How to customize permissions in Teams

Okay, I admit: the title of this post was a bit of trickery on my part. But it is based on the fact that I run into this question constantly. Customers or readers who write to me will phrase it in different ways, but it always boils down to this: “How can I customize permissions in Teams?”

Sure, you can have a private channel, but that structure is limited to subsets of people within the existing Team, and it is not capable of including outside members, or presenting “Read-Only” content for certain members, etc. The core problem these folks are running into is simple: Teams is not, as some would have you believe, the answer to every collaboration problem.

I struggle to communicate this even in my own organization; it is rather amusing to watch because our company has such a preoccupation with Teams right now–like Frank’s Red-Hot, it’s supposed to be the Everything Sauce! But the truth of the matter is, Teams has a specific place within the Microsoft 365 collaboration universe, and the headaches come when people try to smash its square peg into a round hole.

The real answer to this question, then, is to use the right tool for the right job. The infographic here is an attempt to help people understand each tool’s unique role, and to demonstrate that Teams is only one piece of a larger puzzle. I call this diagram the Spheres of Collaboration.

Image credit: ITProMentor.com

Basically it says the following:

  • OneDrive = Your stuff
  • Teams = Your team’s stuff
  • SharePoint = Company’s stuff
  • Extranet = Public’s stuff

As you move through the spheres from smallest to largest, your audience is shifting and growing wider, and your purpose fundamentally changes as you cross the dotted line. Teams and OneDrive are where the preparation work happens “behind the curtain.” SharePoint (and the Extranet beyond it) is the stage, where the performance takes place, and the content is ultimately consumed.

This framework closely mirrors how you approach a migration of data from a traditional network file server, and it has significant implications for things like permissions and governance as well; decisions around governance for the wider spheres are going to be made at a business or corporate level, not an individual level. As well, far fewer people will have “modify” permissions in the outer spheres: more read-only viewers, fewer owners and contributors.

Image credit: ITProMentor.com

Individuals are responsible for their own data in OneDrive, and for self-organizing and assembling into Teams to get the initial work done. But eventually that work is pressed and ready for consumption by a wider audience. That means some people are merely read-only “viewers” of the data. At this point it should be published into SharePoint–not Teams.

The content in the outer rings tends to be more polished, and to remain static for longer periods of time–it may even be a PDF by the time it reaches its intended audience (but not always). Your Extranet could include SharePoint-hosted content, certainly, but it may also include other platforms such as WordPress or even social media (Yammer, anyone?).

Teams = Co-Creators, always

Every member of a Team is a co-creator; there is no such thing as a “Read-only” member. And that is because membership in a Team is tied to an Office 365 Group, so the permission structure here is very simple:

  • Owners = full modify permissions and ability to manage membership and govern certain settings
  • Members = full modify permissions to all content

Therefore, Teams is a tool for collaboration–activity behind the curtain–it is not meant for publishing. SharePoint, on the other hand, can come to your rescue in situations where custom permissions are a requirement, and you need to publish data to a wider audience. Specifically I would suggest a Communication site vs. a Team site (the latter is Office 365 Group-connected–that is in fact what you get when you create a Team).

Once you have created a Communication site, editing permissions is a snap. Find Settings > Site permissions.

Then just invite the groups and/or individuals that you want to each role: Owners, Site Members (edit) and Site Visitors (view/read-only).

Now it is also very easy to add the document library associated with this new site into any channel, or even multiple channels. Just grab the URL of the site’s document library so that you can add it in Teams as a tab on whichever channels you like.
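The site-permission steps above can also be scripted. This is an added example, not part of the original post: it assumes the PnP.PowerShell module, an English-language tenant (the "Read" level name is localized), and constructed placeholder URLs and accounts.

```powershell
# Added example: tenant, site URL and accounts are constructed placeholders.
# Requires PnP.PowerShell (Install-Module PnP.PowerShell). Recent versions of
# the module also need -ClientId <your own Entra app registration> on connect.
$tenantUrl = "https://contoso.sharepoint.com"
$siteUrl   = "$tenantUrl/sites/policies-published"

# Who gets which role on the published site (constructed sample data).
$roles = @{
    Owners   = @("admin@contoso.com")
    Members  = @("editor1@contoso.com", "editor2@contoso.com")
    Visitors = @("reader1@contoso.com", "reader2@contoso.com")
}

# Create a Communication site. Unlike a Team site created by Teams, it is not
# bound to a Microsoft 365 Group, so its three roles can be filled separately.
Connect-PnPOnline -Url $tenantUrl -Interactive
New-PnPSite -Type CommunicationSite -Title "Published Policies" -Url $siteUrl
Connect-PnPOnline -Url $siteUrl -Interactive

# The default SharePoint groups behind Owners / Site Members / Site Visitors.
$groups = @{
    Owners   = Get-PnPGroup -AssociatedOwnerGroup
    Members  = Get-PnPGroup -AssociatedMemberGroup
    Visitors = Get-PnPGroup -AssociatedVisitorGroup
}

# Add each account to the group for its role.
foreach ($role in $roles.Keys) {
    foreach ($login in $roles[$role]) {
        Add-PnPGroupMember -Group $groups[$role] -LoginName $login
    }
}

# Read the result back: permission levels and members per group.
foreach ($role in "Owners", "Members", "Visitors") {
    $levels  = (Get-PnPGroupPermissions -Identity $groups[$role]).Name -join ", "
    $members = (Get-PnPGroupMember -Group $groups[$role]).Email -join ", "
    "{0,-8} [{1}] {2}" -f $role, $levels, $members
}

# Least-privilege check: the Visitors group should hold nothing beyond Read.
$extra = (Get-PnPGroupPermissions -Identity $groups.Visitors).Name |
    Where-Object { $_ -ne "Read" }
if ($extra) {
    Write-Warning "Visitors group has more than Read: $($extra -join ', ')"
}
```

Re-running the read-back and the final check on a schedule gives a simple record of who can modify published content versus who can only view it.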

The only downside to this arrangement is that as of today, the “Search” bar in Teams does not return results from these other locations outside of Teams, the way that Microsoft Search gathers content from everywhere in places like Office.com or from Bing. I would like to see the new “universal” Search brought into the Teams app, to be consistent with the rest of Microsoft 365. Fingers crossed.

Aside: One other possibility we will have in the future is to use Sensitivity labels to mark certain content within Teams and other locations in 365, and apply encryption so that the contents are protected and visible only by those members defined in the label. While there is a preview available now that will allow some online editing and so forth, it’s not ready for prime time yet.

Let the legacy structures die

“Can Johnny have access to these channels but not others, and have read-only rights in these two folders but read-write in all the others?” Or, “Can Suzie be allowed to see these folders in the Marketing channel, but not others?”

Permissions requests like this are almost always based around legacy file and folder structures. Getting people out of the old mentality can be challenging–they have to embrace the fact that Microsoft 365 is not just your “new file server.” It is not based on deep nested folder structures with broken inheritance and custom permissions, like your crappy old network drives.

With modern sites in SharePoint Online, users have the flexibility to create as many unique sites as they could ever want (the limit is now 2 million site collections so you never have to worry about running out). When you’re talking about custom permissions, you’re automatically looking toward a new site. And if the customer wants to break inheritance further within that–while it is possible to do–it is better avoided. You just say, “Nope, that means another new site!”

If you require navigation between multiple sites, you can link those via a hub site. The navigation on a hub site can (soon) be security trimmed using a feature called audience targeting–announced at Ignite 2019 and scheduled for release March 2020–so if users should not have access to specific sites underneath the hub site, then have no fear: they won’t have to show up!

Must I have an intranet though?

Of course, many small and mid-sized orgs never really “got” the concept of an intranet–so you can continue to interact with your shared files primarily via OneDrive and Teams if you prefer–simply publish the relevant Communication sites’ content into various channels within Teams as we have described.

For those rare SMB orgs that came from the SharePoint world, they tend to make this adjustment more easily, and appreciate the flexibility and fluidity of modern sites with a flatter structure. Nevertheless, an intranet is not 100% necessary for every business–so don’t feel pressured to go all out with it, just because you need to present some document libraries with custom permissions.

So there you have it, the answer to your question is simple: you don’t customize permissions “in” Teams. You use the right tool for the right job. The next time someone asks you to design a Team where some people can only read certain data or to have some sub-folders hidden from certain members, whip out the Spheres of Collaboration, explain “the bigger picture” and how you would get them to the right solution, but differently.

Comment (1)

  • Craig Franklin

    At risk of confusing these options further, for those that want the Teams “look” but with control over permissions, you may want to check out the “TEAM SITE WITHOUT AN OFFICE 365 GROUP” section in this article – https://sharepointmaven.com/office-365-group-or-communication-site/

    It states the Use Cases for Modern Team sites without an Office 365 Group are:
    – Project sites or Client Sites where document storage and collaboration is the top priority over team communication
    – Externally-facing client sites
    – Archive site whose objective is to serve as an archive of content

    February 4, 2020 at 3:16 pm
