Aug 20 2017 04:21 AM
Hi,
I've got an odd one today. SharePoint Online team site that has 2 custom SharePoint groups created. Within each of these groups there is a single AAD security group. This AAD security group has a number of users as members. From SharePoint you can do a permissions check on a user that is a member of the AAD security group and they resolve and show the permission they have on the site and that they are a member of the SharePoint group that the AAD security group is a member of. Happy days.
Now, if I remove a user from the AAD security group and then check the permission for that removed user in SharePoint using the permission check, they still show as a member of the SharePoint group. I hoped this might be a timing thing, but after a number of hours the user still appears to have access to SharePoint.
Just to be sure, I added a new user to the AAD security group and after a minute or so I could run a permission check against their user name in SharePoint.
So it appears that adding users is working fine but the sync isn't detecting users that have been removed.
Aug 20 2017 05:27 AM
Ok, looks like I've fallen foul of the caching on the "Check Permission" button. It appears this info is about as reliable as a chocolate fireguard, and although the info I've found suggests it updates when a user logs in, this doesn't seem to be the case. It is a pain because you have to "trust" that the permissions that have been set are right; knowing how complicated SharePoint permissions can be, this is a bit of a leap of faith.