Forum Discussion

Anonymous's avatar
Anonymous
Nov 15, 2016
Solved

O365 Global Admin has no access to recent SharePoint Online site collections

Is it just me, or has anyone else noticed that O365 Global Admins do not automatically get access to recently created Site Collections in SharePoint Online?

 

We have a small group of O365 Global Admins and all of us have MFA enabled.  This means that we often can't use our accounts for scripting and other various O365 add-ins/tools.

So I have a service account setup, which is also a Global Admin, but doesn't have MFA.

This account is able to get to older Site Collections (where it's not specifically in the SP Groups), but it's unable to access more recently created site collections.

 

I either get the:

 

Access Denied

myserviceaccount@corp.onmicrosoft.com does not have permissions to access this resource.
Here are a few ideas:

Please ask the site admin to give you access.

If you have a different account, try signing in with that account.
This will sign you out of all other Office 365 services that you're signed into at this time.
If this problem persists, contact your support team and include these technical details:
Correlation ID: xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx 
Date and Time: 15/11/2016 2:00:00 p.m.
User: myserviceaccount@corp.onmicrosoft.com
Issue Type: User does not have permissions.
 
Or I get the:
You need permission to access this site.
[I'd like access, please.]
Request Access
 
Judging by the sites that work, this change looks to have been in about the last month or so.
 
Anyone else seeing this?
 
I'm going to try creating a SPAdmin only account and see if that has better luck than a Global admin.
 
Thanks
Craig
admin
Permissions
security
SharePoint Online
Sites
  • NarasimaPerumal Chandramohan's avatar
    NarasimaPerumal Chandramohan
    Nov 21, 2016

    You can use the below PowerShell script to get the details of the SPO Site Collections for the Office 365 Groups.

     

    $cred=Get-Credential
$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $cred -Authentication "Basic" -AllowRedirection
Import-PSSession $exchangeSession -DisableNameChecking
Connect-SPOService -Url https://tenantname-admin.sharepoint.com -credential $cred
$Groups=Get-UnifiedGroup |Where-Object {$_.SharePointSiteUrl -ne $null}
$Groups | Foreach-Object{ 
$Group = $_ 
$GName=$Group.SharePointSiteUrl
Get-SPOSite -Identity $GName -Detailed |fl
}

    To add a member to Office 365 Groups, you can use the below one.

    Add-UnifiedGroupLinks -LinkType Members -Identity "engineering" -Links "alland@XXXXX.onmicrosoft.com

    I am sure that the Office 365 Group's SPO File audits are available in "Audit log search" in protection centre [https://protection.office.com/#/unifiedauditlog]. Screen-shot of the audit logs for O365 groups is posted below.

     

     

30 Replies

Sort By
  • Anonymous's avatar
    Anonymous
    Jan 14, 2018
    sorry for spamming the thread, it kept telling me it had failed to post...
  • Jason Heeter's avatar
    Jason Heeter
    Copper Contributor
    Oct 13, 2017

    How does this apply to onsite backups (from cloud to secondary) or for migrating company data if you're going to collapse the environment. How would you know you have all your companies data without something having full access to all the sites both on O365 and it's ancillary off path products like Stream and Teams?

    • Anonymous's avatar
      Anonymous
      Jan 14, 2018
      No idea. You're asking the wrong person.
      You'd probably need to check the documentation for your backup software.
  • Anonymous's avatar
    Anonymous
    Nov 16, 2016
    exactly i know this functionality is already longer implemented if you login as a partner but as global admin it is new but i think it is a good one.
  • Trevor Seward's avatar
    Trevor Seward
    MVP
    Nov 15, 2016
    This is expected. A Global Admin shouldn't have access to individual sites unless explicitly granted. This is also true of on-prem, where a farm administrator does not automatically have access to Site Collections.
    • RobertFHPeterson's avatar
      RobertFHPeterson
      Copper Contributor
      Nov 03, 2023

      Trevor Seward 

      Why say anything at all if you are not going to say what to do to fix the problem. 

      Expected really doesn't help anybody.

    • Ninos Yacoub's avatar
      Ninos Yacoub
      Copper Contributor
      Dec 20, 2017

      This is really annoying. Users are asking for help in their site and we have no power over helping them with it. 

      SO, how can admins assit users who need help setting up their newly created site?

      • Miroslav Popov's avatar
        Miroslav Popov
        Copper Contributor
        May 18, 2018
        Exactly.
        It's the same case with me.
        Users are able to mess around with creating sites and teams, and when they cry for help I must ask them to give me access... an the we go into the painful loop of explaining where to click and what to do.
        So my 5 minute intervention turns into an hour(s) long jumping through hoops for the simplest of tasks.
    • Louis Simonetti's avatar
      Louis Simonetti
      Iron Contributor
      Jun 29, 2017

      I for one, love this feature. A Global admin should be able to administer the services and infrastructure, but they are not necessarily the right role for the managing and supporting the data.  That is how breaches, and data loss can occur. 

      • Torey Kirby's avatar
        Torey Kirby
        Copper Contributor
        Jun 27, 2018
        SInce I have to do both, it has made it very difficult for me. I have a lot of users just going in creating stuff and then never delete it. How do I manage that?

Resources