Does this sound right to you? I’m still trying to wrap my head around it and to understand exactly what the reasoning behind such “functionality” is.
First, a short intro I guess. I ran across this issue yesterday while browsing the Office 365 community forums, and in particular this thread. Working in a small company with a strong focus on SharePoint means that I rarely get to use Groups in my day-to-day work, as we stick to the good old SP document libraries instead. So initially I assumed that I had just overlooked this tiny little detail, but once I was able to reproduce the behavior and still couldn’t see the use case for it, I started asking around. Apparently this wasn’t a surprise only to me, as others on the Yammer network expressed the same concern about the “feature”.
Here are the technical bits as well. It seems that once a Public group is provisioned, the “Everyone except external users” group/claim is added to the group’s “Members” SharePoint group, in effect granting every person in the company the Edit permission level on every single file stored in the group’s library. That’s right, the Edit permission level. So every single user in the company can just browse the group list, select a random Public group, click the Files link in the Group card and then do as they please with all the content stored in the group library. And repeat the process for every other Public group. I can only imagine the sort of havoc a determined user could create with this 🙂
Personally, I think the “Everyone except external users” claim should’ve been added to the Group Visitors group instead, at least this is the approach that actually makes sense to me. In this way people would still be able to access files from public groups they don’t belong to, and should they need to edit such a file, they could ask the relevant group owners to either add them to the group or give them explicit permissions. Microsoft’s representatives on the other hand seem to disagree with this, and have confirmed that everyone being granted Edit access is the expected behavior. You can join the discussion in this Yammer thread. For what it’s worth, I’ve created a UserVoice item for this as well.
Note that this applies only to Public groups; Private groups are ACL-ed to their direct group members only.
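To find out how exposed a tenant is, the following audit script (an added example, not part of the original post) lists every Public group whose associated Members group contains the “Everyone except external users” claim, and can optionally move the claim to the Visitors group as suggested above. It assumes the Exchange Online and PnP.PowerShell modules, a tenant admin account, and the `c:0-.f|rolemanager|spo-grid-all-users/` login-name prefix that SharePoint Online uses for that claim; `$Remediate` is a hypothetical switch of this script.

```powershell
# Added audit example; not code from the original post.
# Assumes the ExchangeOnlineManagement and PnP.PowerShell modules are installed
# and that the signed-in account is a SharePoint/Exchange tenant admin.
# Newer PnP.PowerShell releases also require -ClientId on Connect-PnPOnline.
$Remediate = $false   # set to $true to move the claim from Members to Visitors

# Login-name prefix of the "Everyone except external users" claim;
# the tenant id follows the trailing slash, so match on the prefix only.
$everyoneClaimPrefix = 'c:0-.f|rolemanager|spo-grid-all-users/'

Connect-ExchangeOnline
# Only Public groups are affected; Private groups are scoped to direct members.
$publicGroups = Get-UnifiedGroup -ResultSize Unlimited |
    Where-Object { $_.AccessType -eq 'Public' -and $_.SharePointSiteUrl }

$findings = foreach ($grp in $publicGroups) {
    Connect-PnPOnline -Url $grp.SharePointSiteUrl -Interactive

    # The associated Members group is the one that carries the Edit level.
    $membersGroup = Get-PnPGroup -AssociatedMemberGroup
    $claim = Get-PnPGroupMember -Group $membersGroup |
        Where-Object { $_.LoginName -like "$everyoneClaimPrefix*" }

    if ($claim) {
        [pscustomobject]@{
            Group     = $grp.DisplayName
            SiteUrl   = $grp.SharePointSiteUrl
            Finding   = "'Everyone except external users' is in '$($membersGroup.Title)'"
            Remediated = $false
        } | ForEach-Object {
            if ($Remediate) {
                # Demote the claim to the Visitors (Read) group, as argued above.
                $visitorsGroup = Get-PnPGroup -AssociatedVisitorGroup
                Add-PnPGroupMember -LoginName $claim.LoginName -Group $visitorsGroup
                Remove-PnPGroupMember -LoginName $claim.LoginName -Group $membersGroup
                $_.Remediated = $true
            }
            $_
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it first with `$Remediate = $false` to get the inventory, and treat the remediation as a policy decision for each group, since Microsoft has confirmed the Edit grant is the intended default.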