O365 Global Admin has no access to recent SharePoint Online site collections

Craig Humphrey (Contributor)

Is it just me, or has anyone else noticed that O365 Global Admins do not automatically get access to recently created Site Collections in SharePoint Online?

We have a small group of O365 Global Admins and all of us have MFA enabled. This means that we often can't use our accounts for scripting and other various O365 add-ins/tools.

So I have a service account set up, which is also a Global Admin, but doesn't have MFA.

This account is able to get to older Site Collections (where it's not specifically in the SP Groups), but it's unable to access more recently created site collections.

I either get the:

Access Denied

myserviceaccount@corp.onmicrosoft.com does not have permissions to access this resource.
Here are a few ideas:

Please ask the site admin to give you access.

If you have a different account, try signing in with that account.
This will sign you out of all other Office 365 services that you're signed into at this time.
If this problem persists, contact your support team and include these technical details:
Correlation ID: xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
Date and Time: 15/11/2016 2:00:00 p.m.
User: myserviceaccount@corp.onmicrosoft.com
Issue Type: User does not have permissions.

Or I get the:

You need permission to access this site.
[I'd like access, please.]
Request Access

Judging by the sites that work, this change looks to have been in about the last month or so.

Anyone else seeing this?

I'm going to try creating a SPAdmin-only account and see if that has better luck than a Global Admin.

Thanks
Craig
  • Admin
  • Permissions
  • Security
  • SharePoint Online
  • Sites
14 Replies

Re: O365 Global Admin has no access to recent Shar...

This is expected. A Global Admin shouldn't have access to individual sites unless explicitly granted. This is also true of on-prem, where a farm administrator does not automatically have access to Site Collections.

Re: O365 Global Admin has no access to recent Shar...

Really? When did this change?

I have a number of site collections in SPOnline and the Global Admin is able to access most of them, even when they're not in any of the groups.

It makes sense, it's just a change in behavior.

Just tested with a brand new SP Admin (not a site collection owner) and it has access to some sites, but not others.

This is potentially going to make it difficult to have a SPOnline service account, unless you add it to the site collection owners for all site collections, which, given that every new "thing" that MS builds goes off and creates site collections (I'm looking at you Planner, Groups, Teams) which are "less" manageable, is going to be fun...

RE: O365 Global Admin has no access to recent Shar...

Exactly. I know this functionality has already been implemented for a while if you log in as a partner, but as a Global Admin it is new. I think it is a good one, though.

Re: O365 Global Admin has no access to recent Shar...

I agree with Trevor, and it has always been like this... if the user wasn't the creator of the Site Collections, he/she is not going to be able to access them... but you can add the user as Site Collection Administrator using the UI or PowerShell.

Re: O365 Global Admin has no access to recent Shar...

I agree that this is the way it should be, but it certainly hasn't always been this way. And I still have a Global Admin account that can access some sites (when they are not in any of the groups), but not others.

The big problem is sites created by the likes of Planner and Teams - aka O365 Group sites. These do not show up when you do a Get-SPOSite.
And if you specify them specifically (e.g. Get-SPOSite "https://mycorp.sharepoint.com/sites/O365GroupSite") you don't actually get anything unless you already have permission, which, if the O365 site was created by someone else (and by default, anyone can create Planner/Teams/O365 Groups), means you're stuck.

There's some suggestion that the (now in preview) v2 of Azure AD PowerShell, is able to enumerate O365 Groups and so we may be able to access the site details that way, but I haven't tried this yet.

The underlying reason for doing this: I want to be able to find all the External users and look at what permissions they have on which sites (essentially to find rogue sharing).

Re: O365 Global Admin has no access to recent Shar...

This is different stuff... today and by design Groups sites are hidden and not shown in the SharePoint Online Administration (the same happens with Office 365 Video Channels). The only way to get listed / get details of a Group site is using PowerShell and specifically the SPO cmdlets: Get-SPOSite and Set-SPOSite are your best friends here. In the future I believe Microsoft is working on showing Groups sites there as well, which by the way is something required for modern team sites.

Re: O365 Global Admin has no access to recent Shar...

Take a closer look at the SPO sites in the SPO Admin Center: if the SC Owner is listed as Company Administrator, then Global Admin will have rights to the SC.

I agree with Trevor and Juan, Global Admins have never had default access to an SC; it must be granted.

Putting an AD group into the SCA group is the easiest way I have found.

The new Azure Privileged Identity Management may offer a nice approach in the future, but its integration with SPO is not very powerful at this time.

Re: O365 Global Admin has no access to recent Shar...

Thanks for responding guys.

 

But I still have the problem that I can't get the details of sites that I don't know about. And I won't know about them unless I have access. And I can't give myself (or my service account) access, unless I know about them...

Given that Get-SPOSite doesn't return all sites by default and that the Site Collection list in O365 Admin/SPO Admin doesn't display Group sites (and Video, etc.), how can I reliably get a list of site collections? I can then add my admin group/service account to them, so that I can programmatically access those sites going forward.

Users are still able to external share from Group sites, which means there are potentially external users with access to content that I can't audit.

There are 3rd party tools claiming to be able to audit/report/change this stuff. How are they doing it? Or are they actually trapped in the same way, with minimal, if any, visibility of Group sites?

Solution

Re: O365 Global Admin has no access to recent Shar...

You can use the below PowerShell script to get the details of the SPO Site Collections for the Office 365 Groups.

 

# Connect to Exchange Online (remote PowerShell) and to the SPO admin endpoint with the same credential
$cred = Get-Credential
$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $cred -Authentication "Basic" -AllowRedirection
Import-PSSession $exchangeSession -DisableNameChecking
Connect-SPOService -Url https://tenantname-admin.sharepoint.com -Credential $cred

# Office 365 Groups that own a SharePoint site; these sites are not listed by a plain Get-SPOSite
$Groups = Get-UnifiedGroup | Where-Object { $_.SharePointSiteUrl -ne $null }
$Groups | ForEach-Object {
    $Group = $_
    $GName = $Group.SharePointSiteUrl
    # Querying the Group site by its URL works even though it is hidden from the default listing
    Get-SPOSite -Identity $GName -Detailed | Format-List
}

# Tear down the Exchange remoting session when done
Remove-PSSession $exchangeSession

To add a member to Office 365 Groups, you can use the below one.

Add-UnifiedGroupLinks -LinkType Members -Identity "engineering" -Links "alland@XXXXX.onmicrosoft.com"

I am sure that the Office 365 Group's SPO file audits are available in "Audit log search" in the protection centre [https://protection.office.com/#/unifiedauditlog]. A screenshot of the audit logs for O365 groups is posted below.

[Screenshot: audit o365 group.png]

 

Re: O365 Global Admin has no access to recent Shar...

Thanks for that.

Works a treat!

Yeah, I know user activity on Group sites does turn up in the Audit logs. But I'm trying to audit External users and what they have access to.

Re: O365 Global Admin has no access to recent Shar...

OK, so here's my final solution.

 

What it does is enumerate all the site collections via Get-SPOSite and set a particular Azure AD Security group to be a Site Collection Admin. Then it enumerates all the groups in Exchange Online, looking for ones with URLs, which are O365 Groups, on which it then also sets the Security Group as a Site Collection Admin.

The end result - I'm able to use a service account to enumerate ALL site collections (in two passes) and perform actions on them.

 

Thanks for everyone's help.  This is not as simple as it should have been!

 

One key gotcha - the only way I've found to get the Claims ID for the group, is manually in the SPOnline UI (Site Permissions | Check Permissions).  Would love to have a PowerShell mechanism for that!

 

Note: I have this running in a SPOnline Management Shell PowerShell console.

 

Thanks

Craig

 

# This script uses the SPO cmdlets, so it needs the SharePoint Online Management Shell module (not MSOnline)
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking

# Jack Fruh - sharepointjack.com
# add a user or users to the site collection admin role on every site collection in Office 365 sites (SharePoint Online)

# Claims-encoded login name of the Azure AD security group to make a site collection admin.
# The value is tenant-specific; it was read from Site Permissions | Check Permissions in the SPOnline UI.
$SPOnlineAdminClaim = "c:0-.f|rolemanager|s-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXX"

# Setup a log path
$path = "$($(Get-Location).Path)\LogFile.txt"
# Note: we're using Start-Transcript; this does not work from inside the PowerShell ISE, only the command prompt
Start-Transcript -Path $path
Write-Host "This will connect to SharePoint Online"

# Admin variables:
$AdminUrl = "https://TENANT-admin.sharepoint.com"

Write-Host "Get Credentials"
# The service account is a Global Admin without MFA, so its password is embedded for unattended runs.
# A plaintext secret in a script is a standing risk: restrict the file's ACL, or load the credential
# from a protected store (e.g. Import-Clixml of a credential exported by the same account on the same host).
$userName = 'SERVICE ACCOUNT EMAIL ADDRESS'
$password = ConvertTo-SecureString 'SERVICE ACCOUNT PASSWORD' -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($userName, $password)

# Connect to SPO
Connect-SPOService -Url $AdminUrl -Credential $credential
Write-Host "Connected" -ForegroundColor Green

# Pass 1: classic site collections as listed by Get-SPOSite (Group sites are not included here).
# -Limit All avoids the default cap on the number of sites returned.
Write-Host "Get SPO Sites"
$sites = Get-SPOSite -Limit All
foreach ($site in $sites) {
    Write-Host "Adding users to $($site.Url)" -ForegroundColor Yellow
    # Set the site collection admin flag for the admin group
    Write-Host "Setting up SPOnline Admins as a site collection admin on $($site.Url)..."
    Set-SPOUser -Site $site.Url -LoginName $SPOnlineAdminClaim -IsSiteCollectionAdmin $true
    Write-Host "Done" -ForegroundColor Green
}
Write-Host "Done With SPO Sites" -ForegroundColor Green

# Pass 2: Office 365 Group sites, discovered through Exchange Online (Get-UnifiedGroup exposes SharePointSiteUrl)
Write-Host "Connect to Exchange Online"
$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $credential -Authentication "Basic" -AllowRedirection
if ($exchangeSession) {
    Write-Host "Import Exchange Online Session"
    $session = Import-PSSession $exchangeSession -DisableNameChecking -AllowClobber
    if ($session) {
        Write-Host "Get Unified Groups"
        $Groups = Get-UnifiedGroup | Where-Object { $_.SharePointSiteUrl -ne $null }
        Write-Host "Enumerate Groups"
        $Groups | ForEach-Object {
            $Group = $_
            $GName = $Group.SharePointSiteUrl
            Write-Host "Setting up SPOnline Admins as a site collection admin on $($GName)..."
            Set-SPOUser -Site $GName -LoginName $SPOnlineAdminClaim -IsSiteCollectionAdmin $true
        }
    }
    # Remove the Exchange session we created, not whichever session happens to be first in the list
    Remove-PSSession $exchangeSession
}

Write-Host "Done with everything" -ForegroundColor Green
Stop-Transcript
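The reason given earlier in the thread for wanting admin rights on every site was to find external users and what they can reach. The following is an added example, not code from the original post or from any participant: it reuses the same two-pass discovery (Get-SPOSite plus Get-UnifiedGroup) to build one de-duplicated site list, then lists the external users on each site with the SharePoint groups that give them access, and reports the sites it still cannot read. The tenant admin URL and the credential are placeholders; it assumes the account running it has already been made a site collection admin as in the script above.

```powershell
# Added example (not from the original post): report every external user on every site collection,
# Office 365 Group sites included, together with the SharePoint groups they belong to on that site.
# Assumes the SharePoint Online Management Shell and Exchange Online remoting, as in the script above.
$AdminUrl   = "https://TENANT-admin.sharepoint.com"   # placeholder tenant admin URL
$credential = Get-Credential                          # the service account that is now a site collection admin

Connect-SPOService -Url $AdminUrl -Credential $credential
$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "https://outlook.office365.com/powershell-liveid/" `
    -Credential $credential -Authentication Basic -AllowRedirection
Import-PSSession $exchangeSession -DisableNameChecking -AllowClobber | Out-Null

# Pass 1 (classic site collections) and pass 2 (Office 365 Group sites), de-duplicated case-insensitively
$siteUrls = New-Object 'System.Collections.Generic.HashSet[string]' ([StringComparer]::OrdinalIgnoreCase)
Get-SPOSite -Limit All | ForEach-Object { [void]$siteUrls.Add($_.Url) }
Get-UnifiedGroup | Where-Object { $_.SharePointSiteUrl } |
    ForEach-Object { [void]$siteUrls.Add($_.SharePointSiteUrl) }

$report = foreach ($url in $siteUrls) {
    try {
        # Get-SPOUser needs site collection admin rights on the site; without them this throws
        $users = Get-SPOUser -Site $url -Limit All
    } catch {
        # This is exactly the case the thread is about: a site nobody granted the admin group on yet
        Write-Warning "Skipping $url (no site collection admin rights?): $($_.Exception.Message)"
        continue
    }
    # B2B guest accounts carry '#ext#' in the login name; sharing-link guests appear as urn:spo:guest
    $external = $users | Where-Object { $_.LoginName -like '*#ext#*' -or $_.LoginName -like '*urn:spo:guest*' }
    foreach ($u in $external) {
        [pscustomobject]@{
            SiteUrl     = $url
            LoginName   = $u.LoginName
            DisplayName = $u.DisplayName
            IsSiteAdmin = $u.IsSiteAdmin
            Groups      = ($u.Groups -join '; ')   # SharePoint groups the guest is a member of on this site
        }
    }
}

$report | Sort-Object SiteUrl, LoginName | Export-Csv -Path .\ExternalUsers.csv -NoTypeInformation
# Quick view: which sites carry the most guests
$report | Group-Object SiteUrl | Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

Remove-PSSession $exchangeSession
```

The warnings are as useful as the CSV: every site that is skipped is one the admin group was never granted on, which is the gap the thread describes. Get-SPOExternalUser -SiteUrl can be added per site to pick up who invited each guest and when.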

Re: O365 Global Admin has no access to recent Shar...

But on-premises you can give Web Application access, which gives you all Site Collections within the Web Application.


It should be an option to add a SP admin to all site collections. 

Re: O365 Global Admin has no access to recent Shar...

@Trevor Seward is correct and... in an on-prem environment you can set a web application policy granting site collection administration to all site collections in a web application. The web application administration layer is not available in SharePoint Online. It is likely that you enjoy site collection administrative permissions to all your on-prem site collections as a result of a web application policy. As a Global Admin you can grant yourself access to any site collection in SharePoint Online, so you could add that to the start of your script (Set-SPOUser -Site $SiteCollURL -LoginName $SiteCollectionAdmin1 -IsSiteCollectionAdmin $True) and you could remove the user from this role when the operations on the site collection were complete.
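The grant-then-remove approach suggested above, written out as an added example that is not from any participant's post: a PowerShell function that makes a principal a site collection admin only for the duration of a script block and revokes the right afterwards even if the work fails. It assumes an existing Connect-SPOService session run by a SharePoint or Global admin (which is what lets Set-SPOUser grant the role on a site the caller cannot otherwise open); the site URL, login name and the work done in the block are placeholders.

```powershell
# Added example: just-in-time site collection admin rights for a single operation.
# Assumes an existing Connect-SPOService session established by a SharePoint/Global admin.
function Invoke-WithSiteCollectionAdmin {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SiteUrl,
        [Parameter(Mandatory)] [string] $LoginName,    # user or claims-encoded group
        [Parameter(Mandatory)] [scriptblock] $Action   # receives the site URL as its first argument
    )

    # Remember whether the principal was already an admin so we only revoke what we granted
    $existing = Get-SPOUser -Site $SiteUrl -LoginName $LoginName -ErrorAction SilentlyContinue
    $wasAdmin = [bool]($existing -and $existing.IsSiteAdmin)
    $granted  = $false

    if (-not $wasAdmin) {
        Set-SPOUser -Site $SiteUrl -LoginName $LoginName -IsSiteCollectionAdmin $true | Out-Null
        $granted = $true
        Write-Verbose "Granted site collection admin on $SiteUrl to $LoginName"
    }
    try {
        & $Action $SiteUrl
    }
    finally {
        # Revoke in finally so a failing action does not leave standing admin rights behind
        if ($granted) {
            Set-SPOUser -Site $SiteUrl -LoginName $LoginName -IsSiteCollectionAdmin $false | Out-Null
            Write-Verbose "Revoked site collection admin on $SiteUrl from $LoginName"
        }
    }
}

# Example use (placeholder URL and account): list the site collection admins of one Group site,
# then drop the temporary right again whether or not the listing succeeded
Invoke-WithSiteCollectionAdmin -SiteUrl "https://TENANT.sharepoint.com/sites/SomeGroupSite" `
    -LoginName "serviceaccount@TENANT.onmicrosoft.com" -Verbose -Action {
        param($url)
        Get-SPOUser -Site $url -Limit All | Where-Object IsSiteAdmin | Select-Object LoginName, DisplayName
    }
```

Clearing the admin flag leaves the principal in the site's user list (it still shows in Get-SPOUser output) but with no permission of its own; if even that is unwanted, remove it with Remove-SPOUser after the revoke. The pattern pairs well with a transcript or the unified audit log, since each grant and revoke is then attributable to one scripted operation.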

Re: O365 Global Admin has no access to recent Shar...

I for one love this feature. A Global Admin should be able to administer the services and infrastructure, but they are not necessarily the right role for managing and supporting the data. That is how breaches and data loss can occur.
