How to delegate admin to employee without access to sensitive data


Hi,

 

We are a small ISV company with 12 employees, and we are on Office 365. We also use Azure DevOps for source repository and work-item tracking.

 

I am the CEO and co-owner. The other co-owner and I are global admins.

Being a small company, I am also the "IT department", which includes things like:

* Adding and removing employees, configuring permissions, etc

* Creating external SharePoint sites for customer collaboration

* Adding and removing guest accounts (for customer collaboration)

* Etc

 

This has started to become a burden for me, and I would like to delegate at least some of the work to one of our employees. However, I don't want to make the person a global admin, since that would, at least in theory, give access to sensitive data (my email, HR documents with salaries, etc).

 

What is the recommended strategy to do this? I know there are more granular admin roles than global admin, but I don't see how this can help much. For instance, if I want to delegate the work to maintain our external sites for collaboration, I guess I could make my employee "SharePoint admin". But as soon as I do that, the employee (I guess) will get access to the SharePoint HR site which contains the salary files, etc.

 

Any advice? 

5 Replies

You can grant him permissions on the Site collections in question only, either as primary/secondary SC admin.
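As an added example (not code from the thread, and not Microsoft's), this is how the site-collection-admin approach in the reply above looks in the SharePoint Online Management Shell, together with the check a practitioner would want: that the delegate ends up as site collection admin on the customer sites only and has no rights on the HR site. The tenant name "contoso", the delegate account "delegate@contoso.com" and the site URLs are assumptions.

```powershell
# Added example: scope SharePoint admin rights to specific site collections
# instead of granting a tenant-wide admin role.
# Assumptions: tenant "contoso", delegate "delegate@contoso.com", the two
# customer collaboration sites and the HR site at the URLs below.
Import-Module Microsoft.Online.SharePoint.PowerShell

$tenant   = "contoso"
$delegate = "delegate@contoso.com"
$delegatedSites = @(
    "https://$tenant.sharepoint.com/sites/customer-a",
    "https://$tenant.sharepoint.com/sites/customer-b"
)
$hrSite = "https://$tenant.sharepoint.com/sites/hr"

# Requires an account that is SharePoint Administrator or Global Administrator.
Connect-SPOService -Url "https://$tenant-admin.sharepoint.com"

# Make the delegate a (secondary) site collection admin on the delegated sites only.
foreach ($url in $delegatedSites) {
    Set-SPOUser -Site $url -LoginName $delegate -IsSiteCollectionAdmin $true
    Write-Host "Granted site collection admin on $url to $delegate"
}

# Check 1: the delegate must not be a site collection admin on the HR site.
$hrAdmins = Get-SPOUser -Site $hrSite | Where-Object { $_.IsSiteAdmin }
if ($hrAdmins.LoginName -contains $delegate) {
    Write-Warning "$delegate is a site collection admin on $hrSite; remove this before going further"
} else {
    Write-Host "$delegate has no site collection admin rights on $hrSite"
}

# Check 2: list every site collection where the delegate is currently an admin,
# so nothing outside the intended set slipped in (e.g. from an earlier grant).
Get-SPOSite -Limit All | ForEach-Object {
    $site = $_
    $u = Get-SPOUser -Site $site.Url -LoginName $delegate -ErrorAction SilentlyContinue
    if ($u -and $u.IsSiteAdmin) {
        [pscustomobject]@{ Site = $site.Url; IsSiteAdmin = $u.IsSiteAdmin }
    }
}
```

Note that this only limits what the delegate can reach as a site user; it does not stop a tenant-level SharePoint Administrator from adding themselves to any site, which is why the audit-log check discussed later in the thread is the necessary companion control.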


Hi @Vasil Michev 

Yes, you can provide them permission for a specific site only instead of SharePoint Admin. External users will only be able to modify a given site as you delegate.


@binodmaharjan_2020 , @Vasil Michev : This would only help slightly. The tasks that this "semi-admin" would perform are much more than only maintaining security on a few site collections. Of the examples I mentioned, only the second task would be possible using your proposal:

 

* Adding and removing employees, configuring permissions, etc

* Creating external SharePoint sites for customer collaboration

* Adding and removing guest accounts (for customer collaboration)

* Etc

 

I am more looking for a way to grant permissions to a person enough to do more or less everything except a few things, such as the managers' email, some document libraries/sites etc.

 

This must be something that all companies of significant size struggle with? I don't believe that the CEOs of many companies handle all Office 365 management tasks - so how do they solve it?


There's nothing built in to O365 for that; you'll have to look into third-party tools of the "portal replacement" type.

As far as I know, roles are assigned to the people to whom you delegate tasks. In your case, you want to delegate admin to your employee but are also afraid of them having access to data. There are only two solutions I have seen:

1. Either you provide permission manually to specific sites. They will have access only to what you assigned. If they require additional permissions they will ask for it.

2. You can assign them as SharePoint Administrator (if an internal employee). Even an SP Admin cannot access any site until they themselves become a member/owner of the site. You can keep notification alerts and search/investigate the audit logs for any misuse.
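As an added example (not code from the thread, and not Microsoft's), this shows the second option above done with least privilege: the delegate gets the built-in SharePoint Administrator directory role rather than Global Administrator, assigned with Microsoft Graph PowerShell, and the unified audit log is then searched for the events that would reveal misuse. A SharePoint Administrator can add themselves as site collection admin on any site, including an HR site, so the audit search below looks specifically for that operation plus file downloads by the delegate. The delegate account "delegate@contoso.com", the 30-day window and the assumption that unified audit logging is already enabled for the tenant are mine; the JSON field names read from AuditData (SiteUrl, ObjectId, TargetUserOrGroupName) are the ones SharePoint audit records use, but check them against your own records.

```powershell
# Added example: assign the SharePoint Administrator directory role (not Global
# Administrator) and review the unified audit log for site-collection-admin
# grants and file downloads performed by the delegate.
# Assumptions: delegate "delegate@contoso.com"; the Microsoft.Graph and
# ExchangeOnlineManagement modules are installed; the caller is a Global or
# Privileged Role Administrator; unified audit logging is enabled.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.Governance
Import-Module ExchangeOnlineManagement

$delegateUpn = "delegate@contoso.com"

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

$user = Get-MgUser -UserId $delegateUpn
# Look the role up by display name instead of hard-coding its template ID.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'SharePoint Administrator'"

# Tenant-wide ("/") assignment of the least-privileged built-in role for the job.
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id `
    -RoleDefinitionId $role.Id -DirectoryScopeId "/"
Write-Host "Assigned '$($role.DisplayName)' to $delegateUpn"

# Compensating control: a SharePoint Administrator can grant themselves site
# collection admin on any site, so look for exactly that, plus downloads.
Connect-ExchangeOnline

$start = (Get-Date).AddDays(-30)
$end   = Get-Date
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -UserIds $delegateUpn `
    -Operations "SiteCollectionAdminAdded", "FileDownloaded" `
    -ResultSize 5000

$report = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $e.CreationDate
        Operation = $e.Operations
        Site      = $d.SiteUrl
        Target    = $d.TargetUserOrGroupName   # who was made admin (SiteCollectionAdminAdded)
        Object    = $d.ObjectId                # file or site acted on
    }
}

# Anything touching the HR site is what the original question is worried about.
$hrHits = $report | Where-Object { $_.Site -like "*/sites/hr*" }
if ($hrHits) {
    Write-Warning "$($hrHits.Count) audit event(s) by $delegateUpn on the HR site in the last 30 days:"
    $hrHits | Format-Table -AutoSize
} else {
    Write-Host "No audit events by $delegateUpn on the HR site in the last 30 days"
}
$report | Sort-Object When | Format-Table -AutoSize
```

Search-UnifiedAuditLog returns at most 5000 records per call; for busier tenants, page with -SessionId and -SessionCommand ReturnLargeSet, or narrow the date range. Run the search on a schedule rather than only after a complaint, since the point of the control is to catch the self-grant when it happens.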