Forum Discussion
Best way to remove access to some SharePoint Online Site/Libraries from M365 Admin/Engineer
My organization of ~400 users uses M365 with SharePoint Online. We are hiring a new M365 Engineer/Admin who needs a lot of SPO (and other) Admin access to do all the things he'll need to do.
My Dir of IT would like us to prevent this new engineer/admin from being able to access a couple SPO Sites like Finance and Exec Team and prevent access to a couple document libraries in our HR site.
What is the best way (or best practices) to set this up in Entra ID and/or M365? Oh, we are fully cloud-based, so no local Domain Controllers and servers.
Thanks!
Brian
Hi! BrianRMI
I would recommend the following changes to configure and to also have in mind
Securing the HR Folders / Libraries:
The first step would be to secure the HR folder/Library. I would create an Entra ID group and add the members of HR (and other people that might need to have access to HR related files, like team managers).
I would then break inheritance of the HR folder in SharePoint and make sure that this Entra ID Group is the only group with access to the folder. That way it's locked down for authorized personnel only.
Securing sites:
Unfortunately, since this new Engineer will have the SharePoint Administrator role on his account, they'll still be able to add themselves as owners (or member) to any site they wish.
But best practice is to use the built-in M365 groups to manage membership as far as you can. If you require more customization and automation, Dynamic M365 groups or even regular Entra ID sec groups can work.
But to actually make sure that the Engineer won't access sensitive sites, or elevate their permissions, I would recommend setting up some Activity alerts in Purview, if your licenses permit it.
Hope this helps you move forward. If you need further guidance I'm more than happy to help. 🙂
Cheers
Oliwer Sundgren
6 Replies
- BrianRMI (Brass Contributor): Thank you, Oliwer, this is right in line with my original thoughts, but I hoped there was a more secure way to do this. But I get it: if someone has Admin access over a solution, they have Admin access over the entire solution... makes sense to me (but not our Dir of IT, but that's my problem). So, I think I'll lock them out the best I can and then, to your point, add some sort of monitoring, logging, and alerting to hold them accountable and for us to proactively know/prove they violated our data security policy, which we'll make abundantly clear. That's the best we can do.
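The monitoring Brian settles on needs something that turns raw audit records into an alert. As an added illustration (not from either participant in this thread), this Python script triages exported SharePoint audit records and flags a watched admin account that grants rights inside, or reads from, the fenced-off sites and libraries; the site URLs, the admin UPN and the sample records are constructed placeholders, and the operation names are the SharePoint ones used in the Unified Audit Log.

```python
# Constructed scope mirroring the thread: two whole sites plus one HR library.
PROTECTED_SITES = {"https://contoso.sharepoint.com/sites/finance",
                   "https://contoso.sharepoint.com/sites/execteam"}
PROTECTED_LIBRARIES = {"https://contoso.sharepoint.com/sites/hr/payroll"}
WATCHED_ADMINS = {"spo-admin@contoso.com"}  # constructed admin UPN
# Unified Audit Log SharePoint operation names, grouped by what they imply.
ESCALATION_OPS = {"SiteCollectionAdminAdded", "AddedToGroup",
                  "PermissionLevelAdded", "SharingInheritanceBroken"}
ACCESS_OPS = {"FileAccessed", "FileDownloaded", "FilePreviewed"}

def _norm(url):
    """Lower-case and force one trailing slash so prefix checks stay exact."""
    return (url or "").lower().rstrip("/") + "/"

def _in_scope(record):
    """Return the protected site or library this record touches, or None."""
    site, obj = _norm(record.get("SiteUrl")), _norm(record.get("ObjectId"))
    for prefix in PROTECTED_SITES | PROTECTED_LIBRARIES:
        if site.startswith(_norm(prefix)) or obj.startswith(_norm(prefix)):
            return prefix
    return None

def triage(records):
    """Flag a watched admin escalating into, or reading from, protected scope."""
    alerts = []
    for r in records:
        scope, op = _in_scope(r), r.get("Operation")
        if r.get("UserId", "").lower() not in WATCHED_ADMINS or scope is None:
            continue
        if op not in ESCALATION_OPS | ACCESS_OPS:
            continue
        alerts.append({"severity": "critical" if op in ESCALATION_OPS else "high",
                       "user": r["UserId"], "operation": op, "scope": scope,
                       "time": r.get("CreationTime")})
    return alerts

# Constructed records in the AuditData shape returned by Search-UnifiedAuditLog.
SAMPLE_AUDIT = [
    {"CreationTime": "2024-05-01T09:12:00", "Operation": "FileAccessed",
     "UserId": "spo-admin@contoso.com", "SiteUrl": "https://contoso.sharepoint.com/sites/finance/",
     "ObjectId": "https://contoso.sharepoint.com/sites/finance/Shared Documents/budget.xlsx"},
    {"CreationTime": "2024-05-01T09:15:00", "Operation": "SiteCollectionAdminAdded",
     "UserId": "spo-admin@contoso.com", "SiteUrl": "https://contoso.sharepoint.com/sites/execteam/",
     "ObjectId": "https://contoso.sharepoint.com/sites/execteam/"},
    {"CreationTime": "2024-05-01T09:25:00", "Operation": "FileAccessed",  # HR, but not a fenced library
     "UserId": "spo-admin@contoso.com", "SiteUrl": "https://contoso.sharepoint.com/sites/hr/",
     "ObjectId": "https://contoso.sharepoint.com/sites/hr/policies/handbook.docx"},
]
```

Running `triage(SAMPLE_AUDIT)` yields two alerts (a high for the Finance file read and a critical for the self-granted Exec Team site admin right) and ignores the HR handbook read because only the payroll library is fenced; feeding it the JSON from a Purview or `Search-UnifiedAuditLog` export is the same call.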
- oliwer_sundgren (Steel Contributor): No worries at all Brian! Keeping my fingers crossed that you'll manage to get your IT Director onboard with this as well 🙂
As an extra nugget that I just remembered: if you have E5 licensing, you could play around with Authentication Context in Conditional Access policies. This would make it possible to apply Conditional Access based restrictions to specific SharePoint sites.
In other words... if the new engineer's account or admin account tries to access a specific SharePoint site (not scopeable to a library, it's only scopeable to the whole site itself), that action would be blocked. Might be worth trying out to see if it works for your use case 🙂
https://practical365.com/using-authentication-context-with-azure-ad-conditional-access-policies-to-secure-access-to-sensitive-sharepoint-content/
- BrianRMI (Brass Contributor): Could be by Security Groups, M365 Groups, or Roles, but likely a combo of these? There are lots of predefined roles to choose from. I'm looking for guidance on the right combination to specifically allow the admin the ability to manage all sites except those mentioned above.