Mar 03 2020
05:02 PM
- last edited on
Jul 24 2020
01:19 AM
by
TechCommunityAP
Mar 03 2020
05:02 PM
- last edited on
Jul 24 2020
01:19 AM
by
TechCommunityAP
There is a list in a SharePoint site. I want to permit a guest to create and to modify list entries (i.e., “contributor” rights). The guest person is already a guest user object in AAD. I’ve broken permissions between the list and its site.
1. When I try to give the guest user permission from the list settings/permissions page, the dialog cannot identify the person. (I could add their e-mail address here, but since SPO didn’t recognize the name or address as a guest user’s, I’m concerned that SPO wouldn’t connect the two pieces of data and so I wouldn’t be able to control the person generally from AAD.)
2. When I create a group in AAD with the guest user as a member, SPO does not recognize the group when I try to give the group permission from the list settings/permissions page.
3. I can create a group at the SPO subsite level to give that group permission from the list settings/permissions page, but I couldn’t add the AAD guest user as a member.
So:
A. How should I be giving this AAD guest user Contributor privileges to one specific SPO list?
B. How should I be giving an AAD group of AAD guest users access to one specific SPO list or document library?
Mar 03 2020 05:31 PM
Mar 04 2020 06:41 AM
1. The AAD guest user account is not recognized by SPO in the permission-granting dialog, when I enter the name or e-mail prefix. (Did you mean something else?)
2. The domain group (AAD security group) in which the guest user is a member is recognized by SPO in the permission-granting dialog. Yesterday I might not have waited long enough for the data to sync on Msft's side.
From some testing, one explanation that appears possible, if not reasonable, is that domain security groups will be recognized, but that individual guest users will be recognized only if they have already accessed SPO resources through a file or folder sharing invitation. Is that possible?
Mar 04 2020 06:47 AM
Mar 04 2020 07:04 AM
When I try to add this user by their e-mail address, SPO won't recognize it or allow me to click or tab out of the field. (I thought I had done this successfully yesterday, but perhaps not.) See the attached image.
Mar 04 2020 07:23 AM
Mar 04 2020 07:40 AM - edited Mar 04 2020 01:36 PM
In SPO: "New and Existing Guests" is the sharing setting for both the organization and the root-level site that all of the sites/lists I tested are part of. (Rambling sentence, but hopefully clear.)
In AAD: Under "External Collaboration Settings," everything seems to be toggled correctly, although this seems irrelevant to the task at hand. The specific external has already authenticated.
Mar 05 2020 07:54 AM
Mar 06 2020 08:37 AM - edited Mar 06 2020 08:37 AM
Only thing I know to try and I just did it, is use the modern interface to invite your guest to something on the site using the Share button on the list, to a individual item. Once you do this, they are added into the site's user list, then it will be available to select when sharing the entire list.
Use the "Specific people" option.
Mar 06 2020 08:38 AM
Mar 10 2020 11:02 AM
@Chris WebbIt seems to go like this:
At least this has been my experience. I'd be interested to hear anyone's views of other ways to go.