Jul 08 2021 07:44 AM
We have a number of departments that use Azure AD groups to manage access to their SharePoint Online sites. For example: the College of Nursing has a site (/sites/CoN/) and a local/on-prem AD group (that is synced to AAD) called "CoN_Visitors". That group has read permission to the site. People who are/were members of the group when it was added have the appropriate permission, and you can verify that via the "Check permissions" tool in the Advanced permissions page on the site. Weeks go by and other users are added to the on-prem AD group. At the allotted interval, the memberships sync to AAD (we can verify that the users are members both in local AD and Azure AD). However, if we use the Check permissions tool in the site for one of those new members, it will report that they have "No access". In most cases (but not all), the user actually IS able to access the site. Re-running the Check permissions tool after they've done that will show that they have the appropriate permissions.
I believe this is because there are two other syncs that occur between AAD and the User Profile Service in SPO, and then the UPA to the site (described here: https://docs.microsoft.com/en-us/sharepoint/user-profile-sync#sync-process).
The timing of those last two sync operations is not clearly defined in that document. The fact that there does not seem to be a way (as a SharePoint service admin) to monitor them or check their status complicates the situation significantly. Our two workarounds (neither of which is 100% effective in all cases) have been
So, are others having/seeing the same sort of behavior? Is this just par for the course using AD/AAD groups to manage SharePoint permissions? I know MS is basically (or largely) "all-in" on unified groups (aka: O365/M365 groups) for permissions management, but even there we see a fair number of inconsistencies (e.g.: members are added to a Team that's in the visitors group for a site but get "access denied" when trying to visit the site). I mean, permissions management in SharePoint has never been a walk in the park, but I was hoping for a bit more reliability and consistency in moving to the cloud.
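One way to see the gap the post describes, as an added example that is not part of the original post and not Microsoft's own tooling: compare the group membership Azure AD reports with what the SharePoint site already knows about those users, so that members who have synced to AAD but are not yet visible to the site can be listed rather than discovered one ticket at a time. It assumes the PnP.PowerShell and Microsoft.Graph modules are installed, that the account used can read groups in Graph and user profiles in SPO, that the AAD display name of the synced group is the same "CoN_Visitors" used on-prem (check this; it can differ), and that the site URL is a placeholder. Treating a failed or empty `Get-PnPUserProfileProperty` result as "no UPA profile yet" is also an assumption about that cmdlet's behaviour.

```powershell
# Added example (not from the original post): list members of an Azure AD group and
# report, for each, whether the SharePoint site has a user entry for them yet and
# whether a User Profile exists. Placeholders: $SiteUrl and the tenant name.
param(
    [string]$SiteUrl   = "https://contoso.sharepoint.com/sites/CoN",  # placeholder
    [string]$GroupName = "CoN_Visitors"                               # group named in the post
)

Import-Module PnP.PowerShell
Import-Module Microsoft.Graph.Groups

Connect-MgGraph -Scopes "Group.Read.All","User.Read.All" | Out-Null
Connect-PnPOnline -Url $SiteUrl -Interactive

# 1. Membership as Azure AD sees it (the state after the on-prem -> AAD sync).
$group = Get-MgGroup -Filter "displayName eq '$GroupName'" | Select-Object -First 1
if (-not $group) { throw "Group '$GroupName' not found in Azure AD" }
$aadMembers = Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
    Where-Object { $_ }

# 2. Users the site already has an entry for (its User Information List).
$siteUsers = Get-PnPUser | Where-Object { $_.Email } |
    ForEach-Object { $_.Email.ToLowerInvariant() }

# 3. One row per AAD member with its status on the site.
$report = foreach ($upn in $aadMembers) {
    $knownToSite = $siteUsers -contains $upn.ToLowerInvariant()
    $profileOk = $false
    try {
        # The UPA profile is the intermediate hop in the sync article the post links;
        # assumption: a missing or empty profile means that hop has not happened yet.
        $props = Get-PnPUserProfileProperty -Account $upn -ErrorAction Stop
        $profileOk = [bool]$props -and [bool]$props.AccountName
    } catch { $profileOk = $false }
    [pscustomobject]@{
        User          = $upn
        InAadGroup    = $true
        HasUpaProfile = $profileOk
        KnownToSite   = $knownToSite
    }
}

$report | Sort-Object KnownToSite, HasUpaProfile | Format-Table -AutoSize
# Keep the "pending" rows for follow-up or for trending how long the window lasts.
$report | Where-Object { -not $_.KnownToSite -or -not $_.HasUpaProfile } |
    Export-Csv -NoTypeInformation -Path ".\con-visitors-pending.csv"
```

A row with InAadGroup true but HasUpaProfile or KnownToSite false is the window in which the "Check permissions" tool reports "No access" for a user who is already in the group. Running this on a schedule after the on-prem sync interval gives a record of how long that window actually lasts, which the linked sync article does not state.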