SharePoint & Microsoft Entra ID (Azure AD) Integration Guide
SharePoint Online security is built entirely on Microsoft Entra ID (formerly Azure Active Directory). Understanding this integration is not optional for SharePoint administrators — it is the foundation of every permission, every guest access scenario, and every Conditional Access policy in your environment.
This guide covers the Entra ID / SharePoint integration from the perspective of a SharePoint administrator who needs to understand identity and access management.
---
The Entra ID / SharePoint Relationship
SharePoint Online has no identity store of its own. Every user, group, and guest you grant access to in SharePoint is a principal in Microsoft Entra ID:
- SharePoint users = Entra ID users
- SharePoint groups = Microsoft 365 groups (backed by Entra ID) or Entra ID security groups. The site-level SharePoint groups (Owners, Members, Visitors) are the one thing that lives in SharePoint rather than in Entra ID, and they are only containers: everything placed inside them is an Entra ID principal
- SharePoint guests = Entra ID B2B guest accounts
- SharePoint permissions = SharePoint access control lists referencing Entra ID principals
Practical implication: When you add a user to a SharePoint site, you're granting them access by referencing their Entra ID user object. When that account is disabled in Entra ID (e.g., the employee leaves), new sign-ins to SharePoint fail immediately and no separate SharePoint offboarding of the account is required. Two caveats: tokens and sessions issued before the account was disabled stay valid until they expire (roughly an hour for an access token) unless Continuous Access Evaluation, which SharePoint Online supports, revokes them sooner; and "Anyone" sharing links are not bound to any account, so they have to be revoked separately.
---
Authentication in SharePoint Online
SharePoint Online uses OAuth 2.0 / OpenID Connect for authentication, with Entra ID as the identity provider.
Authentication Flow
- User navigates to SharePoint URL
- Browser redirects to Entra ID login page (login.microsoftonline.com)
- User authenticates: username + password + MFA (if required by Conditional Access)
- Entra ID issues tokens (for the browser, through the OpenID Connect authorization-code flow; native and third-party clients obtain OAuth 2.0 access tokens for the SharePoint resource)
- SharePoint validates the token (signature, issuer, audience, expiry) and, for browser access, establishes its own session cookies (FedAuth, rtFa)
- SharePoint checks the principal in the token against the site's permissions → grants access if the user has them
For IT administrators: The key implication is that SharePoint cannot enforce MFA directly — MFA is configured in Entra ID Conditional Access policies and applies to all Microsoft 365 services including SharePoint.
Modern Authentication vs. Legacy Authentication
Modern authentication (OAuth 2.0) is required for:
- Office desktop apps connecting to SharePoint Online
- SharePoint mobile apps
- Teams integration with SharePoint
- Any third-party apps using OAuth
Legacy authentication (basic authentication and the older SAML/RPS token flows that pre-date OAuth) is blocked by default in new Microsoft 365 tenants through security defaults; the SharePoint-specific switch is the tenant setting LegacyAuthProtocolsEnabled (Set-SPOTenant -LegacyAuthProtocolsEnabled $false). NTLM and Kerberos belong to SharePoint Server on-premises, not to SharePoint Online. Older apps or scripts that still reach SharePoint Online with legacy authentication fail the moment it is blocked, and until then they sidestep MFA, because Conditional Access can only block a legacy-auth sign-in, not challenge it.
Action item: Audit the Entra ID sign-in logs for SharePoint-connected applications before blocking legacy authentication. In the sign-in log, a Client app value other than Browser or Mobile Apps and Desktop clients means legacy authentication; filter on those values and on the Office 365 SharePoint Online resource, and roll the block out as a report-only Conditional Access policy first.
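To make that audit concrete, here is an added example (not code from this page or from EPC Group) that classifies Graph-shaped sign-in records the way the sign-in log's Client app filter does and reports which applications and accounts still reach SharePoint with legacy authentication. The rows, application names and accounts are constructed; the Graph field names and the clientAppUsed values are the real ones, so an export from Get-MgAuditLogSignIn or GET /auditLogs/signIns can be fed in unchanged.

```python
"""Flag SharePoint Online sign-ins that used legacy (non-modern) authentication.

Records mirror the Microsoft Graph signIn resource (auditLogs/signIns): userPrincipalName,
appDisplayName, resourceDisplayName, clientAppUsed, createdDateTime and status.errorCode.
The rows below are constructed for this example; in production export real rows with
Get-MgAuditLogSignIn or GET /auditLogs/signIns and pass them in unchanged."""
from collections import defaultdict

# clientAppUsed values Entra ID reports for modern (OAuth 2.0 / OIDC) clients. Anything else
# ("Other clients", IMAP4, POP3, Exchange ActiveSync, ...) is legacy authentication.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}
SHAREPOINT_RESOURCES = {"Office 365 SharePoint Online"}  # resourceDisplayName for SharePoint/OneDrive


def _row(upn, app, resource, client, when, error=0):  # helper that keeps the sample compact
    return {"userPrincipalName": upn, "appDisplayName": app, "resourceDisplayName": resource,
            "clientAppUsed": client, "createdDateTime": when, "status": {"errorCode": error}}


SAMPLE_SIGNINS = [  # constructed sample data
    _row("alice@contoso.com", "Office 365 SharePoint Online", "Office 365 SharePoint Online", "Browser", "2024-05-01T08:00:00Z"),
    _row("svc-backup@contoso.com", "Legacy Backup Agent", "Office 365 SharePoint Online", "Other clients", "2024-05-01T02:15:00Z"),
    _row("svc-backup@contoso.com", "Legacy Backup Agent", "Office 365 SharePoint Online", "Other clients", "2024-05-02T02:15:00Z"),
    _row("bob@contoso.com", "Outlook", "Office 365 Exchange Online", "IMAP4", "2024-05-01T09:30:00Z"),
    _row("carol@contoso.com", "Microsoft Teams", "Office 365 SharePoint Online", "Mobile Apps and Desktop clients", "2024-05-01T10:00:00Z"),
    _row("dave@contoso.com", "Old Sync Script", "Office 365 SharePoint Online", "Other clients", "2024-04-20T23:00:00Z", error=50126),
]


def is_legacy_auth(signin):
    """True when the client did not use modern authentication."""
    return signin.get("clientAppUsed") not in MODERN_CLIENT_APPS


def legacy_sharepoint_signins(signins, successful_only=True):
    """Legacy-auth sign-ins against SharePoint, grouped by (app, user) with count and last-seen time.

    Failed attempts (non-zero errorCode) are dropped by default: a client that never gets in is
    not a dependency the block will break, though it may deserve its own investigation."""
    groups = defaultdict(lambda: {"count": 0, "last_seen": "", "clientAppUsed": set()})
    for s in signins:
        if s.get("resourceDisplayName") not in SHAREPOINT_RESOURCES or not is_legacy_auth(s):
            continue
        if successful_only and s.get("status", {}).get("errorCode", 0) != 0:
            continue
        g = groups[(s.get("appDisplayName", "?"), s.get("userPrincipalName", "?"))]
        g["count"] += 1
        g["last_seen"] = max(g["last_seen"], s.get("createdDateTime", ""))  # ISO-8601 UTC sorts lexically
        g["clientAppUsed"].add(s.get("clientAppUsed", "?"))
    return dict(groups)


if __name__ == "__main__":
    for (app, user), info in sorted(legacy_sharepoint_signins(SAMPLE_SIGNINS).items()):
        print(f"{app:<22} {user:<26} {info['count']:>3} sign-ins, last {info['last_seen']}, "
              f"via {', '.join(sorted(info['clientAppUsed']))}")
```

Run against a real export, the (app, user) pairs with a recent last-seen value are the dependencies that need a modern-auth replacement before the block goes live; pairs whose last sign-in is months old can usually be retired instead.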
---
Groups and SharePoint Permissions
Microsoft 365 Groups
When a user creates a Teams team or a SharePoint team site, a Microsoft 365 group is automatically created. This group is the foundation of permissions:
- Group Owners = SharePoint site Owners
- Group Members = SharePoint site Members
- Group membership is the default path into the site's permissions, but not the only one: site owners can still add other Entra ID users or groups directly, break permission inheritance on libraries and items, and share individual files, so audit direct grants and sharing links as well as group membership
Key characteristic: Microsoft 365 groups are managed in Entra ID (or Microsoft 365 Admin Center / Teams). Changes made in Entra ID immediately reflect in SharePoint.
Group lifecycle: When a Microsoft 365 group is deleted, its SharePoint site is deleted with it (after a 30-day soft-delete window). This creates governance risk — control who can delete Microsoft 365 groups.
Entra ID Security Groups
Security groups can be used directly in SharePoint permissions:
- Add a security group to a SharePoint site's Owners/Members/Visitors
- Group membership managed in Entra ID → SharePoint access updates automatically
- Nested groups: Entra ID security groups can be nested (Group A contains Group B); Microsoft 365 groups cannot contain other groups
Best practice for large organizations: Use security groups for SharePoint access control. Assign security groups to SharePoint permission levels, not individual users. User access is managed via Entra ID group membership — not per-site SharePoint permission management.
Dynamic Groups
Entra ID supports dynamic membership groups — members automatically added/removed based on user attributes:
Example dynamic group rules:
- All users in Department = "Finance" → Finance SharePoint access
- All users in Country = "US" → US Intranet access
- All users with JobTitle containing "Manager" → Management resources access
Dynamic groups (which require a Microsoft Entra ID P1 license for their members) update automatically when user attributes change: when HR moves an employee to Finance and the department attribute syncs, they gain Finance SharePoint access without a ticket, typically within minutes, though processing can take longer in large tenants. The same automation removes access when the attribute changes back, and it grants access just as silently when an HR attribute is wrong or a rule is broader than intended, so review the resulting membership before pointing sensitive sites at a dynamic group.
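As an added example (not the page's own code), here are the three rules above written in the real dynamic-membership rule syntax, evaluated against constructed users by a small evaluator that covers only a subset of the rule language. Its case-insensitive string comparison is an assumption of the simulator, so confirm real behaviour with the group's "Validate rules" tab in the Entra admin center; the point it demonstrates, that -contains "Manager" matches more titles than you meant, holds regardless.

```python
"""Evaluate Entra ID dynamic membership rules against user objects.

A simplified evaluator written for this guide, not Microsoft's rule engine: string
properties only; operators -eq, -ne, -contains, -notContains, -startsWith, -match;
clauses joined with -and or with -or (not mixed). String comparison is case-insensitive
here, which is an assumption of this simulator; confirm real behaviour on the group's
"Validate rules" tab in the Entra admin center. All users below are constructed."""
import re

CLAUSE = re.compile(r'\(?\s*user\.(\w+)\s+-(\w+)\s+"([^"]*)"\s*\)?')


def _clause(attr, op, value, user):
    actual = str(user.get(attr) or "").casefold()  # an absent attribute behaves like ""
    value = value.casefold()
    if op == "eq":
        return actual == value
    if op == "ne":
        return actual != value
    if op == "contains":
        return value in actual
    if op == "notContains":
        return value not in actual
    if op == "startsWith":
        return actual.startswith(value)
    if op == "match":
        return re.search(value, actual) is not None
    raise ValueError(f"unsupported operator -{op}")


def evaluate(rule, user):
    """True if `user` satisfies `rule`, e.g. (user.department -eq "Finance")."""
    joiners = set(re.findall(r"\s-(and|or)\s", rule))
    if len(joiners) > 1:
        raise ValueError("this evaluator does not mix -and with -or in one rule")
    combine = any if joiners == {"or"} else all
    results = []
    for part in re.split(r"\s+-(?:and|or)\s+", rule):
        m = CLAUSE.fullmatch(part.strip())
        if not m:
            raise ValueError(f"cannot parse clause: {part!r}")
        results.append(_clause(*m.groups(), user))
    return combine(results)


def members(rule, users):
    """UPNs the rule would place in the group, sorted."""
    return sorted(u["userPrincipalName"] for u in users if evaluate(rule, u))


SAMPLE_USERS = [  # constructed
    {"userPrincipalName": "ann@contoso.com", "department": "Finance", "country": "US", "jobTitle": "Finance Manager"},
    {"userPrincipalName": "ben@contoso.com", "department": "Finance", "country": "DE", "jobTitle": "Accountant"},
    {"userPrincipalName": "cho@contoso.com", "department": "Sales", "country": "US", "jobTitle": "Account Manager"},
    {"userPrincipalName": "dee@contoso.com", "department": "Sales", "country": "US", "jobTitle": "Assistant to the Manager"},
    {"userPrincipalName": "eli@contoso.com", "country": "US", "jobTitle": "Management Consultant"},  # no department set
]

RULES = {
    "Finance SharePoint access": '(user.department -eq "Finance")',
    "US Intranet access": '(user.country -eq "US")',
    "Management resources": '(user.jobTitle -contains "Manager")',
    "US Finance managers": '(user.department -eq "Finance") -and (user.jobTitle -contains "Manager") -and (user.country -eq "US")',
    # tighter alternative: name the titles that should actually get management resources
    "Named manager titles": '(user.jobTitle -eq "Finance Manager") -or (user.jobTitle -eq "Account Manager")',
}

if __name__ == "__main__":
    for name, rule in RULES.items():
        print(f"{name}: {rule}\n    -> {members(rule, SAMPLE_USERS)}")
```

The -contains rule pulls in "Assistant to the Manager", which is exactly the quiet over-grant dynamic rules produce when a substring stands in for a role; enumerating the titles (or using an anchored -match) keeps the group to the people you intended, and an access review on the group catches what the rule still gets wrong.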
---
Guest Access: Entra B2B
When you invite an external user to SharePoint, SharePoint creates an Entra ID B2B guest account:
Invitation flow:
- SharePoint site owner shares content with external email
- Entra ID sends invitation email to external user
- External user redeems invitation: authenticates with their own identity (Microsoft, Google, email OTP)
- Entra ID creates a guest account in your tenant. Its user principal name is built from the external address with the "@" replaced by "_", followed by "#EXT#@" and your tenant's initial domain, e.g. user_externaldomain.com#EXT#@yourtenant.onmicrosoft.com; the invited address itself is kept on the account (the mail attribute)
- Guest account is added to SharePoint permission with specified access level
Guest account properties:
- External email address
- Authentication: Their own identity provider (not your Entra ID)
- Access: Only to resources explicitly granted — guests cannot see your full directory
- UserType = "Guest" (vs. "Member" for internal users)
Guest Access Policy Controls
Tenant-level guest settings (Entra ID → External Identities → External collaboration settings):
- Who can invite guests: All users, limited admins, admins only
- Guest access permissions: Full access, limited access (cannot see other guests), blocked
- Guest invitation redemption: Allow any identity, restrict to specific identity providers
- Collaboration restrictions: Allow/block specific domains
SharePoint-level guest settings (SharePoint Admin Center → Policies → Sharing):
- Maximum guest sharing level: Anyone / New and existing guests / Existing guests / Only people in your organization (the "Anyone" level creates anonymous links that are not tied to a guest account at all)
- Guest link expiration
- Require guest authentication
- Allow/block specific domains
Conditional Access for guests: Create Conditional Access policies in Entra ID that target guest and external users (the "Guest or external users" selector) to require MFA or acceptance of terms of use, or to block them from untrusted locations. Guests cannot satisfy a compliant-device or hybrid-joined device requirement, because their devices are not managed by your tenant, so exclude guests from device-based policies or give them a guest-specific policy instead.
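The checks below are an added example (not code from this page or from EPC Group) that takes Graph-shaped guest user objects and applies the hygiene a SharePoint admin wants from the invitation flow and the collaboration restrictions above: it derives the #EXT# principal name from an invited address, checks each guest's home domain against a domain allow list, flags invitations that were never redeemed, and flags disabled guests that were never removed. The users, the allow list and the 30-day threshold are constructed placeholders; the Graph property names (userType, externalUserState, accountEnabled) are the real ones.

```python
"""Audit Entra B2B guest accounts the way a SharePoint admin should before trusting them.

Records mirror the Graph user resource (userPrincipalName, mail, userType, externalUserState,
accountEnabled, createdDateTime); externalUserState must be requested explicitly with $select,
e.g. GET /users?$filter=userType eq 'Guest'&$select=userPrincipalName,mail,externalUserState,...
The users, domain allow list and staleness threshold below are constructed placeholders."""
from datetime import datetime, timezone


def expected_guest_upn(external_email, tenant_domain):
    """B2B guest UPN: '@' in the external address becomes '_', then '#EXT#@' + your tenant domain."""
    local, _, domain = external_email.partition("@")
    return f"{local}_{domain}#EXT#@{tenant_domain}"


def guest_home_domain(upn):
    """Recover the guest's home domain from a #EXT# UPN: the text before #EXT#, after its last '_'.
    (Local parts may contain '_', DNS host names may not, so the last '_' is the original '@'.)"""
    prefix = upn.split("#EXT#@", 1)[0]
    return prefix.rsplit("_", 1)[-1].lower()


def audit_guests(users, allowed_domains, now, stale_after_days=30):
    """Findings per guest: home domain outside the collaboration allow list, invitations still
    unredeemed after the threshold, and disabled guests that were never actually removed."""
    findings = []
    for u in users:
        if u.get("userType") != "Guest":
            continue
        upn = u["userPrincipalName"]
        domain = (u.get("mail") or "").partition("@")[2].lower() or guest_home_domain(upn)
        issues = []
        if domain not in allowed_domains:
            issues.append(f"domain {domain} not on allow list")
        if u.get("externalUserState") == "PendingAcceptance":
            invited = datetime.fromisoformat(u["createdDateTime"].replace("Z", "+00:00"))
            age = (now - invited).days
            if age >= stale_after_days:
                issues.append(f"invitation unredeemed for {age} days")
        if not u.get("accountEnabled", True):
            issues.append("account disabled but not removed")
        if issues:
            findings.append((upn, issues))
    return findings


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock so the example is reproducible
ALLOWED_DOMAINS = {"partner.com", "fabrikam.com"}  # placeholder collaboration allow list
SAMPLE_USERS = [  # constructed directory export
    {"userPrincipalName": "alice@contoso.com", "mail": "alice@contoso.com", "userType": "Member",
     "accountEnabled": True, "createdDateTime": "2023-01-01T00:00:00Z"},
    {"userPrincipalName": expected_guest_upn("bob@partner.com", "contoso.onmicrosoft.com"), "mail": "bob@partner.com",
     "userType": "Guest", "externalUserState": "Accepted", "accountEnabled": True, "createdDateTime": "2024-01-10T00:00:00Z"},
    {"userPrincipalName": "carl_gmail.com#EXT#@contoso.onmicrosoft.com", "mail": "carl@gmail.com",
     "userType": "Guest", "externalUserState": "PendingAcceptance", "accountEnabled": True, "createdDateTime": "2024-03-01T00:00:00Z"},
    {"userPrincipalName": "dana_fabrikam.com#EXT#@contoso.onmicrosoft.com", "mail": None,
     "userType": "Guest", "externalUserState": "Accepted", "accountEnabled": False, "createdDateTime": "2023-06-01T00:00:00Z"},
]

if __name__ == "__main__":
    for upn, issues in audit_guests(SAMPLE_USERS, ALLOWED_DOMAINS, NOW):
        print(upn, "->", "; ".join(issues))
```

An unredeemed invitation is a standing grant to whoever eventually controls that mailbox, so it should be withdrawn rather than left to age; a guest from a consumer domain is the case the tenant-level domain restrictions exist to prevent, and finding one means a site owner shared before those restrictions were in place.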
---
Conditional Access for SharePoint
Conditional Access policies in Entra ID control how users access SharePoint:
Common SharePoint Conditional Access Policies
Policy 1: Require MFA for all SharePoint access
```
Name: SharePoint - Require MFA
Users: All users (or target user groups)
Cloud apps: Office 365 SharePoint Online
Conditions: Any location, any device
Grant: Require multi-factor authentication
```
Policy 2: Require compliant device for full access
```
Name: SharePoint - Require Compliant Device
Users: All users
Cloud apps: Office 365 SharePoint Online
Conditions: All devices (or specific platforms)
Grant: Require device to be marked as compliant (Intune)
```
Policy 3: Block SharePoint from non-corporate networks
```
Name: SharePoint - Network Location Restriction
Users: All users (or sensitive groups)
Cloud apps: Office 365 SharePoint Online
Conditions: Locations → Include: Any location; Exclude: the Named Location covering the corporate network / VPN egress ranges
Grant: Block
```
Policy 4: Limit access from unmanaged devices
```
Name: SharePoint - Unmanaged Device Restriction
Users: All users
Cloud apps: Office 365 SharePoint Online
Conditions: Client apps = Browser (SharePoint itself treats Intune-compliant or Microsoft Entra hybrid joined devices as managed and exempts them, so the policy needs no device condition)
Session: Use app enforced restrictions (no grant control)
```
App-enforced restrictions in SharePoint: when users access SharePoint from unmanaged devices, they get web-only access (no download, no print, no sync). This is configured in SharePoint Admin Center → Policies → Access control → Unmanaged devices, and choosing "Allow limited, web-only access" there creates the matching Conditional Access policies for you. Two practices apply to every policy above: exclude your emergency-access (break-glass) accounts from each policy so that a misconfigured Block cannot lock administrators out, and deploy each policy in report-only mode first, then review the Conditional Access tab of the affected sign-ins before enforcing it.
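To show how the four policies combine for a single sign-in, here is an added example (not code from this page or from EPC Group): the policies written in the shape the Graph API uses for identity/conditionalAccess/policies, plus a simplified evaluator that models user and group targeting, the Office 365 SharePoint Online application, named locations, client app type, grant controls and the app-enforced-restrictions session control. It is not Microsoft's engine, and every identifier except the SharePoint app ID is a placeholder; Policy 2 is scoped to a placeholder finance group rather than all users so the other scenarios stay visible, and the block-guests policy is left in report-only mode. The last two scenarios reproduce the guest "Access Denied" case: a compliant-device policy that includes guests can never be satisfied by them.

```python
"""Simulate how Entra Conditional Access combines policies for one SharePoint Online sign-in.
Policies use the Graph API shape (identity/conditionalAccess/policies). This is a simplified model
written for this guide, not Microsoft's engine: user/group targeting, the SharePoint app, named
locations, client app type, grant controls and app-enforced restrictions. IDs are placeholders."""
import copy

SHAREPOINT_APP_ID = "00000003-0000-0ff1-ce00-000000000000"  # Office 365 SharePoint Online
CORP_NET = "loc-corp-network"    # placeholder named-location ID (corporate egress / VPN ranges)
BREAK_GLASS = "user-breakglass"  # placeholder emergency-access account, excluded from every policy

def policy(name, users, grant=None, session=False, locations=None, client_apps=("all",), state="enabled"):
    """Build one Graph-shaped policy (grant operator OR = the portal's 'require one of the selected')."""
    p = {"displayName": name, "state": state,
         "conditions": {"users": {"excludeUsers": [BREAK_GLASS], **users},
                        "applications": {"includeApplications": [SHAREPOINT_APP_ID]},
                        "clientAppTypes": list(client_apps)}}
    if locations:
        p["conditions"]["locations"] = locations
    if grant:
        p["grantControls"] = {"operator": "OR", "builtInControls": grant}
    if session:
        p["sessionControls"] = {"applicationEnforcedRestrictions": {"isEnabled": True}}
    return p

POLICIES = [
    policy("SharePoint - Require MFA", {"includeUsers": ["All"]}, grant=["mfa"]),
    policy("SharePoint - Require Compliant Device", {"includeGroups": ["grp-finance"]},
           grant=["compliantDevice", "domainJoinedDevice"]),
    policy("SharePoint - Block guests off-network", {"includeUsers": ["GuestsOrExternalUsers"]},
           grant=["block"], locations={"includeLocations": ["All"], "excludeLocations": [CORP_NET]},
           state="enabledForReportingButNotEnforced"),  # report-only until its impact has been reviewed
    policy("SharePoint - Unmanaged Device Restriction", {"includeUsers": ["All"]},
           session=True, client_apps=("browser",)),
]

def _users_match(u, ctx):
    guest, excl = ctx["userType"] == "Guest", u.get("excludeUsers", [])
    if ctx["userId"] in excl or (guest and "GuestsOrExternalUsers" in excl):
        return False
    if ctx["groups"] & set(u.get("excludeGroups", [])):
        return False
    inc = u.get("includeUsers", [])
    return ("All" in inc or ctx["userId"] in inc or (guest and "GuestsOrExternalUsers" in inc)
            or bool(ctx["groups"] & set(u.get("includeGroups", []))))

def _locations_match(loc, ctx):
    if loc is None:  # no location condition: applies from anywhere
        return True
    if ctx["locationIds"] & set(loc.get("excludeLocations", [])):
        return False
    return "All" in loc["includeLocations"] or bool(ctx["locationIds"] & set(loc["includeLocations"]))

def applies(p, ctx):
    c, apps = p["conditions"], p["conditions"]["applications"]["includeApplications"]
    return (_users_match(c["users"], ctx) and ("All" in apps or ctx["appId"] in apps)
            and _locations_match(c.get("locations"), ctx)
            and ("all" in c["clientAppTypes"] or ctx["clientAppType"] in c["clientAppTypes"]))

def _satisfied(control, ctx):
    # MFA is assumed completable by an interactive user; block can never be satisfied
    return {"mfa": True, "compliantDevice": ctx["deviceCompliant"],
            "domainJoinedDevice": ctx["hybridJoined"], "block": False}.get(control, False)

def evaluate(policies, ctx):
    """Combined outcome: every enforced policy that applies must be satisfied or the sign-in fails."""
    out = {"decision": "allow", "required": [], "failed": [], "session": [], "report_only": []}
    for p in policies:
        if p["state"] == "disabled" or not applies(p, ctx):
            continue
        if p["state"] == "enabledForReportingButNotEnforced":
            out["report_only"].append(p["displayName"])
            continue
        g = p.get("grantControls")
        if g:
            out["required"].append((p["displayName"], g["builtInControls"]))
            ok = [_satisfied(c, ctx) for c in g["builtInControls"]]
            if not (any(ok) if g["operator"] == "OR" else all(ok)):
                out["failed"].append(p["displayName"])
        if p.get("sessionControls", {}).get("applicationEnforcedRestrictions", {}).get("isEnabled"):
            out["session"].append("applicationEnforcedRestrictions")  # SharePoint then gives web-only access
    if out["failed"]:
        out["decision"] = "block"
    return out

def signin(**kw):
    """Constructed sign-in context; default is a member in a browser on an unmanaged device, off-network."""
    ctx = {"userId": "user-cho", "userType": "Member", "groups": set(), "appId": SHAREPOINT_APP_ID,
           "locationIds": set(), "clientAppType": "browser", "deviceCompliant": False, "hybridJoined": False}
    ctx.update(kw)
    return ctx

# Guest 'Access Denied' case: a compliant-device policy aimed at All users also catches guests, whose
# devices are never compliant in your tenant; excluding GuestsOrExternalUsers from that policy is the fix.
POLICIES_GUESTS_CAUGHT = copy.deepcopy(POLICIES)
POLICIES_GUESTS_CAUGHT[1]["conditions"]["users"] = {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS]}
POLICIES_GUESTS_EXCLUDED = copy.deepcopy(POLICIES_GUESTS_CAUGHT)
POLICIES_GUESTS_EXCLUDED[1]["conditions"]["users"]["excludeUsers"].append("GuestsOrExternalUsers")

if __name__ == "__main__":
    guest = signin(userId="user-bob", userType="Guest")
    for label, pols, ctx in [("member, BYOD browser", POLICIES, signin()),
                             ("guest vs. device policy on All users", POLICIES_GUESTS_CAUGHT, guest)]:
        print(f"{label}: {evaluate(pols, ctx)}")
```

The evaluator makes the two rules that matter visible: a sign-in must satisfy every enforced policy that applies to it, so the most restrictive one wins, and a report-only policy is recorded but changes nothing, which is why it is the safe place to stage the guest block before enforcing it.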
---
Identity Governance for SharePoint
Access Reviews
Periodically review who has access to SharePoint sites via Entra ID Identity Governance:
- Entra ID → Identity Governance → Access reviews → New access review
- Scope: Microsoft 365 groups or specific group membership
- Frequency: Quarterly or monthly
- Reviewers: Group owners, manager, or selected reviewers
- Actions: Remove users who don't respond or are marked "Denied"
Best practice: Quarterly access reviews for all groups with access to sites containing sensitive or confidential content.
Privileged Identity Management (PIM)
For SharePoint administrators, use Entra ID Privileged Identity Management to require just-in-time elevation for admin roles:
- SharePoint Administrator: Eligible (not permanent)
- Activation: Requires MFA + business justification + approval from Global Admin
- Duration: 8-hour sessions maximum
- Audit: All activations logged with justification
This reduces the risk of a compromised SharePoint Administrator account being used to exfiltrate data without detection.
---
Troubleshooting Entra ID / SharePoint Issues
"Access Denied" for a User
- Confirm user account exists in Entra ID and is enabled
- Confirm user is in the SharePoint site's permission group (Members/Owners/Visitors)
- If using security group: confirm user is in the security group in Entra ID
- Check Conditional Access: is a policy blocking this user's access? (Entra ID → Sign-in logs → filter by user + SharePoint)
- Check guest vs. member status: guests have more restricted default access
"User Can't Be Found" When Adding to SharePoint
- User must exist in Entra ID before being added to SharePoint
- For external users: invite them first (Entra ID → Users → New user → Invite external user) or raise the site's sharing level so that site owners can invite new guests; with the sharing level set to "Existing guests", the people picker only resolves guests who are already in the directory
Guest Users Getting Access Denied After Redemption
- Common cause: a Conditional Access policy the guest cannot satisfy. MFA itself is satisfiable: the guest is prompted to register MFA methods in your tenant, or you can trust MFA performed in their home Entra tenant (Entra ID → External Identities → Cross-tenant access settings → Inbound access → Trust settings). What a guest can never satisfy is a "require compliant device" or "require hybrid joined device" control, because their device is not managed by you
- Fix: open the failed sign-in in the sign-in log and read its Conditional Access tab to see which policy failed, then exclude guests from device-based policies (or from any policy with a control they cannot meet) and give them a dedicated guest policy that requires MFA
---
Conclusion
Entra ID is not an optional add-on to SharePoint — it is SharePoint's identity foundation. Understanding how users, groups, guest access, and Conditional Access policies interact with SharePoint permissions is essential for every SharePoint administrator managing an enterprise environment.
EPC Group provides comprehensive Entra ID + SharePoint security assessments, identifying misconfigured permissions, over-permissioned guest accounts, missing Conditional Access policies, and governance gaps. Contact us for a security assessment.
Written by Errin O'Connor
Founder, CEO & Chief AI Architect | Microsoft Press Bestselling Author | 25+ Years Microsoft Ecosystem
Errin O'Connor is a Microsoft Press bestselling author of 4 books covering SharePoint, Power BI, Azure, and large-scale migrations. He leads our SharePoint consulting practice with expertise spanning 500+ enterprise migrations and compliance implementations across HIPAA, SOC 2, and FedRAMP environments.