
How to (and not to) Manage Group Permissions in SharePoint Online

Kyle Ziber  |  Jun 23, 2020
 
About the author: Kyle Ziber has been working in SharePoint and the Microsoft Cloud since 2010. He holds an MCSE in both SharePoint and Productivity from Microsoft.
 
There are many ways to manage permissions in SharePoint Online. Today, we’ll walk through three scenarios for controlling permissions with groups in SharePoint Online. I’ll be covering a few ideas utilizing Azure Active Directory (AD), Azure AD Dynamic Groups, and SharePoint Groups.
 

SharePoint Groups

SharePoint Groups are containers for individual users or groups that can be assigned permissions in SharePoint. The biggest flaw here is that they are only usable within the Site Collection where they are created. This limitation means they cannot be used in other Site Collections or outside of SharePoint.
 
Each Site and SubSite has three default SharePoint Groups: Owners (Full Control), Members (Edit), and Visitors (Read-Only). Use these default groups first, before creating new custom groups. You can add users individually to these groups, but that can be hard to manage, and memberships tend not to be updated when users move around or leave the organization.
 
Pros:
  • Managed by the Site Owners
 
Cons:
  • Only available for use in that individual Site Collection
  • Hard to keep up to date
 

Active Directory Security Groups

There are two ways to utilize Active Directory Security Groups in SharePoint Online: you can use groups that are synced from on-prem via Azure AD Connect, or you can create new groups directly in Azure AD. Users are then added to these groups, and the groups can be used for permissions in SharePoint or other applications. You would add these Azure AD Groups to whichever default SharePoint Group matches the permissions needed.
 
Pros:
  • Reusable throughout your SharePoint environment and organization
  • Controlled by IT
  • Can be an O365 Group so Group Owners can manage users as well
 
Cons:
  • Management is done by IT
  • Site Owners may not have visibility to see who is in these groups
  • Still manually updated by IT as users move around your organization
 

Azure Active Directory Dynamic Groups

I’ll just come right out and say it: I think this is the best option for most organizations because it requires the least amount of overhead for the IT Staff and Site Owners.

Azure AD has a system known as Dynamic Groups – which allows you to create a Security Group where membership is based on the AD Attributes of the users. In other words, if a user’s location on their AD Account is listed as “Green Bay, WI,” then you can have them automatically added to the “All-Employees-GreenBay” Security Group.

You can use any attribute available in Azure AD for this functionality, which makes it very flexible. As users move throughout the organization and their AD Attributes are updated, their group membership will also be automatically updated in Azure AD. These Azure AD Dynamic Security Groups can then be used in SharePoint Groups on your various sites to assign site permissions.
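As an added example (not part of the original post), this is one way to create the “All-Employees-GreenBay” dynamic security group described above with the Microsoft Graph PowerShell SDK. It assumes the user's location is stored in the `city` and `state` attributes; adjust the rule to whichever attributes your directory actually populates.

```powershell
# Added example: requires the Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups).
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

$name = 'All-Employees-GreenBay'   # group name used in the article
# Assumption: "Green Bay, WI" is held in the city and state attributes.
$rule = '(user.city -eq "Green Bay") and (user.state -eq "WI")'

# Reuse the group if it already exists so the script can be re-run safely.
$group = Get-MgGroup -Filter "displayName eq '$name'" `
            -Property Id, DisplayName, MembershipRule |
         Select-Object -First 1

if (-not $group) {
    $group = New-MgGroup -DisplayName $name `
        -Description 'Dynamic: all users located in Green Bay, WI' `
        -MailEnabled:$false -MailNickname $name -SecurityEnabled `
        -GroupTypes 'DynamicMembership' `
        -MembershipRule $rule `
        -MembershipRuleProcessingState 'On'
}
elseif ($group.MembershipRule -ne $rule) {
    # Do not silently overwrite a rule someone else maintains.
    Write-Warning "Existing rule differs: $($group.MembershipRule)"
}

# Rule evaluation is asynchronous; members can take a while to appear
# after the group is created or a user's attributes change.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
    Sort-Object
```

Because membership follows the attribute values, anyone who can edit those attributes effectively controls who receives the site permissions, so review who has write access to them before relying on the group.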
 
Pros:
  • Same Pros as Azure AD Security Groups
  • Automatically updated when user accounts are updated
  • Minimal IT management needed
  • Can be used in conjunction with O365 Groups for dynamic Teams
 
Cons:
  • Groups need to be set up by IT
  • Site Owners don’t have control of who is in these groups
  • Requires Azure Premium P1 licensing
 

Wrap-up

All three of the above scenarios work for permissions management and have their own sets of Pros and Cons. Utilizing Azure AD Dynamic Groups over the other options gives you the best opportunity for keeping your groups up to date with the least amount of administrative work. One big hurdle with Dynamic groups is the need for Azure Premium P1 licensing, but a licensing expert has told me that it can be added to your tenant license with little to no financial impact.

If you would like to learn more, please feel free to contact us.
 
 