SharePoint Online with AAD Security Groups - Broken?


Hi,


I've got an odd one today. SharePoint Online team site that has 2 custom SharePoint groups created. Within each of these groups there is a single AAD security group. This AAD security group has a number of users as members. From SharePoint you can do a permissions check on a user that is a member of the AAD security group and they resolve and show the permission they have on the site and that they are a member of the SharePoint group that the AAD security group is a member of. Happy days.

Now, if I remove a user from the AAD security group and then check the permission for that removed user in SharePoint using the permission check, they still show as a member of the SharePoint group. I hoped this might be a timing thing, but after a number of hours the user still appears to have access to SharePoint.

Just to be sure, I added a new user to the AAD security group and after a minute or so I could run a permission check against their user name in SharePoint.

So it appears that adding users is working fine but the sync isn't detecting users that have been removed.

1 Reply

Ok, looks like I've fallen foul of the caching on the "Check Permission" button. It appears this info is about as reliable as a chocolate fireguard, and although the info I've found suggests it's updated when a user logs in, this doesn't seem to be the case. It is a pain because you have to "trust" that the permissions that have been set are right; knowing how complicated SharePoint permissions can be, this is a bit of a leap of faith.
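Rather than trusting the cached "Check Permissions" page, the membership can be read from the authoritative source. The script below is an added example, not code from this thread or from Microsoft; it assumes the PnP.PowerShell and Microsoft.Graph modules, a placeholder site URL and UPN, and it resolves transitive (nested) AAD membership, which goes a little beyond the direct membership the post describes.

```powershell
# Added example (not from the thread): build the effective user list for every AAD
# security group nested in the site's SharePoint groups by asking Entra ID (AAD) via
# Microsoft Graph, instead of relying on the cached "Check Permissions" result.
# Assumptions: PnP.PowerShell and Microsoft.Graph modules are installed; the site URL
# and the UPN checked at the end are placeholders.
$siteUrl = "https://contoso.sharepoint.com/sites/TeamSite"   # placeholder

Connect-PnPOnline -Url $siteUrl -Interactive
Connect-MgGraph -Scopes "GroupMember.Read.All"

$effective = @()
foreach ($spGroup in Get-PnPGroup) {
    foreach ($member in Get-PnPGroupMember -Group $spGroup) {
        # An AAD security group inside a SharePoint group carries a claim such as
        # c:0t.c|tenant|<object id>; the trailing GUID is the group's object id in AAD.
        if ($member.PrincipalType -eq "SecurityGroup" -and
            $member.LoginName -match '\|([0-9a-f-]{36})$') {
            $groupId = $Matches[1]
            # Transitive membership also covers groups nested inside the AAD group.
            foreach ($m in Get-MgGroupTransitiveMember -GroupId $groupId -All) {
                $upn = $m.AdditionalProperties["userPrincipalName"]
                if ($upn) {
                    $effective += [pscustomobject]@{
                        SharePointGroup = $spGroup.Title
                        AadGroup        = $member.Title
                        User            = $upn
                    }
                }
            }
        }
    }
}

# Current, authoritative picture of who reaches the site through the nested AAD groups.
$effective | Sort-Object User | Format-Table -AutoSize

# Check one user (placeholder UPN) against the live AAD membership, not the cached page.
$check = "removed.user@contoso.com"   # placeholder
if ($effective.User -contains $check) {
    "$check is still a member of an AAD group nested in this site's groups"
} else {
    "$check is not a member of any AAD group nested in this site's groups"
}
```

Users added directly to a SharePoint group (not through an AAD group) are not in this list; extend the inner loop to record members whose PrincipalType is User if you need the full picture.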