How do we avoid Office 365 group based Team channel or SharePoint Team guests/members from editing the SharePoint UI side of things (pages, navigation) while still participating in document library etc? I'm more worried about guests, but team members can cause havoc too.
Example 1: Guests are included in Azure AD. You create a new SharePoint Team site, which creates a new O365 group. When you add Azure AD members and guests to this group, they can all edit the navigation / pages etc. But we just want them to use the site as is.
Example 2: Guest access is on for Microsoft Teams. You create a new Team, guests in Azure AD are included. They use the web app, open the General Team channel and choose "Open in SharePoint". At this point top navigation has the gear for Office 365 to add a page, site contents, site settings, etc. They can do a lot of damage.
What step is necessary to add this restriction? This looks to be the solution: https://sharepointmaven.com/how-to-prevent-team-site-members-from-editing-sharepoint-pages/ But this is from a while back, and not part of the new Microsoft 365 admin UI. Since these are brand new sites, I'm trying to create them as simply as possible without any artifacts or messing up new integration features.
If you have any ideas or have dealt with a similar situation, please advise.
thanks!!
[Edit - here's what worked for me based on alphaz18 suggested answer]:
1) Directly on the entire site collection level eg tenant.sharepoint.com/sites/teamname/ edit site permission levels
2) Remove some list permissions from "Edit": [Manage, add, edit, delete]. Submit.
3) Go back into "Edit" permission, at the bottom of this cloned permission, choose "Copy Permission Level", call new version (e.g.) "EditLists". RE-check the [add, edit, delete] options for this cloned permission level. Submit.
4) Go to a page you want edits to occur in (e.g.) Documents view (/Shared%20Documents/Forms/AllItems.aspx). Click top right gear, choose "Library settings". Click "Permissions for this document library".
5) Break inheritance.
6) For Members group edit user permissions, set to cloned permission (eg) "EditItems"
