MGDC for SharePoint FAQ: How are SharePoint Groups and Security Groups used together?
1. Introduction
Access to SharePoint is often managed through groups. SharePoint has its own groups, independent of Microsoft Entra ID (formerly Azure Active Directory or AAD) groups. This can cause confusion, with questions about the need for SharePoint groups and whether AAD Security groups alone would suffice.
This article explores how SharePoint groups are used together with Microsoft Entra ID Security groups.
2. Why use groups at all?
While you can assign permissions to individual users, it is generally more efficient to manage permissions through groups. This approach simplifies adding individuals to roles or transitioning them between roles.
For example, when you set up a SharePoint site for a corporate project, you can assign permissions directly to the team members involved. However, if someone new joins the project, you’ll have to grant access to that individual in various locations. By using groups, you can simply add a new member to the project group, and they will automatically receive all the group’s permissions.
3. Why SharePoint Groups?
You can assign SharePoint permissions directly to Microsoft Entra ID Groups. However, it is generally recommended to use groups tied to roles in Entra ID and resource-related groups at different levels within each of the resources.
The resource groups should include the appropriate Entra ID groups assigned to roles relevant to the site. For instance, all members of a project group would be granted permission to sites associated with that project.
SharePoint team sites usually have three main SharePoint resource groups: Site Owners, Site Members, and Site Visitors. These are populated with members (or owners) of Microsoft Entra Id role groups.
Here’s an example:
4. Creating a New Site
To help with that process, the SharePoint user interface has evolved over time to make it simple to create a new site along with the required Entra ID group and related SharePoint groups. This is all done in a simple workflow that automates the process, asking for the minimum amount of information required.
Starting in the main SharePoint page, you can use the “+ Create site” button at the top, assuming your company allows self-service site creation. In my tenant, you start by selecting the type of site to create: “Team site” or “Communication site”.
I chose “Team site”. Next, I am offered a few different templates for team sites:
I chose the “Standard team” template. Next, I must give the site a name, description, e-mail alias and an address. This workflow will check if the name, e-mail alias and site are available.
You are assigned the role of site owner. The last step here is to add more people to the site, which will be members. You also have the option to add more owners (at least two are recommended).
I added two additional members and remained as the single owner. After this, the site was created. You can use the option on the top right of the SharePoint site to see the 3 members in the Group membership sidebar on the right.
This shows one owner (User2) and two members (User1 and User3). You can easily add more members here or assign the role of owner to any member.
This experience is designed to streamline the process and get you a new team site quickly.
5. Which groups were created?
Behind the scenes, a few groups were automatically created for you. In this case, you got a single new Microsoft 365 group in Microsoft Entra ID and 3 new SharePoint groups.
If you look in Entra ID and find the Microsoft 365 group, you will see it with a total of 3 members (User1, User2 and User3) and 1 owner (User 2).
You can click on Members and Owners options in the sidebar on the left to see the details.
Here are the details about the SharePoint groups in the site:
ProjectX Owners – Receives “Full Control” permission in the root web (the main subsite). The members of this group are the owners of the Microsoft 365 group.
ProjectX Members – Receives “Edit” permissions in the root web. The members of this group are the members of the Microsoft 365 group.
ProjectX Visitors – Receives “Read” permissions in the root web. This group has no members. Team sites are usually created to facilitate collaboration, so we generally do not need this group, but it’s created anyway if you need to add visitors later.
6. SharePoint permissions
Going deeper, you can use the Microsoft Graph Data Connect to pull permissions for this tenant and find the permission objects that grant access to this specific site. This will validate what we described previously and will allow you to review these permissions for a large tenant, using more sophisticated data tools. If you are not familiar with MGDC for SharePoint, get started at https://aka.ms/SharePointData.
Here are the JSON objects that represent the permissions granted in this scenario. First, here is the permission object granting Full Control to the SharePoint group for owners:
{
“ptenant”: “12345678-90ab-4c21-842a-abcea48840d5”,
“SiteId”: “567890ab-1234-4813-a993-ea22b84e26c7”,
“WebId”: “12341234-1234-4b50-8f07-1b4166cf66ba”,
“ListId”: “00000000-0000-0000-0000-000000000000”,
“ItemType”: “Web”,
“ItemURL”: “sites/ProjectX”,
“RoleDefinition”: “Full Control”,
“ScopeId”: “5f80eb7c-4b43-4fee-830b-1234567890ab”,
“SharedWithCount”: [
{
“Type”: “SharePointGroup”,
“Count”: 1
}
],
“SharedWith”: [
{
“Type”: “SharePointGroup”,
“Name”: “ProjectX Owners”,
“TypeV2”: “SharePointGroup”
}
],
“Operation”: “Full”,
“SnapshotDate”: “2024-07-31T00:00:00Z”,
“ShareCreatedBy”: {},
“ShareLastModifiedBy”: {},
“UniqueId”: “eeff5b6d-1234-1234-1234-f621f6a80394”
}
Note: The number of users (UserCount and TotalUserCount) is missing here. This is by design, since the SharePoint datasets currently only show the count of AAD group members, not AAD group owners.
Next, here is the permission object granting Edit to the SharePoint group for members:
{
“ptenant”: “12345678-90ab-4c21-842a-abcea48840d5”,
“SiteId”: “567890ab-1234-4813-a993-ea22b84e26c7”,
“WebId”: “12341234-1234-4b50-8f07-1b4166cf66ba”,
“ListId”: “00000000-0000-0000-0000-000000000000”,
“ItemType”: “Web”,
“ItemURL”: “sites/ProjectX”,
“RoleDefinition”: “Edit”,
“ScopeId”: “5f80eb7c-4b43-4fee-830b-1234567890ab”,
“SharedWithCount”: [
{
“Type”: “SharePointGroup”,
“Count”: 1
}
],
“SharedWith”: [
{
“Type”: “SharePointGroup”,
“Name”: “ProjectX Members”,
“TypeV2”: “SharePointGroup”,
“UserCount”: 3
}
],
“Operation”: “Full”,
“SnapshotDate”: “2024-07-31T00:00:00Z”,
“ShareCreatedBy”: {},
“ShareLastModifiedBy”: {},
“TotalUserCount”: 3,
“UniqueId”: “eeff5b6d-f3cf-451b-9863-f621f6a80394”
}
Finally, here is the permission object granting Read to the SharePoint group for visitors:
{
“ptenant”: “12345678-90ab-4c21-842a-abcea48840d5”,
“SiteId”: “567890ab-1234-4813-a993-ea22b84e26c7”,
“WebId”: “12341234-1234-4b50-8f07-1b4166cf66ba”,
“ListId”: “00000000-0000-0000-0000-000000000000”,
“ItemType”: “Web”,
“ItemURL”: “sites/ProjectX”,
“RoleDefinition”: “Read”,
“ScopeId”: “5f80eb7c-4b43-4fee-830b-1234567890ab”,
“SharedWithCount”: [
{
“Type”: “SharePointGroup”,
“Count”: 1
}
],
“SharedWith”: [
{
“Type”: “SharePointGroup”,
“Name”: “ProjectX Visitors”,
“TypeV2”: “SharePointGroup”
}
],
“Operation”: “Full”,
“SnapshotDate”: “2024-07-31T00:00:00Z”,
“ShareCreatedBy”: {},
“ShareLastModifiedBy”: {},
“UniqueId”: “eeff5b6d-1234-1234-1234-f621f6a80394”
}
Note: The number of users (UserCount and TotalUserCount) is missing here. This is by design, since there are no members in the “ProjectX Visitors” SharePoint group.
7. SharePoint groups
To complete the picture, let’s look at the definition of the 3 SharePoint groups: Owners, Members and Visitors. There are some interesting twists here. We’ll look at them one by one.
Let’s start with the Visitors group. This one is the simplest. It is a SharePoint group with an empty members list.
{
“ptenant”: “12345678-90ab-4c21-842a-abcea48840d5”,
“SiteId”: “567890ab-1234-4813-a993-ea22b84e26c7”,
“GroupId”: 4,
“GroupLinkId”: “00000000-0000-0000-0000-000000000000”,
“GroupType”: “SharePointGroup”,
“DisplayName”: “ProjectX Visitors”,
“Owner”: {
“Type”: “SharePointGroup”,
“Name”: “ProjectX Owners”,
“TypeV2”: “SharePointGroup”
},
“Members”: [],
“Operation”: “Full”,
“SnapshotDate”: “2024-07-31T00:00:00Z”
}
Next, here we have the Members group. This SharePoint group has the Entra ID Microsoft 365 group as the single member here.
{
“ptenant”: “12345678-90ab-4c21-842a-abcea48840d5”,
“SiteId”: “567890ab-1234-4813-a993-ea22b84e26c7”,
“GroupId”: 5,
“GroupLinkId”: “00000000-0000-0000-0000-000000000000”,
“GroupType”: “SharePointGroup”,
“DisplayName”: “ProjectX Members”,
“Owner”: {
“Type”: “SharePointGroup”,
“Name”: “ProjectX Owners”,
“TypeV2”: “SharePointGroup”
},
“Members”: [
{
“Type”: “SecurityGroup”,
“AadObjectId”: “11223344-5566-4ce6-885c-ff5faca9be7f”,
“Name”: “ProjectX Members”,
“Email”: “ProjectX@contoso.onmicrosoft.com”,
“TypeV2”: “SecurityGroup”
}
],
“Operation”: “Full”,
“SnapshotDate”: “2024-07-31T00:00:00Z”
}
Finally, the SharePoint group for Owners. This group has a special claim that assigns the owners of the Entra Id group as members of this SharePoint group. If you ever need to process this further, remember that the SharePoint group #3 is special.
{
“ptenant”: “12345678-90ab-4c21-842a-abcea48840d5”,
“SiteId”: “567890ab-1234-4813-a993-ea22b84e26c7”,
“GroupId”: 3,
“GroupLinkId”: “00000000-0000-0000-0000-000000000000”,
“GroupType”: “SharePointGroup”,
“DisplayName”: “ProjectX Owners”,
“Owner”: {
“Type”: “SharePointGroup”,
“Name”: “ProjectX Owners”,
“TypeV2”: “SharePointGroup”
},
“Members”: [
{
“Type”: “SecurityGroup”,
“AadObjectId”: “11223344-5566-4ce6-885c-ff5faca9be7f”,
“Name”: “ProjectX Owners”,
“Email”: “ProjectX@contoso.onmicrosoft.com”,
“TypeV2”: “SecurityGroup”
},
{
“Type”: “User”,
“Name”: “System Account”,
“TypeV2”: “InternalUser”
}
],
“Operation”: “Full”,
“SnapshotDate”: “2024-07-31T00:00:00Z”
}
Note: If you need to expand the members of this SharePoint Group #3, you should use the list of owners of the AAD group for “ProjectX”, not the list of members of the AAD group.
8. Conclusion
I hope this post helped you understand how SharePoint groups are used and combined with Azure Active Directory groups.
Keep in mind that you can download a full list of the SharePoint groups, their owners and their members using the Microsoft Graph Data Connect. For more information, refer to the overview post at https://aka.ms/SharePointData.
Microsoft Tech Community – Latest Blogs –Read More