Forum Discussion
Rob-CTL (Iron Contributor)
Aug 20, 2017
SharePoint Online with AAD Security Groups - Broken?
Hi,
I've got an odd one today. SharePoint Online team site that has 2 custom SharePoint groups created. Within each of these groups there is a single AAD security group. This AAD security group has a number of users as members. From SharePoint you can do a permissions check on a user that is a member of the AAD security group and they resolve and show the permission they have on the site and that they are a member of the SharePoint group that the AAD security group is a member of. Happy days.
Now, if I remove a user from the AAD security group and then check the permission for that removed user in SharePoint using the permission check they still show as a member of the SharePoint group. I hoped this might be a timing thing but after a number of hours the user still appears to have access to SharePoint.
Just to be sure I added a new user to the AAD security group and after a minute or so I could run a permission check against their user name in SharePoint.
So it appears that adding users is working fine but the sync isn't detecting users that have been removed.
- Rob-CTL (Iron Contributor)
Ok, looks like I've fallen foul of the caching on the "Check Permission" button. It appears this info is about as reliable as a chocolate fireguard and although the info I've found suggests it is updated when a user logs in this doesn't seem to be the case. It is a pain because you have to "trust" the permissions are right that have been set; knowing how complicated SharePoint permissions can be, this is a bit of a leap of faith.