Azure AD Group and SharePoint

Time:02-25

I'm having an issue with the timing around creating a new Azure AD security group and using that group for SharePoint Online folder access.

Using New-PnPAzureADGroup I'm creating the security group, then using Set-PnPListPermission and Set-PnPFolderPermission I'm setting the security group with the required permission for that List or Folder.

It seems that Set-PnPListPermission & Set-PnPFolderPermission are running too quickly after the creation of the group as it reports

Set-PnPListPermission : The specified user XXXX123_SP could not be found.

The strange thing is, once the group has been created I can immediately run Get-PnPAzureADGroup and retrieve the group. I can also manually run the same command a little later and it completes successfully.

I assume the groups take time before they're available in SharePoint. What's the best practice approach to check and wait for these groups before applying them in SharePoint?

Thanks in Advance

CodePudding user response:

You could try to use the following PnP PowerShell command:

Set-PnPListPermission -Identity "$LibraryName" -User "c:0t.c|tenant|$AdGroupID" -AddRole 'Read'

I replaced -Group with -User in the PnP PowerShell command. Then it executed successfully with no error message.

CodePudding user response:

I've encountered this issue, except with external users rather than AD Groups, but I think the root is the same. The object can be immediately queried from AD but takes time to become resolvable in SharePoint.

I doubt you'll find a documented best practice as this is a bit of an advanced use case. In my case I seem to recall it taking between 5 and 30 seconds to resolve. What I did was loop 10 times with a Thread.Sleep and break out when it succeeds. Even then you'd get occasional failures - you just log them and move on and let support staff deal with it.

Not my proudest coding moment but it (mostly) got the job done.
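The retry approach described in the answers, as an added PowerShell example (not code from either poster or from the PnP project). Invoke-WithRetry is a hypothetical helper name; $LibraryName and $AdGroupID are assumed to be set already, and a PnP connection is assumed to be open. It retries only on the "could not be found" error quoted in the question, so any other failure surfaces immediately instead of being hidden by the loop.

```powershell
# Hypothetical helper (added example): retry an action while the new
# Azure AD group is not yet resolvable in SharePoint Online.
function Invoke-WithRetry {
    param(
        [Parameter(Mandatory)] [scriptblock] $Action,
        [int] $MaxAttempts  = 10,   # the answer above looped 10 times
        [int] $DelaySeconds = 5     # 10 x 5 s covers the 5-30 s delay it reports
    )
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try {
            $null = & $Action       # discard output so only $true/$false is returned
            return $true
        }
        catch {
            $message = $_.Exception.Message
            # Retry only the propagation error from the question; anything else
            # (access denied, wrong list name, ...) is rethrown at once.
            if ($message -notlike '*could not be found*') { throw }
            Write-Warning "Attempt $attempt of $MaxAttempts failed: $message"
            if ($attempt -lt $MaxAttempts) { Start-Sleep -Seconds $DelaySeconds }
        }
    }
    return $false
}

# -ErrorAction Stop turns the cmdlet's error into a terminating one,
# which is what lets try/catch in the helper see it.
$applied = Invoke-WithRetry -Action {
    Set-PnPListPermission -Identity "$LibraryName" `
        -User "c:0t.c|tenant|$AdGroupID" -AddRole 'Read' -ErrorAction Stop
}

if (-not $applied) {
    # Do not continue silently: the list still has whatever permissions it
    # had before, so record the gap for follow-up.
    Write-Error "Permission for group $AdGroupID was not applied to '$LibraryName'."
}
```

Checking the return value matters here: if the script moves on after a failed assignment, the list or folder keeps its previous permissions and nothing indicates the intended restriction is missing.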
