02-05-2020 05:36 AM
02-05-2020 05:36 AM
We have several SharePoint Online sites (site collections) in which we have added Azure AD security groups as members to local (SharePoint site) groups. For example, in one site (Athlete Grades):
Azure AD security group: student-athlete-faculty-exceptions
>> is a member of >>
SharePoint site group: Grade Submitters
Grade Submitters has Contribute permission to a list called "Grade Reports". The security group was empty when I added it to the SharePoint group. I then added members to the security group. When I do a "Check Permissions" on the Grade Reports list for any member of the security group, the response is "None".
As a test, I added the security group (after populating it) to the Visitors group in another SharePoint site. When I Check Permissions on that site for one of the security group members, the response is "Read given through <site> Visitors". So, the problem is site-specific.
When this happened in our on-prem SP2010 environment, it was usually because the User Profile Service had either crashed or was otherwise not running. When the admin started/restarted the service and it's sync interval hit, everything was fine. Usually. There were a few occasions where (to expedite the process) we would go to the Site Collection Users list (<site_url>/_layouts/15/people.aspx?MembershipGroupId=0) to delete the group from there, then re-add it to the appropriate SharePoint groups. That nearly always worked. I've tried that here and no dice.
So, does anyone know what the sync interval is for the SharePoint Online User Profile Service? I'm assuming it's a fixed value, not something configurable by tenant. Also, if I suspect a problem with that service, who should I contact about it? I could open a service ticket, but when I've done that in the past for issues spanning multiple site collections, the experience has not been great. The technicians are always polite and helpful, but seem to treat every issue as a specific instance rather than as part of a larger problem.
The bottom line is that for the permissioning work I do every day (which includes granting access to Power Apps, flows and SharePoint Online sites), the single-point-of-contact solution of the AD security group is great. When it works. When it doesn't, then I need to start going and sharing Apps or sites with individual users, which becomes a maintenance nightmare down the road. I really just need to be able to rely on this process.
07-23-2020 01:25 PM
We are having the same issue you're having, also with the particular site. So far with only one, but wanted to double check with you if you perhaps have more insight into what was the problem?
07-23-2020 01:42 PM