Forum Discussion
Access Requests impacting permissions granted to Azure AD group?
- Chad_V_Kealey, Oct 23, 2018, Iron Contributor
ChrisWebbTech wrote:
Them being in there as None isn't a Deny, so it shouldn't have an effect on their permissions; if you add them to a group later manually, it'll use the group permission level.

When you say "group", you're talking Azure AD group, or SharePoint group? If I add them to the SP group, then, yes, they have access, but I'm using Azure AD groups because we're also using them to manage access to PowerApps used in the site. To keep things coordinated, we want to ONLY populate the AAD groups and put those groups into the appropriate SP groups.
- Oct 23, 2018
Either one, it's not a deny so it's going to use whatever they do have access to over that. So if they are in or added to an AAD group they will be added.
However, the problem is, if you're noticing that not working, when you add someone to an AD group after they have tried to access the site there used to be a group caching mechanism on-prem that you would have to recycle the app pool to force it to recheck the group for new members. Not 100% sure if it still does this in Cloud, I think it does, so if you're having issues it's related to that and not so much the request access issue.
- Chad_V_Kealey, Oct 23, 2018, Iron Contributor
ChrisWebbTech wrote:
However, the problem is, if you're noticing that not working, when you add someone to an AD group after they have tried to access the site there used to be a group caching mechanism on-prem that you would have to recycle the app pool to force it to recheck the group for new members. Not 100% sure if it still does this in Cloud, I think it does, so if you're having issues it's related to that and not so much the request access issue.

This sounds like the case (the group caching mechanism part). The question is how do I recycle the app pool in SPO? Or, if that's not possible/practical, how do I get the same effect (e.g.: remove them from the site collection users to "flush" them from the site)? I have tried removing the AAD group from the site and re-adding it. Also, if I add it to another site collection, those two users show up with the appropriate access, so it's something specific to that site collection (leading me to suspect removing from the site collection users may do the trick, but I've always used that as a solution of last resort).