Forum Discussion

ecflyer
Copper Contributor
Jul 15, 2025
Solved

site Members vs site Members

In the advanced site permissions of a team site (not associated with a Teams team), there is an item for "site-name Members". There is also a group (SharePoint Group? Microsoft 365 Group?), "site-name Members". This group contains the members that are added to the site from the Add Members button.

I know this should be elementary, but can someone please explain what the difference is and what the first "site-name Members" represents (label, purpose) and the other? Why do there have to be two, and why do I have to add "site-name Members" to the "site-name Members" permission item? Bonus: how does this differ for a communication site? Permissions are so confusing; I'm willing to read details if someone wants to share a link and tell me "you just need to read the MS documentation".

3 Replies

    bl1-6
    Copper Contributor

     

    1. Wouldn't it make them more secure if, at the end of them, the end user were to put in their own code, like a picture or something that you draw? That's unique only to the end user. So if they guessed your passcode, they still wouldn't have that picture, or drawing, or whatever, to be able to access it. I'm not quite sure what I'm trying to say, but I think you understand it. Because if the computer is looking for numbers to get your code, it would never be able to decide the last part, the picture, the drawing, because it's not in this bank to look for. Sorry about posting this on your page. I just didn't know where else to put it.
    RobSoto
    Iron Contributor

    Hi ecflyer

    If your synced AD security group was named the same as your SharePoint Online group, it would appear identical and could be confusing.

    An easy way to tell is by looking at the "type" column. If it says, "SharePoint Group", that is usually the Site group from SharePoint. If it says, "Domain Group", that group is being synced from your AD environment.

    The best practice for permissions is to nest AD groups in your SharePoint Online groups and it appears you've done that successfully.

    If you were to add members to that SharePoint Online group from the modern menu in your screenshot, it would be adding users directly to the SharePoint Online group, not the AD group. And that's not what you want.

    The correct approach is to add users to the AD group only, and then that will sync with SharePoint Online. This approach helps keep permissions clean. 

    Hope this helps!

    -Rob

      ecflyer
      Copper Contributor

      Thanks Rob. I inherited a messy tenant and between security for sensitive lists, list items, sites, and power apps permissions, I'm trying to move toward a more sustainable approach.
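
The check described in Rob's answer (read the Type column, and keep individual users in the AD group rather than in the SharePoint group), as an added PowerShell example that is not part of the thread. The function name `Find-DirectMember`, the group names and the sample rows are constructed; it assumes the "Domain Group" type corresponds to the `SecurityGroup` principal type, and it goes one step beyond the answer by also flagging the tenant-wide "Everyone except external users" claim, which reports the same type.

```powershell
# Added example: classify the members of SharePoint groups by principal type.
function Find-DirectMember {
    [CmdletBinding()]
    param(
        # Needs GroupName, Title, LoginName and PrincipalType properties.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Member
    )
    process {
        $kind = [string]$Member.PrincipalType
        $finding = switch ($kind) {
            'User'          { 'Direct user: add to the directory group instead' }
            'SecurityGroup' {
                # Tenant-wide claims are also reported as SecurityGroup.
                if ($Member.LoginName -like '*spo-grid-all-users*') {
                    'Review: tenant-wide claim, not a scoped group'
                } else {
                    'OK: nested directory group'
                }
            }
            default         { "Review: principal type '$kind'" }
        }
        [pscustomobject]@{
            Group   = $Member.GroupName
            Member  = $Member.Title
            Type    = $kind
            Finding = $finding
        }
    }
}

# Constructed sample rows (not real tenant data); the GUID is a placeholder.
$zero = '00000000-0000-0000-0000-000000000000'
$sample = @(
    [pscustomobject]@{ GroupName = 'Project X Members'; Title = 'Project X Members'
        LoginName = "c:0t.c|tenant|$zero"; PrincipalType = 'SecurityGroup' }
    [pscustomobject]@{ GroupName = 'Project X Members'; Title = 'Alex Example'
        LoginName = 'i:0#.f|membership|alex@example.com'; PrincipalType = 'User' }
    [pscustomobject]@{ GroupName = 'Project X Visitors'; Title = 'Everyone except external users'
        LoginName = "c:0-.f|rolemanager|spo-grid-all-users/$zero"; PrincipalType = 'SecurityGroup' }
)
$sample | Find-DirectMember | Format-Table -AutoSize

# Live site (assumes the PnP.PowerShell module and an existing Connect-PnPOnline session):
# Get-PnPGroup | ForEach-Object {
#     $g = $_.Title
#     Get-PnPGroupMember -Group $_ |
#         Select-Object @{ n = 'GroupName'; e = { $g } }, Title, LoginName, PrincipalType
# } | Find-DirectMember | Where-Object Finding -notlike 'OK*'
```

The first sample row is the situation from the question: a directory group nested inside a SharePoint group of the same name, told apart only by its type.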
