There are many ways to manage permissions in SharePoint Online. Today, we’ll walk through three scenarios for controlling permission with groups in SharePoint Online. I’ll be covering a few ideas utilizing Entra ID (formerly known as Azure Active Directory), Dynamic Groups, and SharePoint Groups.
SharePoint Groups
SharePoint Groups are containers for individual users or groups that can be assigned permissions in SharePoint. The biggest flaw is that they are only usable within the Site Collection where they are created; they cannot be reused in other Site Collections or outside of SharePoint.
Each Site and SubSite has three default SharePoint Groups: Owners (Full Control), Members (Edit), and Visitors (Read-Only). These default groups should be used first, before creating new custom groups. You can add users individually to these groups, but that is hard to manage, and membership tends not to be updated when users move around or leave the organization.
Pros:
- Managed by the Site Owners
Cons:
- Only available for use in that individual Site Collection
- Hard to keep up to date
Security Groups
There are two ways to use Security Groups in SharePoint Online: you can use groups that are synced from on-prem via Azure AD Connect, or you can create new groups directly in Azure AD. Users are added to these groups, and the groups can then be used for permissions in SharePoint or other applications. You add these Azure AD Groups to whichever default SharePoint Group matches the permissions needed.
Pros:
- Reusable throughout your SharePoint environment and organization
- Controlled by IT
- Can be an O365 Group so Group Owners can manage users as well
Cons:
- Management is done by IT
- Site Owners may not have visibility to see who is in these groups
- Still manually updated by IT as users move around your organization
Dynamic Groups
I’ll just come right out and say it: I think this is the best option for most organizations because it requires the least amount of overhead for the IT Staff and Site Owners.
Azure AD has a feature known as Dynamic Groups, which lets you create a Security Group whose membership is based on the AD attributes of the users. In other words, if the location on a user’s AD account is listed as “Green Bay, WI,” then you can have them automatically added to the “All-Employees-GreenBay” Security Group.
You can use any attribute available in Azure AD for this functionality, which makes it very flexible. As users move throughout the organization and their AD Attributes are updated, their group membership will also be automatically updated in Azure AD. These Azure AD Dynamic Security Groups can then be used in SharePoint Groups on your various sites to assign site permissions.
Pros:
- Same Pros as Azure AD Security Groups
- Automatically updated when user accounts are updated
- Minimal IT management needed
- Can be used in conjunction with O365 Groups for dynamic Teams
Cons:
- Groups need to be set up by IT
- Site Owners don’t have control of who is in these groups
- Requires Azure Premium P1 licensing
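Putting the Security Groups and Dynamic Groups sections together, here is an added PowerShell example (not from the original post) that creates the dynamic group from the “Green Bay, WI” scenario, reviews who landed in it, and adds it to a site’s default Members group so those users get Edit. The site URL, the choice of user.city and user.state as the driving attributes, and the Microsoft.Graph and PnP.PowerShell module setup are assumptions.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph and
# PnP.PowerShell modules are installed; the site URL and attribute values are placeholders.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

# Membership rule in Entra ID dynamic-rule syntax (see the linked Microsoft docs).
# accountEnabled keeps disabled accounts from holding site permissions through the group.
$rule = '(user.city -eq "Green Bay") and (user.state -eq "WI") and (user.accountEnabled -eq true)'

$group = New-MgGroup -DisplayName "All-Employees-GreenBay" `
    -MailEnabled:$false -MailNickname "All-Employees-GreenBay" `
    -SecurityEnabled -GroupTypes "DynamicMembership" `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# Membership is evaluated asynchronously after creation; review the result before
# granting anything. Whoever can edit city/state on user accounts can now move
# users into this group, so that attribute write access is worth auditing too.
Start-Sleep -Seconds 120
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties.userPrincipalName }

# Grant Edit on the site by adding the Entra group to the site's default Members group.
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/GreenBay" -Interactive

# SharePoint refers to an Entra security group by a claims login name built from its object id.
$loginName = "c:0t.c|tenant|$($group.Id)"
$membersGroup = Get-PnPGroup -AssociatedMemberGroup
Add-PnPGroupMember -Group $membersGroup -LoginName $loginName

# Confirm what the Members group now contains (the Entra group shows up as one entry).
Get-PnPGroupMember -Group $membersGroup | Select-Object Title, LoginName
```

Site Owners can see the Entra group listed in the Members group, but not its members; the Get-MgGroupMember call above is the way to answer “who actually has Edit here?”.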
Wrap-Up
All three of the above scenarios work for permissions management and have their own sets of Pros and Cons. Utilizing Azure AD Dynamic Groups over the other options gives you the best opportunity for keeping your groups up to date with the least amount of administrative work. One big hurdle with Dynamic groups is the need for Azure Premium P1 licensing, but a licensing expert has told me that it can be added to your tenant license with little to no financial impact.
If you would like to learn more, please feel free to contact us.
Resources:
- https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-create-rule
- https://docs.microsoft.com/en-us/azure/active-directory/external-identities/use-dynamic-groups
- https://azure.microsoft.com/en-us/pricing/details/active-directory/