In SharePoint, the People Picker control is used to select users, groups, and claims to grant permission to items such as lists, libraries, and sites. Although it has many uses, it is most commonly used to select users or groups while granting permissions on sites, lists, libraries etc.
People Picker relies on the authentication method configured at the zone level of the web application to initiate the query. A query initiated by the People Picker control searches the following locations:
- User Information List (UIL)
- Claims provider (configured at the Web application and zone level, e.g. Active Directory, Forms-Based Authentication, etc.)
Note: The People Picker control does not query the User Profile Service Application (UPSA). The query results also do not depend on the User Profile Sync or, in the case of SharePoint 2016, on Microsoft Identity Manager (MIM).
User Information List (UIL):
UIL is a hidden list maintained on the root site of every site collection. The list can be accessed at the following URL: http://[siteurl]/_catalogs/users/detail.aspx. The list is scoped to the site collection that contains it.
UIL is automatically managed by SharePoint and can only be accessed by administrators. A new item is created in the UIL every time a user is granted access rights to the site. This behavior varies slightly in SharePoint 2010 and earlier versions, where the user is added to the UIL at the time of first access.
If an AD group is granted access to the site, the group itself is added to the hidden UIL. However, the individual users in the group are not added until each user logs in to the site.
Role of User Profile Service Application in relation to UIL:
The UIL contains only a limited subset of metadata on the users (e.g. name, title, email) compared to the User Profile Service Application (UPSA). The list relies on the UPSA to keep the metadata (name, title, etc.) of the users it contains up to date. Failure to include a user in the User Profile sync leaves that user's UIL entry stale, so the details displayed for the user become out of date.
UIL is only used for certain purposes, such as queries by the People Picker control and populating the “Created By” or “Last modified by” details for users in document libraries and SharePoint lists. Everything else, including but not limited to Search, Workflows, Alerts and Audiences, uses the UPSA to retrieve user information and does not access the UIL.
Note: The recommended best practice is to include in the User Profile/MIM sync all accounts that have the potential of being used in the farm. In the case of AD security groups, each account in the group also needs to be individually included in the user profile sync.
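The following PowerShell script is an added example, not code from the original article, that ties the two points above together: it enumerates the hidden UIL of one site collection (the same entries shown at /_catalogs/users/detail.aspx), flags AD group entries whose members are not individually listed, and checks whether each user entry still resolves to a profile in the UPSA, which is the condition that keeps UIL metadata from going stale. It assumes it is run in the SharePoint Management Shell on a farm server by a farm administrator with access to the UPSA; the site URL is a placeholder, and the assumption that the claims-encoded login name (e.g. i:0#.w|domain\user) resolves directly against the UPSA is marked in the code.

```powershell
# Added example (not from the original article): audit the hidden User Information List (UIL)
# of one site collection and flag entries that the User Profile Service Application (UPSA)
# does not know about. Assumes the SharePoint Management Shell, farm-administrator rights and
# UPSA access; $SiteUrl is a placeholder for a real site collection URL.
param(
    [string]$SiteUrl = "http://sharepoint.contoso.local/sites/finance"   # placeholder URL
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Office.Server.UserProfiles")

$site = Get-SPSite $SiteUrl
try {
    # SiteUsers on the root web is the SPUserCollection backed by the hidden UIL
    # (the list the article exposes at /_catalogs/users/detail.aspx).
    $uilUsers = $site.RootWeb.SiteUsers

    # Connect to the UPSA that serves this site collection.
    $ctx = Get-SPServiceContext -Site $site
    $upm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)

    $report = foreach ($u in $uilUsers) {
        if ($u.IsDomainGroup) {
            # An AD group is a single UIL entry; its members only appear after they log in.
            $status = "AD group (members not listed in UIL)"
        }
        elseif ($u.LoginName -like "SHAREPOINT\*" -or $u.LoginName -like "NT AUTHORITY\*") {
            $status = "built-in account"
        }
        else {
            # Assumption: the claims-encoded login name (e.g. i:0#.w|contoso\jdoe) resolves
            # against the UPSA as-is; an entry with no profile is a candidate for stale data.
            $status = if ($upm.UserExists($u.LoginName)) { "profile found" } else { "NO PROFILE (stale UIL data?)" }
        }
        [pscustomobject]@{
            Id          = $u.ID
            LoginName   = $u.LoginName
            DisplayName = $u.Name
            Email       = $u.Email
            IsSiteAdmin = $u.IsSiteAdmin
            Status      = $status
        }
    }

    $report | Sort-Object Status, LoginName | Format-Table -AutoSize
}
finally {
    $site.Dispose()
}
```

Entries reported as "NO PROFILE" are the ones the article's note warns about: accounts that were granted access (and so landed in the UIL) but were never added to the User Profile/MIM sync. Running this per site collection is useful when a user complains that People Picker shows an old name or title, since the fix is in the sync scope, not in the UIL itself.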
Starting with SharePoint 2013, claims based authentication has become the recommended authentication mechanism. It is also the default authentication mechanism for web applications.
In claims mode, People Picker searches and resolves queries based on the claims provider specified for the authentication method used by the Web application and zone. Depending on how the zone is configured, the authentication mechanism could be one of the following:
- Windows authentication (Active Directory)
- Forms-Based Authentication (FBA)
- Custom Claims Provider (SAML token-based authentication)
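Because the provider is set per web application and per zone, the quickest way to see what People Picker will query on a given farm is to walk the IIS settings of every zone. The script below is an added example, not code from the original article; it assumes the SharePoint Management Shell on a farm server with farm-administrator rights and uses only the SPWebApplication, SPIisSettings and SPAuthenticationProvider members named in the comments. It maps each zone to one of the three mechanisms listed above (Windows, FBA, trusted/SAML) and prints the claims provider name that People Picker resolves against.

```powershell
# Added example (not from the original article): list, for every web application and zone,
# the authentication providers configured there, i.e. the claims providers People Picker
# will search and resolve against. Assumes the SharePoint Management Shell and farm-admin rights.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$rows = foreach ($wa in Get-SPWebApplication) {
    # SPWebApplication.IisSettings is keyed by zone (Default, Intranet, Internet, Custom, Extranet).
    foreach ($zone in $wa.IisSettings.Keys) {
        $iis = $wa.IisSettings[$zone]

        if (-not $wa.UseClaimsAuthentication) {
            # Classic mode (pre-2013 default): no claims provider, People Picker queries AD directly.
            [pscustomobject]@{ WebApp = $wa.DisplayName; Zone = $zone; Mode = "Classic"; Provider = "Windows (AD)"; ClaimProvider = "" }
            continue
        }

        # SPIisSettings.ClaimsAuthenticationProviders holds one SPAuthenticationProvider per enabled method.
        foreach ($p in $iis.ClaimsAuthenticationProviders) {
            $kind = switch ($p.GetType().Name) {
                "SPWindowsAuthenticationProvider" { "Windows (AD)" }
                "SPFormsAuthenticationProvider"   { "FBA membership=$($p.MembershipProvider) role=$($p.RoleProvider)" }
                "SPTrustedAuthenticationProvider" { "Trusted / SAML token-based" }
                default                           { $p.GetType().Name }
            }
            [pscustomobject]@{
                WebApp        = $wa.DisplayName
                Zone          = $zone
                Mode          = "Claims"
                Provider      = $kind
                ClaimProvider = $p.ClaimProviderName   # the claims provider People Picker queries for this zone
            }
        }
    }
}

$rows | Sort-Object WebApp, Zone | Format-Table -AutoSize
```

A zone that shows only a trusted (SAML) provider is the case where People Picker cannot validate what is typed and will resolve any string as a claim unless a custom claims provider is registered for it; the table makes such zones easy to spot before users report that "everything resolves".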