JussiLehti-7925 asked sadomovalex answered

Sharepoint - One user account with two different roles (and permissions in Sharepoint)

Our client has a need to get rid of multiple AD Accounts of users who work for two different organizations (e.g. 50-50).

Currently those users log in to the computer with the account of the organization they are working for currently and are granted access to those Sharepoint sites that have that same organization's AD groups permitted on those sites.


So they asked if it would be possible for those users to have only one AD account and then create a new LDAP environment to give those AD accounts two different roles. And those roles would have different AD groups mapped to them.
And the most important question: could we leverage those roles when the user authenticates to Sharepoint so that, depending on the role the user chooses, he would only get permissions in Sharepoint to those sites which have those AD groups that belong to the role he has chosen?

This is a bit hard to explain and to try to get even started, but any comment would be appreciated.

Currently they are using Sharepoint 2016 with SAML authentication via ADFS.


JussiLehti-7925 answered

To add more spice to the situation, SSO to Sharepoint should be working too (as it is working now) so probably the role selection should be made in some custom LDAP tool after the user has signed in to Windows.

Again, I'm not expecting answers since this seems quite complex.


JoyZ answered JoyZ commented

@JussiLehti-7925,

Per my knowledge, the short answer is NO, when we use SAML authentication via ADFS, it's necessary to define the claim that will be used as the unique identifier of the user.

Simply put, a user should have his own unique identifier rather than two roles pointing to one user.


If an Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

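As an added illustration of the point above (example configuration written for this page, not taken from the thread or from any Microsoft sample for this scenario): a SharePoint 2016 trusted identity token issuer is created with exactly one identifier claim, and any role claim is mapped as attribute data on that single identity, never as a second identity. The ADFS hostname, realm and certificate path are assumed placeholders.

```powershell
# Added example: one SAML trust, one identifier claim per user.
# Hostname, realm and certificate path below are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$adfsHost = "adfs.example.test"                  # assumed
$realm    = "urn:sharepoint:intranet"            # assumed
$certPath = "C:\certs\adfs-token-signing.cer"    # placeholder path

# ADFS token-signing certificate that SharePoint will trust
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

# The claim that identifies the user. SharePoint accepts exactly one
# IdentifierClaim for a trust; two values here would be two different users.
$upnMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" `
    -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming

# A role claim carries group or role membership. It can be granted permissions
# on a site, but it is attached to the identity above and never replaces it.
$roleMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

$issuer = New-SPTrustedIdentityTokenIssuer -Name "ADFS" `
    -Description "ADFS SAML trust (example)" `
    -Realm $realm `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $upnMap, $roleMap `
    -SignInUrl "https://$adfsHost/adfs/ls" `
    -IdentifierClaim $upnMap.InputClaimType

# Check: the trust exposes a single identifier claim type alongside the
# mapped attribute claims. Anything selected per session (a role) must
# arrive as one of the non-identifier claims.
$issuer = Get-SPTrustedIdentityTokenIssuer -Identity "ADFS"
"Identifier claim: $($issuer.IdentifierClaim)"
"Mapped claims:    $($issuer.ClaimTypes -join ', ')"
```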

Thanks for your quick reply!

How about if they would get rid of the ADFS between AD and Sharepoint?
Can we use SAML authentication with LDAP?


The logic behind the scenes would be something like this:

  • Active Directory holds the fundamental information about the user, e.g. UPN, samaccountname, emailaddress, firstname, lastname, etc.

  • LDAP holds the same information about the user, but there are also two different Roles in LDAP for the user, and those Roles would be unique identities in LDAP. Those LDAP identities should have a unique identifier in LDAP that is obviously different from the one the user logs in to Windows with, so that Sharepoint would know that the user is from LDAP and not from AD. Those LDAP Role identities of the user would also be assigned different AD groups so that Sharepoint would still be able to leverage AD groups for granting users access to different sites etc.


And the actual sign-in scenario would be something like this:

  • User logs in to the computer with his Windows/AD account

  • User then selects from their custom-built LDAP access manager thingy their job role for that day.

  • Then the user opens Sharepoint and would be automatically signed in via SSO with the LDAP Role account he selected in the previous step. (I don't know how this would be possible, but that's their hope.)


I would like to say to our client just NO, but unfortunately they need some explanation, and I was actually interested whether anyone has ever implemented something like this with Sharepoint.


JoyZ commented

@JussiLehti-7925,

Per my research, there is little sample material or information about this; we suggest you open a support ticket with Microsoft so that it can be escalated and a dedicated Technical Professional can support you from there.

Please go to the website (https://support.microsoft.com/en-sg/help/4051701/global-customer-service-phone-numbers) to find related number and call it to create a new Phone Service Request to Microsoft Phone Support team.

sadomovalex answered

Are the domains of these organizations located in the same forest? If yes, it is possible (with limitations: Can users in one domain be assigned to Groups in another domain if both domains are in the same Forest) to add users from domain A (organization 1) to AD groups in domain B (organization 2). In this case (in theory) the same user account may access Sharepoint sites which are granted to AD groups from domain A (organization 1) and sites granted to AD groups from domain B (organization 2). It should be tested, of course.

