Forum Discussion
Best way to remove access to some SharePoint Online Site/Libraries from M365 Admin/Engineer
- Aug 13, 2024
Hi! BrianRMI
I would recommend the following changes to configure, and a few things to keep in mind:
Securing the HR Folders / Libraries:
The first step would be to secure the HR folder/library. I would create an Entra ID group and add the members of HR (and other people who might need access to HR-related files, like team managers).
I would then break inheritance on the HR folder in SharePoint and make sure that this Entra ID group is the only group with access to the folder. That way it's locked down for authorized personnel only.
Securing sites:
Unfortunately, since this new Engineer will have the SharePoint Administrator role on his account, they'll still be able to add themselves as owner (or member) to any site they wish.
But best practice is to use the built-in M365 groups to manage membership as far as you can. If you require more customization and automation, Dynamic M365 groups or even regular Entra ID sec groups can work.
But to actually make sure that the Engineer won't access sensitive sites or elevate their permissions, I would recommend setting up some Activity alerts in Purview, if your licenses permit it.
Hope this helps you move forward. If you need further guidance I'm more than happy to help. 🙂
Cheers
Oliwer Sundgren
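An added example, not part of the original post: the kind of check the activity alerts suggested above would perform, run over exported audit records. The records, tenant URL and account names are constructed, and the field layout (`UserId`, `Operation`, `SiteUrl`, `TargetUserOrGroupName`) is assumed to match your audit log export.

```python
import json

def _rec(op, user, site, target=""):
    # Helper that builds one constructed record as a JSON line.
    return json.dumps({"CreationTime": "2024-08-13T09:00:00", "Operation": op,
                       "UserId": user, "SiteUrl": site,
                       "TargetUserOrGroupName": target})

HR = "https://example.sharepoint.com/sites/HR/"
ENG = "engineer@example.com"
SAMPLE_RECORDS = [  # constructed sample input
    _rec("SiteCollectionAdminAdded", ENG, HR, ENG),
    _rec("FileAccessed", ENG, HR),
    _rec("FileAccessed", "hr.manager@example.com", HR),
    _rec("AddedToGroup", ENG, "https://example.sharepoint.com/sites/HR-archive/", ENG),
    "not json at all",
    _rec("AddedToGroup", ENG, HR, "someone.else@example.com"),
]

WATCHED_ADMINS = {ENG}                      # accounts holding the admin role
SENSITIVE_SITES = ("https://example.sharepoint.com/sites/hr",)
ELEVATION_OPS = {"SiteCollectionAdminAdded", "AddedToGroup"}
ACCESS_OPS = {"FileAccessed", "FileDownloaded"}

def on_sensitive_site(record):
    # Match the site itself or paths below it, so /sites/HR-archive is not /sites/HR.
    url = str(record.get("SiteUrl", "")).lower().rstrip("/")
    return any(url == s or url.startswith(s + "/") for s in SENSITIVE_SITES)

def classify(record):
    actor = str(record.get("UserId", "")).lower()
    if actor not in WATCHED_ADMINS or not on_sensitive_site(record):
        return None
    op = record.get("Operation", "")
    if op in ELEVATION_OPS:
        target = str(record.get("TargetUserOrGroupName", "")).lower()
        return "self-elevation" if target == actor else "permission-change"
    return "content-access" if op in ACCESS_OPS else None

def find_alerts(lines):
    alerts = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue                        # skip malformed lines, keep scanning
        kind = classify(record) if isinstance(record, dict) else None
        if kind:
            alerts.append((record.get("CreationTime"), kind, record["UserId"], op_name(record)))
    return alerts

def op_name(record):
    return record.get("Operation", "")
```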