administration – Assigning “Contribute” permission instead of “Edit” to the SharePoint Modern Team site’s Site members

The blog you linked to has the correct answer. It’s not optimal, but it works.

One source of confusion is that after creating a team site, there are two groups with the same name. For example, if you create a new team site named “project 1”, the following groups will be created:

  • “project 1” – This group is visible in the list of groups in the admin console. The admin console will show that this group has an email address, and a group type of Office 365. The admin console will also show the list of owners and members. When viewing the home page of the site, it will display “x members” at the upper right. clicking on it will display the members of this group.
  • “project 1 members” – This group is visible by navigating to site permissions –> advanced. This page will show this group (plus others), and it will have a group type of “SharePoint Group”. This group will have a default permission level of edit
  • “project 1 owners” – same as above, with a permission level of full control
  • “project 1 visitors” – same as above, with a permission level of read

If you click into the project 1 members SharePoint Group, you will see that it has one member by default: “project 1 Members”, which is the members of the Office 365 Group.

If you go back to the homepage and to site permissions, you will see listings for site owners, members, and visitors. These are references to the SharePoint groups. The site members group will show one member, “project 1 Members members”. Changing the dropdown from edit to read does not change the permissions of the SharePoint group, but instead moves the Office 365 Group out of the project 1 members sharepoint group, and into the project 1 visitors sharepoint group.

Given the above:

  • navigate to the advanced permissions screen, and click on the project 1 members SharePoint group
  • click the checkbox next to the project 1 members office 365 group
  • click actions –> remove users from group
  • Go back to the advanced permissions screen, create a new SharePoint group, and give it contribute permissions. After creating the group, it should take you to the people and groups page, showing the membership of your new group. click “new”, and add the project 1 members group to your new group. (this will be the office 365 group.)

Once you’ve done the above:

  • The members of the project 1 office 365 group will have contribute access.
  • Clicking the x members link on the homepage and modifying the group membership will work fine, as that still modifies the membership of the office 365 group, which has contribute access.
  • clicking “site permissions” will still show project 1 owners with full control, but will not show anyone as a member or visitor. This is the flaw with this approach. The group has contribute access, but this screen will not display it. Instead, this panel will simply state “there are additional groups with permissions on this site”

(In my procedure, I removed the O365 Group from the SharePoint Group. In the blog post you linked to, Paul suggests to switch it to a visitor. I’m not sure which I like better. Paul’s approach still makes the group visible on the site permissions panel, but that also makes it really easy for a user to switch them back to a member, defeating the purpose of all of this).

So, not a perfect solution, as the site permissions panel doesn’t allow you to view or change the permissions for members, and any further changes will need to be done in the advanced site permissions screen. This does, however, preserve the ability to modify the list of site members via the “group membership” panel from the home page.

edit: I mentioned the other post wasn’t “optimal”. This was not a criticism of the blog post, rather that I wish MS provided a way for us to do with without all of the above.