A very common question/decision point for IT departments embracing Office 365 and SharePoint is whether to rely on Active Directory Groups or SharePoint Groups when managing security in SharePoint. Both methods have their pros and cons. In this blog I would like to explain the difference between the 2 methods and provide a recommendation. Before we do that, let me first explain what all this terminology means.
What is Active Directory?
In simple, not-technical terms, Active Directory (AD) is an application (database) that keeps track of company’s user accounts, passwords and other user information (role, manager, etc). It is essentially a master source of all user accounts. Anytime employee joins or leaves the organization or changes a role, appropriate changes are made in AD first as a result. All the other systems (email access, login to company laptop, access to network folders) rely on AD. So for example, if you leave the organization, your AD account is deactivated and you will no longer be able to login to company’s PC or check work email.
What are Active Directory groups?
In addition to storing individual user info, Active Directory also allows IT Administrators to create groups of users. Those groups can be assigned various access rights within your organization (i.e. security group “Finance” will have access to Finance folder on your network drive).
Active Directory and Office 365
Since AD has become the golden standard in user management for many organizations, Office 365 allows synchronization of Active Directory to its online service. That means that all users and security groups from AD are available in SharePoint and Office 365. Say, a new employee joins your organization. By setting up a user in AD and adding him or her to corresponding AD group, he or she automatically becomes available as a user in Office 365 as well. All you have to do is assign a proper Office 365 license (assign Mailbox, SharePoint privileges, etc.) That is a huge time-saver for IT and usually fits very well the established on-boarding (HR) business processes.
What are SharePoint Groups?
SharePoint groups are security groups within SharePoint environment and is how SharePoint manages access to the sites. I have written a detailed blog post on how to properly setup security for a SharePoint site using SharePoint security groups. By default, every SharePoint site has 3 security groups:
- [Site Name] Visitors – these are users with Read Only access to the content
- [Site Name] Members – these are users with Add/Edit/Delete access to the content
- [Site Name] Owners – these are users with Full Control access to the whole site.
Once again, you can read more about proper setup and settings in this blog post.
So, Active Directory Groups or SharePoint Groups?
To help make you the right decision, let’s look at pros and cons of each approach…
Active Directory Groups
- Maintained regularly by IT folks. Because AD controls user access to the rest of company properties (email, laptop, network drives), AD is usually pretty well maintained
- Can be nested. That means you can embed 1 AD group inside of the other AD group. This is useful when you want to build hierarchical security structure (various groups within the department)
- Managed by IT department. This means that if you need to add a user to the site (in other words, you first need to add user to an AD group) on the fly, you need to be good friends with IT guys within your organization if you want this to be done quickly
- Can’t see members inside of an AD group in SharePoint. If you add AD group to the site, you can’t drill inside of it and see who are its members. For that, you will need to contact IT
- Can only contain members that are part of the organization (employees). Since AD group controls access to company Intellectual Property (IP), it is rarely used to store account information of non-employees. In SharePoint, that means that you will need to rely on SharePoint group for external sharing.
- Managed by SharePoint Site Owner. That means that users can be added to the group relatively easily “on the fly” by the site or group owner.
- You can see members inside of the SharePoint groups. This depends on how SharePoint security groups is setup, but typically, you can see who the members of the given SharePoint group are
- You can easily check individual user’s permissions to the site. If your members are part of a SharePoint group, you can easily check their site access using Check Permissions functionality. You can’t do that when your users are part of an AD group.
- Can contain non-employees. SharePoint groups can and will contain external users when you share your site externally
- Cannot be nested like an AD group. SharePoint groups are flat. Each site contains 1 level of groups and you cannot nest 1 SharePoint group inside of the other SharePoint Group.
- Many SharePoint groups are not kept up to date. Due to de-centralized approach and relative simplicity of site/group creation, SharePoint group membership is usually not kept up to date in many cases. Since maintenance of these groups usually falls on the shoulders of the business (site) owners, there is usually a lot of unnecessary group duplication, very little standardization, lack of common naming convention, etc.
So, now that we have this information, what is the recommended approach?
Well, like with many things in life, it depends…
Option 1: Use Active Directory Groups if…
- You already have established AD groups and are keeping them up to date and…
- You want to have strict control over security in your SharePoint environment and…
- Your information architecture/site security model relies on established company verticals/departments (i.e. HR Department, IT Department, Finance, etc.)
NOTE: If you do decide to use AD groups within SharePoint, follow the same best practices as with the individual users. Do not add AD group directly to the site! Create a SharePoint group and add an AD group inside of a SharePoint group. This way, if you need to add additional users to your site in addition to those that already exist in AD group, you can add them easily by adding individual users to the SharePoint group, alongside the AD group.
Option 2: Use SharePoint Groups if…
- You currently do not have AD groups stabled or IT does not maintain them on an ongoing basis or…
- Your governance model shifts control to the site owners and allows them to be in charge of who can have or cannot have access or…
- You are a matrix-type organization. For example, if you have SharePoint Department sites, and established AD groups, 1 for each department, you can easily add those AD groups to those sites. However, if you have, say a project site and the team is comprised of users from various departments, it is impractical to maintain AD groups for those “mixed” team sites. Your IT will be overwhelmed with its maintenance. In this case, rely on SharePoint groups exclusively!
Option 3: Use both, the AD groups and SharePoint groups if…
- You want to rip benefits from both methods. That usually ends up a good and viable option for many organizations.
As you can see, there is no right or wrong solution here. When making the decision on whether to use AD Groups or SharePoint Groups, choose the option that makes the most sense to your organization depending on the circumstances and company culture.