Forum Discussion
Best way to remove access to some SharePoint Online Site/Libraries from M365 Admin/Engineer
- Aug 13, 2024
Hi BrianRMI!
I would recommend the following changes to configure, and also to keep in mind:
Securing the HR Folders / Libraries:
The first step would be to secure the HR folder/library. I would create an Entra ID group and add the members of HR (and other people that might need access to HR-related files, like team managers).
I would then break inheritance of the HR folder in SharePoint and make sure that this Entra ID group is the only group with access to the folder. That way it's locked down to authorized personnel only.
Securing sites:
Unfortunately, since this new engineer will have the SharePoint Administrator role on their account, they'll still be able to add themselves as owner (or member) to any site they wish.
But best practice is to use the built-in M365 groups to manage membership as far as you can. If you require more customization and automation, dynamic M365 groups or even regular Entra ID security groups can work.
But to actually make sure that the engineer won't access sensitive sites or elevate their permissions, I would recommend setting up some activity alerts in Purview, if your licenses permit it.
Hope this helps you move forward. If you need further guidance I'm more than happy to help. 🙂
Cheers
Oliwer Sundgren
As an extra nugget that I just remembered: if you have E5 licensing, you could play around with Authentication Context in Conditional Access policies. This would make it possible to apply Conditional Access based restrictions to specific SharePoint sites.
In other words... if the new engineer's account or admin account tries to access a specific SharePoint site (not scopeable to a library, it's only scopeable to the whole site itself), that action would be blocked. Might be worth trying out to see if it works for your use case 🙂
https://practical365.com/using-authentication-context-with-azure-ad-conditional-access-policies-to-secure-access-to-sensitive-sharepoint-content/
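The library lock-down steps described in the answer above (create an Entra ID security group, break inheritance on the HR library, grant only that group, then verify what is left) as an added PowerShell example. This is not code from the original thread or from either poster; it uses the Microsoft.Graph and PnP.PowerShell modules, and the site URL, library name, group name and member UPNs are placeholders. Addressing an Entra ID security group through its `c:0t.c|tenant|<objectId>` claim string is an assumption about how SharePoint resolves the principal, so check the audit output at the end.

```powershell
# Added example (not from the original thread): lock an HR document library in
# SharePoint Online to a single Entra ID security group, then audit the result.
# Assumes the Microsoft.Graph and PnP.PowerShell modules are installed and that
# the running account may create groups and manage the site. Site URL, library
# name, group name and member UPNs are placeholders, not values from the thread.

$SiteUrl     = "https://contoso.sharepoint.com/sites/HR"      # placeholder
$LibraryName = "HR Documents"                                 # placeholder
$GroupName   = "SEC-HR-Restricted"                            # placeholder
$HrMembers   = @("alice@contoso.com", "bob@contoso.com")      # placeholders

# 1. Create (or reuse) the Entra ID security group and add the HR members.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All" -NoWelcome
$group = Get-MgGroup -Filter "displayName eq '$GroupName'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $GroupName -MailEnabled:$false `
        -MailNickname ($GroupName.ToLower()) -SecurityEnabled
}
foreach ($upn in $HrMembers) {
    $user = Get-MgUser -UserId $upn
    # SilentlyContinue so re-running the script does not fail on existing members.
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id -ErrorAction SilentlyContinue
}

# 2. Break permission inheritance on the library. -CopyRoleAssignments:$false
#    drops the inherited assignments instead of copying them, and -ClearSubscopes
#    removes any unique permissions that folders or files below it already had,
#    so nothing inside the library keeps a wider grant than the library itself.
Connect-PnPOnline -Url $SiteUrl -Interactive
Set-PnPList -Identity $LibraryName -BreakRoleInheritance -CopyRoleAssignments:$false -ClearSubscopes

# 3. Grant the Entra ID group Contribute on the library. SharePoint refers to an
#    Entra ID security group by the claim string "c:0t.c|tenant|<objectId>"
#    (assumed here to be resolved by Set-PnPListPermission's -User parameter).
$claim = "c:0t.c|tenant|$($group.Id)"
Set-PnPListPermission -Identity $LibraryName -User $claim -AddRole "Contribute"

# 4. Audit: fail if inheritance is still in place, then list every principal
#    that holds a role on the library. Re-run this part on a schedule to detect
#    drift, e.g. someone with the SharePoint Administrator role re-adding themselves.
$list = Get-PnPList -Identity $LibraryName -Includes RoleAssignments, HasUniqueRoleAssignments
if (-not $list.HasUniqueRoleAssignments) { throw "Library '$LibraryName' still inherits permissions" }
foreach ($ra in $list.RoleAssignments) {
    Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
    $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
    [pscustomobject]@{
        Principal = $ra.Member.Title
        LoginName = $ra.Member.LoginName
        Roles     = $roles
    }
}
```

Expect the audit table to show the new group plus the site's own owners group and site collection administrators; as the answer notes, a SharePoint Administrator can still make themselves a site collection administrator, which is why the audit and the Purview activity alerts matter more than the permission itself. The site-level authentication context mentioned in the follow-up is set separately on the whole site (in the SharePoint Online Management Shell this is `Set-SPOSite` with `-ConditionalAccessPolicy AuthenticationContext` and `-AuthenticationContextName`, an assumption to verify against current documentation) and cannot be scoped to a single library.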
- BrianRMI, Aug 13, 2024 (Brass Contributor): I'm going to look into this! I'll report back my findings if I try it.