How to (and not to) Manage Group Permissions in SharePoint Online

By: Modern Workplace Team | June 23, 2020

There are many ways to manage permissions in SharePoint Online. Today, we’ll walk through three scenarios for controlling permission with groups in SharePoint Online. I’ll be covering a few ideas utilizing Entra ID (formerly known as Azure Active Directory), Dynamic Groups, and SharePoint Groups.

SharePoint Groups

SharePoint Groups are a container for individual users or groups that can be assigned permissions in SharePoint. The biggest flaw here is that they are only usable within the Site Collection, where they are created. This limitation means they cannot cross and be used in other Site Collections or outside of SharePoint.

Each Site and SubSite has three default SharePoint Groups: Owners (Full Control), Members (Edit), and Visitors (Read-Only). These default groups should be utilized first over creating new custom groups. You can add users individually to these groups – but it can be hard to manage, and users tend not to be updated when moving around or leaving the organization.

Pros:

  • Managed by the Site Owners

Cons:

  • Only available for use in that individual Site Collection
  • Hard to keep up to date

Security Groups

There are two ways to utilize Security Groups in SharePoint Online: you can use groups that are synced from on-prem via Azure AD Connect, or you can create new groups directly in Azure AD. These groups can then have the users added to them and be used in SharePoint or other applications for Permissions. You would add these Azure AD Groups to whichever Default SharePoint Group matches the permissions needed.

Pros:

  • Reusable throughout your SharePoint environment and organization
  • Controlled by IT
  • Can be an O365 Group so Group Owners can manage users as well

Cons:

  • Management is done by IT
  • Site Owners may not have visibility to see who is in these groups
  • Still manually updated by IT as users move around your organization

Dynamic Groups

I’ll just come right out and say it: I think this is the best option for most organizations because it requires the least amount of overhead for the IT Staff and Site Owners.

Azure AD has a system known as Dynamic Groups – which allows you to create a Security Group where membership is based on the AD Attributes of the users. In other words, if a user’s location on their AD Account is listed as “Green Bay, WI,” then you can have them automatically added to the “All-Employees-GreenBay” Security Group.

You can use any attribute available in Azure AD for this functionality, which makes it very flexible. As users move throughout the organization and their AD Attributes are updated, their group membership will also be automatically updated in Azure AD. These Azure AD Dynamic Security Groups can then be used in SharePoint Groups on your various sites to assign site permissions.

Pros:

  • Same Pros as Azure AD Security Groups
  • Automatically updated when user accounts are updated
  • Minimal IT management needed
  • Can be used in conjunction with O365 Groups for dynamic Teams

Cons:

  • Groups need to be set up by IT
  • Site Owners don’t have control of who is in these groups
  • Requires Azure Premium P1 licensing

Wrap-Up

All three of the above scenarios work for permissions management and have their own sets of Pros and Cons. Utilizing Azure AD Dynamic Groups over the other options gives you the best opportunity for keeping your groups up to date with the least amount of administrative work. One big hurdle with Dynamic groups is the need for Azure Premium P1 licensing, but a licensing expert has told me that it can be added to your tenant license with little to no financial impact.

If you would like to learn more, please feel free to contact us.

Resources:

New call-to-action
Core's Modern Workplace team is skilled at helping organizations implement holistic workplace solutions that enable employees to securely work from anywhere.

Subscribe to our Newsletter

Stay informed on the latest technology news and trends

Relevant Insights

Building a Corporate AI Governance Policy

Here are ways to govern your use of AI so it aligns with corporate goals and minimizes risk Artificial intelligence...
Read More about Building a Corporate AI Governance Policy

The Data Center and Cloud Checklist for M&A and Divestiture Projects

Discover the essential components of a comprehensive data center assessment and how to ensure your new infrastructure meets current and...
Read More about The Data Center and Cloud Checklist for M&A and Divestiture Projects

How To Assess Your IT Infrastructure

Take these steps to ensure that your IT infrastructure meets the expectations of your board or leadership team Regular assessments...
Read More about How To Assess Your IT Infrastructure