Forum Discussion
O365 Global Admin has no access to recent SharePoint Online site collections
- Nov 21, 2016
You can use the below PowerShell script to get the details of the SPO Site Collections for the Office 365 Groups.
$cred=Get-Credential $exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $cred -Authentication "Basic" -AllowRedirection Import-PSSession $exchangeSession -DisableNameChecking Connect-SPOService -Url https://tenantname-admin.sharepoint.com -credential $cred $Groups=Get-UnifiedGroup |Where-Object {$_.SharePointSiteUrl -ne $null} $Groups | Foreach-Object{ $Group = $_ $GName=$Group.SharePointSiteUrl Get-SPOSite -Identity $GName -Detailed |fl }
To add a member to Office 365 Groups, you can use the below one.
Add-UnifiedGroupLinks -LinkType Members -Identity "engineering" -Links "alland@XXXXX.onmicrosoft.com
I am sure that the Office 365 Group's SPO File audits are available in "Audit log search" in protection centre [https://protection.office.com/#/unifiedauditlog]. Screen-shot of the audit logs for O365 groups is posted below.
Thanks for responding guys.
But I still have the problem that I can't get the details of sites that I don't know about. And I wont know about them unless I have access. And I can't give myself (or my service account) access, unless I know about them...
Given that Get-SPOSite doesn't return all sites by default and that the Site Collection list in O365 Admin/SPO Admin doesn't display Group sites (and Video, etc). How can I reliably get a list of site collections? To which I can then add my admin group/service account to, so that I can programmaticaly access those sites going forward.
Users are still able to external share from Group sites, which means there are potentially external users with access to content that I can't audit.
There are 3rd party tools claiming to be able to audit/report/change this stuff. How are they doing it? Or are they actually trapped in the same way, with minimal, if any, visability of Group sites?
You can use the below PowerShell script to get the details of the SPO Site Collections for the Office 365 Groups.
$cred=Get-Credential $exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $cred -Authentication "Basic" -AllowRedirection Import-PSSession $exchangeSession -DisableNameChecking Connect-SPOService -Url https://tenantname-admin.sharepoint.com -credential $cred $Groups=Get-UnifiedGroup |Where-Object {$_.SharePointSiteUrl -ne $null} $Groups | Foreach-Object{ $Group = $_ $GName=$Group.SharePointSiteUrl Get-SPOSite -Identity $GName -Detailed |fl }
To add a member to Office 365 Groups, you can use the below one.
Add-UnifiedGroupLinks -LinkType Members -Identity "engineering" -Links "alland@XXXXX.onmicrosoft.com
I am sure that the Office 365 Group's SPO File audits are available in "Audit log search" in protection centre [https://protection.office.com/#/unifiedauditlog]. Screen-shot of the audit logs for O365 groups is posted below.
- Thomas AndreOct 31, 2018Copper ContributorGreat and very helpful script. Thank you!
- Matthieu DEMOULINMar 12, 2018Copper Contributor
Great script, saved my 4ss
Proposed enhancement : replace the current site admin by the new one (global admin for example), and add the old one as the secondary site admin.
- AnonymousJan 14, 2018
Robert.krauss.skype wrote:
I have the same need for such a script. But I don't get where this line
$SPOnlineAdminClaim = "c:0-.f|rolemanager|s-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXX"
comes from. Where do I find this information for myself (or the AD group I am in)?
As a global admin by boss expects that I have access to everything.
It comes from this bit:
One key gotcha - the only way I've found to get the Claims ID for the group, is manually in the SPOnline UI (Site Permissions | Check Permissions). Would love to have a PowerShell mechanism for that! - Robert KAug 17, 2017Brass Contributor
I have the same need for such a script. But I don't get where this line
$SPOnlineAdminClaim = "c:0-.f|rolemanager|s-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXX"
comes from. Where do I find this information for myself (or the AD group I am in)?
As a global admin by boss expects that I have access to everything.
- AnonymousNov 22, 2016
OK, so here's my final solution.
What it does is enumerate all the site collections via Get-SPOSite and sets a particuarly Azure AD Security group to be a Site Collection Admin. Then it enumerates all the groups in Exchange Online, looking for ones with URLs, which are O365 Groups, which it then is able to set the Security Group as a Site Collection Admin.
The end result - I'm able to use a service account to enumerate ALL site collections (in two passes) and perform actions on them.
Thanks for everyone's help. This is not as simple as it should have been!
One key gotcha - the only way I've found to get the Claims ID for the group, is manually in the SPOnline UI (Site Permissions | Check Permissions). Would love to have a PowerShell mechanism for that!
Note: I have this running in a SPOnline Management Shell PowerShell console.
Thanks
Craig
Import-Module MSOnline # Jack Fruh - sharepointjack.com # add a user or users to the site collection admin role on every site collection in Office 365 sites (SharePoint Online) $SPOnlineAdminClaim = "c:0-.f|rolemanager|s-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXX" #setup a log path $path = "$($(get-location).path)\LogFile.txt" #note we're using start-transcript, this does not work from inside the powershell ISE, only the command prompt start-transcript -path $Path write-host "This will connect to SharePoint Online" #Admin Variables: $Adminurl = "https://TENANT-admin.sharepoint.com" Write-Host "Get Credentials" $userName = 'SERVICE ACCOUNT EMAIL ADDRESS' $password = ConvertTo-SecureString 'SERVICE ACCOUNT PASSWORD' -AsPlainText -Force $credential = New-Object System.Management.Automation.PSCredential ($userName, $password) #Connect to SPO Connect-SPOService -url $Adminurl -credential $credential write-host "Connected" -foregroundcolor green Write-Host "Get SPO Sites" $sites = get-sposite Foreach ($site in $sites) { Write-host "Adding users to $($site.URL)" -foregroundcolor yellow #Set the site collection admin flag for the Site collection admin write-host "Setting up SPOnline Admins as a site collection admin on $($site.url)..." set-spouser -site $site.url -loginname $SPOnlineAdminClaim -IsSiteCollectionAdmin $true write-host "Done" -foregroundcolor green } Write-Host "Done With SPO Sites" -ForegroundColor green Write-Host "Connect to Exchange Online" $exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $credential -Authentication "Basic" -AllowRedirection if ($exchangeSession) { Write-Host "Import Exchange Online Session" $session = Import-PSSession $exchangeSession -DisableNameChecking -AllowClobber if ($session) { Write-Host "Connect to SharePoint Online" Connect-SPOService -Url $Adminurl -credential $credential Write-Host "Get Unified Groups" $Groups=Get-UnifiedGroup |Where-Object {$_.SharePointSiteUrl -ne $null} Write-Host "Enumerate Groups" $Groups | Foreach-Object{ $Group = $_ $GName = $Group.SharePointSiteUrl Write-Host "Setting up SPOnline Admins as a site colection admin on $($GName)..." Set-SPOUser -Site $GName -LoginName $SPOnlineAdminClaim -IsSiteCollectionAdmin $true } Remove-PSSession (Get-PSSession)[0] } } Write-host "Done with everything" -foregroundcolor green stop-transcript
- AnonymousNov 22, 2016Thanks for that.
Works a treat!
Yeah, I know user activity on Group sites does turn up in the Audit logs. But I'm trying to audit External users and what they have access to.