SharePoint Sites and Permissions: What You Need to Know
- echotransformation
- Nov 20
When you click “Create site” in SharePoint, it feels simple. A few fields, a site name, maybe a description… and voila, a sleek new site appears. But behind the scenes, Microsoft 365 is spinning up multiple connected services that all influence how your permissions work.
Understanding this is the difference between running a clean, controlled workspace… and accidentally giving half your organization access to sensitive content.
Let's dive into it!
What Actually Gets Created When You Spin Up a New SharePoint Site?
One of the things we love (or hate...) about Microsoft 365 is how much it takes care of for you behind the scenes. Creating a Team SharePoint Site (not to be confused with a Communication SharePoint Site!) isn’t just making a new SharePoint space. You’re actually creating an entire collaboration hub in one click.
Here’s what’s quietly created in the background:
A SharePoint Team Site: for storing and collaborating on files (Your primary intention)
A Microsoft 365 Group: the “container” that controls membership and permissions
A distribution list: for group communication / blasting
A Shared Inbox: to receive or send emails on behalf of the group
A Shared Calendar: to see when the group is busy in meetings
A Shared OneNote notebook: to capture group notes
All of this is created automatically so your team can start working together without any extra setup. And because everything is tied back to the Microsoft 365 Group, the same list of people (Owners and Members) has consistent access across every connected tool.
Now Depending on Your Setup, You Might Also Get:
A Microsoft Teams workspace: connected to the new SharePoint Site so you can access your group files as you chat with each other.
A Planner board: linked to the group, so you can assign each other tasks and track how close you are to accomplishing your goals.
Loop components: for real-time collaboration on EVERYTHING!
These optional add-ons plug right into the same Microsoft 365 Group, keeping permissions and membership perfectly in sync.
This is exactly why understanding the difference between Group roles and SharePoint roles becomes so important. The choices you make when managing access can impact more than just the site...
The Big Permission Distinction: Group Roles vs. SharePoint Roles
This is where most administrators get tripped up. There are two layers of permissions:
Layer 1: Microsoft 365 Group Roles
These are managed in:
Microsoft 365 admin center
Azure AD admin center
SharePoint admin center (when editing site permissions)
There are only two role types:
Owners: full control
Members: edit
Layer 2: SharePoint Site Roles
These apply inside the SharePoint site itself and nothing else:
Site Admins: full admin control + restore deleted content
Site Owners: full control
Site Members: edit
Site Visitors: read only
This flexibility is powerful… and dangerous if you don’t understand who controls what.

Real-Life Scenarios Where This Difference Matters
Scenario 1: A department user gets removed from the Group Permissions but still has access to the SharePoint site
You removed them from Group Owners thinking it removes access everywhere. But unfortunately, someone added them directly as a Site Owner. Therefore, they still have full control over the SharePoint site and you wonder why your confidential folders aren’t secure...
Scenario 2: A project site gets too many members because someone added “All Staff” to the Microsoft 365 Group
This one happens a lot. An employee thinks “All Staff” is a distribution list (which it is...) but doesn’t realize that adding it to Group Members gives the entire company edit access. Everything in the SharePoint site is suddenly editable by 400 people... Try adding them to the Site Visitors instead.
Scenario 3: You want someone to view and approve documents but not edit the site
You want them to view and approve documents, without changing your site's configuration and settings. If you add them to the Group, they become Site Members with edit rights. The correct approach? Add them as Site Visitors or share the specific document instead of the entire site...
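To make the two layers concrete, here is an added PowerShell example (not from the original post) that merges Group roles and direct SharePoint site roles into one report and shows what access each user would keep after being removed from the Group, which is the gap in Scenario 1. The user names, the `Get-EffectiveSiteAccess` function and the sample lists are constructed for illustration; Site Admins are left out to keep the example short.

```powershell
# Constructed sample data, not taken from a real tenant.
# Layer 1: Microsoft 365 Group roles.
$groupOwners  = @('dana@contoso.example')
$groupMembers = @('lee@contoso.example', 'sam@contoso.example')
# Layer 2: users added directly to SharePoint site roles.
$siteDirect = @(
    [pscustomobject]@{ User = 'alex@contoso.example'; Role = 'Site Owners' }
    [pscustomobject]@{ User = 'sam@contoso.example';  Role = 'Site Visitors' }
    [pscustomobject]@{ User = 'kim@contoso.example';  Role = 'Site Visitors' }
)

# Hypothetical helper: combines both layers into one effective-access report.
function Get-EffectiveSiteAccess {
    param([string[]]$GroupOwners, [string[]]$GroupMembers, [object[]]$SiteDirect)

    # Strongest role wins when a user holds several grants.
    $rank = @{ 'Site Visitors' = 1; 'Site Members' = 2; 'Site Owners' = 3 }

    # Flatten both layers into one list of grants.
    $grants = @(
        foreach ($u in $GroupOwners)  { [pscustomobject]@{ User = $u; Role = 'Site Owners';  Source = 'Group' } }
        foreach ($u in $GroupMembers) { [pscustomobject]@{ User = $u; Role = 'Site Members'; Source = 'Group' } }
        foreach ($d in $SiteDirect)   { [pscustomobject]@{ User = $d.User; Role = $d.Role; Source = 'Direct' } }
    )

    foreach ($g in ($grants | Group-Object -Property User)) {
        $byStrength = { $rank[$_.Role] }
        $best   = $g.Group | Sort-Object $byStrength -Descending | Select-Object -First 1
        $direct = $g.Group | Where-Object Source -eq 'Direct' |
                  Sort-Object $byStrength -Descending | Select-Object -First 1
        [pscustomobject]@{
            User                  = $g.Name
            EffectiveRole         = $best.Role
            InGroup               = [bool]($g.Group | Where-Object Source -eq 'Group')
            RoleAfterGroupRemoval = if ($direct) { $direct.Role } else { 'none' }
        }
    }
}

Get-EffectiveSiteAccess $groupOwners $groupMembers $siteDirect |
    Sort-Object User | Format-Table -AutoSize
```

Any row where `RoleAfterGroupRemoval` is not `none` is a user whose access will outlive a Group cleanup, and any row with `InGroup` false and `EffectiveRole` of `Site Owners` is a direct grant worth reviewing first.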
How to Choose the Right Permission Model
Use Microsoft 365 Group Membership if:
Everyone needs the same level of access
You want the group to access Teams, Planner, shared inbox, etc.
You prefer simple membership management
Use SharePoint-only Permissions if:
You need read-only users
You need unique permissions for different folders
You want granular control
You don’t want edit access tied to Group membership
Practical Recommendations
1. Always decide the permission strategy before creating the site
Communication site: allows controlled publishing
Team site: collaboration and much more
Pick wrong: permission soup inbound
2. Assign Group Owners intentionally
Group Owners control:
Membership
Team settings
Planner
Pages and permissions
Choose wisely.
3. For most organizations:
Use Group membership for the core team
Assign super users to Group Owners
Assign everyone else in the team to Group Members
Use SharePoint Site Visitors for people who only need to see content on SharePoint
This gives the best blend of control and flexibility.
Still reading this? You must be looking for more! Check out our Best Practice Guide for SharePoint Permissions; it has even more tips for you.
Why Understanding This Matters More Than Ever
Microsoft keeps integrating services across the platform: SharePoint, Outlook, OneNote, Teams, Planner, Loop, Approvals.
The moment you add someone to a Group, you aren’t just giving them access to a SharePoint site: You’re giving them access to an entire Microsoft 365 workspace.
Clarity on roles prevents:
Oversharing
Accidental edits
Broken pages
Security risks
Governance headaches
And in the long run, this leads to better collaboration and cleaner systems without unnecessary complexity and overhead!

