SOLVED

transition to O365 - AAD


Hi

Just wanted to hear about any recommendations / best practice for the following:

A company has a traditional AD on-prem - with OUs, User objects, Security Groups, Distribution lists, etc. - which is synced to AAD.

How would the "recommendations" be for them and the 'utilization/adoption' of the various workloads/apps - as these are mostly O365 groups "driven"?

Company may have a lot of security groups, one per department - but members in these are "static" after they are pulled to the Teams members group when creating an MS Team.

In SharePoint I can add a security group to the SP members group - however, it's administratively a "mess" (where to do what in AD or AAD - or both?) - or am I missing the "silver bullet"?

5 Replies
I’m a little unsure what you’re asking for exactly! Regarding teams you can use dynamic groups

https://docs.microsoft.com/en-us/microsoftteams/dynamic-memberships

Hi @adam deltinger

Yes, I know the dynamic groups within Teams - and the Groups writeback - guess I'm asking 'where-to-do-what' and 'when-to-use-what' (AD or AAD wise) - if Dynamic groups are used the membership admin is turned off in the client.

AD Security groups work fine in SharePoint - but not in Teams - is the advice to create new O365 groups and migrate the AD groups so company only uses O365 groups - some Admin planning/strategy :D

MS is pushing for membership through Office 365 groups, which don’t play very well with local AD membership assignment! Modern pages work on O365 groups and it’s the easiest to not mess with synced Security groups except if you have a SharePoint intranet or classic sites! You may use dynamic Office 365 groups if you have P1 licenses.

Kinda figured out your question :) sorry!
But as I said, yes! If you’re using SharePoint in pair with Teams, I would mess with sec groups!

Solution
Yeah, it's still a mix and depends on if you still have on-prem resources or not. I personally like to split the two up. Cloud is Office 365 groups, which includes anything connected to that group, and on-prem and non SharePoint group connected sites (comm sites etc.) stay Security groups.

Really isn't a best practice per se other than that. You don't want to use Office 365 groups across other sites because membership into that group could affect access to other things that people may not think about, and when guest access comes into play it can get even worse. That's why I like to try to keep it manual if possible.