SharePoint Permission for guest users through security groups


I noticed something strange in SharePoint Online and would like to get your confirmation for this behaviour or your comment if I am doing anything wrong.


We have many guest users in our organisation and some of them need access to SharePoint. This access can be given if I add those users in the library settings explicitly:

[attached screenshot: David_Elsner_0-1642153260832.png]


- The site has guest sharing enabled
- The guests are already added in our AD (existing guest users)
- The library has unique permissions

This works as expected and guests can access. 

But if I add those guest users to an AAD security group (not a SharePoint group) and add the group in this list, they always get this screen here:

[attached screenshot: David_Elsner_1-1642153324000.png]

This is an issue, because we are using security groups in many libraries and adding users manually is a huge pain... do you have any suggestions?
Are guest users from security groups not synced in the corresponding SharePoint groups?

12 Replies

@David_Elsner I am running into the same issues now. Were you able to find a solution?

No, I could not find a solution. Maybe it is just not supported to allow external users access via groups 😞
Do you add the AAD group inside an existing SharePoint group or directly in the root site permissions? We use the procedure you are describing a lot, since we also use dynamic group membership to populate those guest accounts and then add those dynamic groups to SharePoint. So from what I can understand, this should work as you want.
Sorry for the late reply. I didn't see the notification.
I am adding the AAD group in the site visitors group.
The site visitors group is a SharePoint group, but I do not use dynamic groups.

However, an external user does not get access to the site through a group, only through a direct user assignment. Any further idea? That is an important issue for us...
Also: When I "check permission" I receive none as a result 😞

@David_Elsner this is indeed pretty strange, yes. I cannot understand why it is like this, as I use this for several hundred users in dynamic groups, but that shouldn't matter.

Testing some things to clarify:

- If you add a tenant user to the same AAD group, do you see in Check Access that the user receives the SP group access? This verifies that internal users work.

- If you have a Teams group with internal and external guest users, can you add that team's AAD group to SharePoint, run Check Access, and see whether you get info about both the normal and the guest users?

Depending on the above results, one can investigate further. Are you a tenant admin or at least site collection admin on that site?


Thanks for your reply.

- Yes, internal users work instantly. The Check Permission feature also does what it should.
- Yes, Microsoft 365 groups (that's what you mean by "Teams group", right?) also work as intended.

So: Only normal Security groups have this issue.

I am a global admin 😉

@David_Elsner Have you ever had any luck getting this to work? I am running into the exact same issue here with external users.

@sfroehlich_aza, @David_Elsner I have run into the same issue. What I have narrowed it down to is that if users are 'members' in Azure, it works as expected; if users are 'guests' in Azure, SharePoint does not see them in the AD group and they have to be added manually.
I currently have a ticket with Microsoft to investigate.

I have a backup plan using Power Automate to 'get all members' from a dynamic AD group in Azure and 'add them' to a security group in SharePoint. Messy, but it does seem to work.
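The same workaround as a script rather than a flow, as an added example that is not part of the thread or of any Microsoft tooling: enumerate the members of the Entra ID (AAD) security group and add each one as an individual user to the SharePoint site group, which is exactly the manual step the thread says works for guests. It uses PnP PowerShell; the site URL, group names, the `-Interactive` sign-in, and the `UserPrincipalName`/`UserType` property names on the returned group members are assumptions, as is the requirement that the signed-in account is a site collection admin with permission to read group membership via Graph.

```powershell
# Added example (not from the thread): mirror an Entra ID / AAD security group
# into a SharePoint site group as individual users, so that guests who are
# members of the directory group get the same access internal users get.
# Assumptions: PnP.PowerShell is installed; the account used can read group
# members and manage site permissions; all names below are placeholders.

param(
    [string]$SiteUrl  = "https://contoso.sharepoint.com/sites/Finance", # placeholder
    [string]$AadGroup = "SP-Finance-Readers",                           # placeholder security group
    [string]$SpGroup  = "Finance Visitors",                             # placeholder SharePoint group
    [switch]$DryRun                                                     # report only, change nothing
)

Connect-PnPOnline -Url $SiteUrl -Interactive   # sign-in method is an assumption

# 1. Directory side: who is in the security group (works for dynamic groups too,
#    since their membership is materialised). Guests carry UserType 'Guest' and
#    a UPN of the form user_domain.com#EXT#@tenant.onmicrosoft.com.
$directoryMembers = Get-PnPAzureADGroupMember -Identity $AadGroup

# 2. SharePoint side: who is already in the site group, so the script is
#    idempotent. SharePoint login names look like i:0#.f|membership|<upn>,
#    so compare on the UPN portion, case-insensitively.
$existing = Get-PnPGroupMember -Group $SpGroup |
    ForEach-Object { ($_.LoginName -split '\|')[-1].ToLowerInvariant() }

$added = @()
foreach ($member in $directoryMembers) {
    $upn = $member.UserPrincipalName
    if (-not $upn) { continue }                                  # nested groups etc. have no UPN
    if ($existing -contains $upn.ToLowerInvariant()) { continue } # already granted

    if ($DryRun) {
        Write-Host "Would add $upn ($($member.UserType)) to '$SpGroup'"
    } else {
        # Add-PnPGroupMember resolves the login name with EnsureUser, which is
        # what the manual "add user in library settings" step does.
        Add-PnPGroupMember -Group $SpGroup -LoginName $upn
        Write-Host "Added $upn ($($member.UserType)) to '$SpGroup'"
    }
    $added += $upn
}

# 3. Verify the result from the SharePoint side rather than trusting the add:
#    re-read the group and confirm every guest UPN from the directory is present.
$after = Get-PnPGroupMember -Group $SpGroup |
    ForEach-Object { ($_.LoginName -split '\|')[-1].ToLowerInvariant() }
$missingGuests = $directoryMembers |
    Where-Object { $_.UserPrincipalName -like '*#EXT#*' } |
    Where-Object { $after -notcontains $_.UserPrincipalName.ToLowerInvariant() }

if ($missingGuests) {
    Write-Warning ("Guests still missing from '{0}': {1}" -f $SpGroup,
        ($missingGuests.UserPrincipalName -join ', '))
} else {
    Write-Host ("All {0} directory guests are now direct members of '{1}'" -f
        ($directoryMembers | Where-Object { $_.UserType -eq 'Guest' }).Count, $SpGroup)
}
```

Run it once with `-DryRun` to see which accounts would be added, then without it; rerunning is safe because members already in the site group are skipped. Note that this only adds users: if someone leaves the directory group they stay in the SharePoint group until you also diff in the other direction, which is the usual caveat with any "copy members" workaround.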

@carlsmith Did you ever get anywhere with Microsoft?

Can't get it to work myself.

@poom212421412412 

Yes, I did !

In short, having someone as a 'Guest' in AD does not allow you to add them to an AD group!
You need to either add them as a 'Member' in Azure, or manually add them as individual users.

Hi @carlsmith

I have a similar issue by adding a "guest" to a SharePoint security group. A guest is not able to access the contents of a shared folder where the guest is a member of a SharePoint security group that has read access to that shared folder.

Would that be the same behaviour as with the AD groups?
Does adding guests as Members in Azure mean converting them (from guest) to "internal users"?

Regards.