Deleted
Nov 15, 2016

O365 Global Admin has no access to recent SharePoint Online site collections

Is it just me, or has anyone else noticed that O365 Global Admins do not automatically get access to recently created Site Collections in SharePoint Online?

 

We have a small group of O365 Global Admins and all of us have MFA enabled.  This means that we often can't use our accounts for scripting and other various O365 add-ins/tools.

So I have a service account set up, which is also a Global Admin, but doesn't have MFA.

This account is able to get to older Site Collections (where it's not specifically in the SP Groups), but it's unable to access more recently created site collections.

 

I either get the:

 

Access Denied

myserviceaccount@corp.onmicrosoft.com does not have permissions to access this resource.
Here are a few ideas:

Please ask the site admin to give you access.

If you have a different account, try signing in with that account.
This will sign you out of all other Office 365 services that you're signed into at this time.
If this problem persists, contact your support team and include these technical details:
Correlation ID: xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx 
Date and Time: 15/11/2016 2:00:00 p.m.
User: myserviceaccount@corp.onmicrosoft.com
Issue Type: User does not have permissions.
 
Or I get the:
You need permission to access this site.
[I'd like access, please.]
Request Access
 
Judging by the sites that work, this change looks to have been in about the last month or so.
 
Anyone else seeing this?
 
I'm going to try creating a SPAdmin only account and see if that has better luck than a Global admin.
 
Thanks
Craig
  • You can use the below PowerShell script to get the details of the SPO Site Collections for the Office 365 Groups.

     

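    # Prompt once; the same credential is used for Exchange Online and SharePoint Online
    $cred = Get-Credential
    # Remote Exchange Online session (provides Get-UnifiedGroup)
    $exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $cred -Authentication "Basic" -AllowRedirection
    Import-PSSession $exchangeSession -DisableNameChecking
    Connect-SPOService -Url https://tenantname-admin.sharepoint.com -Credential $cred
    # Office 365 Groups that have a SharePoint site provisioned
    $Groups = Get-UnifiedGroup | Where-Object { $_.SharePointSiteUrl -ne $null }
    # Show the site collection details for each group site
    $Groups | ForEach-Object {
        $Group = $_
        $GName = $Group.SharePointSiteUrl
        Get-SPOSite -Identity $GName -Detailed | fl
    }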

    To add a member to Office 365 Groups, you can use the below one.

    Add-UnifiedGroupLinks -LinkType Members -Identity "engineering" -Links "alland@XXXXX.onmicrosoft.com"

    I am sure that the Office 365 Group's SPO File audits are available in "Audit log search" in protection centre [https://protection.office.com/#/unifiedauditlog]. Screen-shot of the audit logs for O365 groups is posted below.

     

     

  • This is expected. A Global Admin shouldn't have access to individual sites unless explicitly granted. This is also true of on-prem, where a farm administrator does not automatically have access to Site Collections.
    • Ninos Yacoub
      Copper Contributor

      This is really annoying. Users are asking for help in their site and we have no power over helping them with it. 

      So, how can admins assist users who need help setting up their newly created site?

      • Miroslav Popov
        Copper Contributor
        Exactly.
        It's the same case with me.
        Users are able to mess around with creating sites and teams, and when they cry for help I must ask them to give me access... and then we go into the painful loop of explaining where to click and what to do.
        So my 5 minute intervention turns into an hour(s) long jumping through hoops for the simplest of tasks.
    • Deleted
      Really? When did this change?

      I have a number of site collections in SPOnline and the Global Admin is able to access most of them, even when they're not in any of the groups.

      It makes sense, it's just a change in behavior.

      Just tested with a brand new SP Admin (not a site collection owner) and it has access to some sites, but not others.

      This is potentially going to make it difficult to have a SPOnline service account, unless you add it to the site collection owners, for all site collections - which given that every new "thing" that MS builds goes off and creates site collections (I'm looking at you Planner, Groups, Teams) which are "less" manageable, is going to be fun...
      • I agree with Trevor, and it has always been like this... if the user wasn't the creator of the Site Collections, he/she is not going to be able to access them... but you can add the user as Site Collection Administrator using the UI or PowerShell.
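
An added example, not part of any reply in this thread: the reply above says an account can be made Site Collection Administrator with PowerShell, and the function below does that only for the duration of a support task, then removes the right and logs both steps. `Invoke-WithTemporarySiteAdmin`, the log path, the tenant URLs and the account name are assumptions; it also assumes the account holds no standing admin right on the site, since the revoke step would remove one.

```powershell
# Added example, not from the thread. Requires the SharePoint Online Management Shell.
function Invoke-WithTemporarySiteAdmin {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SiteUrl,
        [Parameter(Mandatory)] [string] $LoginName,
        [Parameter(Mandatory)] [scriptblock] $Work,
        [string] $LogPath = ".\site-admin-grants.csv"   # hypothetical audit file
    )
    $granted = $false
    $entry = [ordered]@{
        Site = $SiteUrl; Account = $LoginName
        GrantedAt = $null; RevokedAt = $null; Outcome = "grant failed"
    }
    try {
        # Assumption: $LoginName has no standing admin right on this site.
        Set-SPOUser -Site $SiteUrl -LoginName $LoginName `
            -IsSiteCollectionAdmin $true -ErrorAction Stop | Out-Null
        $granted = $true
        $entry.GrantedAt = (Get-Date).ToUniversalTime().ToString("o")
        & $Work $SiteUrl                     # the actual support task
        $entry.Outcome = "completed"
    }
    catch {
        if ($granted) { $entry.Outcome = "task failed: $($_.Exception.Message)" }
        throw
    }
    finally {
        if ($granted) {
            try {   # always try to drop the right again, even if the task failed
                Set-SPOUser -Site $SiteUrl -LoginName $LoginName `
                    -IsSiteCollectionAdmin $false -ErrorAction Stop | Out-Null
                $entry.RevokedAt = (Get-Date).ToUniversalTime().ToString("o")
            }
            catch { $entry.Outcome += "; REVOKE FAILED, remove manually" }
        }
        [pscustomobject]$entry | Export-Csv -Path $LogPath -Append -NoTypeInformation
    }
}

# Placeholder tenant, site and account names; the account is the signed-in admin's own.
Connect-SPOService -Url "https://tenantname-admin.sharepoint.com"   # interactive sign-in
Invoke-WithTemporarySiteAdmin `
    -SiteUrl "https://tenantname.sharepoint.com/sites/engineering" `
    -LoginName "helpdesk.admin@corp.onmicrosoft.com" `
    -Work { param($url) Get-SPOUser -Site $url -Limit All |
            Where-Object IsSiteAdmin | Select-Object LoginName, DisplayName }
```
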
    • Louis Simonetti
      Iron Contributor

      I, for one, love this feature. A Global admin should be able to administer the services and infrastructure, but they are not necessarily the right role for managing and supporting the data. That is how breaches and data loss can occur.

      • Torey Kirby
        Copper Contributor
        Since I have to do both, it has made it very difficult for me. I have a lot of users just going in, creating stuff and then never deleting it. How do I manage that?
  • Jason Heeter
    Copper Contributor

    How does this apply to onsite backups (from cloud to secondary) or to migrating company data if you're going to collapse the environment? How would you know you have all your company's data without something having full access to all the sites, both on O365 and its ancillary off-path products like Stream and Teams?

    • Deleted
      No idea. You're asking the wrong person.
      You'd probably need to check the documentation for your backup software.
  • Exactly. I know this functionality has already been implemented for longer if you log in as a partner, but as global admin it is new, but I think it is a good one.
  • Sorry for spamming the thread, it kept telling me it had failed to post...
