SharePoint Security Group Maintenance


Hi

Looking to see if there is an OOTB or plug-in option that can help in keeping membership of SharePoint Groups clean and tidy.

Ideally, I'd like to be able to automatically remove a user from SharePoint Security Groups (Members/Visitors), if they have not logged in to the related site for 12 months.


This is as much about security risk management as it is normal housekeeping.


@Scott-EVT 

Hi

There is a feature (not yet rolling out) that could meet your requirement

Manage guest expiration for a site - Office Support (microsoft.com)

Also, if you have an Azure P2 licence, you can create an access review with Azure

Create an access review of groups & applications - Azure AD | Microsoft Docs


Otherwise, it's other tools, not out of the box then.

Regards

@Vertebre85 Thanks for the guidance.
I will see about the Access Review however at a glance it's not offering the automation I was hoping for. We have people move around the business all the time. When they move from one department to another, it would be nice to have some automated maintenance to off-board their access to old team sites they no longer need. This has been an issue for 10+ years that I thought would have been remedied by now.

Hi @Scott-EVT 

I probably have not understood your question correctly.

I can tell you how I've done it on my side to have groups automatically adapt and grant access to SharePoint sites.

Please note that this feature requires at least an Azure P1 for each member (not assigned, just the number of licences purchased should match the number of users concerned by that).

I create an Office 365 group and modify it to be automatically populated based on several parameters (active or not, department name...).

In my company, we have an HR tool that modifies the department in Active Directory, then it's pushed to Azure AD and therefore the department is adapted for the user.

As the group is dynamic, I don't have to modify anything and rights are granted or removed on a SharePoint site.

If you have several SharePoint sites that are concerned by the same group, you can reuse the group to grant access to other sites.

In my experience, in 1 year I have only had to add 2 exceptions (2 users that work in 2 different departments at the same time but are only officially allocated to 1 department). As it's centralized, I don't have a lot to do.

Rules for dynamically populated groups membership - Azure AD | Microsoft Docs
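The dynamic-group setup described in the reply above, as an added example written with the Microsoft Graph PowerShell SDK (not code from the thread's participants). The department value "Finance", the group names and the sign-in scopes are assumptions; the membership rule combines the two attributes the reply mentions (account enabled, department name) so that an HR-driven department change adds or removes the user without any manual edit of the SharePoint group.

```powershell
# Requires the Microsoft.Graph.Groups module and a Group.ReadWrite.All-capable account.
# Dynamic membership needs an Azure AD P1 licence count matching the users concerned.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Assumed values for the example: adjust department and names to your tenant.
$department  = "Finance"
$displayName = "SP-Access-$department"
$mailNick    = "sp-access-$($department.ToLower())"

# Rule: only enabled accounts whose HR-sourced department attribute matches.
# Disabled (off-boarded) users and users moved to another department drop out automatically.
$rule = "(user.department -eq `"$department`") and (user.accountEnabled -eq true)"

# Reuse the group if it already exists, otherwise create a dynamic Microsoft 365 group.
$group = Get-MgGroup -Filter "displayName eq '$displayName'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-MgGroup -DisplayName $displayName `
        -MailEnabled:$true -MailNickname $mailNick -SecurityEnabled:$false `
        -GroupTypes @("Unified", "DynamicMembership") `
        -MembershipRule $rule -MembershipRuleProcessingState "On"
    Write-Host "Created dynamic group $($group.Id) with rule: $rule"
} else {
    # Keep the rule under control: re-apply it so nobody can silently widen membership.
    Update-MgGroup -GroupId $group.Id -MembershipRule $rule -MembershipRuleProcessingState "On"
    Write-Host "Updated rule on existing group $($group.Id)"
}

# Evaluation is asynchronous; once processed, list who the rule currently admits
# so the result can be reviewed before the group is added to a SharePoint site group.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties["userPrincipalName"] } |
    Sort-Object
```

Add the resulting Microsoft 365 group to the site's Members or Visitors SharePoint group once; thereafter only the directory attributes, not the site, need maintaining.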