How to use AD groups in Sharepoint Online


Hi,

In my company we created a SharePoint Online site to manage our procedure.

To manage security, we are thinking about using the existing groups in our on-premises Active Directory.

So, we started by adding our key users to the site with a specific AD group. But these people don't have any access. But if we create a SharePoint group and add users to this group, it works.

In fact, we can't use our on-premises AD security groups...

We are using Azure AD Connect for sync.

How can we do that?

6 Replies
Of course you can use Security Groups in SPO Sites, but you have to differentiate between Group Sites and Communication Sites. In Group Sites, you have an Office 365 Group that rules the membership of the Group Site.

Hi @t_brejon,

Generally you won't be syncing everything in your on-prem AD to Azure AD. What you need to do is make sure that the on-prem AD groups are in the right Organisational Unit (OU) that is being synced to Azure AD.

It may be that the AD group you tried to use wasn't the correct one? Have a look in Azure AD and see the membership of the AD groups you are trying to use.

@Juan Carlos González Martín We created a Team site with the SharePoint administrator panel.

@Andrew Hodges Yes, I used a group which is synced by AADC, and in the administrator panel and Azure AD panel, I'm able to see the users in the group.

@t_brejon I have a similar issue. I have been doing some troubleshooting and it looks like everything works fine IF you add the AD group to one of those default groups that come with SharePoint (visitors, members or owners). If I add the AD group to a newly created SharePoint group I get access denied.

If someone has any suggestions, it will be appreciated.

Eddie

@EdsOnline

As long as you have given the new SharePoint Group the right permission level there shouldn't be an issue. Sounds like one for a support ticket.

@Andrew Hodges I think you're right on the money! Last night I kept troubleshooting and I realized that when I originally created the group I did not give any permissions at the time of creation. I gave the permission later when I was assigning it to the site and library permissions. Yesterday I created a new group and assigned READ at the time of creation. Then I compared both groups against a user (using the check permission options), and I noticed that the first group gave READ, Limited Access. And the second group only has READ.
I'm not sure why that Limited Access appeared, but it was creating the issues. My guess is it was the fact of not checking the option for READ at the time of creation. It does not make much sense, but it is what it is. Later today or next week I will run a full test on this and I will come back here to update the community.
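
Added example (not part of any post in this thread): a PowerShell check that lists each SharePoint group's permission levels and flags groups that have none besides Limited Access, the same comparison the last reply made by hand. The group names and members are constructed sample data shaped like the Title, Roles and Users properties that Get-SPOSiteGroup returns; the function name and the site URL in the closing comment are placeholders.

```powershell
# Added example. Each input object carries the Title, Roles and Users
# properties that Get-SPOSiteGroup returns for a SharePoint group.
function Get-GroupRoleAudit {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Group,
        # Limited Access is added by SharePoint automatically when a principal
        # is granted rights on a child object (e.g. a library) but not on its
        # parent; it cannot be assigned directly.
        [string[]] $NonGrantingRoles = @('Limited Access')
    )
    process {
        $roles     = @($Group.Roles | Where-Object { $_ })
        $effective = @($roles | Where-Object { $_ -notin $NonGrantingRoles })
        if ($effective.Count -eq 0) {
            $finding = 'no permission level assigned'
        } elseif ($effective.Count -lt $roles.Count) {
            $finding = 'permission level plus Limited Access'
        } else {
            $finding = 'ok'
        }
        [pscustomobject]@{
            Group   = $Group.Title
            Members = @($Group.Users | Where-Object { $_ }).Count
            Roles   = $roles -join ', '
            Finding = $finding
        }
    }
}

# Constructed sample data (not taken from a real tenant).
$sampleGroups = @(
    [pscustomobject]@{ Title = 'Procedures Visitors'; Roles = @('Read');                   Users = @('AD-KeyUsers') }
    [pscustomobject]@{ Title = 'Key Users (first)';   Roles = @('Read', 'Limited Access'); Users = @('AD-KeyUsers') }
    [pscustomobject]@{ Title = 'Key Users (empty)';   Roles = @();                         Users = @('AD-KeyUsers') }
)
$sampleGroups | Get-GroupRoleAudit | Format-Table -AutoSize

# Against a live site (SharePoint Online Management Shell, after Connect-SPOService):
# Get-SPOSiteGroup -Site https://contoso.sharepoint.com/sites/procedures | Get-GroupRoleAudit
```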