Forum Discussion
site Members vs site Members
Hi ecflyer
If your synced AD security group was named the same as your SharePoint Online group, it would appear identical and could be confusing.
An easy way to tell is by looking at the "type" column. If it says, "SharePoint Group", that is usually the Site group from SharePoint. If it says, "Domain Group", that group is being synced from your AD environment.
The best practice for permissions is to nest AD groups in your SharePoint Online groups and it appears you've done that successfully.
If you were to add members to that SharePoint Online group from the modern menu in your screenshot, it would be adding users directly to the SharePoint Online group, not the AD group. And that's not what you want.
The correct approach is to add users to the AD group only, and then that will sync with SharePoint Online. This approach helps keep permissions clean.
Hope this helps!
-Rob
Hi ecflyer
If your synced AD security group was named the same as your SharePoint Online group, it would appear identical and could be confusing.
An easy way to tell is by looking at the "type" column. If it says, "SharePoint Group", that is usually the Site group from SharePoint. If it says, "Domain Group", that group is being synced from your AD environment.
The best practice for permissions is to nest AD groups in your SharePoint Online groups and it appears you've done that successfully.
If you were to add members to that SharePoint Online group from the modern menu in your screenshot, it would be adding users directly to the SharePoint Online group, not the AD group. And that's not what you want.
The correct approach is to add users to the AD group only, and then that will sync with SharePoint Online. This approach helps keep permissions clean.
Hope this helps!
-Rob
Thanks Rob. I inherited a messy tenant and between security for sensitive lists, list items, sites, and power apps permissions, I'm trying to move toward a more sustainable approach.