[O365] Synced security group member without permissions in SharePoint

Had a strange thing happen at my client yesterday. We were working on an Office365 set-up and had created some AD security groups in order to have reusable permission groups across a bunch of SharePoint site collections. We missed one person in the org, so she was not able to access a site she was supposed to have permissions to. So we added her, but she still couldn’t access the site… weird…

TL/DR version: rebooting the machine fixed the problem. If your first response is: “huh?”, read on…

Security Tokens

If you have been working in SharePoint land for a long time like I have, this might trigger some flashbacks. When working with SharePoint on-premises, you might remember Windows (NTLM / Kerberos) authentication. A commonly encountered problem there was that your local security token caches the groups you are a member of at the moment you log on. This means that when you get added to another group, the change is not always reflected in your token. In that case, a token without the new group membership would be passed to the server, resulting in you not getting access to something you should have access to. Logging out of Windows and logging back in again would fix this, because a fresh token is built at logon.
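To see the stale-token situation for yourself, here is an added example (not from the original post) that compares the groups baked into your current Windows logon token with the groups the directory currently lists for your account. It assumes a domain-joined machine with the RSAT ActiveDirectory PowerShell module installed.

```powershell
# Added example (not from the original post): compare the groups in the current
# logon token with the groups the directory says the user belongs to.
# Assumes a domain-joined Windows machine with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Groups present in the logon token. These were resolved when the user logged on
# and do not change until the user logs off and on again (or the machine reboots).
$identity    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenGroups = $identity.Groups |
    ForEach-Object {
        # Some SIDs (e.g. logon SIDs) cannot be translated; skip those.
        try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $null }
    } |
    Where-Object { $_ } |
    Sort-Object -Unique

# Groups the directory currently lists for the same account (direct membership only,
# which is enough here: every direct group should also appear in the token).
$dirGroups = Get-ADPrincipalGroupMembership -Identity $env:USERNAME |
    ForEach-Object { "$env:USERDOMAIN\$($_.SamAccountName)" } |
    Sort-Object -Unique

# Anything the directory lists but the token lacks is a membership the token has
# not picked up yet: the stale-token case described above. The token will also
# contain well-known groups (Everyone, BUILTIN\Users) that are not in AD; those
# are ignored because we only look at the directory-to-token direction.
$stale = Compare-Object -ReferenceObject $dirGroups -DifferenceObject $tokenGroups |
    Where-Object SideIndicator -eq '<=' |
    Select-Object -ExpandProperty InputObject

if ($stale) {
    Write-Output "Directory groups missing from the current logon token:"
    $stale | ForEach-Object { Write-Output "  $_" }
    Write-Output "A fresh logon (or reboot) is needed before these take effect."
} else {
    Write-Output "Logon token matches directory membership."
}
```

Run it right after being added to a group and the new group shows up under "missing"; run it again after logging off and on and the list is empty.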

SharePoint Online authentication

Now with SharePoint Online, we use a different style of authentication, so no Windows security tokens are being sent any more. Instead, you log in with Azure AD and your session plus cookies are used to keep you logged in for a certain amount of time. So I was expecting that security group membership is not cached in any of these tokens. They could cache it server side, but that would require a distributed cache, and basically you don’t want this because you want people to get access as soon as you’ve added them to a new group.

Have you tried turning it off and on again?

Let us cut a long story short. Rebooting her machine fixed the issue and I have no clue why. We tried logging out of and back into Office365; that did not fix it. We tried syncing the AD group again after making the necessary changes; that did not fix it either. We tried adding her account manually in the site, which of course temporarily fixed it, but removing it again would lock her out again. For some reason, rebooting either triggered a refresh of something or it bought us just enough time for some other process to finish distributing the changes.


I usually do not post stuff if I don’t exactly know what it does or how it works. I’m going to make an exception this time, should this help out others, cause we spent quite some time trying to figure out what was wrong (and still are). Should you know what it is, PLEASE comment below, cause this one drove me crazy! 🙂
