
The Ultimate Guide to Microsoft Teams Permissions

Read our Microsoft Teams Quickstart Guide for other handpicked resources for new Teams users.

With all the applications that Microsoft Teams brings together within Office 365, there really are tons of ways to collaborate on projects. Teams makes it easier than ever to hold meetings, share information, keep track of tasks, and stay up-to-date on all the projects that people have going on across their organizations! With all the capabilities that Microsoft Teams brings to the table, though, there’s a lot to keep track of, and a lot of different ways information can be shared.

Keeping track of how people can access information and who can do what within Microsoft Teams is a great place to start. So, let’s do this! Here’s a dissection of all the permissions and rights capabilities available with Microsoft Teams.

1. What Owners and Members of a Microsoft Team Can (and Can’t) Do

Owners of a Microsoft Team have:

  • Access to Teams settings and can add new members to a private Team or Group
  • Administrative access to the Group SharePoint site associated with the Team
  • The ability to “restore” files (if versioning is enabled) to previous versions and delete or archive the Team.

By default, members of a Team cannot access or change Team settings or add members. They can edit the site and make lists and libraries, but they don’t have admin access to the Group SharePoint site associated with the Team. Members can also add channels in Teams (but can’t delete them).

Both Owners and Members (by default) are able to connect external applications–including other storage and collaboration apps–to each Team via Team channel tabs. They can both also add tabs to Teams channels and delete them.

If external sharing is turned on for Microsoft Teams and the Team in question, owners may invite “Guest” users from outside the organization to Teams. Guest users can participate in private Microsoft Teams chats and in Teams conversations (for joined Teams), but by default they cannot add or remove channels or tabs. They also have access to files and the SharePoint information behind the Team (they will also be Guest users of the Office 365 Group).

2. Private vs. Public Microsoft Teams: What’s the Difference?

Private Teams require that administrators approve membership or directly add users to the Team in question, and information stored in the Team (and the Team itself) may or may not be searchable by the organization depending on SharePoint permissions and Team Settings. The information within a private Team does not show up in search results by default, but the Team name, description, and the members and owners of the Team can be seen by users in the organization.

Public Teams can be joined by any user in an organization, and the related files and chat information are visible to everyone (via searches) as well.
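To check how the roles and visibility settings from sections 1 and 2 are actually configured in a tenant, the read-only audit below lists each Team's visibility, owner and guest counts, and the member permissions that can differ from the defaults. It is an added example, not part of the original article or any AvePoint product; it assumes the MicrosoftTeams PowerShell module is installed and that the signed-in account can read the Teams in question.

```powershell
# Added example: read-only audit of Team visibility, roles and member settings.
# Assumption: MicrosoftTeams module installed; which Teams Get-Team returns
# depends on the role of the account used with Connect-MicrosoftTeams.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

$report = foreach ($team in Get-Team) {
    # Get-TeamUser returns one row per user with Role = owner, member or guest.
    $users  = @(Get-TeamUser -GroupId $team.GroupId)
    $owners = @($users | Where-Object Role -eq 'owner')
    $guests = @($users | Where-Object Role -eq 'guest')

    [pscustomobject]@{
        Team                  = $team.DisplayName
        Visibility            = $team.Visibility       # Public or Private
        Owners                = $owners.Count
        Guests                = $guests.Count
        # Per-Team member permissions (Team settings > Member permissions).
        MembersAddChannels    = $team.AllowCreateUpdateChannels
        MembersDeleteChannels = $team.AllowDeleteChannels
        MembersAddApps        = $team.AllowAddRemoveApps
        MembersEditTabs       = $team.AllowCreateUpdateRemoveTabs
        MembersEditConnectors = $team.AllowCreateUpdateRemoveConnectors
        # Guest channel permissions are separate settings on the same Team.
        GuestsAddChannels     = $team.AllowGuestCreateUpdateChannels
        GuestsDeleteChannels  = $team.AllowGuestDeleteChannels
    }
}

# Public Teams are joinable and searchable by the whole organization,
# so a public Team that also contains guests deserves a second look.
$publicWithGuests = $report |
    Where-Object { $_.Visibility -eq 'Public' -and $_.Guests -gt 0 }

# Teams where members or guests can delete channels.
$canDeleteChannels = $report |
    Where-Object { $_.MembersDeleteChannels -or $_.GuestsDeleteChannels }

$report            | Sort-Object Team | Format-Table -AutoSize
$publicWithGuests  | Format-Table Team, Owners, Guests -AutoSize
$canDeleteChannels | Format-Table Team, MembersDeleteChannels, GuestsDeleteChannels -AutoSize
```

The script changes nothing in the tenant; pipe `$report` to `Export-Csv` to keep a dated snapshot for comparison after settings are adjusted.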

3. Control Access to Services and Users with Teams Admin Center

Microsoft Teams administrators can manage just about every aspect of each individual Team in an organization as well as set all available tenant-wide settings for calls, meetings, and chat collaboration features offered by Microsoft Teams. This includes the ability to allow or restrict external sharing as well as the connectors/applications available via Team channel tabs.

There are three additional levels of Microsoft Teams administrators, each with a different portion of organization-wide administrative access, to assist in federating the management of Teams:

  • Teams Communications Administrators can manage calling and meeting features for Microsoft Teams.
  • Teams Communications Support Engineers have access to call quality, reliability information, and the tools to troubleshoot the technical aspects of Microsoft Teams.
  • Teams Communications Support Specialists can view user information and call quality analytics to assist in troubleshooting call quality.

4. The “Files” of the Team and SharePoint Permissions

It’s important to remember that the “Files” tab is available and that it’s mandatory for each channel in a Team to be connected to file storage in SharePoint. Files for each channel are stored in a folder in the document library of the SharePoint site that supports each Team.

Owners and Members have the ability to share rights to any files or pages–the entire site collection, even–to anyone in the organization. This means that any files stored or shared inside a Team are subject to the sharing and permissions rules of SharePoint.

In addition, files shared in private chats are stored in a “Teams Chat Files” folder in the OneDrive for Business of the user who uploads them before being shared with others in the chat.

5. Sharing Information with Teams

Each Microsoft Team is connected with an Office 365 Group and serves (in part) as a Security Group with shared resources across many applications in Office 365. Users outside the organization can share access with Microsoft Teams and grant all of the users in that Team rights to SharePoint or OneDrive content. Conversely, you cannot add another Microsoft Team/Office 365 Group to the Members or Owners group for the Team or Group in question.

When a file is shared with the Team (or Group) from a location outside that Team in question, it will be visible as a link via the “Files” tab of the Office 365 Group (not channels within the Team).

6. Who Can See Information in Microsoft Teams — and What They Can See?

With the exception of Private Channels (coming soon), all the Owners and Members within a Team can see all the chat, “Files” tabs, and apps available to that Team. In addition, each Owner and Member can access the application information associated with the Office 365 Group behind the Team. This includes the Outlook Calendar and Exchange conversations associated with the Group.

Each channel in a Team also has its own email address, and email can be sent or forwarded to a channel in the Team.

Additionally, Microsoft Teams allows the restriction of private chats among users and subsets of users (e.g., restricting who can create 1-1 chats with leadership team members).

With enterprise licenses, it’s also possible to add warnings and restrictions on the kind of content that can be shared within the Teams application (e.g., sensitive/explicit content in chats).

I hope you enjoyed this little breakdown of how users can access information through Microsoft Teams and what different levels of users have the capabilities to do! For more detailed information, be sure to check out the links in the article. We’ve also got some great webinars and blog posts packed with tips and best practices below:


Hunter W.
Hunter has been in web development, SEO and social media marketing for over a decade, and has MCSA Office 365 & Service Adoption Specialist certifications. Throughout his career, he has developed internal collaboration sites, provided technical and strategic advice, and managed solutions for small to large organizations. Hunter is the President of the Richmond SharePoint User Group and works full time as Product Marketing Manager at AvePoint. He is a top contributor to AvePoint’s blog as well as CMS Wire and has been featured in over a dozen publications, most notably the Wall Street Journal.

32 COMMENTS

  1. What about permissions per channel? We have AvePoint but are unclear about whether AvePoint Cloud Backup will back up these Custom Channels that apparently create a whole extra Teamsite in the background that you cannot see in the SharePoint admin portal. Can/will AvePoint back up these channels?

    • Hey Harry! We’re currently working on support for this and expect Private Channels to be supported within the next few release cycles. Thanks!

  2. If a channel or Teams group is originally public and then switched to private, are the files that were already shared immediately made private? If not, how do you make them private?

    • Hey Kristen! No files are unshared if a Team is made private; it simply means that people in the organization cannot surface or access unshared files without requesting access or joining the Team first. Channels have to be made private when they’re created.

  3. Hi
    I am not able to screen share Excel, Word and some other applications during meetings. Some are available, but other open files/programs are not available from the choices except sharing the entire desktop or window.

    Is this a permission thing? Please advise.

    Thanks

    • Hi Kashif! This is caused not by permissions per se, but likely an org-wide setting in Teams restricting screen sharing. Hope this helps!

  4. By default,…Members can also add channels in Teams (but can’t delete them). But if you see the check boxes checked, it seems – by default “allow members to delete and restore channels” ?

  5. The Ultimate Guide – more like High Level.

    Ultimate Guide would have way more info.

    A little misleading.

    • Hey Iain, we’re sorry if you feel like this guide didn’t answer some of the questions you might’ve had on permissions. We’ll look at updating it. Hopefully our resources on other topics will serve you better in the meantime!

  6. What about the AvePoint backup user? It becomes a member of a channel. Is it possible to hide the notification in the channel when the backup user becomes a member?

    • Hey Smits, that’s unfortunately not possible at this time. We suggest connecting Cloud Backup with an account that has a neutral name like “IT Support” to lessen the impact of this instead of having an account with a person’s name.

  7. What about file permissions? I thought a member could upload a file, but now I am seeing that this might not be the case. True? False?

  8. Hunter, thanks, this is awesome. Is there a way I can send an email in Outlook to all members (think Distribution List)? Not to be confused with the channel email ID you referred to.

    • You can! This would simply be the address for the Group/Team itself, typically TeamName@domain.com. This will go to the email box for the Team, and members who follow it (typically the default) will receive the message in their own inbox as well.

    • In addition to what Brent said, assuming you have Outlook configured on your computer, you should be able to see the group email in a section called “groups” that should reside below your personal folders in Outlook. No additional configuration would have been required for those to show up.

  9. Thanks for the excellent article Hunter. Very useful. We’d like to create a shared calendar in sharepoint to use as a Holiday/Vacation planner for the team. We’d like all team members to see it but only the team owner to be able to edit it. Is this possible?

    • We’re glad you found this useful Chris! That isn’t possible directly within the Team, but you could create a private calendar and share it with the team. The Team Calendar should reflect this, and Team members would be able to add it to their own calendars as well.

  10. Hi Hunter,
    Thanks for the article. I am not clear on the following and was wondering if you have any insight: can an IT Admin access (even just read) files that are stored in a private team channel if they are not part of the team channel?
    Thanks!

    • We’re glad this was helpful Kris! Teams Admins can add themselves or other users to Private Channels in Teams via the Teams Admin Center-> Manage Teams option.

  11. Hi there, interested to know: if a Team channel was created and the owner is no longer a part of the company and no other host was provided access, does a new channel need to be created? Looking to add new members to the group; when selected, it indicates add request sent, but the user does not receive an invite. Thanks in advance for your guidance.

  12. Hi! I am the original creator and owner of a Team. Since creating it, I have added 2 additional Team owners. We assumed that within the Team’s SharePoint site the other Team owners would have the ability to manage the access of the Team’s files and folders. However, when the other Team owners are in the SharePoint site, they are not actually able to make any changes when they navigate to “manage access” for any of the files or folders – they can see the options, but are not able to change any of the access for other Team members, it’s essentially greyed out for them. I seem to be the only person who is able to make any of these manage access changes even though the other people who have tried are also Team owners. I cannot find anything about this online – any help you could provide would be appreciated!

    • There are a couple of options here Caitlin. This could be the SharePoint site behind a private channel rather than the main Team. But if this is the main SharePoint site behind the Team, something is not working correctly. Either way, you can share edit/owner rights to that site directly in SharePoint. Hope this helps and thanks for reading!

  13. What about individual file permissions within the Team group? Can I have some members only have read-only access and other member full access? Standard file permissions.

    • Hi Terry,

      Yes, an Owner can do this in the SharePoint site associated with the Team. You can select the file, click manage access and then advanced. You can then choose between full control, design, edit, contribute, read, and restricted view permission levels. You would have to provide the members of the Team read-only access and then grant the select individuals full access. This can be tedious. It’s also VERY important to note that the list of people who have access is not the full list of people who can access the file. Anyone with sharing rights can create a link to share with anyone who has access to that link (unless that has been turned off by an administrator). It can be very, very difficult to understand everyone who has permission to a document and everyone who has actually accessed that document. If you are thinking about file permissions at this level of granularity you should check out this video on our Policies and Insights product that was made to solve exactly these challenges.

  14. Hello,
    I’m having to approve access for every member of this chat individually so they can access files. How can I just make sure that all members of the chat can access all files, no problem? We all work within the same organization.

    • Hi Cydnee,

      It depends where those files are hosted. It sounds like those files may be stored on a SharePoint site that one member of the chat does not have access to. You can add that member of the chat to have access to that SharePoint site (or corresponding Team) if that is appropriate or keep providing access to individual documents. One of our solutions Policies and Insights can help automate and monitor access and permissions management as well and you may want to request a demo and check it out: https://www.avepoint.com/products/cloud/policies-insights-microsoft-365

  15. Hello,
    I am trying to create a “private” channel where only the “owner” can share files (in the “files” tab) beyond the private channel “members” or “guests” associated with that channel. I don’t want anyone to be able to re-share anything unless it’s the “owner”.
    I heard that the SharePoint structure that comes with the MS Teams application cannot be configured like this and a full SPO instance would have to be installed and linked separately to make this work. I can’t believe Microsoft would be this shortsighted, as sensitive files on a private channel inherently are meant for ONLY that channel. Is my IT Team missing something or are they correct about this configuration?

    • Hi Chris, thanks for reaching out! I believe your IT team is correct. The concept behind Private is that anyone in that private channel has access to those documents and has control. The permission set you’re trying to create would need to be created manually in SharePoint.
