All insights
ProtectMicrosoft 365How-To Guide

Structuring SharePoint and Teams for a small company: sites, security groups, and inheritance

A practical plan for laying out SharePoint and Teams the right way: sites by team, permissions set at the top and inherited down, sane external-sharing defaults, and a first sensitivity label.

Wired CIOJune 4, 2026
The short version
  • Organize by team site, not one mega-site with deep folder trees.
  • Grant access through Microsoft 365 and security groups, never individuals.
  • Set permissions at the site level and leave inheritance alone.
  • Default external sharing to existing guests and add a first sensitivity label.
Bottom line: Lay SharePoint out by team with permissions set once at the top and inherited down, and most of the usual permission chaos never happens.

When a small company moves to Microsoft 365, the most common mistake is recreating the old file server inside SharePoint: one giant site with folders nested ten deep and permissions set folder by folder. It works for a month, then nobody can find anything and nobody is sure who can see what. This guide is for the owner, office manager, or accidental admin setting up SharePoint and Microsoft Teams for a team of roughly 5 to 75 people. By the end you'll have a site layout organized by team, access controlled through groups, permissions set once at the top and inherited down, external sharing dialed to a safe default, and your first sensitivity label in place.

SharePoint permission inheritance Team site Microsoft 365 group Permissions inherited down Members get access
Set access once at the site; it flows downhill.

Before you start

  • An account with the SharePoint Administrator or Global Administrator role.
  • A rough org chart or a list of your teams and departments (Sales, Finance, Operations, and so on).
  • A decision on who genuinely needs to share files with outside people (clients, vendors, contractors).
  • 45 to 60 minutes.

Step 1: Plan sites by team, not by folder depth

The core idea: each team or department gets its own SharePoint site, and within a site you use a few document libraries and shallow folders, not a deep tree. A site is a security and sharing boundary, so organizing by team means you can grant access to a whole team's content in one place.

  1. Sketch your sites before you build anything. A typical small company lands on something like: Sales, Finance, Operations, HR, and a company-wide Intranet or All Company site.
  2. Plan to keep folders no more than two or three levels deep inside each library. If you find yourself nesting deeper, that content probably belongs in its own library or its own site.
  3. Avoid one mega-site that holds everything. It forces you to break permissions constantly, which is the exact thing you're trying to avoid.
Teams and SharePoint Are Linked

When you create a team in Microsoft Teams, Microsoft 365 automatically creates a connected SharePoint site behind it. So "create a team for Finance" and "create a Finance site" are usually the same action. Files dropped in a Teams channel live in that site.

Step 2: Use Microsoft 365 groups and security groups for access

Don't grant access to individual people. Grant it to groups, then manage who is in the group. There are two group types worth knowing.

  1. A Microsoft 365 group is created automatically with every team and team-connected site. Its members get access to the site, the team, and the shared mailbox and calendar. For most team sites, managing membership of this group is all you need.
  2. A security group (managed in the Microsoft Entra admin center) is a pure access container with no mailbox or team attached. Use security groups when you want to grant the same access across several sites, for example an "All Managers" group.
  3. To manage who is in a team's group, open the team in Microsoft Teams, click the ... next to the team name, choose Manage team, and add or remove members there.

The payoff: when someone joins or leaves a department, you change one group membership and their access follows automatically.

Step 3: Set permissions at the top and inherit down

SharePoint permissions flow downhill. A site's libraries, folders, and files inherit from the site by default, which means you set access once at the site level and everything below follows.

  1. In a site, click the gear icon (Settings) at the top right, then Site permissions.
  2. You'll see three default groups: Owners (full control, keep this tiny), Members (can edit, this is most of the team), and Visitors (read-only).
  3. Add your Microsoft 365 group or security groups to the appropriate level. Put the department's group in Members, put read-only stakeholders in Visitors, and keep Owners to one or two trusted admins.
  4. Leave libraries and folders inheriting from the site. Don't touch their individual permissions.
Don't Break Inheritance

Breaking inheritance (setting unique permissions on a single folder or file) is the number one cause of SharePoint permission chaos. Every place you break inheritance becomes a separate thing to track and audit. If you think you need unique permissions on a folder, that's usually a sign the content belongs in its own site instead.

Step 4: Set external-sharing defaults

External sharing controls whether people outside your company can be given access to files. The right setting is restrictive by default, loosened only where needed.

  1. Go to the SharePoint admin center at https://admin.microsoft.com, then open SharePoint from the admin centers list (or go directly to the SharePoint admin center).
  2. In the left navigation, choose Policies > Sharing.
  3. Set the organization-level external sharing slider to New and existing guests for most businesses. This requires outside people to sign in, so you always know who has access. Avoid Anyone (anonymous links) unless you have a specific reason.
  4. You can set individual sites to be more restrictive than the org default. A Finance site, for example, can be set to Only people in your organization even if the company default allows guests.
  5. If only certain staff should share externally, use the option to limit external sharing to specific security groups.

Step 5: Apply your first sensitivity label

Sensitivity labels let you tag a site or its content with a classification (like "Internal" or "Confidential") and attach rules, such as blocking external sharing on labeled content. Starting with one label is enough.

  1. Go to the Microsoft Purview portal at https://purview.microsoft.com and open Information Protection > Sensitivity labels.
  2. Click Create a label. Name it something plain like "Confidential."
  3. On the scope step, include Groups & sites so the label can apply to SharePoint sites and Teams, not just files.
  4. Set the protection: for a first label, configure it to block or warn on external sharing for sites that carry the label.
  5. Publish the label by adding it to a label policy that targets your users, then apply it to your Finance or HR site as a test.

Verify your setup

  • From a member's account (or a test account), open a team site and confirm they can see the files they should and can't see another department's site.
  • Try to share a file from a labeled, restricted site to an outside email address and confirm the system warns or blocks as expected.
  • In Site permissions on each site, confirm Owners is small, Members maps to the right group, and you didn't accidentally add individuals.

What to do next

With the structure in place, your next moves are tidying up any old shared drives you migrated and planning how new sites get created so the layout stays clean (consider turning off self-service site creation so things don't sprawl). If you're staring at an inherited mess of broken permissions and mystery folders, untangling it safely is a common project for us. We can map your current setup, design the site and group structure, and migrate without breaking anyone's access.

Filed under
How-To Guide
Read more insights
Free strategy session

See where you stand. Then move forward.

Book a free intro call. We'll talk through where you are today and map a strategic plan for growth, protection, automation, and alignment.

A 30-minute discovery call, no obligationA full team of specialists at a fraction of in-house costA clear next step before you spend a dollar
Loading scheduler…