Forum Discussion
O365 Global Admin has no access to recent SharePoint Online site collections
You can use the below PowerShell script to get the details of the SPO Site Collections for the Office 365 Groups.
$cred=Get-Credential $exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $cred -Authentication "Basic" -AllowRedirection Import-PSSession $exchangeSession -DisableNameChecking Connect-SPOService -Url https://tenantname-admin.sharepoint.com -credential $cred $Groups=Get-UnifiedGroup |Where-Object {$_.SharePointSiteUrl -ne $null} $Groups | Foreach-Object{ $Group = $_ $GName=$Group.SharePointSiteUrl Get-SPOSite -Identity $GName -Detailed |fl }To add a member to Office 365 Groups, you can use the below one.
Add-UnifiedGroupLinks -LinkType Members -Identity "engineering" -Links "alland@XXXXX.onmicrosoft.com
I am sure that the Office 365 Group's SPO File audits are available in "Audit log search" in protection centre [https://protection.office.com/#/unifiedauditlog]. Screen-shot of the audit logs for O365 groups is posted below.
Why say anything at all if you are not going to say what to do to fix the problem.
Expected really doesn't help anybody.
This is really annoying. Users are asking for help in their site and we have no power over helping them with it.
SO, how can admins assit users who need help setting up their newly created site?
- Exactly.
It's the same case with me.
Users are able to mess around with creating sites and teams, and when they cry for help I must ask them to give me access... an the we go into the painful loop of explaining where to click and what to do.
So my 5 minute intervention turns into an hour(s) long jumping through hoops for the simplest of tasks. - Apparently this will all be fixed up in the new SP Online Admin UI.
Deleted
Can you please ,if possible, expound on
1. where you get this info
2. more details
I for one, love this feature. A Global admin should be able to administer the services and infrastructure, but they are not necessarily the right role for the managing and supporting the data. That is how breaches, and data loss can occur.
- SInce I have to do both, it has made it very difficult for me. I have a lot of users just going in creating stuff and then never delete it. How do I manage that?
- My unfortunate response has been to turn off global Site, Team, O365 Group, Planner creation and restrict it to a handful of users who know what they're doing (naming schemes, conflicts, etc) until we have better tooling around site provisioning... which one of my guys has been working on using the SharePoint Patterns and Practices stuff.
Trevor Seward is correct and... in an on-prem environment you can set a web application policy granting site collection administration to all site collections in a web application. The web application administration layer is not available in SharePoint Online. It is likely that you enjoy site collection administrative permissions to all your on-prem site collections as a result of a web application policy. As a Global admin you can grant yourselft access to any site collections in SharePoint Online so you could add that to the start of your script (Set-SPOUser -site $SiteCollURL -LoginName $SiteCollectionAdmin1 -IsSiteCollectionAdmin $True) and you could remove the user from this role which the operation on the site collection were complete.
But in On Premises you can give Web Application access which gives you all Site Collections within the Web Application.
It should be an option to add a SP admin to all site collections.- Really? When did this change?
I have a number of site collections in SPOnline and the Global Admin is able to access most of them, even when they're not in any of the groups.
It makes sense, it's just a change in behavior.
Just tested with a brand new SP Admin (not a site collection owner) and it has access to some sites, but not others.
This is potentially going to make it difficult to have a SPOnline service account, unless you add it to the site collection owners, for all site collections - which given that every new "thing" that MS builds goes off and creates site collections (I'm looking at you Planner, Groups, Teams) which are "less" manageable, is going to be fun...- I agree with Trevor and It have been always like this...if the user wasn't the creator of the Site Collections, he/she is not going to be able to access to them...but you can add he user as Site Collection Administrator using the UI or PowerShell
- I agree that this is the way it should be, but it certainly hasn't always been this way. And I still have a Global Admin account that can access some sites (when they are not in any of the groups), but not others.
The big problem is sites created by the likes of Planner and Teams - aka O365 Group sites. These do not show up when you do a Get-SPOSite.
And if you specify them specifically (e.g. Get-SPOSite "https://mycorp.sharepoint.com/sites/O365GroupSite") you actually get anything unless you already have permission - which if the O365 site was created by someone else (and by default, anyone can create Planner/Teams/O365 Groups), then you're stuck.
There's some suggestion that the (now in preview) v2 of Azure AD PowerShell, is able to enumerate O365 Groups and so we may be able to access the site details that way, but I haven't tried this yet.
The underlying reason for doing this: I want to be able to find all the External users and look at what permissions they have on which sites (essentially to find rogue sharing).
