Group Membership Sync Does Not Update SharePoint Access: Root Cause and Fix

You add a user to a Microsoft 365 group, but the user does not get access to the SharePoint site connected to that group. Or you remove a user from the group, but the user still sees the site in their browser. This problem happens because SharePoint uses a cached membership list and does not check group changes in real time. The sync delay can range from minutes to 24 hours. This article explains the technical root cause and provides the exact steps to force a membership sync so access rights update immediately.

Key Takeaways: Group Membership Sync and SharePoint Access

  • SharePoint admin center > Active sites > site > Membership Sync: Triggers an immediate refresh of group membership for a specific site.
  • PowerShell Set-SPOSite -GroupAlias -SyncMembership: Forces sync for all sites connected to a Microsoft 365 group.
  • SharePoint cache TTL of 24 hours: The default maximum delay before membership changes appear without manual intervention.

Why SharePoint Does Not Update Access After Group Membership Changes

SharePoint Online does not query Azure Active Directory every time a user requests a site. Instead, it stores a local copy of the group membership list for each site collection. This cached list has a time-to-live value that can be up to 24 hours. When you add or remove a user from a Microsoft 365 group, Azure AD sends a change notification to SharePoint. But SharePoint processes these notifications in batches, not in real time. The batch processing interval is typically 15 to 30 minutes, but under heavy load it can extend to several hours.

Another factor is the SharePoint People Picker cache. The People Picker uses a separate index that refreshes on a different schedule. A user may appear in the People Picker search results even after they have been removed from the group. This can mislead site owners into thinking the user still has access. The actual authorization check always uses the cached membership list, not the People Picker index.

The Role of Azure AD Group Writeback

If your environment uses on-premises Active Directory synced with Azure AD Connect, there is an additional delay. Azure AD Connect synchronizes group membership changes on a schedule, usually every 30 minutes. Until Azure AD receives the updated membership, SharePoint has no way to know about the change. This adds another layer of latency before the SharePoint cache can be updated.

Steps to Force Group Membership Sync in SharePoint

You can bypass the normal sync delay by using the SharePoint admin center or PowerShell. These methods force SharePoint to refresh its cached membership list immediately.

Method 1: Use the SharePoint Admin Center

  1. Open the SharePoint admin center
    Sign in to Microsoft 365 with a SharePoint admin or Global admin account. Go to the Microsoft 365 admin center, then select SharePoint in the left navigation. Alternatively, go directly to https://admin.microsoft.com/SharePoint.
  2. Navigate to Active sites
    In the left menu of the SharePoint admin center, select Active sites. A list of all site collections appears.
  3. Select the affected site
    Find the site connected to the Microsoft 365 group whose membership changed. Click the site name to open the site details panel.
  4. Click Membership Sync
    In the site details panel, scroll down to the Group section. Click the Sync membership button. A confirmation dialog appears. Click Sync to confirm. SharePoint immediately refreshes the cached membership list for that site.
  5. Verify access
    Ask the affected user to sign out and sign back in to Microsoft 365. Then try to access the site. The permission change should take effect within a few minutes.

Method 2: Use SharePoint Online Management Shell

  1. Install the SharePoint Online Management Shell
    If you have not installed it, download the module from the Microsoft Download Center. Open Windows PowerShell as administrator and run Install-Module -Name Microsoft.Online.SharePoint.PowerShell.
  2. Connect to SharePoint Online
    Run Connect-SPOService -Url https://yourtenant-admin.sharepoint.com. Replace yourtenant with your tenant name. Sign in with a SharePoint admin or Global admin account.
  3. Run the Set-SPOSite command with the SyncMembership parameter
    Use this command: Set-SPOSite -Identity https://yourtenant.sharepoint.com/sites/yoursite -GroupAlias yourgroup -SyncMembership $true. Replace the site URL and group alias with your values. The -GroupAlias parameter is the email alias of the Microsoft 365 group.
  4. Verify the sync completed
    Run Get-SPOSite -Identity https://yourtenant.sharepoint.com/sites/yoursite | Select-Object LastSyncMembershipTime. This shows the timestamp of the last membership sync.

If SharePoint Still Has Issues After the Main Fix

User Still Cannot Access the Site After Sync

If you forced the sync and the user still gets an access denied message, check whether the user has been added to the site through a direct permission break. Open the site, go to Settings > Site permissions, and review any unique permissions that may override the group membership. Remove direct permission entries for that user so only the group permission applies.

User Still Sees the Site After Being Removed from the Group

The user may have the site pinned in their browser or in the SharePoint mobile app. Ask the user to clear the browser cache or reinstall the mobile app. Also check if the user has access through another group. A user can be a member of multiple groups that grant access to the same site.
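
To separate access that falls inside the 24-hour cache window from access that persists through another path after a removal, the following added example (not part of the original article) replays group changes and site visits in time order. The record layout, user names, group names and site path are constructed for illustration and are not a real audit log schema.

```python
from datetime import datetime, timedelta

CACHE_TTL = timedelta(hours=24)  # maximum delay stated in the article
# Constructed sample data; field names are a simplified, hypothetical schema.
INITIAL = {"finance": {"alice", "bob"}, "finance-auditors": set()}
SITE_GROUPS = {"/sites/finance": {"finance", "finance-auditors"}}
GROUP_EVENTS = [
    {"time": "2024-05-01T08:00:00", "action": "add", "user": "bob", "group": "finance-auditors"},
    {"time": "2024-05-01T09:00:00", "action": "remove", "user": "alice", "group": "finance"},
    {"time": "2024-05-01T10:00:00", "action": "remove", "user": "bob", "group": "finance"},
]
ACCESSES = [
    {"time": "2024-05-01T08:30:00", "user": "alice", "site": "/sites/finance"},
    {"time": "2024-05-01T09:20:00", "user": "alice", "site": "/sites/finance"},
    {"time": "2024-05-01T10:30:00", "user": "bob", "site": "/sites/finance"},
    {"time": "2024-05-03T12:00:00", "user": "alice", "site": "/sites/finance"},
]

def classify_accesses(initial, group_events, site_groups, accesses, ttl=CACHE_TTL):
    """Return (time, user, site, verdict) for accesses made without group membership."""
    members = {g: set(users) for g, users in initial.items()}
    removed_at = {}  # (user, group) -> time of the most recent removal
    timeline = [(datetime.fromisoformat(e["time"]), 0, e) for e in group_events]
    timeline += [(datetime.fromisoformat(e["time"]), 1, e) for e in accesses]
    timeline.sort(key=lambda item: item[:2])  # membership changes first on ties
    findings = []
    for when, kind, ev in timeline:
        user = ev["user"]
        if kind == 0:  # replay the membership change
            if ev["action"] == "add":
                members.setdefault(ev["group"], set()).add(user)
                removed_at.pop((user, ev["group"]), None)
            else:
                members.setdefault(ev["group"], set()).discard(user)
                removed_at[(user, ev["group"])] = when
            continue
        granting = site_groups.get(ev["site"], set())
        if any(user in members.get(g, set()) for g in granting):
            continue  # still entitled through at least one group
        removals = [removed_at[(user, g)] for g in granting if (user, g) in removed_at]
        if not removals:
            verdict = "never-member"
        else:
            verdict = "stale-cache-window" if when - max(removals) <= ttl else "beyond-ttl"
        findings.append((ev["time"], user, ev["site"], verdict))
    return findings

if __name__ == "__main__":
    print(classify_accesses(INITIAL, GROUP_EVENTS, SITE_GROUPS, ACCESSES))
```

A "stale-cache-window" verdict matches the cache delay described above and is a candidate for a forced sync. A "beyond-ttl" verdict cannot be explained by the cache and points to direct permissions or another access path.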

Sync Button Is Grayed Out in the Admin Center

The Sync membership button is only available for sites that are connected to a Microsoft 365 group. If the site uses classic permissions or is a communication site, the button does not appear. For those site types, you must manage permissions manually.

| Item | SharePoint Admin Center Sync | PowerShell Sync |
| --- | --- | --- |
| Prerequisites | SharePoint admin or Global admin role | SharePoint admin or Global admin role; SharePoint Online Management Shell installed |
| Scope | One site at a time | Single site or multiple sites with a script |
| Time to complete | 2 minutes per site | 1 minute per site after PowerShell session is connected |
| Automation possible | No | Yes, by looping through a list of sites |
| Audit log | No record of the manual sync | Operation logged in SharePoint admin audit log |

You can now force a membership sync using either the SharePoint admin center or PowerShell. This resolves access issues caused by the 24-hour cache delay. For ongoing management, consider running a scheduled PowerShell script once per day to sync all group-connected sites. This keeps access changes predictable and eliminates user frustration.
