Forum Discussion
luvsql
Feb 13, 2020 | Iron Contributor
Restrict Administrators from specific Document Libraries
We have some confidential document libraries that only Sr Management should be able to access, however, as IT administrators, we're SharePoint Admins, site owners etc and therefore have full access. ...
Feb 13, 2020
Admins have always had access to everything, it's where Admin governance / roles come into play by restricting your admins and what they can do. SharePoint admins obviously can go in and assign themselves as Site collection admins. These admins can see all files no matter what.
This is where you have to deploy extra tech. like IRM or possibly the newer sensitivity Labels with encryption on documents that can allow you to label documents as confidential and only people specified to see that label can open those documents. See the following: https://docs.microsoft.com/en-us/microsoft-365/compliance/encryption-sensitivity-labels
Of course, this protects the document itself. An admin who has rights to edit labels can still add themselves to the label permissions and get into the file, but you have to keep in mind, this is where audit log monitoring comes into play. You can have someone audit for these events and changes by admins to dig into why they are doing these actions.
Even if you don't do labels, you can audit permission changes on sites / libraries to see if admins accessed content as well. But using labels and encryption etc. keeps people from sharing these documents outside of your organization / to other users by downloading them etc.
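The reply's point is that admins cannot be locked out of SharePoint content, so the control is auditing: watch for admins granting themselves site collection rights and for reads of the confidential library by anyone outside the approved group. The script below is an added illustration of that triage and is not from the original thread or from Microsoft. It works on constructed records laid out like the AuditData JSON that Search-UnifiedAuditLog returns (Operation, UserId, ObjectId, CreationTime); the tenant URL, user names, the TargetUserOrGroupName field and the exact set of operation names are assumptions made for the example, so check them against your own exported records before reusing the filters.

```python
"""Triage unified-audit-log style records for admin activity against a
confidential SharePoint library.

The records, users and URLs below are constructed for this example. The
field layout follows the general shape of Search-UnifiedAuditLog AuditData,
but field and operation names beyond Operation/UserId/ObjectId/CreationTime
are assumptions and should be verified against a real export.
"""
import json
from dataclasses import dataclass

# Constructed: the library that only Sr Management should be reading.
CONFIDENTIAL_LIBRARY = "https://contoso.sharepoint.com/sites/Board/Confidential/"
ALLOWED_READERS = {"ceo@contoso.com", "cfo@contoso.com"}

# Permission/role changes worth a second look (assumed operation names).
PRIVILEGE_CHANGE_OPS = {
    "SiteCollectionAdminAdded", "SharingSet", "PermissionLevelAdded", "AddedToGroup",
}
# Content reads/downloads of the protected library (assumed operation names).
CONTENT_ACCESS_OPS = {"FileAccessed", "FileDownloaded", "FileSyncDownloadedFull"}

# Constructed sample export, one AuditData JSON object per line.
SAMPLE_LOG = """\
{"CreationTime":"2020-02-13T08:01:00","Operation":"FileAccessed","UserId":"ceo@contoso.com","ObjectId":"https://contoso.sharepoint.com/sites/Board/Confidential/Q1-plan.docx"}
{"CreationTime":"2020-02-13T09:15:00","Operation":"SiteCollectionAdminAdded","UserId":"itadmin@contoso.com","ObjectId":"https://contoso.sharepoint.com/sites/Board","TargetUserOrGroupName":"itadmin@contoso.com"}
{"CreationTime":"2020-02-13T09:16:00","Operation":"FileDownloaded","UserId":"itadmin@contoso.com","ObjectId":"https://contoso.sharepoint.com/sites/Board/Confidential/Q1-plan.docx"}
{"CreationTime":"2020-02-13T10:00:00","Operation":"SharingSet","UserId":"itadmin@contoso.com","ObjectId":"https://contoso.sharepoint.com/sites/Board/Confidential/Q1-plan.docx","TargetUserOrGroupName":"partner@example.org"}
{"CreationTime":"2020-02-13T11:00:00","Operation":"FileAccessed","UserId":"itadmin@contoso.com","ObjectId":"https://contoso.sharepoint.com/sites/IT/Runbooks/patching.docx"}
"""


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    reason: str
    actor: str
    time: str
    target: str


def parse_records(lines):
    """Yield one dict per non-empty JSON line; skip lines that fail to parse."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # a broken export line should not stop the review


def triage(records):
    """Return findings for admin privilege changes and out-of-policy reads."""
    findings = []
    for rec in records:
        op = rec.get("Operation", "")
        actor = rec.get("UserId", "").lower()
        obj = rec.get("ObjectId", "")
        when = rec.get("CreationTime", "")
        if op in PRIVILEGE_CHANGE_OPS:
            target = rec.get("TargetUserOrGroupName", "").lower()
            if target and target == actor:
                # The case the reply calls out: an admin granting themselves access.
                findings.append(Finding("high", "self-granted privilege: " + op, actor, when, obj))
            else:
                findings.append(Finding("medium", "privilege change: " + op, actor, when, obj))
        elif op in CONTENT_ACCESS_OPS and obj.startswith(CONFIDENTIAL_LIBRARY):
            if actor not in ALLOWED_READERS:
                findings.append(Finding("high", "confidential library read by non-approved user", actor, when, obj))
    return findings


def summarize(findings):
    """Count findings per severity so a reviewer can see the shape at a glance."""
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(parse_records(SAMPLE_LOG.splitlines())):
        print(f"{f.time} [{f.severity}] {f.actor}: {f.reason} ({f.target})")
```

On the constructed sample this reports the admin's self-assignment as site collection admin and the download that follows it as high, and the external sharing change as medium; the CEO's read and the admin's read of an unrelated IT library produce nothing. The same loop runs unchanged over a real export once the field and operation names are confirmed.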