Friday, February 24, 2017

Problem with delayed propagation of Azure AD groups to SharePoint Online

As you probably know, in SharePoint Online you can use Azure AD groups that belong to your tenant when configuring permissions. The problem is that Azure AD security groups do not become available in SharePoint Online immediately after creation: there is a delay between the moment the group is created and the moment it can be resolved in the SharePoint people picker. If you have an automated process that creates a SharePoint Online site, creates Azure AD groups and then grants them permissions on the created site, you need to handle this delay.

One solution is to make several attempts to resolve the Azure AD group in SharePoint. If the group is not available yet, wait some time and try again. You also need to decide on a maximum number of attempts and the delay between them. Here is a possible solution:

   1: private static void AddAzureGroupToSharepointGroup(ClientContext ctx,
   2:     Microsoft.SharePoint.Client.Group spGroup, string azureGroupName)
   3: {
   4:     if (spGroup == null)
   5:     {
   6:         Console.WriteLine("Sharepoint group is null (Azure group name '{0}')",
   7:             azureGroupName);
   8:         return;
   9:     }
  10:     if (string.IsNullOrEmpty(azureGroupName))
  11:     {
  12:         Console.WriteLine("Azure group name '{0}' is empty", azureGroupName);
  13:         return;
  14:     }
  15:  
  16:     Console.WriteLine("Add Azure group '{0}' to Sharepoint group '{1}'",
  17:         azureGroupName, spGroup.LoginName);
  18:  
  19:     int num = 0, numOfAttempts = 30;
  20:     do
  21:     {
  22:         try
  23:         {
   24:             var user = ctx.Web.EnsureUser(azureGroupName); // fails until the group has propagated
  25:             ctx.Load(user);
  26:             ctx.ExecuteQueryRetry();
  27:             break;
  28:         }
   29:         catch // any failure is treated as "not propagated yet"
  30:         {
  31:             Console.WriteLine("Group '{0}' is not available yet (attempt #{1})",
  32:                 azureGroupName, num + 1);
  33:         }
   34:         Thread.Sleep(60000); // wait one minute before the next attempt
  35:         num++;
  36:     } while (num < numOfAttempts);
  37:  
   38:     ctx.Web.AddUserToGroup(spGroup.LoginName, azureGroupName); // also reached when all attempts failed
  39: }

This method adds the specified Azure AD group to a SharePoint group. For this to work, the Azure AD group must already be available in SharePoint Online (i.e. resolvable in the people picker). The method makes at most 30 attempts and waits 1 minute between attempts (lines 19-36). If the group is not available yet, the Web.EnsureUser() call (line 24) fails with an exception when the query is executed. We catch this exception and increment the attempts counter (lines 29-35). If the group was resolved, it has been propagated to SharePoint Online (Azure AD groups are represented in SharePoint Online as User objects, in the same way as regular AD groups) and we can add it to the SharePoint group (line 38). Web.AddUserToGroup() is an extension method implemented in OfficeDevPnP.Core.
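The method above has two properties worth tightening in a provisioning pipeline: its bare `catch` retries on every exception (so an authentication or network failure is silently retried for up to 30 minutes), and line 38 still runs after all 30 attempts have failed, so the final AddUserToGroup call throws from a place the caller did not expect. The following is an added example, not code from the original post or from OfficeDevPnP: it uses plain CSOM (ExecuteQuery rather than the PnP ExecuteQueryRetry extension), retries only on ServerException (assumed here to be what an unresolvable principal produces), backs off between attempts, verifies that the resolved principal is a security group before granting anything, and fails closed by throwing when propagation never completes. The delay values and the `azureGroupLoginName` parameter name are assumptions; the login name is passed through to EnsureUser exactly as the original passes `azureGroupName`.

```csharp
using System;
using System.Threading;
using Microsoft.SharePoint.Client;
using Microsoft.SharePoint.Client.Utilities;

// Added example (not the original post's code): bounded wait for an Azure AD
// group to become resolvable in SharePoint Online, then add it to a SharePoint
// group. Retries only on ServerException, backs off between attempts, checks
// the principal type, and throws instead of proceeding when the wait fails.
public static class AzureGroupPropagation
{
    public static User WaitForAzureGroup(ClientContext ctx, string azureGroupLoginName,
        int maxAttempts = 30, TimeSpan? initialDelay = null, TimeSpan? maxDelay = null)
    {
        if (ctx == null) throw new ArgumentNullException(nameof(ctx));
        if (string.IsNullOrWhiteSpace(azureGroupLoginName))
            throw new ArgumentException("Azure group login name is empty", nameof(azureGroupLoginName));

        // Assumed defaults: start at 15 s, double each time, cap at 2 min.
        TimeSpan delay = initialDelay ?? TimeSpan.FromSeconds(15);
        TimeSpan cap = maxDelay ?? TimeSpan.FromMinutes(2);
        Exception last = null;

        for (int attempt = 1; attempt <= maxAttempts; attempt++)
        {
            try
            {
                User user = ctx.Web.EnsureUser(azureGroupLoginName);
                ctx.Load(user, u => u.LoginName, u => u.PrincipalType);
                ctx.ExecuteQuery();

                // A principal that resolved but is not a security group would
                // receive the permissions instead of the intended group.
                if (user.PrincipalType != PrincipalType.SecurityGroup)
                    throw new InvalidOperationException(
                        $"'{azureGroupLoginName}' resolved to {user.PrincipalType}, not a security group");

                return user;
            }
            catch (ServerException ex)
            {
                // Assumption: an unresolvable principal surfaces as ServerException
                // when the query executes. Other exceptions (auth, network) are
                // deliberately not caught, so they fail fast instead of being retried.
                last = ex;
                Console.WriteLine("Group '{0}' not resolvable yet (attempt {1}/{2}): {3}",
                    azureGroupLoginName, attempt, maxAttempts, ex.Message);
            }

            if (attempt < maxAttempts)
            {
                Thread.Sleep(delay);
                delay = TimeSpan.FromTicks(Math.Min(delay.Ticks * 2, cap.Ticks));
            }
        }

        throw new TimeoutException(
            $"Azure AD group '{azureGroupLoginName}' did not become resolvable after {maxAttempts} attempts",
            last);
    }

    public static void AddAzureGroupToSharePointGroup(ClientContext ctx, Group spGroup,
        string azureGroupLoginName)
    {
        if (spGroup == null) throw new ArgumentNullException(nameof(spGroup));

        // Throws if propagation never completes, so the grant below only runs
        // for a principal that SharePoint has actually resolved.
        User user = WaitForAzureGroup(ctx, azureGroupLoginName);

        spGroup.Users.AddUser(user);
        ctx.ExecuteQuery();
        Console.WriteLine("Added '{0}' to the SharePoint group", user.LoginName);
    }
}
```

Letting non-ServerException failures propagate is the main design choice: a provisioning job that cannot authenticate should stop immediately and be visible in its logs, not spend half an hour looking like a propagation delay. The TimeoutException carries the last server error as its inner exception so the operator can tell the two cases apart afterwards.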
