Jun 13 2022 02:00 PM
We recently created a few thousand printers in Universal Print and we use a security group that allows users to connect to any printer for IT staff and for itinerant staff that migrate between sites. We just found out that it resulted in users being unable to properly authenticate to SharePoint online because of the built-in limitation for that application of being in a maximum of 2,049 direct and indirect group memberships. Service limits and restrictions - Azure Active Directory - Microsoft Entra | Microsoft Docs
This resulted in users getting errors saying they could not edit or create documents in OneDrive, Office for the Web, and SharePoint. It also resulted in all the visitor membership rights to our internal SharePoint communications being lost in the shuffle. It led to a lot of crazy issues with some users being able to authenticate and some not. We had a SEV A ticket open for two weeks with Microsoft Premier Support with 0 help on this issue and just happened to figure it out myself one evening while poking around in Graph where I discovered all the indirect memberships. I had never connected the two as we had been adding Universal Print shares without issue over several weeks before we crossed the threshold.
Could y'all please update the Universal Print documentation to make sure people are aware of this limitation? I'm not sure if there is a better way to handle printer permissions without having to re-engineer it, but it means we had to go backwards and delete the Universal Print shares we have been adding the last several weeks to get the group memberships down to a level where SharePoint Online starts functioning again.
Jun 14 2022 03:12 PM
@tusdshaun - Thanks for the feedback and we will work on the documentation.
This would happen if you add one person to many printers' access list.
Can you help us understand your configuration a bit more?
We typically recommend using the "Allow All" toggle in printer access if the printer needs to be available to all the Universal Print enabled users. Is that an option for you?
Thanks
Saurabh
Jun 14 2022 03:25 PM
Thanks for the response, it's appreciated.
Jun 16 2022 02:32 PM
Solution
Thanks @Saurabh_Bansal
We were able to utilize the option of "Allow access to everyone in my organization" when creating printer shares to reduce the number of Security Groups that would be needed. Since not all printers need granular permissions, we were able to sell leadership on this being the default option. The number of printers specifically needing different permissions because of prior complaints or being in sensitive areas where people may complain about stray print jobs, really only numbers in the few hundreds.
To still restrict printing, we were able to utilize licensing to remove the Universal Print feature from our Dynamic Group that manages our licensing so that students are still not able to print, even with the "everyone in my organization" toggled on. We created a new licensing group with just Universal Print enabled for student helpers that will be allowed to print.
Not as ideal as having those fine-tuned granular permissions, but at least it allows us to continue with Universal Print without breaking SharePoint, which was the main objective.
Thanks for your help and prompt feedback.
Shaun
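The failure described in the first post can be caught before users cross the threshold by counting direct plus indirect memberships per user. The sketch below is an added example, not code from the thread or from Microsoft; the group names, the sample tenant, and the modelling of each printer share as one group that the staff group is nested into are assumptions made for illustration.

```python
from collections import defaultdict

SPO_GROUP_LIMIT = 2049  # direct + indirect membership limit quoted in the thread

def transitive_groups(principal, member_of):
    """Every group reachable from `principal` by following memberOf edges."""
    seen, stack = set(), list(member_of.get(principal, ()))
    while stack:
        group = stack.pop()
        if group in seen:
            continue  # tolerate diamond-shaped and circular nesting
        seen.add(group)
        stack.extend(member_of.get(group, ()))
    return seen

def audit(users, member_of, limit=SPO_GROUP_LIMIT):
    """Report membership totals per user and the direct group adding the most."""
    report = {}
    for user in users:
        direct = set(member_of.get(user, ()))
        total = transitive_groups(user, member_of)
        # Memberships each direct group contributes: itself plus what it nests into.
        fanout = {g: 1 + len(transitive_groups(g, member_of) - {g}) for g in direct}
        report[user] = {
            "direct": len(direct),
            "total": len(total),
            "over_limit": len(total) > limit,
            "largest_source": max(fanout, key=fanout.get) if fanout else None,
        }
    return report

def build_sample(printers):
    """Constructed tenant: one 'print anywhere' group granted on every printer share."""
    member_of = defaultdict(set)
    member_of["it.tech"] = {"IT-Staff", "All-Print-Anywhere"}   # hypothetical user
    member_of["teacher"] = {"Site-12-Teachers"}                 # hypothetical user
    for i in range(printers):
        # Assumed model: each share is a group the staff group becomes a member of.
        member_of["All-Print-Anywhere"].add(f"printer-share-{i:04d}")
    member_of["Site-12-Teachers"].add("printer-share-0012")
    return member_of

if __name__ == "__main__":
    for user, row in audit(["it.tech", "teacher"], build_sample(2048)).items():
        print(user, row)
```

In a live tenant the `member_of` edges would come from a directory export; the `largest_source` field points at the single group whose nesting accounts for most of a user's total.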