Forum Discussion
O365 Global Admin has no access to recent SharePoint Online site collections
Is it just me, or has anyone else noticed that O365 Global Admins do not automatically get access to recently created Site Collections in SharePoint Online?
We have a small group of O365 Global Admins and all of us have MFA enabled. This means that we often can't use our accounts for scripting and other various O365 add-ins/tools.
So I have a service account set up, which is also a Global Admin, but doesn't have MFA.
This account is able to get to older Site Collections (where it's not specifically in the SP Groups), but it's unable to access more recently created site collections.
I either get the:
myserviceaccount@corp.onmicrosoft.com does not have permissions to access this resource.
Here are a few ideas:
Please ask the site admin to give you access.
If you have a different account, try signing in with that account.
This will sign you out of all other Office 365 services that you're signed into at this time.
If this problem persists, contact your support team and include these technical details:
Correlation ID: xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
Date and Time: 15/11/2016 2:00:00 p.m.
User: myserviceaccount@corp.onmicrosoft.com
Issue Type: User does not have permissions.
You can use the below PowerShell script to get the details of the SPO Site Collections for the Office 365 Groups.
$cred = Get-Credential
# Remote Exchange Online session, needed for Get-UnifiedGroup
$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $cred -Authentication "Basic" -AllowRedirection
Import-PSSession $exchangeSession -DisableNameChecking
Connect-SPOService -Url https://tenantname-admin.sharepoint.com -Credential $cred
# Keep only the Office 365 Groups that have a SharePoint site
$Groups = Get-UnifiedGroup | Where-Object { $_.SharePointSiteUrl -ne $null }
$Groups | ForEach-Object {
    $Group = $_
    $GName = $Group.SharePointSiteUrl
    # Show the full details of the group's site collection
    Get-SPOSite -Identity $GName -Detailed | fl
}
To add a member to Office 365 Groups, you can use the below one.
Add-UnifiedGroupLinks -LinkType Members -Identity "engineering" -Links "alland@XXXXX.onmicrosoft.com"
I am sure that the Office 365 Group's SPO File audits are available in "Audit log search" in protection centre [https://protection.office.com/#/unifiedauditlog]. Screen-shot of the audit logs for O365 groups is posted below.
- This is expected. A Global Admin shouldn't have access to individual sites unless explicitly granted. This is also true of on-prem, where a farm administrator does not automatically have access to Site Collections.
- Ninos Yacoub (Copper Contributor)
This is really annoying. Users are asking for help in their site and we have no power over helping them with it.
So, how can admins assist users who need help setting up their newly created site?
- Miroslav Popov (Copper Contributor)
Exactly.
It's the same case with me.
Users are able to mess around with creating sites and teams, and when they cry for help I must ask them to give me access... and then we go into the painful loop of explaining where to click and what to do.
So my 5 minute intervention turns into an hour(s) long jumping through hoops for the simplest of tasks.
- Deleted
Really? When did this change?
I have a number of site collections in SPOnline and the Global Admin is able to access most of them, even when they're not in any of the groups.
It makes sense, it's just a change in behavior.
Just tested with a brand new SP Admin (not a site collection owner) and it has access to some sites, but not others.
This is potentially going to make it difficult to have a SPOnline service account, unless you add it to the site collection owners, for all site collections - which given that every new "thing" that MS builds goes off and creates site collections (I'm looking at you Planner, Groups, Teams) which are "less" manageable, is going to be fun...
- I agree with Trevor, and it has always been like this... if the user wasn't the creator of the Site Collections, he/she is not going to be able to access them... but you can add the user as Site Collection Administrator using the UI or PowerShell.
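Added example (not part of any post in this thread): one way to make the service account a Site Collection Administrator with PowerShell only for the duration of a support task, then take the access away again. It assumes the Microsoft.Online.SharePoint.PowerShell module and a caller with the SharePoint admin role; the function name `Invoke-WithTemporarySiteAdmin` is hypothetical, and the tenant, site and account names are placeholders.

```powershell
# Added example. Invoke-WithTemporarySiteAdmin is a hypothetical helper name;
# the cmdlets come from the Microsoft.Online.SharePoint.PowerShell module.
function Invoke-WithTemporarySiteAdmin {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]      $SiteUrl,
        [Parameter(Mandatory)] [string]      $LoginName,
        [Parameter(Mandatory)] [scriptblock] $Task
    )

    # Remember whether the account already is a site collection admin, so that
    # pre-existing access is not removed afterwards. The lookup itself can be
    # denied on a site the caller cannot read; treat that as "not an admin yet".
    $alreadyAdmin = $false
    try {
        $user = Get-SPOUser -Site $SiteUrl -LoginName $LoginName -ErrorAction Stop
        $alreadyAdmin = [bool]$user.IsSiteAdmin
    } catch {
        Write-Verbose "Could not read current role on ${SiteUrl}: $($_.Exception.Message)"
    }

    if (-not $alreadyAdmin) {
        Set-SPOUser -Site $SiteUrl -LoginName $LoginName -IsSiteCollectionAdmin $true -ErrorAction Stop | Out-Null
        Write-Host "[$(Get-Date -Format o)] granted site collection admin: $LoginName on $SiteUrl"
    }

    try {
        # Run the support task while the elevated access is in place.
        & $Task $SiteUrl
    } finally {
        # Always revoke what this function granted, even if the task failed.
        if (-not $alreadyAdmin) {
            Set-SPOUser -Site $SiteUrl -LoginName $LoginName -IsSiteCollectionAdmin $false | Out-Null
            Write-Host "[$(Get-Date -Format o)] revoked site collection admin: $LoginName on $SiteUrl"
        }
    }
}

# Placeholder tenant, site and account. Without -Credential the sign-in is
# interactive, so an MFA-enabled admin account can run this.
Connect-SPOService -Url https://tenantname-admin.sharepoint.com
Invoke-WithTemporarySiteAdmin -SiteUrl 'https://tenantname.sharepoint.com/sites/engineering' `
    -LoginName 'myserviceaccount@corp.onmicrosoft.com' `
    -Task { param($url) Get-SPOSite -Identity $url -Detailed | Format-List Url, Owner, SharingCapability }
```

The grant and revoke lines give a local record that can be matched against the tenant's audit log.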
- Louis Simonetti (Iron Contributor)
I, for one, love this feature. A Global admin should be able to administer the services and infrastructure, but they are not necessarily the right role for managing and supporting the data. That is how breaches and data loss can occur.
- Torey Kirby (Copper Contributor)
Since I have to do both, it has made it very difficult for me. I have a lot of users just going in creating stuff and then never deleting it. How do I manage that?
- Deleted
error
- Jason Heeter (Copper Contributor)
How does this apply to onsite backups (from cloud to secondary) or to migrating company data if you're going to collapse the environment? How would you know you have all your company's data without something having full access to all the sites, both on O365 and its ancillary off-path products like Stream and Teams?
- Deleted
No idea. You're asking the wrong person.
You'd probably need to check the documentation for your backup software.
- Deleted
Exactly. I know this functionality has already been implemented for longer if you log in as a partner, but as global admin it is new, but I think it is a good one.
- Deleted
Sorry for spamming the thread, it kept telling me it had failed to post...