June 23, 2020

How to (and not to) Manage Group Permissions in SharePoint Online

Post by: Kyle Ziber

Kyle Ziber has been working in SharePoint and the Microsoft Cloud since 2010. He holds an MCSE in both SharePoint and Productivity from Microsoft.

There are many ways to manage permissions in SharePoint Online. Today, we’ll walk through three scenarios for controlling permission with groups in SharePoint Online. I’ll be covering a few ideas utilizing Azure Active Directory (AD), Azure AD Dynamic Groups, and SharePoint Groups.

SharePoint Groups

SharePoint Groups are containers for individual users or groups that can be assigned permissions in SharePoint. Their biggest flaw is that they are only usable within the Site Collection where they are created: they cannot be reused in other Site Collections or outside of SharePoint.

Each Site and SubSite has three default SharePoint Groups: Owners (Full Control), Members (Edit), and Visitors (Read-Only). Use these default groups first, before creating new custom groups. You can add users individually to these groups, but that is hard to manage, and memberships tend not to be updated when users move around or leave the organization.

Pros:

  • Managed by the Site Owners

Cons:

  • Only available for use in that individual Site Collection
  • Hard to keep up to date

Active Directory Security Groups

There are two ways to utilize Active Directory Security Groups in SharePoint Online: you can use groups that are synced from on-prem via Azure AD Connect, or you can create new groups directly in Azure AD. Users are added to these groups, and the groups can then be used for permissions in SharePoint or in other applications. You would add these Azure AD Groups to whichever default SharePoint Group matches the permissions needed.

Pros:

  • Reusable throughout your SharePoint environment and organization
  • Controlled by IT
  • Can be an O365 Group so Group Owners can manage users as well

Cons:

  • Management is done by IT
  • Site Owners may not have visibility to see who is in these groups
  • Still manually updated by IT as users move around your organization

Azure Active Directory Dynamic Groups

I’ll just come right out and say it: I think this is the best option for most organizations because it requires the least amount of overhead for the IT Staff and Site Owners.

Azure AD has a feature known as Dynamic Groups that lets you create a Security Group whose membership is based on the AD Attributes of the users. In other words, if a user’s location on their AD Account is listed as “Green Bay, WI,” then you can have them automatically added to the “All-Employees-GreenBay” Security Group.

You can use any attribute available in Azure AD for this functionality, which makes it very flexible. As users move throughout the organization and their AD Attributes are updated, their group membership is automatically updated in Azure AD as well. These Azure AD Dynamic Security Groups can then be added to the SharePoint Groups on your various sites to assign site permissions.
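As an added example (not code from the original post), the following PowerShell creates the "All-Employees-GreenBay" dynamic group described above, confirms that rule processing is actually switched on, and then adds the group to a site's default Members SharePoint Group. It assumes the AzureAD and PnP.PowerShell modules, a sufficiently privileged admin account, and a placeholder tenant/site URL and SharePoint group name.

```powershell
# Added example, not from the original post. Requires the AzureAD and PnP.PowerShell
# modules, Groups Administrator rights in Azure AD, SharePoint site ownership, and the
# P1 licensing the post mentions for dynamic membership. Tenant name, site URL and the
# "Green Bay Members" group name are placeholders (assumptions).

Connect-AzureAD

# Membership rule in Azure AD's own rule syntax. Users whose City/State attributes match
# are added automatically, and dropped again when those attributes change, so nobody in
# IT has to touch the group as people move around the organization.
$rule = '(user.city -eq "Green Bay") and (user.state -eq "WI") and (user.accountEnabled -eq true)'

$group = New-AzureADMSGroup `
    -DisplayName "All-Employees-GreenBay" `
    -Description "Dynamic: all enabled users located in Green Bay, WI" `
    -MailEnabled $false `
    -MailNickname "AllEmployeesGreenBay" `
    -SecurityEnabled $true `
    -GroupTypes "DynamicMembership" `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

# Check: if processing is "Paused" the rule is stored but never evaluated, and the group
# silently stays empty (or stale), which is the failure mode to watch for.
$state = (Get-AzureADMSGroup -Id $group.Id).MembershipRuleProcessingState
if ($state -ne "On") {
    throw "Dynamic membership processing is not enabled for $($group.DisplayName)"
}

# Grant the Azure AD group Edit rights by putting it in the site's default Members
# SharePoint Group. SharePoint Online identifies an Azure AD security group by its
# object ID using this claim format.
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/GreenBay" -Interactive
$loginName = "c:0t.c|tenant|$($group.Id)"
Add-PnPGroupMember -Group "Green Bay Members" -LoginName $loginName

# Visibility for Site Owners (one of the cons of AD-managed groups): list who the rule
# currently resolves to, so the site owner can review effective access.
Get-AzureADGroupMember -ObjectId $group.Id -All $true |
    Select-Object DisplayName, UserPrincipalName
```

Dynamic membership is evaluated asynchronously, so the member list may take a few minutes to populate after the group is created.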

Pros:

  • Same Pros as Azure AD Security Groups
  • Automatically updated when user accounts are updated
  • Minimal IT management needed
  • Can be used in conjunction with O365 Groups for dynamic Teams

Cons:

  • Groups need to be set up by IT
  • Site Owners don’t have control of who is in these groups
  • Requires Azure Premium P1 licensing

Wrap-Up

All three of the above scenarios work for permissions management and have their own sets of Pros and Cons. Utilizing Azure AD Dynamic Groups over the other options gives you the best opportunity for keeping your groups up to date with the least amount of administrative work. One big hurdle with Dynamic groups is the need for Azure Premium P1 licensing, but a licensing expert has told me that it can be added to your tenant license with little to no financial impact.

If you would like to learn more, please feel free to contact us.
