Question

I have a scenario, where

  • Navigation link has Audience set to several AD groups (Azure AD Connect is used to sync on-premises AD up to the cloud).
  • A test user is a member of those groups when Audience was configured and he sees navigation links OK.

Then

  1. I remove this user from all of the groups, leaving him just as a Domain Member
  2. Ensure this change is replicated to Azure AD (can see this group "delete" update going through in synchronisation log)

The result is: the test user can still see links protected by Audience, even though he is no longer a member of any groups directly or indirectly.

Another point confirming group changes have replicated is access to libraries, which are protected with the same AD groups. The test user loses access to libraries as expected.

Logging the user off SharePoint doesn't change anything. I waited for more than 2 hours and logged off and on again - he can still see the private links.

Update: Now, after a good 4 hours or so, the test user can't see the links again, meaning everything works as intended. I am quite confident it is a cache issue, but I still don't know where to control it.

Another update: I have been working with an SPO support engineer and this issue replicates on their vanilla SPO site without any content; however, there is a much shorter delay before new group membership applies to navigation.


Solution

This sounds like the caching mechanism in the SecurityTokenService known from on-premises SharePoint (see here: http://blog.randomdust.com/2013/06/sharepoint-2013-claim-expiration-and-ad-sync/).

As this is a farm setting, I don't think it can be controlled by a tenant.

OTHER TIPS

There is a timer job that compiles the audiences. Perhaps that needs to happen more frequently. This is for 2010, but perhaps the setting is still available online.

http://www.eekels.net/schedule-audience-compilation-more-often-than-once-a-day/

This also is a farm setting and may not be accessible to a tenant.

Go into site settings and check user permissions, see if that user still shows up in the groups.

1. Open the SharePoint site on which you want to check permissions.

2. On the Site Actions menu, click Site Settings.

3. On the Site Settings page, under Users and Permissions, click Check Effective permissions.

4. On the Check Effective Permissions page, in the User/Group box, type the e-mail address of the user or distribution group for which you want to verify permissions, and then click the Check Names icon.

5. Click Check Now.

https://support.office.com/en-gb/article/Check-permissions-for-a-user-or-group-13d15c92-1dea-4aad-a665-4c3d1d377850

The user could possibly have direct permission or be in another group.

A note from Microsoft outlining what I noted above:

Security Note: Audiences are only a convenient way to deliver content to specific groups of people. The content is still available and visible to anyone with appropriate permissions.

https://support.office.com/en-gb/article/Manage-SharePoint-Online-audiences-1806ec78-1d4e-4620-8a89-89d6a38c9c33
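The effective-permissions check above can also be run from a script, which is useful when you want to separate "the user still has permission" from "the navigation cache has not expired yet". The following is an added example (not code from the original post or from Microsoft) using the SharePoint Online client object model from PowerShell; the assembly path, site URL, library title and account names are placeholders, and it assumes legacy credential authentication is still allowed on the tenant.

```powershell
# Report a user's effective permissions on the site and on one library, plus the
# SharePoint groups the user belongs to. Effective permissions are resolved
# server-side from direct grants and group membership, so a user who has been
# removed from the AD groups should lose ViewListItems here even while a cached
# navigation still shows the audience-targeted links.
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"         # placeholder path
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll" # placeholder path

$siteUrl      = "https://contoso.sharepoint.com/sites/intranet"   # placeholder
$libraryTitle = "Documents"                                       # placeholder
$testUser     = "i:0#.f|membership|testuser@contoso.com"          # placeholder claims login
$adminUser    = "admin@contoso.com"                               # placeholder

# Prompt for the admin password; SharePointOnlineCredentials needs legacy auth enabled.
$cred = Get-Credential -UserName $adminUser -Message "SharePoint Online admin account"
$ctx  = New-Object Microsoft.SharePoint.Client.ClientContext($siteUrl)
$ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($cred.UserName, $cred.Password)

$web  = $ctx.Web
$list = $web.Lists.GetByTitle($libraryTitle)

# Queue the two effective-permission lookups (site and library).
$webPerms  = $web.GetUserEffectivePermissions($testUser)
$listPerms = $list.GetUserEffectivePermissions($testUser)

# Resolve the user and the site groups they are a member of.
# EnsureUser adds the account to the site's user list if it is not there yet.
$user = $web.EnsureUser($testUser)
$ctx.Load($user)
$ctx.Load($user.Groups)
$ctx.ExecuteQuery()

$viewKind = [Microsoft.SharePoint.Client.PermissionKind]::ViewListItems
[pscustomobject]@{
    User           = $user.LoginName
    CanViewSite    = $webPerms.Value.Has($viewKind)
    CanViewLibrary = $listPerms.Value.Has($viewKind)
    SiteGroups     = ($user.Groups | ForEach-Object { $_.Title }) -join "; "
}
```

If CanViewLibrary is False while the audience-targeted links are still visible, the links are only hidden by a stale audience cache, not by permissions; anyone who knows the URL and still holds permission can open the target regardless of audience.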

Licensed under: CC-BY-SA with attribution