Using AD Security Groups for SPO Access

%3CLINGO-SUB%20id%3D%22lingo-sub-1651424%22%20slang%3D%22en-US%22%3EUsing%20AD%20Security%20Groups%20for%20SPO%20Access%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1651424%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20had%20mixed%20results%20using%20Security%20Groups%20I've%20created%20in%20our%20AD%20and%20using%20them%20on%20our%20SharePoint%20Online%20environment.%20I%20can%20see%20the%20Security%20Group%20in%20AAD%20and%20the%20correct%20members.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20I%20add%20the%20Domain%20Group%20(Security%20Group)%20into%20SPO%20and%20it%20works%20properly%2C%20I%20can%20run%20Check%20Permissions%2C%20search%20for%20the%20user%2C%20and%20it%20will%20show%20what%20Domain%20Group%20and%20what%20access%20they%20have.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20it%20doesn't%20work%2C%20the%20user%20will%20just%20have%20no%20permissions%2FLimited%20Access.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDoes%20it%20take%20up%20to%2024hrs%20for%20users%20to%20gain%20access%20via%20Domain%20Groups%20or%20am%20I%20doing%20something%20wrong%3F%20I%20have%20tried%20both%20adding%20the%20Domain%20Group%20directly%20into%20permissions%2C%20and%20also%20nesting%20it%20under%20a%20SharePoint%20Group.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1651424%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EPermissions%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESharePoint%20Online%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1654840%22%20slang%3D%22en-US%22%3ERe%3A%20Using%20AD%20Security%20Groups%20for%20SPO%20Access%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1654840%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F435966%22%20target%3D%22_blank%22%3E%40albertstain%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%2C%20I'm%20not%20quite%20understanding%20your%20problem%20here%20I'm%20afraid.%26nbsp%3B%20Are%20you%20saying%20that%20sometimes%20you%20can%20grant%20Security%20Groups%20permissions%20to%20SharePoint%20Sites%2C%20and%20other%20times%20you%20cannot%3F%26nbsp%3B%20Can%20you%20please%20provide%20a%20bit%20more%20information%20and%20perhaps%20some%20example%20screenshots%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1655613%22%20slang%3D%22en-US%22%3ERe%3A%20Using%20AD%20Security%20Groups%20for%20SPO%20Access%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1655613%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F616707%22%20target%3D%22_blank%22%3E%40PeterRising%3C%2FA%3E%26nbsp%3BHi%20Peter%20-%20I%20create%20a%20Security%20Group%20in%20our%20AD%20and%20I%20can%20see%20that%20it%20syncs%20up%20as%20I%20can%20see%20it%20on%20our%20Azure%20AD%20as%20well.%20When%20I%20use%20this%20Security%20Group%20and%20add%20it%20for%20Site%20permissions%20on%20our%20SPO%2C%20the%20group%20adds%20as%20a%20Domain%20Group%20but%20takes%20a%20long%20time%20for%20the%20users%20in%20that%20group%20to%20actually%20gain%20access%20via%20the%20Domain%20Group.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EE.g.%20I%20add%20a%20Domain%20Group%20called%20AD-Site-Owners%20with%20John%20Doe%2C%20after%20adding%20in%20SPO%2C%20I%20use%20the%20Check%20Permissions%20function%20and%20search%20for%20John%20Doe%20-%20he%20comes%20up%20with%20Access%3A%20None%20or%20Limited%20Access.%20If%20I%20wait%20till%20the%20next%20day%2C%20I%20can%20see%20him%20granted%20access%20via%20AD-Site-Owners.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20this%20normal%20and%20is%20there%20any%20way%20to%20speed%20up%20the%20time%20it%20takes%20for%20this%20to%20happen%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

I have had mixed results using Security Groups I've created in our AD and using them on our SharePoint Online environment. I can see the Security Group in AAD and the correct members.

 

If I add the Domain Group (Security Group) into SPO and it works properly, I can run Check Permissions, search for the user, and it will show what Domain Group and what access they have.

 

If it doesn't work, the user will just have no permissions/Limited Access.

 

Does it take up to 24hrs for users to gain access via Domain Groups or am I doing something wrong? I have tried both adding the Domain Group directly into permissions, and also nesting it under a SharePoint Group.

3 Replies
Highlighted

@albertstain 

 

Hi, I'm not quite understanding your problem here I'm afraid.  Are you saying that sometimes you can grant Security Groups permissions to SharePoint Sites, and other times you cannot?  Can you please provide a bit more information and perhaps some example screenshots?

Highlighted

@PeterRising Hi Peter - I create a Security Group in our AD and I can see that it syncs up as I can see it on our Azure AD as well. When I use this Security Group and add it for Site permissions on our SPO, the group adds as a Domain Group but takes a long time for the users in that group to actually gain access via the Domain Group.

 

E.g. I add a Domain Group called AD-Site-Owners with John Doe, after adding in SPO, I use the Check Permissions function and search for John Doe - he comes up with Access: None or Limited Access. If I wait till the next day, I can see him granted access via AD-Site-Owners.

 

Is this normal and is there any way to speed up the time it takes for this to happen?

Highlighted

@albertstain 

 

Ah I see.  Yes I've had mixed results with this method in the past, and I must admit that when it comes to SP Online Sites, I favour the use of SP groups as opposed to AD synced or Azure AD Groups.  It just works a whole lot better (in my own opinion that is).