MGDC for SharePoint FAQ: How are SharePoint Groups and Security Groups used together?

by info.odysseyx@gmail.com


1. Introduction

Access to SharePoint is often managed through groups. SharePoint has its own groups that are independent of Microsoft Entra ID (formerly Azure Active Directory or AAD) groups. This can cause confusion, with questions about the need for SharePoint groups and whether AAD security groups alone are sufficient.

This article explores how to use SharePoint groups with Microsoft Entra ID security groups.

2. Why use groups?

While you can assign permissions to individual users, it is usually more efficient to manage permissions through groups. This approach simplifies adding individuals to roles or switching between roles.

For example, when setting up a SharePoint site for a corporate project, you can assign permissions directly to the relevant team members. However, when someone new joins the project, you need to grant that individual access in multiple places. With groups, you can simply add new members to the project group and they will automatically receive all the permissions of the group.

3. Why do we need SharePoint groups?

You can assign SharePoint permissions directly to Microsoft Entra ID groups. However, it is generally recommended to use role-based groups in Entra ID together with resource-related groups at the level of each resource.

The resource group must contain the appropriate Entra ID groups assigned to roles relevant to the site. For example, all members of a project group are granted permissions to sites associated with that project.

SharePoint team sites typically have three main SharePoint resource groups: Site Owners, Site Members, and Site Visitors. These are populated by members (or owners) of the Microsoft Entra ID role group.

Here is an example: [image in the original post]

4. Create a new site

To help with this process, the SharePoint user interface has evolved over time to make it simple to create a new site with the required Entra ID groups and associated SharePoint groups. All of this is done in a simple workflow that automates the process and asks for the minimum amount of information required.

Starting from the SharePoint main page, assuming your company allows self-service site creation, you can use the “+ Create site” button at the top. In my tenant, you start by choosing the type of site you want to create: “Team site” or “Communication site.”

I chose “Team Site”. Then, you are given a few different templates for team sites.

I chose the “Standard team” template. Next, you need to give your site a name, description, email alias, and address. This workflow will check if the name, email alias, and site are available.

You have been assigned the Site Owner role. The final step here is to add more people to the site. These will be members. You also have the option to add more owners (at least 2 is recommended).

I added two additional members and remained as the sole owner. After that the site was created. Using the options in the top right of the SharePoint site, you can see the three members in the Group Membership sidebar on the right.

Here you see one owner (User2) and two members (User1 and User3). From here you can easily add members or assign the owner role to all members.

This experience is designed to streamline your process and get you up and running with new team sites quickly.

5. What groups were created?

A few groups were created automatically in the background. In this case, we got a single new Microsoft 365 group in Microsoft Entra ID and three new SharePoint groups.

When you look for the Microsoft 365 group in Entra ID, you can see that it has a total of 3 members (User1, User2, User3) and 1 owner (User2).

Click on the Members & Owners option in the left sidebar to view details.

Here are more details about SharePoint groups on your site:

  • ProjectX Owners – Grants “Full Control” permissions on the root web (main subsite). Members of this group are owners of the Microsoft 365 group.
  • ProjectX Members – Grants “Edit” permission on the root web. Members of this group are members of the Microsoft 365 group.
  • ProjectX Visitors – Grants “Read” permission on the root web. This group has no members. Team sites are usually created to facilitate collaboration, so this group is not usually needed, but it is created in case you need to add visitors later.

6. SharePoint Permissions

Digging deeper, you can pull permissions for this tenant using Microsoft Graph Data Connect to find the permission objects that grant access to this specific site. This will validate what we discussed earlier and allow you to use more sophisticated data tools to review these permissions for a large tenant. If you are not familiar with MGDC for SharePoint, get started at https://aka.ms/SharePointData.

Here are the JSON objects representing the permissions granted in this scenario. First, the permissions object granting Full Control to the Owners SharePoint group.

{
    "ptenant": "12345678-90ab-4c21-842a-abcea48840d5",
    "SiteId": "567890ab-1234-4813-a993-ea22b84e26c7",
    "WebId": "12341234-1234-4b50-8f07-1b4166cf66ba",
    "ListId": "00000000-0000-0000-0000-000000000000",
    "ItemType": "Web",
    "ItemURL": "sites/ProjectX",
    "RoleDefinition": "Full Control",
    "ScopeId": "5f80eb7c-4b43-4fee-830b-1234567890ab",
    "SharedWithCount": [
        {
            "Type": "SharePointGroup",
            "Count": 1
        }
    ],
    "SharedWith": [
        {
            "Type": "SharePointGroup",
            "Name": "ProjectX Owners",
            "TypeV2": "SharePointGroup"
        }
    ],
    "Operation": "Full",
    "SnapshotDate": "2024-07-31T00:00:00Z",
    "ShareCreatedBy": {},
    "ShareLastModifiedBy": {},
    "UniqueId": "eeff5b6d-1234-1234-1234-f621f6a80394"
}

Note: There are no user counts (UserCount and TotalUserCount) here. This is intentional, as the SharePoint dataset currently only shows the number of AAD group members, not AAD group owners.

The following is the permission object that grants Edit permissions to the Members SharePoint group.

{
    "ptenant": "12345678-90ab-4c21-842a-abcea48840d5",
    "SiteId": "567890ab-1234-4813-a993-ea22b84e26c7",
    "WebId": "12341234-1234-4b50-8f07-1b4166cf66ba",
    "ListId": "00000000-0000-0000-0000-000000000000",
    "ItemType": "Web",
    "ItemURL": "sites/ProjectX",
    "RoleDefinition": "Edit",
    "ScopeId": "5f80eb7c-4b43-4fee-830b-1234567890ab",
    "SharedWithCount": [
        {
            "Type": "SharePointGroup",
            "Count": 1
        }
    ],
    "SharedWith": [
        {
            "Type": "SharePointGroup",
            "Name": "ProjectX Members",
            "TypeV2": "SharePointGroup",
            "UserCount": 3
        }
    ],
    "Operation": "Full",
    "SnapshotDate": "2024-07-31T00:00:00Z",
    "ShareCreatedBy": {},
    "ShareLastModifiedBy": {},
    "TotalUserCount": 3,
    "UniqueId": "eeff5b6d-f3cf-451b-9863-f621f6a80394"
}

Finally, here is the permission object that grants Read access to the Visitors SharePoint group:

{
    "ptenant": "12345678-90ab-4c21-842a-abcea48840d5",
    "SiteId": "567890ab-1234-4813-a993-ea22b84e26c7",
    "WebId": "12341234-1234-4b50-8f07-1b4166cf66ba",
    "ListId": "00000000-0000-0000-0000-000000000000",
    "ItemType": "Web",
    "ItemURL": "sites/ProjectX",
    "RoleDefinition": "Read",
    "ScopeId": "5f80eb7c-4b43-4fee-830b-1234567890ab",
    "SharedWithCount": [
        {
            "Type": "SharePointGroup",
            "Count": 1
        }
    ],
    "SharedWith": [
        {
            "Type": "SharePointGroup",
            "Name": "ProjectX Visitors",
            "TypeV2": "SharePointGroup"
        }
    ],
    "Operation": "Full",
    "SnapshotDate": "2024-07-31T00:00:00Z",
    "ShareCreatedBy": {},
    "ShareLastModifiedBy": {},
    "UniqueId": "eeff5b6d-1234-1234-1234-f621f6a80394"
}

Note: There are no user counts (UserCount and TotalUserCount) here. This is intentional, as the “ProjectX Visitors” SharePoint group has no members.

7. SharePoint Groups

To complete the picture, let’s look at the definitions of three SharePoint groups: Owners, Members, and Visitors. There are some interesting twists here. Let’s look at them one by one.

Let’s start with the Visitors group. This is the simplest. It’s a SharePoint group with an empty members list.

{
    "ptenant": "12345678-90ab-4c21-842a-abcea48840d5",
    "SiteId": "567890ab-1234-4813-a993-ea22b84e26c7",
    "GroupId": 4,
    "GroupLinkId": "00000000-0000-0000-0000-000000000000",
    "GroupType": "SharePointGroup",
    "DisplayName": "ProjectX Visitors",
    "Owner": {
        "Type": "SharePointGroup",
        "Name": "ProjectX Owners",
        "TypeV2": "SharePointGroup"
    },
    "Members": [],
    "Operation": "Full",
    "SnapshotDate": "2024-07-31T00:00:00Z"
}

Next is the Members group. This SharePoint group has a single member, the Microsoft 365 group in Entra ID.

{
    "ptenant": "12345678-90ab-4c21-842a-abcea48840d5",
    "SiteId": "567890ab-1234-4813-a993-ea22b84e26c7",
    "GroupId": 5,
    "GroupLinkId": "00000000-0000-0000-0000-000000000000",
    "GroupType": "SharePointGroup",
    "DisplayName": "ProjectX Members",
    "Owner": {
        "Type": "SharePointGroup",
        "Name": "ProjectX Owners",
        "TypeV2": "SharePointGroup"
    },
    "Members": [
        {
            "Type": "SecurityGroup",
            "AadObjectId": "11223344-5566-4ce6-885c-ff5faca9be7f",
            "Name": "ProjectX Members",
            "Email": "ProjectX@contoso.onmicrosoft.com",
            "TypeV2": "SecurityGroup"
        }
    ],
    "Operation": "Full",
    "SnapshotDate": "2024-07-31T00:00:00Z"
}

Finally, the SharePoint group for Owners. This group has a special claim that makes the owners of the Entra ID group members of this SharePoint group. If you need to process this further, remember that SharePoint group #3 is special.

{
    "ptenant": "12345678-90ab-4c21-842a-abcea48840d5",
    "SiteId": "567890ab-1234-4813-a993-ea22b84e26c7",
    "GroupId": 3,
    "GroupLinkId": "00000000-0000-0000-0000-000000000000",
    "GroupType": "SharePointGroup",
    "DisplayName": "ProjectX Owners",
    "Owner": {
        "Type": "SharePointGroup",
        "Name": "ProjectX Owners",
        "TypeV2": "SharePointGroup"
    },
    "Members": [
        {
            "Type": "SecurityGroup",
            "AadObjectId": "11223344-5566-4ce6-885c-ff5faca9be7f",
            "Name": "ProjectX Owners",
            "Email": "ProjectX@contoso.onmicrosoft.com",
            "TypeV2": "SecurityGroup"
        },
        {
            "Type": "User",
            "Name": "System Account",
            "TypeV2": "InternalUser"
        }
    ],
    "Operation": "Full",
    "SnapshotDate": "2024-07-31T00:00:00Z"
}

NOTE: If you need to expand the membership of this SharePoint group #3, you will need to use the list of AAD group owners for “ProjectX” and not the list of AAD group members.
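The expansion described in this note, joined back to the permission objects from section 6, as an added example (not code from the original post). The records are trimmed to the fields used; the Entra ID member and owner lists, the dictionary names, and the join on SiteId plus group name are assumptions made for this sketch.

```python
SITE = "567890ab-1234-4813-a993-ea22b84e26c7"
M365 = "11223344-5566-4ce6-885c-ff5faca9be7f"   # AadObjectId of the ProjectX group

# SharePoint Groups records, trimmed to the fields used (values from the sample above).
SP_GROUPS = [
    {"SiteId": SITE, "GroupId": 3, "DisplayName": "ProjectX Owners", "Members": [
        {"Type": "SecurityGroup", "AadObjectId": M365, "Name": "ProjectX Owners"},
        {"Type": "User", "Name": "System Account"}]},
    {"SiteId": SITE, "GroupId": 5, "DisplayName": "ProjectX Members", "Members": [
        {"Type": "SecurityGroup", "AadObjectId": M365, "Name": "ProjectX Members"}]},
    {"SiteId": SITE, "GroupId": 4, "DisplayName": "ProjectX Visitors", "Members": []},
]
# SharePoint Permissions records, trimmed the same way.
PERMISSIONS = [
    {"SiteId": SITE, "RoleDefinition": role,
     "SharedWith": [{"Type": "SharePointGroup", "Name": name}]}
    for role, name in [("Full Control", "ProjectX Owners"),
                       ("Edit", "ProjectX Members"), ("Read", "ProjectX Visitors")]
]
# Assumption: Entra ID membership and ownership come from a separate export (constructed).
AAD_MEMBERS = {M365: ["User1", "User2", "User3"]}
AAD_OWNERS = {M365: ["User2"]}
OWNERS_GROUP_ID = 3   # assumption: the special Owners group is identified by GroupId 3

def expand_sp_group(group):
    """Return the set of principals a SharePoint group resolves to."""
    users = set()
    for m in group["Members"]:
        if m["Type"] == "SecurityGroup":
            # Group #3 carries the owners claim: expand owners, not members.
            src = AAD_OWNERS if group["GroupId"] == OWNERS_GROUP_ID else AAD_MEMBERS
            users.update(src.get(m["AadObjectId"], []))
        else:
            users.add(m["Name"])   # direct member, e.g. "System Account"
    return users

def effective_access(permissions, sp_groups):
    """Map each principal to the roles it holds through SharePoint groups."""
    index = {(g["SiteId"], g["DisplayName"]): g for g in sp_groups}
    access = {}
    for p in permissions:
        for sw in p["SharedWith"]:
            group = index.get((p["SiteId"], sw["Name"]))
            if sw["Type"] != "SharePointGroup" or group is None:
                continue   # direct grants and unknown groups are out of scope here
            for user in expand_sp_group(group):
                access.setdefault(user, set()).add(p["RoleDefinition"])
    return access

if __name__ == "__main__":
    for user, roles in sorted(effective_access(PERMISSIONS, SP_GROUPS).items()):
        print(user, sorted(roles))
```

Expanding group #3 with the member list instead would report Full Control for User1 and User3, which is the over-count the note warns about.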

8. Conclusion

I hope this post helped you understand how SharePoint groups are used and combined with Azure Active Directory groups.

Please note that you can use Microsoft Graph Data Connect to download a complete list of SharePoint groups, owners, and members. For more information, see this overview post: https://aka.ms/SharePointData.
