Forum Discussion
Nested AD Group synced to AAD, used for SharePoint Permissions
Hi, I need some guidance on how synced and nested AD groups work in SharePoint Online.
I have my usual on-prem organizational AD groups (Domain Global) for departments.
Then I have target-specific permission groups (e.g. SP_SITENAME_PERMISSIONLEVEL), which are Domain Local.
Global Groups are then members of Domain Local Groups.
All those groups are then synced to AAD (with AAD Connect).
They (e.g. the sp_sitename_permissionlevel group) are selectable within SharePoint Online Permissions, but the original members of the Domain Global group do not have the desired permissions.
When I check permissions for a specific user, I just got "Limited Access".
When I check the Domain Local Group in the Office 365 Admin Console, it properly shows the original Domain Global Groups as a member.
Is this scenario supposed to work with SharePoint Online? I know it worked back in 2013 onPrem.
4 Replies
- Sjoerd Buurman (Copper Contributor)
I'm using a similar structure:
[user] - [department-group] - [resource-group] - [SharePoint resource]
and have similar issues. Sometimes users can access the [SharePoint resource] and a couple of hours later the same user gets an access denied.
Have you found the source of your problem?
- Casper Frank-Stender (Copper Contributor)
We've seen time and again that you can't use groups in groups in SharePoint Online... at least not reliably. So we are using synced AD groups (that have no nested groups) and granting them the rights directly. This is definitely not how we would have liked to do it, but it seems to be the only thing that works.
In some instances we have used PowerShell to automatically sync users between OnPrem AD Groups and Sharepoint Groups. In this scenario you can actually have nested groups in the AD group and just use PowerShell to resolve all the members. It's a bit extensive to do, but in a few instances with too many changes on a regular basis it seems worth the extra effort.
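The PowerShell approach described above, written out as an added example that is not from the thread or from Microsoft: flatten the nested on-prem group with Get-ADGroupMember -Recursive, then reconcile the result against a SharePoint Online group using the SharePoint Online Management Shell. Group names and the site URL are placeholders; it assumes the ActiveDirectory and Microsoft.Online.SharePoint.PowerShell modules are installed and that Connect-SPOService has already been run as a SharePoint administrator.

```powershell
# Added example (not from the thread): mirror a nested on-prem AD group into an SPO group.
# Placeholders: group names and site URL. Assumes Connect-SPOService has already been run.
param(
    [string]$AdGroup  = 'SP_SITENAME_PERMISSIONLEVEL',   # Domain Local group that nests Global groups
    [string]$SiteUrl  = 'https://contoso.sharepoint.com/sites/SITENAME',
    [string]$SpoGroup = 'SITENAME Members',               # SharePoint group carrying the permission level
    [switch]$DryRun                                       # report changes without applying them
)
Import-Module ActiveDirectory
Import-Module Microsoft.Online.SharePoint.PowerShell

# -Recursive walks the Global -> Domain Local nesting and returns leaf principals;
# keep only enabled user accounts that actually have a UPN (disabled accounts are dropped).
$desired = @(Get-ADGroupMember -Identity $AdGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties UserPrincipalName, Enabled } |
    Where-Object { $_.Enabled -and $_.UserPrincipalName } |
    ForEach-Object { $_.UserPrincipalName.ToLowerInvariant() } |
    Sort-Object -Unique)

# Guard: an empty or failed AD lookup must never strip every member from the site.
if ($desired.Count -eq 0) { throw "No enabled users resolved from '$AdGroup'; refusing to reconcile." }

# Current SPO group membership. Only UPN-style logins are managed; group claims are left untouched.
# LoginName may come back claim-encoded ("i:0#.f|membership|user@contoso.com"), so keep the last segment.
$current = @(Get-SPOUser -Site $SiteUrl -Group $SpoGroup -Limit All |
    ForEach-Object { ($_.LoginName -split '\|')[-1].ToLowerInvariant() } |
    Where-Object { $_ -like '*@*' } |
    Sort-Object -Unique)

$toAdd    = @($desired | Where-Object { $_ -notin $current })
$toRemove = @($current | Where-Object { $_ -notin $desired })

foreach ($upn in $toAdd) {
    Write-Host "ADD    $upn -> $SpoGroup"
    if (-not $DryRun) { Add-SPOUser -Site $SiteUrl -Group $SpoGroup -LoginName $upn | Out-Null }
}
foreach ($upn in $toRemove) {
    Write-Host "REMOVE $upn <- $SpoGroup"
    if (-not $DryRun) { Remove-SPOUser -Site $SiteUrl -Group $SpoGroup -LoginName $upn }
}
Write-Host ("Done: {0} added, {1} removed, {2} unchanged." -f $toAdd.Count, $toRemove.Count, ($desired.Count - $toAdd.Count))
```

Run it with -DryRun first to review the diff, then schedule it without the switch; because it reconciles against the flattened AD membership on every run, removals from the on-prem group propagate to the site instead of leaving stale access behind.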
- Ivan54 (Bronze Contributor)
Is it possible that SharePoint permissions just take way longer than expected to calculate if applied through AD groups?
I have just remembered this behaviour. What's the timer job schedule on permission calculations in SP Online?
- Brent Ellis (Silver Contributor)
I'll have to check my environment, but I am pretty sure we are doing this in a couple places.
The only time restriction I have seen is waiting for the dirsync to occur; outside of that, I've always seen that level of permissions to be pretty instant.
Do your groups have actual "Display Names" in AD? I have seen where sometimes that is left out and those do not work in SPO without a Display Name field.