Apr 08 2020 06:02 AM
Hi all!
I'm currently working on a case for a customer that is using Office 365 and SharePoint. He wants to be able to add and remove users to SharePoint sites with as little hassle as possible. So I came up with the following idea.
I was thinking of adding users to separate Security groups in the Office 365 admin center. Then, I'd make custom SharePoint groups on the team site. Instead of adding user accounts to those SharePoint groups, I'd like to add the Security group. That way, whenever a user is added to/removed from the Security group, the access and permissions on that site would be added/removed without adding/removing the individual user from the different sites. This, in my opinion, would be much easier to manage than manually adding the user to the site and manually assigning permissions on folders and files.
But that seems to cause some problems. After removing a user, the user still has access to the site, and vice versa. Even if a user is added to the Security group and the Security group is a member of the SharePoint group, the user still doesn't have access to the team site. I don't know how I could solve the issue without using Security groups for management.
Any ideas, tips or insights would be very much appreciated!
Apr 08 2020 06:57 AM
Solution
The best approach I have seen includes a two-tier level: creating AD security groups, then adding these groups to SP groups that make more sense to the structure of your site. That way, when someone gets turned off in AD, they are removed from all SP groups you created. It is a bit abstract, but seems to work.
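The two-tier model described in the question and in this answer (an Entra ID / Office 365 security group nested inside a site-level SharePoint group, with no individual user accounts in the SharePoint group) can be scripted and checked. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes the PnP.PowerShell and Microsoft.Graph.Groups modules are installed, and the tenant name, site URL, group names and role below are hypothetical placeholders.

```powershell
# Added example (not from the thread): nest an Entra ID security group inside a
# custom SharePoint site group, then verify that the site group holds only that
# principal. Names below are hypothetical placeholders.
# Prerequisites: Install-Module PnP.PowerShell ; Install-Module Microsoft.Graph.Groups
param(
    [string]$SiteUrl       = "https://contoso.sharepoint.com/sites/ProjectX",
    [string]$SecurityGroup = "SG-ProjectX-Members",
    [string]$SpGroupName   = "ProjectX Contributors",
    [string]$Role          = "Contribute"   # least privilege: avoid "Full Control" for member tiers
)

# 1. Resolve the security group in Entra ID and make sure it is security-enabled.
Connect-MgGraph -Scopes "Group.Read.All" | Out-Null
$sg = Get-MgGroup -Filter "displayName eq '$SecurityGroup'" -Property Id,DisplayName,SecurityEnabled
if (-not $sg)                 { throw "Security group '$SecurityGroup' not found in Entra ID." }
if (@($sg).Count -gt 1)       { throw "Display name '$SecurityGroup' is ambiguous; use the object ID instead." }
if (-not $sg.SecurityEnabled) { throw "'$SecurityGroup' is not security-enabled; SharePoint will not resolve it." }

# SharePoint Online addresses an Entra security group by this claims-encoded login name.
$loginName = "c:0t.c|tenant|$($sg.Id)"

# 2. Create the site-level SharePoint group if missing and grant it exactly one role.
Connect-PnPOnline -Url $SiteUrl -Interactive
$spGroup = Get-PnPGroup -Identity $SpGroupName -ErrorAction SilentlyContinue
if (-not $spGroup) {
    $spGroup = New-PnPGroup -Title $SpGroupName -Description "Access managed via $SecurityGroup"
    Set-PnPGroupPermissions -Identity $SpGroupName -AddRole $Role
}

# 3. Add the security group (never individual users) as the member of the SP group.
$members = Get-PnPGroupMember -Group $SpGroupName
if ($members.LoginName -notcontains $loginName) {
    Add-PnPGroupMember -Group $SpGroupName -LoginName $loginName
}

# 4. Verify the tier boundary: any direct User entry in the SP group bypasses the
#    AD-managed membership and must be removed from the SP group, not from AD.
$members     = Get-PnPGroupMember -Group $SpGroupName
$directUsers = $members | Where-Object { $_.PrincipalType -eq 'User' }
if ($directUsers) {
    Write-Warning "Direct user entries in '$SpGroupName' bypass the security group: $($directUsers.LoginName -join ', ')"
}
$members | Select-Object Title, LoginName, PrincipalType | Format-Table -AutoSize
```

Running the script is idempotent, so it can be re-run as a periodic check that the SharePoint group still contains only the security-group principal. Note what it does not prove: that a given user can reach the site. Membership of the security group is resolved by SharePoint, not by the script, so after adding or removing someone in Entra ID, test with that user's own account (sign out and back in) rather than by inspecting the group list.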
Apr 08 2020 08:30 AM
@WarreVlieghe Hmmm. I think you could do it with the 365 level instead. But honestly I do not know. I think the best way for an org to do this is to figure out what the requirements are (you have the basics). I do suggest abstracting it though at least one level so that it is easy for someone to be joined to a group and have all access and permissions that group has.
Apr 16 2021 09:14 AM - edited Apr 16 2021 09:16 AM
@shawn_fielding have you encountered issues wherein a user is a member of a security group in AD and that security group is a member of a SharePoint group, yet adding a member to that security group does not grant them membership to that SharePoint group?
It used to be simple to grant a user membership to a particular SharePoint group. We would simply add them to the membership security group in AD and wait for it to replicate from AD to SharePoint online. Now, for some reason, that practice is becoming more hit and miss with regards to a successful outcome. We have several employees that have been added to the security group but that is not replicating out to SharePoint online.