Active Directory security groups migration from SharePoint 2013 to SharePoint Online

%3CLINGO-SUB%20id%3D%22lingo-sub-960506%22%20slang%3D%22en-US%22%3EActive%20Directory%20security%20groups%20migration%20from%20SharePoint%202013%20to%20SharePoint%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-960506%22%20slang%3D%22en-US%22%3E%3CP%3ESites%20which%20has%20Active%20Directory%20security%20groups%20in%20their%20SharePoint%20permission%20groups%20cannot%20be%20migrated%20from%20SharePoint%202013%20to%20SharePoint%20Online.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20are%20the%20alternative%20options%20for%20AD%20Security%20Groups%20%3F%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-960506%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ESharePoint%20Online%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESharePoint%20Server%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-960852%22%20slang%3D%22en-US%22%3ERe%3A%20Active%20Directory%20security%20groups%20migration%20from%20SharePoint%202013%20to%20SharePoint%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-960852%22%20slang%3D%22en-US%22%3EYou%20should%20be%20able%20to%20replicate%20those%20security%20groups%20to%20Azure%20AD%20and%20migrate%20the%20site%20as-is.%3CBR%20%2F%3E%3CBR%20%2F%3EYou%20can%20use%20Azure%20AD%20Security%20groups%2C%20but%20keep%20in%20mind%20this%20will%20increase%20the%20burden%20on%20IT%20to%20manage%20them%20versus%20allowing%20specified%20site%20owners%20to%20manage%20their%20own%20access.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-961359%22%20slang%3D%22en-US%22%3ERe%3A%20Active%20Directory%20security%20groups%20migration%20from%20SharePoint%202013%20to%20SharePoint%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-961359%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F130%22%20target%3D%22_blank%22%3E%40Trevor%20Seward%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20I%20did%20a%20migration%20from%20On%20Premise%20to%20SharePoint%20Online%20using%20the%20ShareGate%20Desktop%20Migration%20tool%2C%20these%20security%20groups%20did%20not%20added%20in%20the%20People%20and%26nbsp%3B%20Groups%20of%20SharePoint%20Online%20Site.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20the%20first%20step%20is%26nbsp%3B%26nbsp%3B%3CSPAN%3Ereplicate%20the%20AD%20security%20groups%20to%20Azure%20AD.%20Then%20Migrate%20the%20site%20right.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-962213%22%20slang%3D%22en-US%22%3ERe%3A%20Active%20Directory%20security%20groups%20migration%20from%20SharePoint%202013%20to%20SharePoint%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-962213%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F113593%22%20target%3D%22_blank%22%3E%40Sajith%20G%20H%3C%2FA%3E%20%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESharegate%20will%20not%20migrate%20AD%20groups%20but%20if%20the%20AD%20group%20exists%20and%20can%20be%20resolved%20in%20SharePoint%20Online%20it%20will%20add%20it%20as%20part%20of%20the%20migration.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20not%20expert%20on%20AD%20but%20when%20requested%20in%20the%20past%20the%20AD%20group%20needs%20to%20be%20in%20an%20Organisation%20Unit%20that%20is%20synced%20to%20Azure%20AD%20for%20this%20to%20work.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHope%20that%20helps%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAndy%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-965001%22%20slang%3D%22en-US%22%3ERe%3A%20Active%20Directory%20security%20groups%20migration%20from%20SharePoint%202013%20to%20SharePoint%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-965001%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F214649%22%20target%3D%22_blank%22%3E%40Andrew%20Hodges%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20following%20are%20the%20AD%20Security%20Groups%20in%20SharePoint%202013.Does%20the%20AD%20security%20group%20name%20will%20be%20the%20same%20in%20Azure%20AD%20or%20different%20%3F%3C%2FP%3E%3CP%3EBHC%5Cdomain%20users%3CBR%20%2F%3ECORPH%5Cbcn%20group%3CBR%20%2F%3ECORPH%5Cbilling%20%26amp%3B%20network%20applications%20development%3CBR%20%2F%3ECORPH%5Cbilling%20%26amp%3B%20network%20applications%20support%3CBR%20%2F%3ECORPH%5Cbusiness%20analytics%20%26amp%3B%20automation%20development%3CBR%20%2F%3ECORPH%5Cbusiness%20analytics%20%26amp%3B%20automation%20support%3CBR%20%2F%3ECORPH%5Ccustomer%20services%20development%3CBR%20%2F%3ECORPH%5Ccustomer%20services%20support%3CBR%20%2F%3ECORPH%5Cdata%20centers%20%26amp%3B%20operations%3CBR%20%2F%3ECORPH%5Cdomain%20users%3CBR%20%2F%3ECORPH%5Centerprise%20systems%3CBR%20%2F%3ECORPH%5Cit%20security%3CBR%20%2F%3ECORPH%5Cservice%20desk%20%26amp%3B%20desktop%20services%3CBR%20%2F%3ENT%20AUTHORITY%5Cauthenticated%20users%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-965081%22%20slang%3D%22en-US%22%3ERe%3A%20Active%20Directory%20security%20groups%20migration%20from%20SharePoint%202013%20to%20SharePoint%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-965081%22%20slang%3D%22en-US%22%3E%3CP%3EHi%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F113593%22%20target%3D%22_blank%22%3E%40Sajith%20G%20H%3C%2FA%3E%20%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20domain%20users%20and%20authenticated%20users%20don't%20exist%20in%20Office%20365%20so%20you%20will%20have%20to%20use%20other%20groups%20for%20this.%20There%20is%20a%20default%20permission%20group%20called%20%22Everyone%20Except%20External%20users%22%20but%20I%20am%20not%20a%20fan%20of%20using%20this%20because%20at%20some%20point%20it%20is%20likely%20that%20external%20users%20will%20be%20given%20an%20account%20such%20as%20IT%20support%20or%20contractors.%20It%20makes%20more%20sense%20to%20create%20an%20%22All%20Company%20Users%22%20Azure%20AD%20group%20and%20add%20everyone%20or%20all%20departments%20to%20that%2C%20although%20that%20is%20a%20fair%20bit%20of%20work%20if%20your%20AD%20is%20not%20up%20to%20scratch.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20rest%20I%20would%20have%20thought%20you%20would%20be%20able%20to%20sync%20to%20Azure%20AD%20and%20then%20use%20in%20the%20migration.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHope%20that%20helps%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAndy%3C%2FP%3E%3C%2FLINGO-BODY%3E
Contributor

Sites which has Active Directory security groups in their SharePoint permission groups cannot be migrated from SharePoint 2013 to SharePoint Online.

 

What are the alternative options for AD Security Groups ?  

 

5 Replies
You should be able to replicate those security groups to Azure AD and migrate the site as-is.

You can use Azure AD Security groups, but keep in mind this will increase the burden on IT to manage them versus allowing specified site owners to manage their own access.

@Trevor Seward 

 

When I did a migration from On Premise to SharePoint Online using the ShareGate Desktop Migration tool, these security groups did not added in the People and  Groups of SharePoint Online Site.

 

So the first step is  replicate the AD security groups to Azure AD. Then Migrate the site right.

 

Hi @Sajith G H ,

 

Sharegate will not migrate AD groups but if the AD group exists and can be resolved in SharePoint Online it will add it as part of the migration.

 

I am not expert on AD but when requested in the past the AD group needs to be in an Organisation Unit that is synced to Azure AD for this to work. 

 

Hope that helps

 

Andy

 

 

@Andrew Hodges

 

The following are the AD Security Groups in SharePoint 2013.Does the AD security group name will be the same in Azure AD or different ?

BHC\domain users
CORPH\bcn group
CORPH\billing & network applications development
CORPH\billing & network applications support
CORPH\business analytics & automation development
CORPH\business analytics & automation support
CORPH\customer services development
CORPH\customer services support
CORPH\data centers & operations
CORPH\domain users
CORPH\enterprise systems
CORPH\it security
CORPH\service desk & desktop services
NT AUTHORITY\authenticated users

 

Hi@Sajith G H ,

 

The domain users and authenticated users don't exist in Office 365 so you will have to use other groups for this. There is a default permission group called "Everyone Except External users" but I am not a fan of using this because at some point it is likely that external users will be given an account such as IT support or contractors. It makes more sense to create an "All Company Users" Azure AD group and add everyone or all departments to that, although that is a fair bit of work if your AD is not up to scratch. 

 

The rest I would have thought you would be able to sync to Azure AD and then use in the migration. 

 

Hope that helps

 

Andy