Users get ‘Access Denied’ trying to browse a new Team Site.

Office 365 Community Blog

Users get ‘Access Denied’ trying to browse a new Team Site.

Are they added in SharePoint groups?


When you first setup Office 365, certain web sites and management pages are created for you. For example, you’ll automatically see the Admin Overview page that appears on the Office 365 Portal – it’s one of many pages and sites automatically made during setup. Likewise, when SharePoint Online finishes setup, you’ll automatically see a Team Site created for your use.


Most Administrators will begin on the Admin Overview page of the Office 365 Portal by adding users to Office 365. However, many do not know that this does not add those users into SharePoint Online and its security model. If you have added users in Office 365, it is a first important step, but you’ll need to begin adding users to SharePoint groups for them to access your site collections.


 There are three decisions to make:


1.    Who do I want to administer to the entire site collection (that is, the site, and all of the subsites) as my site collection administrator?

2.    Does my site collection administrator need a back-up or ‘secondary’ site collection administrator?

3.    What SharePoint permissions should the majority of my users have to the site (should most be able to read the content of the site, or should most be able to contribute to the content)? 


In other words, once you’ve finished adding users into Office 365 itself, you should determine who the primary and secondary site collection administrators will be, and consider what kind of SharePoint access the bulk of your SharePoint users will need. This latter point – user security and SharePoint group membership – must be refined as you develop your site.


Site collection administrator is a powerful role inside of SharePoint Online. The person given this right has powers from the topmost site in the site collection, right down to every item in the furthest subsite of the site collection. Give this access to only a few of your users.


1.    Log in to the portal ( by using an account that has SharePoint Online Administrator, or Global Administrator (of Office 365) permissions for your organization.

2.    Click the Admin tab, and then click the Manage link under SharePoint Online. This opens the SharePoint Online Administration Center.

3.    Click Manage site collections. When you do this, you will see the full list of site collections.

4.    Click to select the check box next to the Team Site (or whatever site is causing you the ‘Access Denied’). For example, the Team Site, which has a URL like, where YourDomain represents the domain that you use for your tenant.

5.    Click Owners in the Ribbon at the top of the list of site collections, and then click Manage Administrators.




6.    In the dialog box that appears, add the account or accounts you chose for primary and secondary site collection administrator. When the accounts are successfully validated, click OK to save the changes.




Once the Global Administrator, or SharePoint Online Administrator, has completed those steps, they can either choose to:


1.    Set permissions for the remaining users on the Team Site themselves (they simply have to list themselves among the site collection administrators and gain access to the site in order to do this).

2.    Allow the site collection administrator to add the remaining users to SharePoint groups on the Team Site (this is part of the site collection administrator’s role, in fact).


Here are the steps you’ll need to give all the other users in your company access to the new site:


1.    Browse to your Team Site, which is located at

2.    On the Team Site, click Site Actions, click Site Settings, and then click People and Groups.

3.    On the left hand side of the page, you’ll see a list of Groups. Find the link for the Team Site Members group or the Team Site Visitors group.  If you want your users to contribute to Content, click and add them to a group like Team Site Members. If you want them to read, click Team Site Visitors. Click New, and then click Add Users.



NOTE  Just so you know, the menu on the left of the screen marked ‘Groups’ is in an area that’s known as the ‘Quick Launch’. If you look at the bottom of the groups listed on the Quick Launch, you’ll see ‘More…’. Click on this item if you’d like to see all the groups available, along with descriptions that outline the difference between them. I’ll paste a sample graphic below.

In most cases, administrators will want to add batches of users to the SharePoint groups and rely on a plan that incorporates the list of SharePoint groups, what they do, and what they need specific users to access on the site. However, if you wanted to open the Team Site to collaboration by all your users, you could click to choose Team Site Members and do the following:


1.    Click New in the menu and then Add Users.

2.    Type All Users in the text box, and then click Check Names (that’s the small icon of the person and blue check mark you will see at the bottom right of the Users/Groups text box – it’s right next to the book icon for ‘Browse’). 




3.    Clicking on Check Names allows you to validate that the entry you made is a group name SharePoint Online recognizes. A valid group will show an underline. Click OK at the bottom of this dialog box.



To test permissions, ask anyone in your organization to log on to the site from the Microsoft Office 365 portal page to confirm that they have access. If you have added them as a Team Site Member, they should be able to upload a document into a library, add an item to a list, or update existing items. They can also delete, so remember to plan your user permissions accordingly.



    "However, many do not know that this does not add those users into SharePoint Online and its security model."

    This is a fracking huge bombshell that needs to be clearly told to people.

    I created a throwaway user when I signed up for the service. Imported / migrated my email and users over. Then assigned admin rights to two of those users. Never was it explained to me that only the original user would have complete admin rights and that the two I elevated to admin would be gutted to only admin non sharepoint items. Had I known this piece of very important information, I would have kept that original account around.

    Fix this quickly as I am paying for a service that I am not able to fully utilize. How do I fix my blown account?

  • 対象: Office 365 for Professional and Small Business , Office 365 for Enterprise

    【Office 365 のユーザー設定だけでなく

  • M.E. thanks for your reply.

    If you've deleted the original account with which you setup your SharePoint Online site and are having issues with your new Global Administrators right now, you shouldn't hesitate to file a service request, for sure. This is commonly a problem handled through support. I also agree that more people should be told about the fact adding users into Office 365 doesn't add them to SharePoint Online in the Enterprise version; it's more like the equivalent of adding users to Directory Services in the Cloud, in fact. Some information on the permissions differences and similarities between workloads had been published prior to this in a FAQ ( but I feel like the more we spread this knowledge around, the better.

    This is a community blog link with information specific to deleting the original Global Administrator:

    Just to be sure you've tried everything, remember that new Global Administrators will be able to reach the SharePoint Online Administration pages in Office 365 for Enterprises. From here, they can add themselves as site collection administrators using the Owners button. This will give them administrator access to a site collection (it's called 'taking ownership of a site collection'). However, if you're having severe problems after deleting the original account, I would head straight to service request!

    This link talks more about how to add a site collection owner, which you can do if a global administrator needs to look at the content of a site collection, for example, but it also goes into how to add users to a standard SharePoint group:

    I'd also like to make it known that, in terms of SharePoint Online for Small Businesses, there are a couple of built-in Directory Groups that help to tackle this issue:

    One group is called Tenant_Users and it contains all users you add into the directory in Office 365. Tenant_Users is granted the Enhanced Contribute permission level. If this permission level is just too high/gives too much access by default, you should go to your site collection and change the permission level of the group to better suit your needs (remember, you can also make custom permission levels).

    There's also a Company Administrator domain group in SPO for Small Businesses. If you make a Global Administrator in Office 365, for example, you can expect that user to be added into this group by default. This domain group is added to the Owners SharePoint group in your team site collection.

    Finally, here's some useful video-information on permissions in SPO that I hope will be helpful to you:

Page 1 of 1 (3 items)