Members, [Site Name] Visitors
  • Act as containers assigned a permission level
  • You add users or Entra ID groups into these groups

Entra ID Groups (CSG/FSG)

  • Centrally managed in Microsoft Entra ID
  • CSG — Cloud Scope Groups for site-level access
  • FSG — File Scope Groups for folder/library access
  • Security groups used for granting resource access

Best Practice

Populate SharePoint Groups with Entra ID Security Groups (CSG/FSG) rather than adding individual user accounts.


Prerequisites

Requirement         | Details
Role                | SharePoint Site Owner or Site Manager
Credentials         | University NetID
Data Classification | Understanding of site data sensitivity
Scope Groups        | CSGs/FSGs created in Entra ID

Configuration Procedure

Step 1: Define Site Purpose and Data Sensitivity

Before configuring permissions:

  1. Determine Site Type

    • Team Site — For collaborative group work
    • Communication Site — To broadcast information
  2. Identify Audience Roles

    • Owners — Site administrators (2-3 people)
    • Members/Contributors — Create and edit content
    • Visitors/Readers — View content only
  3. Assess Data Sensitivity

    • Public, Internal, Confidential, FERPA-protected
    • Classification dictates security level required

Step 2: Utilize Scope Groups (CSGs & FSGs)

Do not add individual user accounts directly to SharePoint site groups.

For Site-Level Access

Use CSG (Cloud Scope Groups):

CSG - [FAMIS Code] - [Site Purpose] - [Access Level]
Example: CSG - VPOP - ResearchAlpha - Collaborators

For Granular Access

Use FSG (File Scope Groups) only when breaking inheritance:

FSG - [FAMIS Code] - [Descriptive Purpose]
Example: FSG - VPOP - ResearchAlphaSensitiveData - EditRestricted

Document where inheritance is broken and which FSGs are used.

Step 3: Configure SharePoint Site Group Permissions

Navigate to Settings → Site permissions → Advanced permissions settings

Configure Owners Group

  1. Click on [Site Name] Owners
  2. Remove individuals and non-approved groups
  3. Remove Everyone and Everyone except external users
  4. Add your CSG - ... - Owners group
  5. Verify Full Control permission level

Configure Members Group

  1. Click on [Site Name] Members
  2. Remove Everyone except external users
  3. Add your CSG - ... - Members group
  4. Assign Edit or Contribute permission level

Configure Visitors Group

  1. Click on [Site Name] Visitors
  2. Remove Everyone except external users
  3. Add your CSG - ... - Visitors group
  4. Verify Read permission level

Critical Step

Always check Advanced permissions settings to remove broad system groups from Owners, Members, and Visitors SharePoint groups.
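As an added example (not part of this guide and not a campus-provided tool), the following PnP.PowerShell script audits the site's Owners, Members and Visitors groups against Steps 2 and 3: it flags Everyone and Everyone except external users, individual accounts, groups whose names do not follow the CSG convention, and unexpected permission levels, and lists libraries whose inheritance is broken so their FSGs can be documented. It assumes the PnP.PowerShell module is installed and that Connect-PnPOnline has already been run against the site by a Site Owner. The regular expression for the CSG naming pattern, the helper names, and the remediation function are assumptions of this example rather than a documented campus standard.

```powershell
# Added example: audit the default SharePoint groups of the connected site (PnP.PowerShell).
# Assumes: Install-Module PnP.PowerShell; Connect-PnPOnline -Url <site URL> -Interactive (as a Site Owner).
# The regex encodes Step 2's "CSG - [FAMIS Code] - [Site Purpose] - [Access Level]" convention (an assumption).
$CsgPattern = '^CSG - [A-Z0-9]+ - [A-Za-z0-9]+ - [A-Za-z0-9]+$'

# Broad system principals that Step 3 says must not remain in the site groups
$BroadPrincipals = @('Everyone', 'Everyone except external users')

function Test-CsgName {
    param([Parameter(Mandatory)][string]$Name)
    return $Name -match $CsgPattern
}

function Get-SiteGroupFindings {
    # One object per problem found in the three associated site groups
    $checks = @(
        @{ Group = Get-PnPGroup -AssociatedOwnerGroup;   Expected = @('Full Control') },
        @{ Group = Get-PnPGroup -AssociatedMemberGroup;  Expected = @('Edit', 'Contribute') },
        @{ Group = Get-PnPGroup -AssociatedVisitorGroup; Expected = @('Read') }
    )
    $findings = foreach ($c in $checks) {
        $g = $c.Group
        # Permission-level check: Full Control / Edit or Contribute / Read, as in Step 3
        foreach ($level in (Get-PnPGroupPermissions -Identity $g).Name) {
            if ($c.Expected -notcontains $level) {
                [pscustomobject]@{ Group = $g.Title; Member = ''; LoginName = ''; Issue = "Unexpected permission level '$level'" }
            }
        }
        # Membership check
        foreach ($m in Get-PnPGroupMember -Group $g) {
            $issue = $null
            if ($BroadPrincipals -contains $m.Title)  { $issue = 'Broad system group: remove' }
            elseif ($m.PrincipalType -eq 'User')      { $issue = 'Individual account: replace with a CSG' }
            elseif (-not (Test-CsgName $m.Title))     { $issue = 'Group name does not follow the CSG convention' }
            if ($issue) {
                [pscustomobject]@{ Group = $g.Title; Member = $m.Title; LoginName = $m.LoginName; Issue = $issue }
            }
        }
    }
    return @($findings)
}

function Get-UniquePermissionLists {
    # Lists and libraries that no longer inherit site permissions (where FSGs should be documented, Step 2).
    # Folder-level inheritance breaks are not covered by this check.
    Get-PnPList -Includes HasUniqueRoleAssignments |
        Where-Object { $_.HasUniqueRoleAssignments -and -not $_.Hidden } |
        Select-Object Title, Id
}

function Remove-BroadSiteGroupMembers {
    # Remediation for the broad-group findings only; run with -WhatIf first to preview.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($f in (Get-SiteGroupFindings | Where-Object Issue -like 'Broad*')) {
        if ($PSCmdlet.ShouldProcess($f.Group, "Remove '$($f.Member)'")) {
            Remove-PnPGroupMember -Group $f.Group -LoginName $f.LoginName
        }
    }
}

Get-SiteGroupFindings     | Format-Table Group, Member, Issue -AutoSize
Get-UniquePermissionLists | Format-Table -AutoSize
# Remove-BroadSiteGroupMembers -WhatIf    # preview the removals; drop -WhatIf to apply
```

Only the broad system groups are removed automatically; individual accounts and non-CSG groups are reported so the owner can replace them with the right CSG deliberately rather than locking someone out. Any library returned by Get-UniquePermissionLists is a place where Step 2's documentation requirement applies.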

Step 4: Configure External Sharing

In SharePoint Admin Center, configure site sharing:

Setting                          | Use Case
Only people in your organization | Most secure; no external sharing
New and existing guests          | Controlled external collaboration
Anyone (Anonymous links)         | Strongly discouraged — only for public data

Set default sharing link type to "Specific people".
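The same settings can be read back and applied from the SharePoint Online Management Shell. This is an added example, not code from the guide, and it assumes the Microsoft.Online.SharePoint.PowerShell module is installed and Connect-SPOService has been run against the tenant admin URL by a SharePoint administrator. The site URL is a placeholder, and the helper function names are this example's own; the SharingCapability and DefaultSharingLinkType values are the cmdlet's real enum names ("Direct" is the value behind "Specific people").

```powershell
# Added example: apply Step 4's sharing settings to one site (SharePoint Online Management Shell).
# Assumes: Install-Module Microsoft.Online.SharePoint.PowerShell and
#          Connect-SPOService -Url https://<tenant>-admin.sharepoint.com as a SharePoint administrator.
$SiteUrl = 'https://<tenant>.sharepoint.com/sites/<site>'   # placeholder, not a real site

# The guide's setting names mapped to the cmdlet's SharingCapability values
$SharingByUseCase = @{
    'Only people in your organization' = 'Disabled'                      # most secure
    'New and existing guests'          = 'ExternalUserSharingOnly'       # controlled external collaboration
    'Anyone (Anonymous links)'         = 'ExternalUserAndGuestSharing'   # strongly discouraged
}

function Get-SiteSharingPosture {
    # Read the current sharing settings and flag the two things the guide cares about
    param([Parameter(Mandatory)][string]$Url)
    $site = Get-SPOSite -Identity $Url
    [pscustomobject]@{
        Url                     = $Url
        SharingCapability       = $site.SharingCapability
        DefaultSharingLinkType  = $site.DefaultSharingLinkType
        AnonymousLinksAllowed   = ($site.SharingCapability -eq 'ExternalUserAndGuestSharing')
        DefaultIsSpecificPeople = ($site.DefaultSharingLinkType -eq 'Direct')   # "Direct" = "Specific people"
    }
}

function Set-SecureSiteSharing {
    # Set the sharing capability for the chosen use case and make "Specific people" the default link type.
    # "Anyone" is deliberately not selectable here; it is configured manually in the rare public-data case.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Url,
        [ValidateSet('Only people in your organization', 'New and existing guests')]
        [string]$UseCase = 'Only people in your organization'
    )
    $capability = $SharingByUseCase[$UseCase]
    if ($PSCmdlet.ShouldProcess($Url, "SharingCapability=$capability; DefaultSharingLinkType=Direct")) {
        Set-SPOSite -Identity $Url -SharingCapability $capability -DefaultSharingLinkType Direct
    }
}

Get-SiteSharingPosture -Url $SiteUrl                 # before
Set-SecureSiteSharing  -Url $SiteUrl -WhatIf         # preview; drop -WhatIf to apply
Get-SiteSharingPosture -Url $SiteUrl                 # after
```

A site cannot be set more permissive than the tenant-level sharing setting, so a request for "New and existing guests" on a tenant where external sharing is disabled will not take effect; check the posture output after applying.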

Step 5: Educate Users

Pair technical controls with user education:

  • Share Specific Items — Share individual files/folders, not entire sites
  • Use "Specific people" Links — Most secure link type
  • Explain Risks — "People in Organization" links can be forwarded; "Anyone" links are unauthenticated
  • Review Access — Use "Manage access" panel to see who has access

Step 6: Ongoing Reviews and Audits

Site Owner Reviews

  • Periodically review CSG memberships
  • Use Site usage → Shared with external users report

Administrative Monitoring

  • Use SharePoint Admin Center → Reports → Data access governance
  • Find overexposed content from "Anyone" or org-wide links

Audit Log Searching

Search Microsoft Purview audit log for:

  • SharingLinkCreated
  • AnonymousLinkUsed
  • Added user or group to SharePoint group
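The following added example (not from this guide) pulls those three activities out of the Microsoft Purview unified audit log with Search-UnifiedAuditLog and applies simple triage rules: every anonymous-link use, every "Anyone" or organization-wide link created, and every broad or non-CSG principal added to a SharePoint group is surfaced. It assumes the ExchangeOnlineManagement module is installed, Connect-ExchangeOnline has been run by an account holding the audit log search role, and that auditing is enabled. The operation identifier AddedToGroup is the one behind the friendly name "Added user or group to SharePoint group"; the way link scope is read from the sharing-link principal name (Anonymous*, Organization*, Flexible for specific people) is an assumption about the audit schema, as are the CSG regex and the function names.

```powershell
# Added example: triage the Step 6 audit activities from the unified audit log (ExchangeOnlineManagement).
# Assumes: Install-Module ExchangeOnlineManagement; Connect-ExchangeOnline with audit log search rights.
$CsgPattern      = '^CSG - [A-Z0-9]+ - [A-Za-z0-9]+ - [A-Za-z0-9]+$'   # Step 2 convention (assumption)
$BroadPrincipals = @('Everyone', 'Everyone except external users')

function Get-SharePointSharingEvents {
    # Retrieve the three operations for the last N days, paging 5000 at a time under one session id
    param([int]$Days = 7)
    $ops       = 'SharingLinkCreated', 'AnonymousLinkUsed', 'AddedToGroup'
    $start     = (Get-Date).AddDays(-$Days)
    $end       = Get-Date
    $sessionId = [guid]::NewGuid().ToString()
    do {
        $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops `
                     -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        foreach ($r in $batch) {
            $d = $r.AuditData | ConvertFrom-Json      # AuditData is a JSON string per record
            [pscustomobject]@{
                Time       = $d.CreationTime
                Operation  = $d.Operation
                Actor      = $d.UserId
                Site       = $d.SiteUrl
                Object     = $d.ObjectId
                Target     = $d.TargetUserOrGroupName
                TargetType = $d.TargetUserOrGroupType
            }
        }
    } while ($batch.Count -gt 0)
}

function Get-SharingTriage {
    # Return only the events a site owner or administrator should look at, with a reason attached
    param([Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Events)
    foreach ($e in $Events) {
        $reason = switch ($e.Operation) {
            'AnonymousLinkUsed'  { 'Anonymous ("Anyone") link used: unauthenticated access' }
            'SharingLinkCreated' {
                # Link scope is read from the sharing-link principal name (schema assumption)
                if     ($e.Target -match '\.Anonymous(View|Edit)\.')    { '"Anyone" link created' }
                elseif ($e.Target -match '\.Organization(View|Edit)\.') { 'Organization-wide link created' }
            }
            'AddedToGroup' {
                if     ($BroadPrincipals -contains $e.Target)           { 'Broad system group added to a SharePoint group' }
                elseif ($e.Target -and $e.Target -notmatch $CsgPattern) { 'Principal added that is not a CSG' }
            }
        }
        if ($reason) { $e | Add-Member -NotePropertyName Reason -NotePropertyValue $reason -PassThru }
    }
}

$events = @(Get-SharePointSharingEvents -Days 7)
Get-SharingTriage -Events $events |
    Sort-Object Time -Descending |
    Format-Table Time, Operation, Actor, Site, Target, Reason -AutoSize
```

Links created for "Specific people" produce no triage line, so the output concentrates on exactly the link types Step 5 warns users about. The unified audit log only covers a limited retention window, so run this on a schedule rather than relying on it for a one-off historical review.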

Access Reviews

For sensitive CSGs, implement formal Entra ID Access Reviews.


Troubleshooting

Issue                             | Resolution
User can't access content         | Verify user is in correct CSG; check CSG is in correct SharePoint Group; check for broken inheritance
"Private" site appears overshared | Check for Everyone or Everyone except external users in site groups; remove from Advanced permissions settings
Copilot surfaces unexpected data  | Investigate oversharing; check for broad groups and permissive sharing links