Secure SharePoint Permissions with Scope Groups
This guide provides IT administrators and SharePoint site owners with procedures for configuring SharePoint Online permissions using Cloud Scope Groups (CSGs) and File Scope Groups (FSGs). The goal is a secure, modular permissions model that adheres to least privilege and enhances Copilot readiness.
Who Should Use This Guide
- SharePoint Site Owners — Responsible for site content and access
- Departmental IT Staff — Create, configure, and support SharePoint sites
- Entra ID Groups Administrators — Create and manage scope groups within AUs
- Technology Services SharePoint Administrators — Enforce standardized approach
Why This Matters
| Benefit | Description |
|---|---|
| Data Security | Protect sensitive data from unauthorized access |
| Governance | Easier to audit who has access |
| Compliance | Support FERPA, HIPAA, and other regulations |
| Scalability | Reduce complexity as sites and users grow |
| Copilot Readiness | AI tools only access appropriately permissioned data |
This guide promotes a Zero Trust mindset: always verify, grant least privilege.
Prerequisites
| Requirement | Details |
|---|---|
| Entra ID Role | Groups Administrator for your Administrative Unit (AU) |
| Understanding of AUs | CSGs/FSGs must be created within the correct unit AU |
| Naming Conventions | Follow University standards for scope groups |
Core Concepts
SharePoint Permission Levels
| Level | Capabilities |
|---|---|
| Read | View pages, items, download documents |
| Contribute | View, add, update, delete items |
| Edit | Add, edit, delete lists; manage list permissions |
| Full Control | All permissions |
SharePoint Groups vs. Entra ID Scope Groups
| Type | Scope | Usage |
|---|---|---|
| SharePoint Groups | Exist only within a specific site | Container for permission level assignment |
| CSG/FSG (Entra ID) | Exist across the organization | Members added to SharePoint groups |
Our standard: Add CSGs/FSGs as members of SharePoint groups instead of individual users.
Scope Group Types
| Type | Purpose | Naming Convention |
|---|---|---|
| ☁️ CSG | Grants access to entire sites | CSG - [FAMIS] - [Site] - [Access Level] |
| 🗂️ FSG | Manages granular file/folder permissions | FSG - [FAMIS] - [Library/Folder] |
Examples:
CSG - VPOP - ResearchHub - Owners
FSG - VPOP - ResearchHubDocs - SensitiveContracts - Edit
The built-in "Everyone except external users" group grants access to ALL internal users. Never add this group to site Members or Visitors for departmental/team sites.
Procedure
Step 1 – Create Scope Groups (AU Groups Administrator)
The Delegated Model
- IT creates the container — AU Groups Admin creates CSG/FSG in correct AU
- IT assigns ownership — Customer representative becomes group owner
- Customer manages membership — Owner adds/removes users
- Site Owner uses the group — Adds CSG/FSG to SharePoint groups
Creation Process
1. Receive Request: Customer contacts Unit IT with:
   - Group Type (CSG/FSG)
   - FAMIS Code
   - Purpose/Name
   - SharePoint URL (for CSGs)
   - Designated owner(s)
2. Create in Entra Admin Center:
   - Navigate to your Administrative Unit
   - Groups > + New group
   - Type: Security
   - Name: Follow naming convention
   - Description: Include SharePoint URL (for CSGs)
   - Membership type: Assigned
3. Assign Customer Ownership:
   - Navigate to new group
   - Owners > + Add owners
   - Add designated customer representative(s)
   - Notify owners they can manage membership via My Groups portal
Step 2 – Configure SharePoint Site (Site Owner)
Site Type Considerations
| Site Type | Access Control |
|---|---|
| Private Team Site | Only M365 group members have access |
| Public Team Site | ⚠️ Auto-adds "Everyone except external users" — must remediate |
| Communication Site | Standalone; controlled by SharePoint groups only |
Remediation for Public Team Sites: immediately go to Advanced permissions settings → Site Members → Remove "Everyone except external users"
Configuration Steps
1. Access Advanced Permissions:
   - Settings gear > Site permissions > Advanced permissions settings
2. Configure Each SharePoint Group:
   - For [SiteName] Owners, [SiteName] Members, [SiteName] Visitors:
     - Click on the group
     - Remove all default members (especially "Everyone except external users")
     - Add your pre-created CSG for that role
     - Verify correct permission level
3. Configure External Sharing:
   - Set via SharePoint Admin Center
   - Use "New and existing guests" (controlled) or "Only people in your organization"
   - Avoid "Anyone" links
4. Implement FSGs (Only If Needed):
   - Navigate to library/folder requiring unique permissions
   - Stop Inheriting Permissions
   - Remove inherited groups as needed
   - Grant Permissions → Add FSG with appropriate level
Track where inheritance is broken and which FSGs are in use for ongoing management.
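The Step 1 and Step 2 procedure above, scripted end to end as an added example (this is not code from the guide or from Microsoft): the CSG is created inside the AU with Microsoft Graph PowerShell, the customer owner is assigned, and the group is then placed in the site's Members group with PnP PowerShell while the broad default is removed. The AU id, owner UPN, site URL, tenant id and group name are placeholders you would replace; the Microsoft.Graph and PnP.PowerShell modules are assumed to be installed.

```powershell
# Added example, not the guide's own code. Placeholders below are assumptions.
param(
    [string]$AuId     = '<administrative-unit-object-id>',
    [string]$OwnerUpn = 'owner@university.example',
    [string]$SiteUrl  = 'https://tenant.sharepoint.com/sites/ResearchHub',
    [string]$TenantId = '<tenant-id-guid>'
)
$groupName = 'CSG - VPOP - ResearchHub - Members'   # follows the CSG naming convention

# --- Step 1: create the CSG and place it in the AU (Microsoft Graph) ---
Connect-MgGraph -Scopes 'Group.ReadWrite.All','AdministrativeUnit.ReadWrite.All','User.Read.All'
$group = New-MgGroup -DisplayName $groupName `
    -Description "Scope group for $SiteUrl" `
    -MailEnabled:$false -MailNickname ($groupName -replace '[^A-Za-z0-9]', '') `
    -SecurityEnabled
# Membership type is Assigned by default (no membership rule is set).
# Adding the group to the AU lets the AU-scoped Groups Administrator manage it.
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $AuId `
    -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/groups/$($group.Id)" }
# Delegate membership management to the customer representative (group owner)
$owner = Get-MgUser -UserId $OwnerUpn
New-MgGroupOwnerByRef -GroupId $group.Id `
    -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/users/$($owner.Id)" }

# --- Step 2: wire the CSG into the site's Members group and evict the broad default (PnP) ---
Connect-PnPOnline -Url $SiteUrl -Interactive   # newer PnP versions also need -ClientId
$members = Get-PnPGroup -AssociatedMemberGroup
# "Everyone except external users" is addressed by this claim-encoded login name
$eeeu = "c:0-.f|rolemanager|spo-grid-all-users/$TenantId"
if (Get-PnPGroupMember -Group $members | Where-Object LoginName -eq $eeeu) {
    Remove-PnPGroupMember -Group $members -LoginName $eeeu
}
# Entra security groups are referenced in SharePoint by the c:0t.c|tenant|<objectId> claim
Add-PnPGroupMember -Group $members -LoginName "c:0t.c|tenant|$($group.Id)"
# Verify: the CSG should now be the only member of the site's Members group
Get-PnPGroupMember -Group $members | Select-Object Title, LoginName, PrincipalType
```

Run the Step 1 half as the AU Groups Administrator and the Step 2 half as the Site Owner; the Graph group id printed in the verification line is what Step 2 depends on.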
Step 3 – Ongoing Management
Regular Reviews
| Role | Review Task | Frequency |
|---|---|---|
| Site Owner | Review SharePoint group memberships | Quarterly |
| CSG/FSG Owner | Review group membership | Quarterly |
| Security Team | Audit broad sharing links | Ongoing |
User Training Topics
- Managing CSG/FSG membership via My Groups portal
- Requesting new scope groups from Unit IT
- Using "Specific people" links for secure sharing
- Risks of "Anyone" links
Troubleshooting
| Issue | Solution |
|---|---|
| User can't access site | Verify user is in correct CSG; verify CSG is in SharePoint group; allow sync time |
| Site is "too open" / Copilot surfaces unexpected data | Check for "Everyone except external users" in SharePoint groups; remove and replace with specific CSG |
| User needs temporary access | CSG owner adds user temporarily, then removes |
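For the quarterly Site Owner review and the "site is too open" row above, an added audit script (not part of the guide) that lists every member of a site's SharePoint groups and flags the three findings the guide warns about: the "Everyone except external users" default, individual users added directly instead of through a scope group, and security groups that do not follow the CSG/FSG naming convention. It also lists libraries with broken inheritance so FSG use stays tracked. The site URL and tenant id are placeholder assumptions; PnP.PowerShell is assumed to be installed.

```powershell
# Added example, not the guide's own code. Placeholders below are assumptions.
param(
    [string]$SiteUrl  = 'https://tenant.sharepoint.com/sites/ResearchHub',
    [string]$TenantId = '<tenant-id-guid>'
)
# Claim-encoded login name of "Everyone except external users"
$eeeu = "c:0-.f|rolemanager|spo-grid-all-users/$TenantId"
Connect-PnPOnline -Url $SiteUrl -Interactive   # newer PnP versions also need -ClientId

# Walk every SharePoint group on the site and classify each direct member
$findings = foreach ($grp in Get-PnPGroup) {
    foreach ($m in Get-PnPGroupMember -Group $grp) {
        $issue = $null
        if ($m.LoginName -eq $eeeu -or $m.Title -eq 'Everyone except external users') {
            $issue = 'Broad default group present: remove and replace with a specific CSG'
        } elseif ($m.PrincipalType -eq 'User') {
            $issue = 'Individual user added directly: manage via the CSG/FSG instead'
        } elseif ($m.PrincipalType -eq 'SecurityGroup' -and $m.Title -notmatch '^(CSG|FSG) - ') {
            $issue = 'Security group does not follow the CSG/FSG naming convention'
        }
        if ($issue) {
            [pscustomobject]@{
                SharePointGroup = $grp.Title
                Member          = $m.Title
                LoginName       = $m.LoginName
                Issue           = $issue
            }
        }
    }
}

# Libraries/lists with unique permissions are where FSGs live; keep this inventory current
$uniqueLists = Get-PnPList -Includes HasUniqueRoleAssignments |
    Where-Object { $_.HasUniqueRoleAssignments } |
    Select-Object Title, DefaultViewUrl

"Permission findings for $SiteUrl"
$findings | Format-Table -AutoSize
"Lists with broken inheritance (check FSG assignments):"
$uniqueLists | Format-Table -AutoSize
```

Findings in the first table map directly to the Troubleshooting rows: a "Broad default group present" line is the Copilot over-exposure case, and each "Individual user" line is membership that belongs in a CSG or FSG owned by the customer.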