SharePoint Online - blocking access to a single folder

Maz1k3n 26 Reputation points
2022-08-03T16:27:37.13+00:00

Hi All,

I hope you're all keeping well and safe.

I have recently moved my organization's files to SharePoint Online and need some assistance.

I have a SharePoint site for the HR Team. Permissions to the site are managed through a Microsoft 365 group. Members of the HR M365 group also have access to the SP site.
I want to prevent ONE HR member from accessing a single folder on SharePoint. He should have access to everything else but this folder.
What is the cleanest way of restricting access to a single folder/document without affecting other existing and future members of the HR M365 group?

I also noticed that some SharePoint sites have the below object as a member and don't know where it came from

Can someone advise what this 'Limited Access System Group For List' means and where it comes from?

Thanks in advance.

All the best.


3 answers

  1. Dillon Silzer 60,736 Reputation points Volunteer Moderator
    2022-08-03T17:32:26.683+00:00

    Hi @Maz1k3n

    1) I want to prevent ONE HR member from accessing a single folder on SharePoint. He should have access to everything else but this folder. What is the cleanest way of restricting access to a single folder/document without affecting other existing and future members of the HR M365 group?

    You can break inheritance permissions on that folder and set up permissions specifically for the folder. You can do this by:

    a) Select the folder > a menu will pop up > hit Manage access

    b) Go to Advanced in the bottom right corner.

    c) Press Stop Inheriting Permissions

    d) Create a group/add people who want to have access to the folder by hitting Grant Permissions

    You should now have a folder with specific permissions (minus the person who you don't want to see the information).

    2) Can someone advise what this 'Limited Access System Group For List' means and where it comes from?

    Limited Access System Groups are generated by SharePoint automatically when you assign a permission to a user or group (when they do not have permission to open or edit anything else on the SharePoint site).

    This level is automatically assigned by SharePoint when you provide access to one specific item. You cannot assign Limited Access permissions directly to a user or group yourself. Instead, when you assign edit or open permissions to the single item, SharePoint automatically assigns Limited Access to other required locations, such as the site or library in which the single item is located.

    Default Permission Levels (on SharePoint)

    https://learn.microsoft.com/en-us/sharepoint/understanding-permission-levels?redirectSourcePath=%252fen-us%252farticle%252fUnderstanding-permission-levels-in-SharePoint-87ecbb0e-6550-491a-8826-c075e4859848#default-permission-levels

    --------------------------------

    If this is helpful please mark as correct answer.


  2. Maz1k3n 26 Reputation points
    2022-08-04T08:21:25.383+00:00

    Hi @Dillon Silzer

    Thank you for your reply.

    For answer number 1, if I select 'stop inheriting permissions', that means permissions will no longer be managed by the Microsoft 365 group, correct? So, every new member who joins the HR M365 group will need to be granted permission to the restricted folder manually?

  3. Renjie Sun-MSFT 2,861 Reputation points Microsoft Employee
    2022-08-04T09:29:47.06+00:00

    Dear @Maz1k3n ,

    Thanks for your detailed explanation. I am more than willing to help you out.
    However, currently there are no permission settings in SharePoint Online to forbid a single group member access to a folder. Here is a workaround to try to meet your needs; you could check it. The way is to create a new group (without him) and give unique permission to this folder.

    You could export selected users to a csv file in Azure AD. And then create a new group, add members by importing this csv.

    The following article shows the steps to copy users from one group to a new one.

    1. M365 admin center -> Azure AD -> Azure Active Directory -> Groups -> Your Group (having members you want to copy)
    2. Members -> Bulk operations -> Download members
    3. Open the downloaded csv file.
    4. You could clear the user from this csv file. Clear the table row where the user is located (the user you want to move out of the group).
    5. Put the csv file into the right format in order to import successfully.
      Insert these two rows at the top and clear the useless data in the csv:

      version:v1.0
      Member object ID or user principal name [memberObjectIdOrUpn] Required

    6. Save this csv as the new group member list.
    7. Create a new group, add members to this group by importing the csv.
      Members -> Bulk operations -> Import members.
    8. Upload your csv file.

    More information on bulk add group members in Azure Active Directory.

    Now you could set unique permissions for this new group on that folder.

    Should you have any questions or concerns, please do feel free to contact me.

    Yours sincerely,
    Renjie Sun


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
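
The CSV edit from steps 4 to 6 of the answer above, together with a check for the membership drift raised in the follow-up question, as an added example (not code from any poster or from Microsoft). The export column name `userPrincipalName`, the sample rows and the function names are assumptions; the two header rows are the ones quoted in the answer.

```python
import csv
import io

# Header rows required by the bulk-import file, as quoted in the answer above.
IMPORT_HEADER = [
    "version:v1.0",
    "Member object ID or user principal name [memberObjectIdOrUpn] Required",
]

# Constructed sample of a "Download members" export. The column names are an
# assumption about that file; adjust `column` below if your export differs.
SAMPLE_EXPORT = (
    "id,userPrincipalName,displayName\n"
    "00000000-0000-0000-0000-000000000001,alice@contoso.example,Alice\n"
    "00000000-0000-0000-0000-000000000002,bob@contoso.example,Bob\n"
    "00000000-0000-0000-0000-000000000003,carol@contoso.example,Carol\n"
)

def read_upns(export_text, column="userPrincipalName"):
    """Return the non-empty UPNs listed in a downloaded members export."""
    reader = csv.DictReader(io.StringIO(export_text))
    if column not in (reader.fieldnames or []):
        raise ValueError(f"export has no {column!r} column")
    upns = [(row[column] or "").strip() for row in reader]
    return [u for u in upns if u]

def build_import_csv(export_text, excluded_upn):
    """Build the bulk-import CSV for the restricted group, minus one user."""
    excluded = excluded_upn.strip().lower()
    upns = read_upns(export_text)
    # Fail closed: a typo in the excluded name must not silently grant access.
    if excluded not in {u.lower() for u in upns}:
        raise ValueError("excluded user not found in export")
    kept = [u for u in dict.fromkeys(upns) if u.lower() != excluded]
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerows([line] for line in IMPORT_HEADER + kept)
    return out.getvalue(), kept

def membership_drift(source_export_text, restricted_upns, excluded_upn):
    """Compare a later export of the source group with the restricted group."""
    excluded = excluded_upn.strip().lower()
    expected = {u.lower() for u in read_upns(source_export_text)} - {excluded}
    actual = {u.lower() for u in restricted_upns}
    return {"missing": sorted(expected - actual),
            "unexpected": sorted(actual - expected)}
```

Because the new group is a copy, it does not follow later changes to the HR M365 group; rerunning `membership_drift` against a fresh export shows who still needs adding and flags the excluded user if he ever appears in the restricted group.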

