Memberships not updating from Azure AD (security) groups to SharePoint Online Sites


We have several SharePoint Online sites (site collections) in which we have added Azure AD security groups as members to local (SharePoint site) groups. For example, in one site (Athlete Grades):

Azure AD security group: student-athlete-faculty-exceptions

>> is a member of >>

SharePoint site group: Grade Submitters

Grade Submitters has Contribute permission to a list called "Grade Reports". The security group was empty when I added it to the SharePoint group. I then added members to the security group. When I do a "Check Permissions" on the Grade Reports list for any member of the security group, the response is "None".

As a test, I added the security group (after populating it) to the Visitors group in another SharePoint site. When I Check Permissions on that site for one of the security group members, the response is "Read given through <site> Visitors". So, the problem is site-specific.

When this happened in our on-prem SP2010 environment, it was usually because the User Profile Service had either crashed or was otherwise not running. When the admin started/restarted the service and its sync interval hit, everything was fine. Usually. There were a few occasions where (to expedite the process) we would go to the Site Collection Users list (<site_url>/_layouts/15/people.aspx?MembershipGroupId=0) to delete the group from there, then re-add it to the appropriate SharePoint groups. That nearly always worked. I've tried that here and no dice.

So, does anyone know what the sync interval is for the SharePoint Online User Profile Service? I'm assuming it's a fixed value, not something configurable by tenant. Also, if I suspect a problem with that service, who should I contact about it? I could open a service ticket, but when I've done that in the past for issues spanning multiple site collections, the experience has not been great. The technicians are always polite and helpful, but seem to treat every issue as a specific instance rather than as part of a larger problem.

The bottom line is that for the permissioning work I do every day (which includes granting access to Power Apps, flows and SharePoint Online sites), the single-point-of-contact solution of the AD security group is great. When it works. When it doesn't, then I need to start going and sharing Apps or sites with individual users, which becomes a maintenance nightmare down the road. I really just need to be able to rely on this process.
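As an added check that is not part of the thread, the PnP PowerShell script below (assumes the PnP.PowerShell module and an interactive sign-in; the site URL and group names are placeholders taken from the post) lists which Azure AD security groups are actually members of a given SharePoint site group and shows the matching entries in the site collection user list, so the site-specific failure described above can be confirmed independently of the "Check Permissions" tool before the remove/re-add workaround is tried.

```powershell
# Added example (not from the thread): verify that an Azure AD security group
# really is a member of a SharePoint Online site group. Assumes PnP.PowerShell
# is installed; the URL and names below are placeholders, not real values.
param(
    [string]$SiteUrl       = "https://<tenant>.sharepoint.com/sites/AthleteGrades",
    [string]$SiteGroupName = "Grade Submitters",
    [string]$AadGroupName  = "student-athlete-faculty-exceptions"
)

Connect-PnPOnline -Url $SiteUrl -Interactive

# Azure AD security groups appear in SharePoint as principals with
# PrincipalType "SecurityGroup" and a claim-style login name of the form
# "c:0t.c|tenant|<objectId>". Read every member of the site group and keep
# only those principals.
$members   = Get-PnPGroupMember -Group $SiteGroupName
$aadGroups = $members | Where-Object {
    $_.PrincipalType -eq "SecurityGroup" -and $_.LoginName -like "c:0t.c|tenant|*"
}

"Azure AD security groups that are members of '$SiteGroupName':"
$aadGroups | Select-Object Id, Title, LoginName | Format-Table -AutoSize

# Flag the case the post describes: the expected group is not in the site group.
$present = $aadGroups | Where-Object { $_.Title -eq $AadGroupName }
if (-not $present) {
    Write-Warning "'$AadGroupName' is NOT a member of '$SiteGroupName' on $SiteUrl."
}

# The site collection user list is the same list the post reaches via
# _layouts/15/people.aspx?MembershipGroupId=0. More than one entry with the
# same title (for example after a delete/re-add) is worth a closer look.
$siteEntries = Get-PnPUser | Where-Object {
    $_.PrincipalType -eq "SecurityGroup" -and $_.Title -eq $AadGroupName
}
"Entries for '$AadGroupName' in the site collection user list:"
$siteEntries | Select-Object Id, Title, LoginName | Format-Table -AutoSize
if (@($siteEntries).Count -gt 1) {
    Write-Warning "Multiple site-user entries found for '$AadGroupName'; check for a stale principal."
}
```

The script is read-only; removing and re-adding the group is left to the admin once the output confirms which principal is actually in the site group.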


@ChadKealey Hello,

We are having the same issue you're having, also with the particular site. So far with only one, but wanted to double check with you if you perhaps have more insight into what was the problem?

Warm regards,

Oleg

I think early on (when I posted this), there was some mismatch of data. That is, the users actually did have permission, but the "Check Permissions" tool was reporting a false negative. This led to a lot of confusion.

It seems like that problem has been sorted out and the process works more reliably. When I add users to a group in our local AD, the enrollments seem to process at the next dirsync and the Check Permissions tool confirms that they have access via that group.