SOLVED

Need help with SharePoint and Security Groups


Hi all!

I'm currently working on a case for a customer that is using Office 365 and SharePoint. He wants to be able to add and remove users to SharePoint sites with as little hassle as possible. So I came up with the following idea.

I was thinking of adding users in separate Security groups in the Office 365 admin center. Then, I'd make custom SharePoint groups on the team site. Instead of adding user accounts to those SharePoint groups, I'd like to add the Security group. That way, whenever a user is added/removed from the Security group, the access and permissions on that site would be added/removed without adding/removing the individual user from the different sites. This, in my opinion, would be much easier to manage than to manually add the user to the site and manually assign permissions on folders and files.

But that seems to give some problems. After removing a user, the user still has access to the site, and vice versa. Even if a user is added to the Security group and the Security group is a member of the SharePoint group, the user still doesn't have access to the team site. I don't know how I could solve the issue without using Security groups for management.

Any ideas, tips or insights would be very much appreciated!

4 Replies
Best Response confirmed by WarreVlieghe (New Contributor)
Solution

The best approach I have seen includes a two-tier level: creating AD security groups then adding these groups to SP groups that make more sense to the structure of your site. That way, when someone gets turned off in AD, they are removed from all SP groups you created. It is a bit abstract, but seems to work.

Since they are not using AD, will it work with Office 365 security groups? Or are AD and O365 groups the same?

It seems to work after logging out and logging in again with the user that is being added/removed. Didn't know that would be an issue.

@WarreVlieghe Hmmm. I think you could do it with the 365 level instead. But honestly I do not know. I think the best way for an org to do this is to figure out what the requirements are (you have the basics). I do suggest abstracting it though at least one level so that it is easy for someone to be joined to a group and have all access and permissions that group has.