cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to delegate admin to employee without access to sensitive data

Fredrik Gunne
Copper Contributor

‎Mar 03 2020 02:12 AM - last edited on ‎Feb 01 2023 11:50 AM by

‎Mar 03 2020 02:12 AM - last edited on ‎Feb 01 2023 11:50 AM by

How to delegate admin to employee without access to sensitive data

Hi,

 

We are a small ISV company with 12 employees, and we are on Office 365. We also use Azure DevOps for source repository and work-item tracking.

 

I am the CEO and co-owner. Me and the other co-owner are global admins.

Being a small company, I am also the "IT department", which includes things like:

* Adding and removing employees, configuring permissions, etc

* Creating external SharePoint sites for customer collaboration

* Adding and removing guest accounts (for customer collaboration)

* Etc

 

This has started to become a burden for me, and I would like to delegate at least some of the work to one of our employees. However, I don't want to make the person a global admin, since that would, at least in theory, give access to sensitive data (my email, HR documents with salaries, etc).

 

What are the recommended strategy to do this? I know there are more granular admin roles than global admin, but I don't see how this can help much. For instance, if I want to delegate the work to maintain our external sites for collaboration, I guess I could make my employee "SharePoint admin". But as soon as I do that, the employee (I guess) will get access to the SharePoint HR-site which contains the salary files, etc.

 

Any advice? 

1,505 Views
0 Likes
5 Replies
Reply
5 Replies
Vasil Michev

‎Mar 03 2020 09:33 AM

‎Mar 03 2020 09:33 AM

Re: How to delegate admin to employee without access to sensitive data

You can grant him permissions on the Site collections in question only, either as primary/secondary SC admin.

0 Likes
Reply
binodmaharjan_2020

‎Mar 03 2020 10:20 PM

‎Mar 03 2020 10:20 PM

Re: How to delegate admin to employee without access to sensitive data

HI @Vasil Michev 

Yes, you can provide them permission for a specific site only instead of Sharepoint Admin. External users will only be available to modify a given site as you delegate.

0 Likes
Reply
Fredrik Gunne

‎Mar 03 2020 11:55 PM

‎Mar 03 2020 11:55 PM

Re: How to delegate admin to employee without access to sensitive data

@binodmaharjan_2020 , @Vasil Michev : This would only help slightly. The tasks that this "semi-admin" would perform is much more than only maintaining security on a few site collections. Of the examples I mentioned, only the second task would be possible using your proposal:

 

* Adding and removing employees, configuring permissions, etc

* Creating external SharePoint sites for customer collaboration

* Adding and removing guest accounts (for customer collaboration)

* Etc

 

I am more looking for a way to grant permissions to a person enough to do more or less everything except a few things, such as the managers' email, some document libraries/sites etc.

 

This must be something that all companies of significant size must struggle with? I don't believe that the CEO of many companies handle all Office 365 management tasks - so how do they solve it?

0 Likes
Reply
Vasil Michev

‎Mar 04 2020 08:17 AM

‎Mar 04 2020 08:17 AM

Re: How to delegate admin to employee without access to sensitive data

There's nothing built-in in O365 for that, you'll have to look into third-party tools that do a "portal replacement" type of products.

0 Likes
Reply
binodmaharjan_2020

‎Mar 04 2020 08:37 PM

‎Mar 04 2020 08:37 PM

Re: How to delegate admin to employee without access to sensitive data

As per my knowledge, Roles are assigned for those people to whom you delegate tasks. In your case, you want to delegate admin to your employee but also afraid of having access data. There are only two solutions I have seen: 1. Either you provide permission manually to specific sites or else. They will have access only that you assigned. If they require additional permissions they will ask for it. 2. You can assign them as SharePoint Administrator (If Internal Employee). Even SP Admin cannot access any site until they themself become the members/owner of any site. You can keep Notification alerts and search/Investigate Audit logs if any misused.
0 Likes
Reply