SOLVED

O365 Global Admin has no access to recent SharePoint Online site collections

%3CLINGO-SUB%20id%3D%22lingo-sub-30031%22%20slang%3D%22en-US%22%3EO365%20Global%20Admin%20has%20no%20access%20to%20recent%20SharePoint%20Online%20site%20collections%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-30031%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20it%20just%20me%2C%20or%20has%20anyone%20else%20noticed%20that%20O365%20Global%20Admins%20do%20not%20automatically%20get%20access%20to%20recently%20created%20Site%20Collections%20in%20SharePoint%20Online%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20have%20a%20small%20group%20of%20O365%20Global%20Admins%20and%20all%20of%20us%20have%20MFA%20enabled.%20%26nbsp%3BThis%20means%20that%20we%20often%20can't%20use%20our%20accounts%20for%20scripting%20and%20other%20various%20O365%20add-ins%2Ftools.%3C%2FP%3E%3CP%3ESo%20I%20have%20a%20service%20account%20setup%2C%20which%20is%20also%20a%20Global%20Admin%2C%20but%20doesn't%20have%20MFA.%3C%2FP%3E%3CP%3EThis%20account%20is%20able%20to%20get%20to%20older%20Site%20Collections%20(where%20it's%20not%20specifically%20in%20the%20SP%20Groups)%2C%20but%20it's%20unable%20to%20access%20more%20recently%20created%20site%20collections.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20either%20get%20the%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%3E%3CDIV%3E%3CDIV%3E%3CDIV%3E%3CDIV%3E%3CDIV%3E%3CDIV%3E%3CDIV%20class%3D%22ms-spo-technicalSection%22%3E%3CDIV%20class%3D%22ms-descriptiontext%20ms-spo-technicalItemsSection%22%3E%3CDIV%20class%3D%22ms-spo-technicalItem%22%3E%3CEM%3EAccess%20Denied%20%3C%2FEM%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CEM%3Emyserviceaccount%40corp.onmicrosoft.com%20does%20not%20have%20permissions%20to%20access%20this%20resource.%20%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3EHere%20are%20a%20few%20ideas%3A%20%3C%2FEM%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CEM%3EPlease%20ask%20the%20site%20admin%20to%20give%20you%20access.%3C%2FEM%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CEM%3EIf%20you%20have%20a%20different%20account%2C%20try%20signing%20in%20with%20that%20account.%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3EThis%20will%20sign%20you%20out%20of%20all%20other%20Office%20365%20services%20that%20you're%20signed%20into%20at%20this%20time.%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3EIf%20this%20problem%20persists%2C%20contact%20your%20support%20team%20and%20include%20these%20technical%20details%3A%20%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3ECorrelation%20ID%3A%20xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx%26nbsp%3B%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3EDate%20and%20Time%3A%2015%2F11%2F2016%202%3A00%3A00%20p.m.%20%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3EUser%3A%20myserviceaccount%40corp.onmicrosoft.com%20%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3EIssue%20Type%3A%20User%20does%20not%20have%20permissions.%3C%2FEM%3E%3C%2FDIV%3E%3CDIV%20class%3D%22ms-spo-technicalItem%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22ms-spo-technicalItem%22%3EOr%20I%20get%20the%3A%3C%2FDIV%3E%3CDIV%20class%3D%22ms-spo-technicalItem%22%3E%3CEM%3EYou%20need%20permission%20to%20access%20this%20site.%3C%2FEM%3E%3C%2FDIV%3E%3CDIV%20class%3D%22ms-spo-technicalItem%22%3E%3CEM%3E%5BI'd%20like%20access%2C%20please.%5D%3C%2FEM%3E%3C%2FDIV%3E%3CDIV%20class%3D%22ms-spo-technicalItem%22%3E%3CEM%3ERequest%20Access%3C%2FEM%3E%3C%2FDIV%3E%3CDIV%20class%3D%22ms-spo-technicalItem%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22ms-spo-technicalItem%22%3EJudging%20by%20the%20sites%20that%20work%2C%20this%20change%20looks%20to%20have%20been%20in%20about%20the%20last%20month%20or%20so.%3C%2FDIV%3E%3CDIV%20class%3D%22ms-spo-technicalItem%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22ms-spo-technicalItem%22%3EAnyone%20else%20seeing%20this%3F%3C%2FDIV%3E%3CDIV%20class%3D%22ms-spo-technicalItem%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22ms-spo-technicalItem%22%3EI'm%20going%20to%20try%20creating%20a%20SPAdmin%20only%20account%20and%20see%20if%20that%20has%20better%20luck%20than%20a%20Global%20admin.%3C%2FDIV%3E%3CDIV%20class%3D%22ms-spo-technicalItem%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22ms-spo-technicalItem%22%3EThanks%3C%2FDIV%3E%3CDIV%20class%3D%22ms-spo-technicalItem%22%3ECraig%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-30031%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdmin%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EPermissions%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESharePoint%20Online%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESites%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-280821%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20Global%20Admin%20has%20no%20access%20to%20recent%20SharePoint%20Online%20site%20collections%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-280821%22%20slang%3D%22en-US%22%3EGreat%20and%20very%20helpful%20script.%20Thank%20you!%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-271834%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20Global%20Admin%20has%20no%20access%20to%20recent%20SharePoint%20Online%20site%20collections%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-271834%22%20slang%3D%22en-US%22%3EMy%20unfortunate%20response%20has%20been%20to%20turn%20off%20global%20Site%2C%20Team%2C%20O365%20Group%2C%20Planner%20creation%20and%20restrict%20it%20to%20a%20handful%20of%20users%20who%20know%20what%20they're%20doing%20(naming%20schemes%2C%20conflicts%2C%20etc)%20until%20we%20have%20better%20tooling%20around%20site%20provisioning...%20which%20one%20of%20my%20guys%20has%20been%20working%20on%20using%20the%20SharePoint%20Patterns%20and%20Practices%20stuff.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-210046%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20Global%20Admin%20has%20no%20access%20to%20recent%20SharePoint%20Online%20site%20collections%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-210046%22%20slang%3D%22en-US%22%3ESInce%20I%20have%20to%20do%20both%2C%20it%20has%20made%20it%20very%20difficult%20for%20me.%20I%20have%20a%20lot%20of%20users%20just%20going%20in%20creating%20stuff%20and%20then%20never%20delete%20it.%20How%20do%20I%20manage%20that%3F%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-195223%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20Global%20Admin%20has%20no%20access%20to%20recent%20SharePoint%20Online%20site%20collections%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-195223%22%20slang%3D%22en-US%22%3EExactly.%3CBR%20%2F%3EIt's%20the%20same%20case%20with%20me.%3CBR%20%2F%3EUsers%20are%20able%20to%20mess%20around%20with%20creating%20sites%20and%20teams%2C%20and%20when%20they%20cry%20for%20help%20I%20must%20ask%20them%20to%20give%20me%20access...%20an%20the%20we%20go%20into%20the%20painful%20loop%20of%20explaining%20where%20to%20click%20and%20what%20to%20do.%3CBR%20%2F%3ESo%20my%205%20minute%20intervention%20turns%20into%20an%20hour(s)%20long%20jumping%20through%20hoops%20for%20the%20simplest%20of%20tasks.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-183388%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20Global%20Admin%20has%20no%20access%20to%20recent%20SharePoint%20Online%20site%20collections%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-183388%22%20slang%3D%22en-US%22%3E%3CP%3EHey%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F2969%22%20target%3D%22_blank%22%3E%40Yuri%20Deglin%3C%2FA%3E%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ethe%20details%20a%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FSharePoint-Blog%2FIntroducing-the-new-SharePoint-Admin-Center%2Fba-p%2F70294%22%20target%3D%22_blank%22%3EHERE%3C%2FA%3E.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHope%20that%20helps.%3CBR%20%2F%3ECraig%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-183331%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20Global%20Admin%20has%20no%20access%20to%20recent%20SharePoint%20Online%20site%20collections%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-183331%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F2088%22%20target%3D%22_blank%22%3E%40Craig%20Humphrey%3C%2FA%3E%3C%2FP%3E%3CP%3ECan%20you%20please%20%2Cif%20possible%2C%20expound%20on%26nbsp%3B%3C%2FP%3E%3CP%3E1.%20where%20you%20get%20this%20info%3C%2FP%3E%3CP%3E2.%20more%20details%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-170575%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20Global%20Admin%20has%20no%20access%20to%20recent%20SharePoint%20Online%20site%20collections%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-170575%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EGreat%20script%2C%20saved%20my%204ss%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EProposed%20enhancement%20%3A%20replace%20the%20current%20site%20admin%20by%20the%20new%20one%20(global%20admin%20for%20example)%2C%20and%20add%20the%20old%20one%20as%20the%20secondary%20site%20admin.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-145007%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20Global%20Admin%20has%20no%20access%20to%20recent%20SharePoint%20Online%20site%20collections%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-145007%22%20slang%3D%22en-US%22%3EApparently%20this%20will%20all%20be%20fixed%20up%20in%20the%20new%20SP%20Online%20Admin%20UI.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-145005%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20Global%20Admin%20has%20no%20access%20to%20recent%20SharePoint%20Online%20site%20collections%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-145005%22%20slang%3D%22en-US%22%3Esorry%20for%20spamming%20the%20thread%2C%20it%20kept%20telling%20me%20it%20had%20failed%20to%20post...%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-145004%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20Global%20Admin%20has%20no%20access%20to%20recent%20SharePoint%20Online%20site%20collections%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-145004%22%20slang%3D%22en-US%22%3ENo%20idea.%20You're%20asking%20the%20wrong%20person.%3CBR%20%2F%3EYou'd%20probably%20need%20to%20check%20the%20documentation%20for%20your%20backup%20software.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-144997%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20Global%20Admin%20has%20no%20access%20to%20recent%20SharePoint%20Online%20site%20collections%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-144997%22%20slang%3D%22en-US%22%3E%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F103755%22%20target%3D%22_blank%22%3E%40Robert%3C%2FA%3E.krauss.skype%20wrote%3A%3CBR%20%2F%3E%3CP%3EI%20have%20the%20same%20need%20for%20such%20a%20script.%20But%20I%20don't%20get%20where%20this%20line%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%24SPOnlineAdminClaim%20%3D%20%22c%3A0-.f%7Crolemanager%7Cs-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXX%22%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Ecomes%20from.%20Where%20do%20I%20find%20this%20information%20for%20myself%20(or%20the%20AD%20group%20I%20am%20in)%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAs%20a%20global%20admin%20by%20boss%20expects%20that%20I%20have%20access%20to%20everything.%3C%2FP%3E%0A%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CBR%20%2F%3E%3CBR%20%2F%3E%0A%3CP%3EIt%20comes%20from%20this%20bit%3A%3CBR%20%2F%3E%0AOne%20key%20gotcha%20-%20the%20only%20way%20I've%20found%20to%20get%20the%20Claims%20ID%20for%20the%20group%2C%20is%20manually%20in%20the%20SPOnline%20UI%20(Site%20Permissions%20%7C%20Check%20Permissions).%20%20Would%20love%20to%20have%20a%20PowerShell%20mechanism%20for%20that!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-139039%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20Global%20Admin%20has%20no%20access%20to%20recent%20SharePoint%20Online%20site%20collections%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-139039%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20is%20really%20annoying.%20Users%20are%20asking%20for%20help%20in%20their%20site%20and%20we%20have%20no%20power%20over%20helping%20them%20with%20it.%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESO%2C%20how%20can%20admins%20assit%20users%20who%20need%20help%20setting%20up%20their%20newly%20created%20site%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-116381%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20Global%20Admin%20has%20no%20access%20to%20recent%20SharePoint%20Online%20site%20collections%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-116381%22%20slang%3D%22en-US%22%3E%3CP%3EHow%20does%20this%20apply%20to%20onsite%20backups%20(from%20cloud%20to%20secondary)%20or%20for%20migrating%20company%20data%20if%20you're%20going%20to%20collapse%20the%20environment.%20How%20would%20you%20know%20you%20have%20all%20your%20companies%20data%20without%20something%20having%20full%20access%20to%20all%20the%20sites%20both%20on%20O365%20and%20it's%20ancillary%20off%20path%20products%20like%20Stream%20and%20Teams%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-97285%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20Global%20Admin%20has%20no%20access%20to%20recent%20SharePoint%20Online%20site%20collections%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-97285%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20the%20same%20need%20for%20such%20a%20script.%20But%20I%20don't%20get%20where%20this%20line%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%3E%24SPOnlineAdminClaim%20%3D%20%22c%3A0-.f%7Crolemanager%7Cs-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXX%22%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ecomes%20from.%20Where%20do%20I%20find%20this%20information%20for%20myself%20(or%20the%20AD%20group%20I%20am%20in)%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20a%20global%20admin%20by%20boss%20expects%20that%20I%20have%20access%20to%20everything.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-91439%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20Global%20Admin%20has%20no%20access%20to%20recent%20SharePoint%20Online%20site%20collections%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-91439%22%20slang%3D%22en-US%22%3Eerror%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-83582%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20Global%20Admin%20has%20no%20access%20to%20recent%20SharePoint%20Online%20site%20collections%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-83582%22%20slang%3D%22en-US%22%3E%3CP%3EI%20for%20one%2C%20love%20this%20feature.%20A%20Global%20admin%20should%20be%20able%20to%20administer%20the%20services%20and%20infrastructure%2C%20but%20they%20are%20not%20necessarily%20the%20right%20role%20for%20the%20managing%20and%20supporting%20the%20data.%26nbsp%3B%20That%20is%20how%20breaches%2C%20and%20data%20loss%20can%20occur.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-77136%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20Global%20Admin%20has%20no%20access%20to%20recent%20SharePoint%20Online%20site%20collections%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-77136%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F130%22%20target%3D%22_blank%22%3E%40Trevor%20Seward%3C%2FA%3E%26nbsp%3Bis%20correct%20and...%20in%20an%20on-prem%20environment%20you%20can%20set%20a%20web%20application%20policy%20granting%20site%20collection%20administration%20to%20all%20site%20collections%20in%20a%20web%20application.%20%26nbsp%3BThe%20web%20application%20administration%20layer%20is%20not%20available%20in%20SharePoint%20Online.%20%26nbsp%3BIt%20is%20likely%20that%20you%20enjoy%20site%20collection%20administrative%20permissions%20to%20all%20your%20on-prem%20site%20collections%20as%20a%20result%20of%20a%20web%20application%20policy.%20As%20a%20Global%20admin%20you%20can%20grant%20yourselft%20access%20to%20any%20site%20collections%20in%20SharePoint%20Online%20so%20you%20could%20add%20that%20to%20the%20start%20of%20your%20script%20(Set-SPOUser%20-site%20%24SiteCollURL%20-LoginName%20%24SiteCollectionAdmin1%20-IsSiteCollectionAdmin%20%24True)%20and%20you%20could%20remove%20the%20user%20from%20this%20role%20which%20the%20operation%20on%20the%20site%20collection%20were%20complete.%20%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-70303%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20Global%20Admin%20has%20no%20access%20to%20recent%20SharePoint%20Online%20site%20collections%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-70303%22%20slang%3D%22en-US%22%3E%3CP%3EBut%20in%20On%20Premises%20you%20can%20give%20Web%20Application%20access%20which%20gives%20you%20all%20Site%20Collections%20within%20the%20Web%20Application.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EIt%20should%20be%20an%20option%20to%20add%20a%20SP%20admin%20to%20all%20site%20collections.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-31247%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20Global%20Admin%20has%20no%20access%20to%20recent%20SharePoint%20Online%20site%20collections%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-31247%22%20slang%3D%22en-US%22%3E%3CP%3EOK%2C%20so%20here's%20my%20final%20solution.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20it%20does%20is%20enumerate%20all%20the%20site%20collections%20via%20Get-SPOSite%20and%20sets%20a%20particuarly%20Azure%20AD%20Security%20group%20to%20be%20a%20Site%20Collection%20Admin.%20%26nbsp%3BThen%20it%20enumerates%20all%20the%20groups%20in%20Exchange%20Online%2C%20looking%20for%20ones%20with%20URLs%2C%20which%20are%20O365%20Groups%2C%20which%20it%20then%20is%20able%20to%20set%20the%20Security%20Group%20as%20a%20Site%20Collection%20Admin.%3C%2FP%3E%3CP%3EThe%20end%20result%20-%20I'm%20able%20to%20use%20a%20service%20account%20to%20enumerate%20ALL%20site%20collections%20(in%20two%20passes)%20and%20perform%20actions%20on%20them.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20everyone's%20help.%20%26nbsp%3BThis%20is%20not%20as%20simple%20as%20it%20should%20have%20been!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOne%20key%20gotcha%20-%20the%20only%20way%20I've%20found%20to%20get%20the%20Claims%20ID%20for%20the%20group%2C%20is%20manually%20in%20the%20SPOnline%20UI%20(Site%20Permissions%20%7C%20Check%20Permissions).%20%26nbsp%3BWould%20love%20to%20have%20a%20PowerShell%20mechanism%20for%20that!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENote%3A%20I%20have%20this%20running%20in%20a%20SPOnline%20Management%20Shell%20PowerShell%20console.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3CP%3ECraig%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%3EImport-Module%20MSOnline%0A%0A%23%20Jack%20Fruh%20-%20sharepointjack.com%0A%23%20add%20a%20user%20or%20users%20to%20the%20site%20collection%20admin%20role%20on%20every%20site%20collection%20in%20Office%20365%20sites%20(SharePoint%20Online)%0A%0A%24SPOnlineAdminClaim%20%3D%20%22c%3A0-.f%7Crolemanager%7Cs-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXX%22%0A%0A%23setup%20a%20log%20path%0A%24path%20%3D%20%22%24(%24(get-location).path)%5CLogFile.txt%22%0A%23note%20we're%20using%20start-transcript%2C%20this%20does%20not%20work%20from%20inside%20the%20powershell%20ISE%2C%20only%20the%20command%20prompt%0A%20%0Astart-transcript%20-path%20%24Path%0Awrite-host%20%22This%20will%20connect%20to%20SharePoint%20Online%22%0A%20%0A%23Admin%20Variables%3A%0A%24Adminurl%20%3D%20%22https%3A%2F%2FTENANT-admin.sharepoint.com%22%0A%20%0AWrite-Host%20%22Get%20Credentials%22%0A%24userName%20%3D%20'SERVICE%20ACCOUNT%20EMAIL%20ADDRESS'%0A%24password%20%3D%20ConvertTo-SecureString%20'SERVICE%20ACCOUNT%20PASSWORD'%20-AsPlainText%20-Force%0A%24credential%20%3D%20New-Object%20System.Management.Automation.PSCredential%20(%24userName%2C%20%24password)%20%0A%20%0A%23Connect%20to%20SPO%0AConnect-SPOService%20-url%20%24Adminurl%20-credential%20%24credential%0Awrite-host%20%22Connected%22%20-foregroundcolor%20green%0A%20%0AWrite-Host%20%22Get%20SPO%20Sites%22%0A%24sites%20%3D%20get-sposite%0AForeach%20(%24site%20in%20%24sites)%0A%7B%0A%20%20%20%20Write-host%20%22Adding%20users%20to%20%24(%24site.URL)%22%20-foregroundcolor%20yellow%0A%20%23Set%20the%20site%20collection%20admin%20flag%20for%20the%20Site%20collection%20admin%0A%20write-host%20%22Setting%20up%20SPOnline%20Admins%20as%20a%20site%20collection%20admin%20on%20%24(%24site.url)...%22%0A%20set-spouser%20-site%20%24site.url%20-loginname%20%24SPOnlineAdminClaim%20-IsSiteCollectionAdmin%20%24true%0A%20write-host%20%22Done%22%20-foregroundcolor%20green%0A%7D%0AWrite-Host%20%22Done%20With%20SPO%20Sites%22%20-ForegroundColor%20green%0A%0AWrite-Host%20%22Connect%20to%20Exchange%20Online%22%0A%24exchangeSession%20%3D%20New-PSSession%20-ConfigurationName%20Microsoft.Exchange%20-ConnectionUri%20%22https%3A%2F%2Foutlook.office365.com%2Fpowershell-liveid%2F%22%20-Credential%20%24credential%20-Authentication%20%22Basic%22%20-AllowRedirection%0Aif%20(%24exchangeSession)%20%7B%0A%20%20%20%20Write-Host%20%22Import%20Exchange%20Online%20Session%22%0A%20%20%20%20%24session%20%3D%20Import-PSSession%20%24exchangeSession%20-DisableNameChecking%20-AllowClobber%0A%20%20%20%20if%20(%24session)%20%7B%0A%20%20%20%20%20%20%20%20Write-Host%20%22Connect%20to%20SharePoint%20Online%22%0A%20%20%20%20%20%20%20%20Connect-SPOService%20-Url%20%24Adminurl%20-credential%20%24credential%0A%20%20%20%20%20%20%20%20Write-Host%20%22Get%20Unified%20Groups%22%0A%20%20%20%20%20%20%20%20%24Groups%3DGet-UnifiedGroup%20%7CWhere-Object%20%7B%24_.SharePointSiteUrl%20-ne%20%24null%7D%0A%20%20%20%20%20%20%20%20Write-Host%20%22Enumerate%20Groups%22%0A%20%20%20%20%20%20%20%20%24Groups%20%7C%20Foreach-Object%7B%20%0A%20%20%20%20%20%20%20%20%20%20%20%20%24Group%20%3D%20%24_%20%0A%20%20%20%20%20%20%20%20%20%20%20%20%24GName%20%3D%20%24Group.SharePointSiteUrl%0A%20%20%20%20%20Write-Host%20%22Setting%20up%20SPOnline%20Admins%20as%20a%20site%20colection%20admin%20on%20%24(%24GName)...%22%0A%20%20%20%20%20Set-SPOUser%20-Site%20%24GName%20-LoginName%20%24SPOnlineAdminClaim%20-IsSiteCollectionAdmin%20%24true%0A%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20Remove-PSSession%20(Get-PSSession)%5B0%5D%0A%20%20%20%20%7D%0A%7D%20%0A%0A%0AWrite-host%20%22Done%20with%20everything%22%20-foregroundcolor%20green%20%0Astop-transcript%3C%2FPRE%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-31242%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20Global%20Admin%20has%20no%20access%20to%20recent%20SharePoint%20Online%20site%20collections%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-31242%22%20slang%3D%22en-US%22%3EThanks%20for%20that.%3CBR%20%2F%3E%3CBR%20%2F%3EWorks%20a%20treat!%3CBR%20%2F%3E%3CBR%20%2F%3EYeah%2C%20I%20know%20user%20activity%20on%20Group%20sites%20does%20turn%20up%20in%20the%20Audit%20logs.%20But%20I'm%20trying%20to%20audit%20External%20users%20and%20what%20they%20have%20access%20to.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-30993%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20Global%20Admin%20has%20no%20access%20to%20recent%20SharePoint%20Online%20site%20collections%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-30993%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20can%20use%20the%20below%20PowerShell%20script%20to%20get%20the%20details%20of%20the%20SPO%20Site%20Collections%20for%20the%20Office%20365%20Groups.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%3E%24cred%3DGet-Credential%0A%24exchangeSession%20%3D%20New-PSSession%20-ConfigurationName%20Microsoft.Exchange%20-ConnectionUri%20%22https%3A%2F%2Foutlook.office365.com%2Fpowershell-liveid%2F%22%20-Credential%20%24cred%20-Authentication%20%22Basic%22%20-AllowRedirection%0AImport-PSSession%20%24exchangeSession%20-DisableNameChecking%0AConnect-SPOService%20-Url%20https%3A%2F%2Ftenantname-admin.sharepoint.com%20-credential%20%24cred%0A%24Groups%3DGet-UnifiedGroup%20%7CWhere-Object%20%7B%24_.SharePointSiteUrl%20-ne%20%24null%7D%0A%24Groups%20%7C%20Foreach-Object%7B%20%0A%24Group%20%3D%20%24_%20%0A%24GName%3D%24Group.SharePointSiteUrl%0AGet-SPOSite%20-Identity%20%24GName%20-Detailed%20%7Cfl%0A%7D%20%3C%2FPRE%3E%3CP%3ETo%20add%20a%20member%20to%20Office%20365%20Groups%2C%20you%20can%20use%20the%20below%20one.%3C%2FP%3E%3CPRE%3EAdd-UnifiedGroupLinks%20-LinkType%20Members%20-Identity%20%22engineering%22%20-Links%20%22alland%40XXXXX.onmicrosoft.com%3C%2FPRE%3E%3CP%3EI%20am%20sure%20that%20the%20Office%20365%20Group's%20SPO%20File%20audits%20are%20available%20in%20%22Audit%20log%20search%22%20in%20protection%20centre%20%5B%3CA%20href%3D%22https%3A%2F%2Fprotection.office.com%2F%23%2Funifiedauditlog%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fprotection.office.com%2F%23%2Funifiedauditlog%3C%2FA%3E%5D.%20Screen-shot%20of%20the%20audit%20logs%20for%20O365%20groups%20is%20posted%20below.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F8592iEFD812B57199CB8D%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22audit%20o365%20group.png%22%20title%3D%22audit%20o365%20group.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-30974%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20Global%20Admin%20has%20no%20access%20to%20recent%20SharePoint%20Online%20site%20collections%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-30974%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20for%20responding%20guys.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBut%20I%20still%20have%20the%20problem%20that%20%26nbsp%3BI%20can't%20get%20the%20details%20of%20sites%20that%20I%20don't%20know%20about.%20%26nbsp%3BAnd%20I%20wont%20know%20about%20them%20unless%20I%20have%20access.%20%26nbsp%3BAnd%20I%20can't%20give%20myself%20(or%20my%20service%20account)%20access%2C%20unless%20I%20know%20about%20them...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EGiven%20that%20Get-SPOSite%20doesn't%20return%20all%20sites%20by%20default%20and%20that%20the%20Site%20Collection%20list%20in%20O365%20Admin%2FSPO%20Admin%20doesn't%20display%20Group%20sites%20(and%20Video%2C%20etc).%20How%20can%20I%20reliably%20get%20a%20list%20of%20site%20collections%3F%20%26nbsp%3BTo%20which%20I%20can%20then%20add%20my%20admin%20group%2Fservice%20account%20to%2C%20so%20that%20I%20can%20programmaticaly%20access%20those%20sites%20going%20forward.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EUsers%20are%20still%20able%20to%20external%20share%20from%20Group%20sites%2C%20which%20means%20there%20are%20potentially%20external%20users%20with%20access%20to%20content%20that%20I%20can't%20audit.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThere%20are%203rd%20party%20tools%20claiming%20to%20be%20able%20to%20audit%2Freport%2Fchange%20this%20stuff.%20%26nbsp%3BHow%20are%20they%20doing%20it%3F%20%26nbsp%3BOr%20are%20they%20actually%20trapped%20in%20the%20same%20way%2C%20with%20minimal%2C%20if%20any%2C%20visability%20of%20Group%20sites%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-30467%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20Global%20Admin%20has%20no%20access%20to%20recent%20SharePoint%20Online%20site%20collections%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-30467%22%20slang%3D%22en-US%22%3E%3CP%3ETake%20a%20closer%20look%20at%20the%20SPO%20sites%20in%20the%20SPO%20Admin%20Center%2C%20if%20the%20SC%20Owner%20is%20listed%20as%20Company%20Administrator%2C%20then%20Global%20Admin%20will%20have%20rights%20to%20the%20SC.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20agree%20with%20Trevor%20and%20Juan%2C%20Global%20Admins%20have%20never%20had%20default%20access%20to%20an%20SC%20it%20must%20be%20granted.%3C%2FP%3E%3CP%3EPutting%20an%20AD%20group%20into%20the%20SCA%20group%20is%20the%20easiest%20way%20I%20have%20found.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20new%20Azure%20Privelged%20Identity%20Management%20may%20offer%20a%20nice%20approach%20in%20the%20future%2C%20but%20its%20integration%20with%20SPO%20is%20not%20very%20powerfull%20at%20this%20time.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-30418%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20Global%20Admin%20has%20no%20access%20to%20recent%20SharePoint%20Online%20site%20collections%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-30418%22%20slang%3D%22en-US%22%3EThis%20is%20different%20stuff...torday%20and%20by%20design%20Groups%20sites%20are%20hidden%20and%20not%20shown%20in%20the%20SharePoint%20Online%20Administration%20(same%20happens%20with%20Office%20365%20Video%20Channels).%20The%20only%20way%20to%20get%20listed%20%2F%20get%20details%20of%20a%20Group%20sites%20is%20using%20PowerShell%20and%20specifically%20the%20SPO%20cmdlets%3A%20Get-SPOSite%2C%20Set-SPOSite%20are%20your%20best%20friedns%20here.%20In%20the%20future%20I%20believe%20Microsoft%20is%20working%20on%20showing%20also%20Groups%20sites%20there%20that%20by%20the%20way%20it's%20something%20required%20for%20modern%20team%20sites%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-30406%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20Global%20Admin%20has%20no%20access%20to%20recent%20SharePoint%20Online%20site%20collections%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-30406%22%20slang%3D%22en-US%22%3EI%20agree%20that%20this%20is%20the%20way%20it%20should%20be%2C%20but%20it%20certainly%20hasn't%20always%20been%20this%20way.%20And%20I%20still%20have%20a%20Global%20Admin%20account%20that%20can%20access%20some%20sites%20(when%20they%20are%20not%20in%20any%20of%20the%20groups)%2C%20but%20not%20others.%3CBR%20%2F%3E%3CBR%20%2F%3EThe%20big%20problem%20is%20sites%20created%20by%20the%20likes%20of%20Planner%20and%20Teams%20-%20aka%20O365%20Group%20sites.%20These%20do%20not%20show%20up%20when%20you%20do%20a%20Get-SPOSite.%3CBR%20%2F%3EAnd%20if%20you%20specify%20them%20specifically%20(e.g.%20Get-SPOSite%20%22%3CA%20href%3D%22https%3A%2F%2Fmycorp.sharepoint.com%2Fsites%2FO365GroupSite%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmycorp.sharepoint.com%2Fsites%2FO365GroupSite%3C%2FA%3E%22)%20you%20actually%20get%20anything%20unless%20you%20already%20have%20permission%20-%20which%20if%20the%20O365%20site%20was%20created%20by%20someone%20else%20(and%20by%20default%2C%20anyone%20can%20create%20Planner%2FTeams%2FO365%20Groups)%2C%20then%20you're%20stuck.%3CBR%20%2F%3E%3CBR%20%2F%3EThere's%20some%20suggestion%20that%20the%20(now%20in%20preview)%20v2%20of%20Azure%20AD%20PowerShell%2C%20is%20able%20to%20enumerate%20O365%20Groups%20and%20so%20we%20may%20be%20able%20to%20access%20the%20site%20details%20that%20way%2C%20but%20I%20haven't%20tried%20this%20yet.%3CBR%20%2F%3E%3CBR%20%2F%3EThe%20underlying%20reason%20for%20doing%20this%3A%20I%20want%20to%20be%20able%20to%20find%20all%20the%20External%20users%20and%20look%20at%20what%20permissions%20they%20have%20on%20which%20sites%20(essentially%20to%20find%20rogue%20sharing).%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-30090%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20Global%20Admin%20has%20no%20access%20to%20recent%20SharePoint%20Online%20site%20collections%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-30090%22%20slang%3D%22en-US%22%3EI%20agree%20with%20Trevor%20and%20It%20have%20been%20always%20like%20this...if%20the%20user%20wasn't%20the%20creator%20of%20the%20Site%20Collections%2C%20he%2Fshe%20is%20not%20going%20to%20be%20able%20to%20access%20to%20them...but%20you%20can%20add%20he%20user%20as%20Site%20Collection%20Administrator%20using%20the%20UI%20or%20PowerShell%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-30084%22%20slang%3D%22en-US%22%3ERE%3A%20O365%20Global%20Admin%20has%20no%20access%20to%20recent%20SharePoint%20Online%20site%20collections%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-30084%22%20slang%3D%22en-US%22%3Eexactly%20i%20know%20this%20functionality%20is%20already%20longer%20implemented%20if%20you%20login%20as%20a%20partner%20but%20as%20global%20admin%20it%20is%20new%20but%20i%20think%20it%20is%20a%20good%20one.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-30037%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20Global%20Admin%20has%20no%20access%20to%20recent%20SharePoint%20Online%20site%20collections%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-30037%22%20slang%3D%22en-US%22%3EReally%3F%20When%20did%20this%20change%3F%3CBR%20%2F%3E%3CBR%20%2F%3EI%20have%20a%20number%20of%20site%20collections%20in%20SPOnline%20and%20the%20Global%20Admin%20is%20able%20to%20access%20most%20of%20them%2C%20even%20when%20they're%20not%20in%20any%20of%20the%20groups.%3CBR%20%2F%3E%3CBR%20%2F%3EIt%20makes%20sense%2C%20it's%20just%20a%20change%20in%20behavior.%3CBR%20%2F%3E%3CBR%20%2F%3EJust%20tested%20with%20a%20brand%20new%20SP%20Admin%20(not%20a%20site%20collection%20owner)%20and%20it%20has%20access%20to%20some%20sites%2C%20but%20not%20others.%3CBR%20%2F%3E%3CBR%20%2F%3EThis%20is%20potentially%20going%20to%20make%20it%20difficult%20to%20have%20a%20SPOnline%20service%20account%2C%20unless%20you%20add%20it%20to%20the%20site%20collection%20owners%2C%20for%20all%20site%20collections%20-%20which%20given%20that%20every%20new%20%22thing%22%20that%20MS%20builds%20goes%20off%20and%20creates%20site%20collections%20(I'm%20looking%20at%20you%20Planner%2C%20Groups%2C%20Teams)%20which%20are%20%22less%22%20manageable%2C%20is%20going%20to%20be%20fun...%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-30032%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20Global%20Admin%20has%20no%20access%20to%20recent%20SharePoint%20Online%20site%20collections%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-30032%22%20slang%3D%22en-US%22%3EThis%20is%20expected.%20A%20Global%20Admin%20shouldn't%20have%20access%20to%20individual%20sites%20unless%20explicitly%20granted.%20This%20is%20also%20true%20of%20on-prem%2C%20where%20a%20farm%20administrator%20does%20not%20automatically%20have%20access%20to%20Site%20Collections.%3C%2FLINGO-BODY%3E
Highlighted
Deleted
Not applicable

Is it just me, or has anyone else noticed that O365 Global Admins do not automatically get access to recently created Site Collections in SharePoint Online?

 

We have a small group of O365 Global Admins and all of us have MFA enabled.  This means that we often can't use our accounts for scripting and other various O365 add-ins/tools.

So I have a service account setup, which is also a Global Admin, but doesn't have MFA.

This account is able to get to older Site Collections (where it's not specifically in the SP Groups), but it's unable to access more recently created site collections.

 

I either get the:

 

Access Denied

myserviceaccount@corp.onmicrosoft.com does not have permissions to access this resource.
Here are a few ideas:

Please ask the site admin to give you access.

If you have a different account, try signing in with that account.
This will sign you out of all other Office 365 services that you're signed into at this time.
If this problem persists, contact your support team and include these technical details:
Correlation ID: xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx 
Date and Time: 15/11/2016 2:00:00 p.m.
User: myserviceaccount@corp.onmicrosoft.com
Issue Type: User does not have permissions.
 
Or I get the:
You need permission to access this site.
[I'd like access, please.]
Request Access
 
Judging by the sites that work, this change looks to have been in about the last month or so.
 
Anyone else seeing this?
 
I'm going to try creating a SPAdmin only account and see if that has better luck than a Global admin.
 
Thanks
Craig
29 Replies
No idea. You're asking the wrong person.
You'd probably need to check the documentation for your backup software.
Highlighted
sorry for spamming the thread, it kept telling me it had failed to post...
Highlighted
Apparently this will all be fixed up in the new SP Online Admin UI.
Highlighted

 

Great script, saved my 4ss

 

Proposed enhancement : replace the current site admin by the new one (global admin for example), and add the old one as the secondary site admin.

Highlighted

@Deleted

Can you please ,if possible, expound on 

1. where you get this info

2. more details 

Highlighted

Hey @Yuri Deglin,

 

the details a HERE.

 

Hope that helps.
Craig

Highlighted
Exactly.
It's the same case with me.
Users are able to mess around with creating sites and teams, and when they cry for help I must ask them to give me access... an the we go into the painful loop of explaining where to click and what to do.
So my 5 minute intervention turns into an hour(s) long jumping through hoops for the simplest of tasks.
Highlighted
SInce I have to do both, it has made it very difficult for me. I have a lot of users just going in creating stuff and then never delete it. How do I manage that?
Highlighted
My unfortunate response has been to turn off global Site, Team, O365 Group, Planner creation and restrict it to a handful of users who know what they're doing (naming schemes, conflicts, etc) until we have better tooling around site provisioning... which one of my guys has been working on using the SharePoint Patterns and Practices stuff.
Highlighted
Great and very helpful script. Thank you!