SharePoint Groups vs AD Groups: when to choose which

Wait a second, what did you say? You have more than one type of group when you are in Office 365?

Yes, you understood correctly: there are several types of groups in Office 365. That is confusing, and some people are lost in the desert when they hear about this. But I will give you a short guideline so you can follow the basics.

Once you have read this article, you will understand what the different groups are and which type fits best in your organization. Let's get started with a simple pros and cons overview.

Overview of the types of groups

SHAREPOINT GROUPS

PROS

  • Maintained by SharePoint Admin. Users can be added “on the fly” by the Site Owners and Admins.
  • Groups can be added by business owners. When groups are created, specific owners can be set up. The group owners have the ability to update group membership. This allows business owners the ability to control access to their data directly.
  • Visibility of group membership. *There are multiple ways to set up SharePoint groups that can impact this.
  • External Users are allowed. SharePoint groups can contain external users if your site is externally shared.
  • System generated access requests. Users can request access to a site/library/page. An automated message will go to the site owner to accept or decline the request for access.

CONS

  • Cannot be nested. SharePoint groups are flat; each site may only contain 1 level of groups.
  • Difficult to maintain. Since maintenance of these groups usually falls on the individual site owners, there is a risk for unnecessary group duplication, little standardization, lack of common naming convention, etc.
  • Cannot be used across multiple site collections. It is necessary to create different SharePoint groups for each Site Collection.
  • Cannot be used in other systems. SharePoint groups are only applicable for SharePoint and will not be used for network shares, etc.

AD GROUPS

PROS

  • Maintained by IT admins. Because AD controls access to all company systems (email, laptop, network drives), it is usually well maintained.
  • Can be nested. You can embed an AD group inside of another AD group. This is useful when you want to mimic company hierarchy.
  • Can be used across multiple site collections and sites.
  • Organizational hierarchy is often replicated within SharePoint implementations.

CONS

  • Maintained by IT admins. This means that if a new user needs access on the fly (quickly), you need to bribe your IT guy with some chocolate and tacos.
  • Group membership is not visible from SharePoint. As a site owner or SharePoint admin, you will not be able to see which users are part of the AD group unless you happen to be an AD admin as well.
  • External Users are not allowed. Since AD groups control access to internal company systems, AD is not a place to store external users. You will need to rely on SharePoint groups for external sharing.
  • No access request system

Okay, I get it so now what?

Well, it still depends on your scenario and on the governance you will have in place in your organisation.

Scenario 1:

  • Do you already have AD groups in the company?
  • Do you need or want to have strict access control?
  • Is your site architecture/security model based on company departments or functions?

For this scenario, you must use Active Directory groups to grant access to SharePoint.

Scenario 2:

  • AD Groups are not regularly maintained.
  • Your governance model shifts control to the site owners and they are in charge of the access.
  • You have project sites, so you will need to give different people from other departments access to the site.

You will definitely choose SharePoint Groups and add people directly to the groups.

Scenario 3:

  • You need the best of both worlds, or a hybrid scenario; this will fit most organisations.

Use both AD groups and SharePoint groups, so you can add AD groups to some SharePoint groups or add people directly to the SharePoint groups.

Conclusion

There is no right or wrong solution. It all depends on the needs of the customer and the governance they will add to their organisation. My choice is the third scenario, so you can have SharePoint groups in combination with AD groups.

My advice for this one is to talk with the business / IT department of the company to discuss and capture the requirements and needs before making a decision on the right solution.
