O365 Global Admin has no access to recent SharePoint Online site collections

OK, so here's my final solution.

What it does is enumerate all the site collections via Get-SPOSite and sets a particuarly Azure AD Security group to be a Site Collection Admin.  Then it enumerates all the groups in Exchange Online, looking for ones with URLs, which are O365 Groups, which it then is able to set the Security Group as a Site Collection Admin.

The end result - I'm able to use a service account to enumerate ALL site collections (in two passes) and perform actions on them.

Thanks for everyone's help.  This is not as simple as it should have been!

One key gotcha - the only way I've found to get the Claims ID for the group, is manually in the SPOnline UI (Site Permissions | Check Permissions).  Would love to have a PowerShell mechanism for that!

Note: I have this running in a SPOnline Management Shell PowerShell console.

Thanks

Craig

Import-Module MSOnline

# Jack Fruh - sharepointjack.com
# add a user or users to the site collection admin role on every site collection in Office 365 sites (SharePoint Online)

$SPOnlineAdminClaim = "c:0-.f|rolemanager|s-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXX"

#setup a log path
$path = "$($(get-location).path)\LogFile.txt"
#note we're using start-transcript, this does not work from inside the powershell ISE, only the command prompt
 
start-transcript -path $Path
write-host "This will connect to SharePoint Online"
 
#Admin Variables:
$Adminurl = "https://TENANT-admin.sharepoint.com"
 
Write-Host "Get Credentials"
$userName = 'SERVICE ACCOUNT EMAIL ADDRESS'
$password = ConvertTo-SecureString 'SERVICE ACCOUNT PASSWORD' -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($userName, $password) 
 
#Connect to SPO
Connect-SPOService -url $Adminurl -credential $credential
write-host "Connected" -foregroundcolor green
 
Write-Host "Get SPO Sites"
$sites = get-sposite
Foreach ($site in $sites)
{
    Write-host "Adding users to $($site.URL)" -foregroundcolor yellow
	#Set the site collection admin flag for the Site collection admin
	write-host "Setting up SPOnline Admins as a site collection admin on $($site.url)..."
	set-spouser -site $site.url -loginname $SPOnlineAdminClaim -IsSiteCollectionAdmin $true
	write-host "Done"	-foregroundcolor green
}
Write-Host "Done With SPO Sites" -ForegroundColor green

Write-Host "Connect to Exchange Online"
$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $credential -Authentication "Basic" -AllowRedirection
if ($exchangeSession) {
    Write-Host "Import Exchange Online Session"
    $session = Import-PSSession $exchangeSession -DisableNameChecking -AllowClobber
    if ($session) {
        Write-Host "Connect to SharePoint Online"
        Connect-SPOService -Url $Adminurl -credential $credential
        Write-Host "Get Unified Groups"
        $Groups=Get-UnifiedGroup |Where-Object {$_.SharePointSiteUrl -ne $null}
        Write-Host "Enumerate Groups"
        $Groups | Foreach-Object{ 
            $Group = $_ 
            $GName = $Group.SharePointSiteUrl
	    Write-Host "Setting up SPOnline Admins as a site colection admin on $($GName)..."
	    Set-SPOUser -Site $GName -LoginName $SPOnlineAdminClaim -IsSiteCollectionAdmin $true
        }
    Remove-PSSession (Get-PSSession)[0]
    }
} 


Write-host "Done with everything" -foregroundcolor green 
stop-transcript