Need help with SharePoint and Security Groups

Occasional Contributor

Hi all!


I'm currently working on a case for a customer that is using Office 365 and SharePoint. He wants to be able to add and remove users to SharePoint sites with as less hassle as possible. So i came up with the following idea.


I was thinking of adding users in separate Security groups in the Office 365 admin center. Then, I'd make custom SharePoint groups on the team site. Instead of adding user accounts to those SharePoint groups, I'd like to add the Security group. That way, whenever a user is added/removed from the Security group, the access and permissions on that site would be added/removed without adding/removing the individual user from the different sites. This, in my opinion, would be much easier to manage than to manually add the user to the site and manually assign permissions on folders and files.


But that seems to give some problems. After removing a user, the user still has access to the site, and vice versa. Even if a user is added to the Security group and the Security group is a member of the SharePoint group, the user still doesn't have access to the team site. I don't know how I could solve the issue without using Security groups for management.


Any ideas, tips or insights would be very much appreciated!

5 Replies
best response confirmed by WarreVlieghe (Occasional Contributor)

The best approach I have seen includes a two tier level: creating AD security groups then adding these groups to SP groups that make more sense to the structure of your site.  That way, when someone gets turned off in AD, they are removed from all SP groups you created.  It is a bit abstract, but seems to work.

Since they are not using AD, will it work with Office 365 security groups? Or are AD and O365 groups the same?
It seems to work after logging out and logging in again with the user that is being added/removed. Didn't know that would be an issue.

@WarreVlieghe Hmmm.  I think you could do it with the 365 level instead.  But honestly I do not know.  I think the best way for an org to do this is to figure out what the requirements are (you have the basics).  I do suggest abstracting it though at least one level so that it is easy for someone to be joined to a group and have all access and permissions that group has.  


@shawn_fieldinghave you encountered issues wherein a user is a member of a security group in AD and that security group is a member of a SharePoint group yet adding a member to that security group does not grant them membership to that SharePoint group?


It used to be simple to grant a user membership to a particular SharePoint group. We would simply add them to the membership security group in AD and wait for it to replicate from AD to SharePoint online. Now, for some reason, that practice is becoming more hit and miss with regards to a successful outcome. We have several employees that have been added to the security group but that is not replicating out to SharePoint online.