SharePoint and Groups


Team,

Is there any place to see all SharePoint sites that an O365 group is assigned or associated with?
There are multiple reasons for this question.

  1. We are migrating over from Windows AD to AAD and there are 1000's of AD groups, and we want to move forward only the ones that are currently active, but these groups have been used to grant access to SP sites.
  2. Just for security's sake. I am looking to see what SP sites any given group has access to and haven't found a direct view of this anywhere.
2 Replies

@JamesRV  Not out of the box. But with PnP PowerShell it should be possible.

  • Receive all sites from your tenant.
  • Loop through all sites and check the HiddenUserList (Get-PnPUser). If the AD group is listed you know the group was added in the past. Don't forget, if permissions are removed from a site the item in the HiddenUserList is not deleted. So you have to double check whether the item still has permissions. 
  • The result also includes information on whether the item has permissions on the site.
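
The three steps in the reply above could be scripted as follows. This is an added example, not code from the thread or from the PnP project; it assumes the PnP.PowerShell module, an account that can read every site, and that the group's directory object ID appears in its SharePoint login name (the `$AdminUrl`, `$ClientId` and `$GroupId` values are placeholders).

```powershell
# Added example. Placeholders below must be replaced before running.
$AdminUrl = 'https://contoso-admin.sharepoint.com'   # placeholder tenant admin URL
$ClientId = '<entra-app-client-id>'                  # placeholder app registration for PnP sign-in
$GroupId  = '<group-object-id>'                      # placeholder directory object ID of the group

# Step 1: get all sites from the tenant.
Connect-PnPOnline -Url $AdminUrl -Interactive -ClientId $ClientId
$sites = Get-PnPTenantSite

$report = foreach ($site in $sites) {
    try {
        $conn = Connect-PnPOnline -Url $site.Url -Interactive -ClientId $ClientId -ReturnConnection

        # Step 2: every principal ever added to the site, including stale entries
        # left behind after permissions were removed.
        $listed = Get-PnPUser -Connection $conn |
            Where-Object { $_.LoginName -like "*$GroupId*" }   # assumption: ID is part of the login name
        if (-not $listed) { continue }

        # Step 3: the double check. Only principals that hold rights right now.
        $active = Get-PnPUser -WithRightsAssigned -Connection $conn |
            Where-Object { $_.LoginName -like "*$GroupId*" }

        [pscustomobject]@{
            SiteUrl      = $site.Url
            LoginName    = ($listed | Select-Object -First 1).LoginName
            Title        = ($listed | Select-Object -First 1).Title
            HasRightsNow = [bool]$active
            Error        = $null
        }
    }
    catch {
        # Record unreadable sites so they are not mistaken for "group has no access".
        [pscustomobject]@{
            SiteUrl      = $site.Url
            LoginName    = $null
            Title        = $null
            HasRightsNow = $null
            Error        = $_.Exception.Message
        }
    }
}

$report | Export-Csv -Path .\group-site-access.csv -NoTypeInformation
```

Rows with `HasRightsNow` set to false are the stale entries the reply warns about; rows with a non-empty `Error` need a manual look before the group is treated as unused.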

@Tobias Asböck 

Thank you, this is helpful, and we are currently working on a similar approach with PS scripts. Your input will be valuable too.

We have 1000's of SP sites and the script is going to spin for a while. I will post back on the result.

I was hoping there is a hidden capability :( as this could be key information on where a group is used; without this, a key component of security access review is missing. Can someone from the SP or AAD security team take this as a feature request?