Alternative for Everyone Groups

    Question

  • Hello,

    In our tenancy we have both domain synced and native (on.microsoft.com) accounts. The on.microsoft.com accounts should only have access to one site collection.

    Some of our content on all the site collections should be accessible by all internal users, that is, all synced accounts but not native accounts.

    To prevent access by the native accounts, I have hidden the groups:

    Set-SPOTenant -ShowEveryoneExceptExternalUsersClaim $false
    Set-SPOTenant -ShowEveryoneClaim $false
    Set-SPOTenant -ShowAllUsersClaim $false

    But this leaves a problem: we have a couple of domains and I need a way to grant all synced users access to certain content. I have tried creating a universal group and adding the domain users group from both domains. I understand now that Office 365 does not sync domain users, so this does not work.

    So I guess there are two questions here:

    1. Is there any way to restrict the native accounts on a site collection? If so, I could allow the everyone but external users group back again.

    2. Failing the above, does anyone know of a way I can create an AD group that will work?

    Many thanks

    Laura

    Monday, April 4, 2016 5:09 PM

Answers

All replies

  • Can you not create the Security Groups for your domain users and non-domain users and give permission based on that?

    Basically go to your Office 365 Admin center --> Click Groups --> Create new group by clicking + sign. Select Security Group. Once it's created you can add users either one by one or by importing using PowerShell. See example below.

    https://community.office365.com/en-us/f/148/t/296477

    You can use these security groups to directly apply permission at the SharePoint site.

    I hope this helps.

    Wednesday, April 20, 2016 7:44 PM
    Moderator
  • Hello,

    Thank you for coming back to me.

    Yes, we could create a group in Office 365 or a Security group in AD and add all the users individually via a script.

    This would work but leaves us with groups with thousands of users and the overhead of maintaining them, i.e. for new starters..., which is what we would have liked to avoid if possible with a group like domain users.

    Regards

    Laura

    Friday, April 22, 2016 9:11 AM
  • In that case you can use Azure AD Dynamic groups. You do not have to manage users individually. You can set the rules for dynamic membership. Read the following article.

    SharePoint Online and Azure AD Dynamic Groups

    Though this will require Azure AD Premium. 

    Friday, April 22, 2016 9:32 AM
    Moderator
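
The dynamic-group approach from the last reply, as an added example that is not part of the original thread: it creates a security group whose rule matches only directory-synced member accounts, then audits the resulting membership for any cloud-only (on.microsoft.com) or guest account. It assumes the Microsoft Graph PowerShell module and Azure AD Premium; the group name and mail nickname are placeholders.

```powershell
# Added example, not from the thread. Assumes the Microsoft.Graph module is installed
# and the signed-in admin can consent to the scopes below.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

# Match accounts synced from on-premises AD that are tenant members (not guests).
# Cloud-only accounts do not have dirSyncEnabled set to true, so they never match.
$rule = '(user.dirSyncEnabled -eq true) and (user.userType -eq "Member")'

# Placeholder names; choose values that fit your naming convention.
$group = New-MgGroup -DisplayName 'All Synced Users' `
    -Description 'Dynamic membership: directory-synced member accounts only' `
    -MailEnabled:$false `
    -MailNickname 'all-synced-users' `
    -SecurityEnabled `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

# Rule evaluation is asynchronous. Run the audit below once the group has populated,
# and again periodically, before relying on it for SharePoint permissions.
$members = Get-MgGroupMember -GroupId $group.Id -All

$unexpected = foreach ($m in $members) {
    $u = Get-MgUser -UserId $m.Id `
        -Property 'id,userPrincipalName,onPremisesSyncEnabled,userType'
    # Flag anything that is not a synced member account.
    if ($u.OnPremisesSyncEnabled -ne $true -or $u.UserType -ne 'Member') { $u }
}

if ($unexpected) {
    Write-Warning "Accounts in '$($group.DisplayName)' that are not synced members:"
    $unexpected | Select-Object UserPrincipalName, OnPremisesSyncEnabled, UserType
} else {
    Write-Output "All $(@($members).Count) members are directory-synced member accounts."
}
```

The group can then be granted permissions on the shared content in place of the hidden Everyone claims, so native accounts stay limited to their one site collection.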