Forum Discussion
Nested AD Group synced to AAD, used for SharePoint Permissions
I'm using a similar structure:
[user] - [department-group] - [resource-group] - [SharePoint resource]
and have similar issues. Sometimes users can access the [SharePoint resource] and a couple of hours later the same user gets an access denied.
Have you found the source of your problem?
- Casper Frank-Stender, Apr 26, 2017, Copper Contributor
We've seen time and again that you can't use groups in groups in SharePoint Online... at least not reliably. So we are using synced AD Groups (that have no nested groups) and granting them the rights directly. This is definitely not how we would have liked to do it, but it seems to be the only thing that works.
In some instances we have used PowerShell to automatically sync users between OnPrem AD Groups and SharePoint Groups. In this scenario you can actually have nested groups in the AD group and just use PowerShell to resolve all the members. It's a bit extensive to do, but in a few instances with too many changes on a regular basis it seems worth the extra effort.
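
One way to script the AD-to-SharePoint group sync described in the reply above, as an added example that is not code from the thread or its participants. It assumes the ActiveDirectory (RSAT) and PnP.PowerShell modules, an existing `Connect-PnPOnline` session to the site, and that each on-prem UPN equals the user's SharePoint Online sign-in name; the function name and the group names in the usage comment are hypothetical.

```powershell
#Requires -Modules ActiveDirectory, PnP.PowerShell
# Added example. Assumes Connect-PnPOnline has already been run against the site
# and that on-prem UPNs match SharePoint Online sign-in names.
function Sync-AdGroupToSPGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$AdGroup,   # on-prem AD group, may contain nested groups
        [Parameter(Mandatory)][string]$SPGroup    # SharePoint group that holds the permission
    )

    # -Recursive flattens nested groups and returns only leaf members.
    # Disabled accounts are dropped so they also lose SharePoint access.
    $wanted = @(Get-ADGroupMember -Identity $AdGroup -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties UserPrincipalName |
        Where-Object { $_.Enabled -and $_.UserPrincipalName } |
        ForEach-Object { $_.UserPrincipalName.ToLower() } |
        Sort-Object -Unique)

    # Fail closed: an empty result is more likely a lookup problem than intent,
    # and acting on it would strip every user from the SharePoint group.
    if ($wanted.Count -eq 0) { throw "No enabled users resolved from '$AdGroup'; aborting." }

    # User logins are claims-encoded (i:0#.f|membership|<upn>); keep the UPN part.
    # Other principals (security groups, system accounts) are never touched.
    $current = @(Get-PnPGroupMember -Group $SPGroup |
        Where-Object { $_.LoginName -like 'i:0#.f|membership|*' } |
        ForEach-Object { ($_.LoginName -split '\|')[-1].ToLower() })

    $toAdd    = @($wanted  | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $wanted })

    foreach ($upn in $toAdd) {
        if ($PSCmdlet.ShouldProcess($upn, "Add to '$SPGroup'")) {
            Add-PnPGroupMember -LoginName $upn -Group $SPGroup
        }
    }
    foreach ($upn in $toRemove) {
        if ($PSCmdlet.ShouldProcess($upn, "Remove from '$SPGroup'")) {
            Remove-PnPGroupMember -LoginName $upn -Group $SPGroup
        }
    }
    # Return the change set so a scheduled run can log who gained or lost access.
    [pscustomobject]@{ Group = $SPGroup; Added = $toAdd; Removed = $toRemove }
}

# Preview the change set before applying it (group names are hypothetical):
# Sync-AdGroupToSPGroup -AdGroup 'RES-Finance-Read' -SPGroup 'Finance Visitors' -WhatIf
```

Anyone added to the SharePoint group by hand is removed on the next run, so the AD group has to be treated as the single source of truth for that permission.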