M365 groups, Azure AD groups, and SharePoint permissions
Before we talk about the implications of M365 groups on SharePoint permissions, let’s outline some definitions of how permissions work in our sites. SharePoint manages access through groups defined within the service itself. These groups are mapped to a granular set of permissions that indicate what can or can’t be done by someone who is part of that group. While it is possible for a person to be granted direct permissions to a site, adding them to a group with defined access is preferred and is the best practice.
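To check a site against that practice, the sketch below is an added example (not from the original article) that sorts a site's role assignments into SharePoint groups, directory groups, and direct user grants. It assumes JSON shaped like the SharePoint REST response for /_api/web/roleassignments?$expand=Member,RoleDefinitionBindings with odata=nometadata; the sample data, principal names, and function name are constructed for illustration.

```python
import json

# PrincipalType values SharePoint reports for role-assignment members.
PRINCIPAL_TYPES = {1: "User", 2: "DistributionList", 4: "SecurityGroup", 8: "SharePointGroup"}

# Constructed sample (hypothetical site and principals), not real tenant data.
SAMPLE = json.loads("""
{"value": [
 {"Member": {"Title": "Project X Owners", "PrincipalType": 8},
  "RoleDefinitionBindings": [{"Name": "Full Control"}]},
 {"Member": {"Title": "Project X Members", "PrincipalType": 8},
  "RoleDefinitionBindings": [{"Name": "Edit"}]},
 {"Member": {"Title": "Project X Visitors", "PrincipalType": 8},
  "RoleDefinitionBindings": [{"Name": "Read"}]},
 {"Member": {"Title": "Dana Example", "PrincipalType": 1},
  "RoleDefinitionBindings": [{"Name": "Contribute"}, {"Name": "Limited Access"}]},
 {"Member": {"Title": "Lee Example", "PrincipalType": 1},
  "RoleDefinitionBindings": [{"Name": "Limited Access"}]},
 {"Member": {"Title": "Finance Team", "PrincipalType": 4},
  "RoleDefinitionBindings": [{"Name": "Read"}]}
]}
""")

def audit_role_assignments(payload):
    """Bucket site-level role assignments by the kind of principal that holds them."""
    report = {"sharepoint_groups": [], "directory_groups": [], "direct_users": []}
    for assignment in payload.get("value", []):
        member = assignment.get("Member", {})
        kind = PRINCIPAL_TYPES.get(member.get("PrincipalType"), "Unknown")
        # "Limited Access" is added by SharePoint itself when a single item is
        # shared, so it is ignored here (a choice made for this example).
        levels = sorted(b["Name"] for b in assignment.get("RoleDefinitionBindings", [])
                        if b.get("Name") != "Limited Access")
        if not levels:
            continue
        entry = {"principal": member.get("Title"), "type": kind, "levels": levels}
        if kind == "SharePointGroup":
            report["sharepoint_groups"].append(entry)
        elif kind == "User":
            report["direct_users"].append(entry)  # the case the article advises against
        else:
            report["directory_groups"].append(entry)
    return report

if __name__ == "__main__":
    for bucket, entries in audit_role_assignments(SAMPLE).items():
        print(bucket, [(e["principal"], e["levels"]) for e in entries])
```

Entries under direct_users are the ones to move into a group with the matching permission level.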
These groups are maintained at the site level. This means that when we used subsites, it was really the site collection where all our groups were kept, even if a group was only used on one subsite. With hub sites, each site maintains its own unique set of permissions, so no site depends on a hub to keep track of its access lists. The boundaries of permission groups are site...