Can i manage Sharepoint Online Permissions with AD?

Question

Morning.We use Office 365 with a hybrid set up. We create our Security / distribution gruops in our On prem Exchange which then syncs to O365. I want to use Security groups in our On prem AD to control security groups in SharePoint online.When i try to add people to SPO groups (members, owner, visitor o a new created group) i can only see individual users, or already existing SharePoint sites.I read in different forums people is able to do it but haven't been able to find how to do it.If anybody has any information please...&nbsp;thank you

kevinmckeown8 · Answer

The Sharing functionality in SharePoint/OneDrive/Teams uses SharePoint Security Groups to give people access to items that have been shared. It creates a new SharePoint Security Group every time a new Sharing link is created for an item. You might want to consider that before you spend too much time worrying about SharePoint permissions in the first place.

However, if you are going to try using AD security groups to manage access and permissions to SharePoint sites, one good approach is to use a combination of SharePoint Security Groups plus AD Security Groups inside of those SharePoint Security Groups.

For example, every SharePoint site comes with three SharePoint Security Groups - Owners (Full Control), Members (Edit), and Visitors (Read). You should put your AD Security groups inside one of these default SharePoint Security Groups.

kevinmckeown8 · Answer

I would again suggest understanding the Share functionality in SharePoint before getting too far into trying to control access and permissions via groups.However, if your situation calls for using AD Security Groups and SharePoint Security Groups, I don't see a problem in using them. I have created SharePoint Security Groups for a specific List or Library if I needed to give people a different level of permissions to that particular list or library.For example, if our HR department has Read access to most of a SharePoint site, they will be in the SharePoint Visitors group to give them that access. But then if I need the HR department to have Edit access to a specific HR Document Library, I would probably create a SharePoint Security Group specifically for assigning Edit permissions on that HR Document library and then add the HR department to that group.SharePoint Online has made it a little more difficult to get to the Groups page in site settings to create a new SharePoint Security Group, but you can still get there when needed.

jcgonzalezmartin · Answer

Yes, but you need to sync your local AD with Azure AD through Azure AD Connect

mvc_user · Answer

Thank you for the info. that is what we expected.
Can you recommed any literature or pages with information on how to best manage security / access / permission groups in sharepoint? there are some many different opinions that i am getting a bit confuse (to create my onw user groups or use Member / owner groups in sharepoint for example) thank you

mvc_user · Answer

That is great thank you very much for your reply.We were thinking of using the existing AD groups and as you said, add them to the security groups in SP.Regarding Security Groups in SP, is it still not recommended to create customised Security Groups? (for example, if i want somebody to have visitor permissions for most things but want them to be able add items to a list)?Thanks again

Forum Discussion

Can i manage Sharepoint Online Permissions with AD?

5 Replies

Resources