Chad_V_Kealey
Iron Contributor
Oct 23, 2018

Access Requests impacting permissions granted to Azure AD group?

We have a site where we're managing permissions via Azure AD groups (well, local AD groups that sync to Azure). This has been working fine, but recently a couple of users who were going to be added to the AAD group jumped the gun and submitted "access requests" for the site. One was declined, the other is still sitting there. When I go to the Site Permissions and run Check Permissions for their usernames, both come up as "None", despite the fact that they are now in that AAD group; others who were added to that group at the same time DO have access to the site. 

So, it seems like the "access request" process has some kind of impact on the users' access to the site when it is granted via an AAD group. In other words, if a user requests access and it's declined, does that put some kind of block in place that interferes with permissions being "inherited" from the AAD group? If this is the case, how can I fix this (since it seems access requests can't be deleted, which I kind of understand from an audit trail standpoint)? Can I delete them from the Site Collection Users? Well, I know I can, but will that fix this problem?

6 Replies

  • Them being in there as None isn't a Deny, so it shouldn't have an effect on their permissions. If you add them to a group later manually, it'll use the group permission level.
    • Chad_V_Kealey
      Iron Contributor

      ChrisWebbTech wrote:
      Them being in there as None isn't a Deny, so it shouldn't have an effect on their permissions. If you add them to a group later manually, it'll use the group permission level.

      When you say "group", you're talking Azure AD group, or SharePoint group? If I add them to the SP group, then, yes, they have access, but I'm using Azure AD groups because we're also using them to manage access to PowerApps used in the site. To keep things coordinated, we want to ONLY populate the AAD groups and put those groups into the appropriate SP groups.

      • ChrisWebbTech
        MVP
        Either one, it's not a deny, so it's going to use whatever they do have access to over that. So if they are in or added to an AAD group they will be added.

        However, the problem is, if you're noticing that not working, when you add someone to an AD group after they have tried to access the site, there used to be a group caching mechanism on-prem that you would have to recycle the app pool to force it to recheck the group for new members. Not 100% sure if it still does this in Cloud, I think it does, so if you're having issues it's related to that and not so much the request access issue.
