In one of our recent projects, we were exploring an approach to manage security access to Office 365 Groups through AD security groups during a custom provisioning process for private Modern team sites and Office 365 Groups.
In this blog, I will share some of the observations and findings from the project, and also some workarounds for the security model.
The new convention of Unified Groups backing Office 365 Groups, Modern Team Sites and Teams (with Groups) sets up permissions in Azure AD together with the SharePoint and Exchange components of the Office 365 Group. They can also be found in the admin center of the Office 365 tenancy.
All security is managed via Unified Groups in Modern Team Sites and Office 365 Groups. These grant access to the group features such as Conversations, Sharing, Outlook client integration etc.
1. When an Office 365 Group or Modern Team Site is created, an AD Unified Group is created with both the members and the owners added to it.
2. All Owners of the Unified Group are also added as Members of the Office 365 Group. This is effectively mandatory.
3. Unified Groups are special AD groups and are not the same as AD security groups or Exchange groups.
4. Provisioning of Unified Groups and syncing across Exchange and SharePoint takes some time (about 15-30 min) in my observation.
1. Since Unified Groups cannot contain nested security groups, it is not possible to add AD security groups to the Unified Groups of Modern Team Sites and Office 365 Groups.
2. Any change to access in Office 365 Groups or Modern Team Sites takes time to sync across. So if you change a permission, give it about 5-10 min to reflect across SharePoint, Outlook and Active Directory.
The workaround is to continue adding security groups to SharePoint Groups, which allows the members of the security group to access the SharePoint site. Those users are given the option to join the Office 365 Group if interested. When a user requests this, the user is added to the Office 365 Unified Group and gets the Office 365 Groups functionality for the private team site.
This approach works for SharePoint security access, but does little for the Exchange part.
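The SharePoint side of this workaround, as an added example that is not from the original post or project: it assumes the PnP.PowerShell module, a placeholder site URL and a placeholder Azure AD security group object id, and adds that security group to the site's associated Members SharePoint group rather than to the Unified Group.

```powershell
# Added example (not the original post's code). Assumes the PnP.PowerShell module is installed.
$siteUrl         = "https://contoso.sharepoint.com/sites/team-private"   # placeholder site URL
$securityGroupId = "00000000-0000-0000-0000-000000000000"                # placeholder Azure AD security group object id

Connect-PnPOnline -Url $siteUrl -Interactive

# SharePoint Online addresses an Azure AD security group by this claim-encoded login name
$loginName = "c:0t.c|tenant|$securityGroupId"

# Target the site's associated Members SharePoint group, not the Unified Group
$membersGroup = Get-PnPGroup -AssociatedMemberGroup

# Grant access to the whole security group via SharePoint group membership
Add-PnPGroupMember -Identity $membersGroup -LoginName $loginName

# Verify the grant: the security group should now appear as a SecurityGroup principal
Get-PnPGroupMember -Identity $membersGroup |
    Select-Object Title, LoginName, PrincipalType
```

Because the grant lives in SharePoint only, the security group's members still do not appear in the Unified Group, which is why Exchange features stay out of reach until a user joins the Office 365 Group individually.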