SharePoint Online Permissions/Office 365 Security Groups

Copper Contributor

Hi,

 

I'm posting to try to get an idea of how other people are approaching the problem of assigning permissions in the Modern SharePoint Online world.

 

Since we now aim to build sites composed of many site collections (rather than subsites), managing permissions needs to be centralised in Office 365, otherwise we end up managing permissions across many site collections.

 

So, the approach we've been taking is to create Office 365 security groups and add these groups to SharePoint permission groups. Sometimes, the security groups are nested. So far so good.

 

However, I'm running into real problems with the reliability of this approach. For a start, there's a long delay on adding users to the Office 365 security groups and the user getting access to SharePoint - presumably some timed sync happening behind the scenes. Secondly, the "Check Permissions" function in SharePoint is either massively unreliable or some permissions are not getting added at all. No matter how long I leave it, some users added through security groups never show up as having permissions.

 

This leads to users being temporarily dropped directly into SharePoint groups, and hence security governance takes a hit.

 

Has anyone else encountered this? Do you have any advice to give?

5 Replies
Hello Dave,
I faced the same issue. It happens for both Office 365 and Mail enabled security group and this is nothing to do with check permission. I tried to find the root cause for the reason. Unfortunately, there is no Microsoft documentation that specifies how long it takes to add user to SharePoint that are added via O365 group or Mail enabled group. In my finding, it doesn't took more than 3 hours. Adding users to SharePoint group is more effective.

@Dave Tansley 

 

All our customers use security groups in Azure AD rather than Microsoft(Office) 365 groups. Never had a problem using AD security groups as you mention. 

 

EDIT: Re-read your question, in Azure AD or Microsoft 365 Admin portal you can create a Microsoft 365 group or a security group, assume you are creating Microsoft 365 groups, if so, try Security group. 

As I understand it, Office 365 security groups (which we're using) and Azure AD security groups are the same thing under the hood.

@Dave Tansley 

 

What you talking about is the same thing, terminology Microsoft now use is Security Groups and Microsoft 365 Groups. Both of which can be created in the Microsoft 365 Admin portal or Azure AD Portal. 

 

Do you have an on-premises AD that is synced to Azure AD?  Where/how are you adding the users?

 

 

No sync'd on premise AD. Users are added directly into either Office 365 Admin (groups) or Azure AD admin.

The weirdest thing is that for two users added into a group at the same time, one user will show up as having permissions on the desired SharePoint site (after a short delay), while the other one will not.