Access denied while processing pending access requests in SharePoint online for users with full control

Site owner or a user with full control gets access denied while processing pending access requests in SharePoint online. Even if the user is part of Owners group for the site and Owners group is set to receive & process access requests.

Issue :

This issue arises if we do not properly assign default access groups to SharePoint online site. If default site groups are deleted, the association between default Visitor, Member & Owners group will be lost to the site. Every site should have a default Owner, Member and Visitor group assigned to function properly. Now i understand why experts suggest not to delete default SharePoint groups.

Resolution:

Luckily, even after deleting default groups, you can still set custom groups as defaults to site by browsing to this URL

https://domain.sharepoint.com/sites/sitename/_layouts/15/permsetup.aspx

Default SharePoint groups - permsetup.aspx

You can either pick one of the existing groups or create new group to set as defaults.

Note: Default Members group will be assigned ‘Edit‘ permission level which is Contribute + Delete list permission. This kind of sounds scary. I usually update the Members group to have just Contribute access and not Edit.

Now you have default groups setup and everything is set to work, but it doesn’t yet, here is the catch, even though you assign defaults group later, your custom Owners group will not be provided access to ‘Access requests’ list. You have to manually add Owners group to have access to access requests list. Unfortunately there is no easy way to get to permissions screen for access requests list. You need to put of your developer hat and press F12 to fire up the Developer tools window.

  1. Browse to the Access requests list. You need to be site collection admin to open this page as our Site owners are struggling to access this list now, which we eventually are going to fix.
  2. Select Network tab, start tracking by clicking on green triangle. Refresh the page to capture traffic. Stop tracking by selecting red square button.Developer tools
  3. In the network tab, select the first URL that contains pendingreq.aspx.pending access requests
  4. Click on body and select response body.network trace response body
  5. Search for pageListId and capture the GUID.

We use this GUID to access ‘Access request’ list. You will be done with using developer tools now. Open up a new browser and browse this URL

https://domain.sharepoint.com/sites/sitename/_layout/15/ListEdit.aspx?List=GUID

Use the GUID you copied earlier. Replace this domain and site name with your domain and site name.

This should open the list settings page where you can update the permissions for this list and add Site owners to have full control on this list. That should solve the problem and let Owners approve/deny permission requests. All of this can be avoided if you do not delete default groups and just use them!