As part of the Unite Migration, permissions for SharePoint sites and Microsoft Teams will be migrated at the root level, and permissions to folders and files on the site/Team will be inherited from these root-level permissions.
[Figure: content in the legacy environment compared with migrated content in NHS.net]
We will not be migrating unique permissions set on specific folders or files in SharePoint sites and Microsoft Teams.
Any folders that are locked down to a specific audience in the current SharePoint site will be accessible to site-level members after migration, unless they are re-secured. This introduces an Information Governance risk, as sensitive content could become visible to unintended users.
Sub-sites and private channels will be migrated with their individual “top-level” permissions, separate from the root site.
Why this happens?
Many migration tools do not carry over granular permissions at the folder level. Instead, permissions default to those set at the site level in the destination environment. This is in line with Microsoft’s best practice of keeping sensitive documents in a separate location or document library.
This means if a folder was previously restricted to a small group, those restrictions must be manually reapplied post-migration — or the content should be moved to a more appropriate solution before migration.
What organisations will need to do?
We understand that this may cause concern; however, this approach will not be a barrier to your organisation joining the Unite Programme. Before migration, we recommend site owners follow one of the following three options to secure sensitive files:
- Create private channels within Teams and/or separate SharePoint sub-sites for sensitive or restricted documents, which offer built-in restricted access. Private channels and sub-sites will be migrated with their individual site-level permissions, separate from the root site or team.
- Create separate Teams or SharePoint sites entirely and move sensitive content to these private spaces ahead of the migration.
- Agree to move content with site-level permissions. Post switchover, reconstruct permissions as needed at the root level. This is not a recommended approach as it requires additional time and effort and may introduce an IG risk.
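
To decide which of these options applies, site owners first need to know which folders and files currently have unique permissions. The script below is an added example, not Unite Programme tooling: it assumes the PnP.PowerShell module and a SharePoint Online source site, and `$SiteUrl` and `$ReportPath` are placeholders. It lists every file and folder in the site's document libraries where inheritance has been broken, together with who has access today.

```powershell
# Added example, not Unite Programme tooling. Assumes the PnP.PowerShell module
# and a SharePoint Online source site; $SiteUrl and $ReportPath are placeholders.
param(
    [Parameter(Mandatory)] [string] $SiteUrl,
    [string] $ReportPath = '.\unique-permissions.csv'
)

Import-Module PnP.PowerShell
# Recent PnP.PowerShell releases also need -ClientId for your own app registration.
Connect-PnPOnline -Url $SiteUrl -Interactive

# Document libraries only (BaseTemplate 101), skipping hidden system libraries.
$libraries = Get-PnPList | Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }

$report = foreach ($library in $libraries) {
    foreach ($item in (Get-PnPListItem -List $library -PageSize 500)) {
        # True when inheritance from the parent has been broken on this item.
        $unique = Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments
        if (-not $unique) { continue }

        # Load each assignment's principal and roles to record who has access today.
        $assignments = Get-PnPProperty -ClientObject $item -Property RoleAssignments
        $access = foreach ($assignment in $assignments) {
            Get-PnPProperty -ClientObject $assignment -Property Member, RoleDefinitionBindings | Out-Null
            $roles = ($assignment.RoleDefinitionBindings | ForEach-Object Name) -join '+'
            # "Limited Access" (English role name) only marks a pass-through to a deeper item.
            if ($roles -ne 'Limited Access') { '{0} ({1})' -f $assignment.Member.Title, $roles }
        }

        [pscustomobject]@{
            Library       = $library.Title
            Type          = $item.FileSystemObjectType   # File or Folder
            Path          = $item.FieldValues['FileRef']
            CurrentAccess = $access -join '; '
        }
    }
}

$report | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8
'{0} item(s) with unique permissions written to {1}' -f @($report).Count, $ReportPath
```

Each row in the report is content that will become visible to all site-level members after migration unless it is moved to a private channel, sub-site or separate site beforehand, or re-secured afterwards.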



