SOLVED

Permission Groups for Universal Print break SharePoint Online


We recently created a few thousand printers in Universal Print, and we use a security group that allows users to connect to any printer for IT staff and for itinerant staff that migrate between sites. We just found out that it resulted in users being unable to properly authenticate to SharePoint Online because of the built-in limitation for that application of being in a maximum of 2,049 direct and indirect group memberships. Service limits and restrictions - Azure Active Directory - Microsoft Entra | Microsoft Docs

 

This resulted in users getting errors saying they could not edit or create documents in OneDrive, Office for the Web, and SharePoint. It also resulted in all the visitor membership rights to our internal SharePoint communications being lost in the shuffle. It led to a lot of crazy issues with some users being able to authenticate and some not. We had a SEV A ticket open for two weeks with Microsoft Premier Support with 0 help on this issue, and I just happened to figure it out myself one evening while poking around in Graph, where I discovered all the indirect memberships. I had never connected the two as we had been adding Universal Print shares without issue over several weeks before we crossed the threshold.

 

Could y'all please update the Universal Print documentation to make sure people are aware of this limitation? I'm not sure if there is a better way to handle printer permissions without having to re-engineer it, but it means we had to go backwards and delete the Universal Print shares we have been adding the last several weeks to get the group memberships down to a level where SharePoint Online starts functioning again.

3 Replies

@tusdshaun - Thanks for the feedback and we will work on the documentation. 

 

This would happen if you add one person to many printers' access list.

 

Can you help us understand your configuration a bit more?

  1. Are your printers available to all users or only a given set of users?
  2. If to a given set of users, then are they part of a security group?
  3. Do you add security group to printer's permissions or each user individually?
  4. If security group - then do you add the same security group to each printer?

We typically recommend using the "Allow All" toggle in printer access if the printer needs to be available to all the Universal Print enabled users. Is that an option for you?

 

Thanks

Saurabh

@Saurabh_Bansal 

 

  1. Are your printers available to all users or only a given set of users?
    Sadly, as we are an education institution we cannot utilize the allow all users function. Students are not allowed to print as part of our paperless efforts. 
  2. If to a given set of users, then are they part of a security group?
    Yes, we added our OrganizationalWidePrintUsers security group to every print share we created which is why users ended up having indirect membership in every single UniversalPrint security group associated with those shares.
  3. Do you add security group to printer's permissions or each user individually?
    To the printer's permissions as we created the shares. 
  4. If security group - then do you add the same security group to each printer?
    Yes, we did not want to micromanage printer permissions for each staff member that transferred between sites or working at multiple sites so we utilized the same security group. 

Thanks for the response, it's appreciated. 
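
Added example, not part of the original posts: a Python model over a constructed directory showing how granting one group on every printer share inflates each member's transitive group count past the 2,049 limit described above. The user names, the `Dept-*` and `UP-Share-*` group names and the 40 baseline groups are assumptions; only `OrganizationalWidePrintUsers` and the limit come from the thread.

```python
from collections import deque

SPO_GROUP_LIMIT = 2049  # direct + indirect membership limit quoted in the thread

def transitive_groups(principal, member_of):
    """Every group reachable from principal over memberOf edges (cycle-safe BFS)."""
    seen, queue = set(), deque(member_of.get(principal, ()))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue  # nested groups can loop back; visit each group once
        seen.add(group)
        queue.extend(member_of.get(group, ()))
    return seen

def build_directory(share_count, dept_groups=40):
    """Constructed tenant: one org-wide group granted on every printer share."""
    return {
        "staff@example.edu": ["OrganizationalWidePrintUsers"]
        + [f"Dept-{i}" for i in range(dept_groups)],
        "student@example.edu": ["Students"],
        # Granting the group on a share nests it in that share's own group.
        "OrganizationalWidePrintUsers": [f"UP-Share-{i}" for i in range(share_count)],
    }

def audit(member_of, users, limit=SPO_GROUP_LIMIT):
    """Per-user direct, indirect and total membership counts against the limit."""
    report = {}
    for user in users:
        direct = set(member_of.get(user, ()))
        total = transitive_groups(user, member_of)
        report[user] = {
            "direct": len(direct),
            "indirect": len(total - direct),
            "total": len(total),
            "over_limit": len(total) > limit,
        }
    return report

if __name__ == "__main__":
    users = ["staff@example.edu", "student@example.edu"]
    for shares in (2000, 2009):
        for user, row in audit(build_directory(shares), users).items():
            print(shares, user, row)
```

Against a live tenant, the same per-user set is what Microsoft Graph returns from the user's `transitiveMemberOf` relationship.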


best response confirmed by Saurabh_Bansal (Microsoft)
Solution

Thanks @Saurabh_Bansal 

 

We were able to utilize the option of "Allow access to everyone in my organization" when creating printer shares to reduce the number of Security Groups that would be needed. Since not all printers need granular permissions, we were able to sell leadership on this being the default option. The number of printers specifically needing different permissions because of prior complaints or being in sensitive areas where people may complain about stray print jobs, really only numbers in the few hundreds.

To still restrict printing, we were able to utilize licensing to remove the Universal Print feature from our Dynamic Group that manages our licensing so that students are still not able to print, even with the "everyone in my organization" toggled on. We created a new licensing group with just Universal Print enabled for student helpers that will be allowed to print.

 

Not ideal as having those fine-tuned granular permissions, but at least it allows us to continue with Universal Print without breaking SharePoint, which was the main objective. 

 

Thanks for your help and prompt feedback. 

 

Shaun
