O365 Global Admin has no access to recent SharePoint Online site collections
- Nov 21, 2016
You can use the below PowerShell script to get the details of the SPO Site Collections for the Office 365 Groups.

$cred = Get-Credential
# Remote session to Exchange Online, needed for Get-UnifiedGroup
$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $cred -Authentication "Basic" -AllowRedirection
Import-PSSession $exchangeSession -DisableNameChecking
Connect-SPOService -Url https://tenantname-admin.sharepoint.com -Credential $cred
# Keep only the groups that have a SharePoint site
$Groups = Get-UnifiedGroup | Where-Object { $_.SharePointSiteUrl -ne $null }
$Groups | ForEach-Object {
    $Group = $_
    $GName = $Group.SharePointSiteUrl
    Get-SPOSite -Identity $GName -Detailed | fl
}

To add a member to Office 365 Groups, you can use the below one.

Add-UnifiedGroupLinks -LinkType Members -Identity "engineering" -Links "alland@XXXXX.onmicrosoft.com"

I am sure that the Office 365 Group's SPO File audits are available in "Audit log search" in protection centre [https://protection.office.com/#/unifiedauditlog]. A screenshot of the audit logs for O365 groups is posted below.
I have a number of site collections in SPOnline and the Global Admin is able to access most of them, even when they're not in any of the groups.
It makes sense, it's just a change in behavior.
Just tested with a brand new SP Admin (not a site collection owner) and it has access to some sites, but not others.
This is potentially going to make it difficult to have a SPOnline service account, unless you add it to the site collection owners, for all site collections - which given that every new "thing" that MS builds goes off and creates site collections (I'm looking at you Planner, Groups, Teams) which are "less" manageable, is going to be fun...
- Nov 15, 2016
I agree with Trevor, and it has always been like this... if the user wasn't the creator of the Site Collections, he/she is not going to be able to access them... but you can add the user as Site Collection Administrator using the UI or PowerShell.
- Deleted Nov 16, 2016
I agree that this is the way it should be, but it certainly hasn't always been this way. And I still have a Global Admin account that can access some sites (when they are not in any of the groups), but not others.
The big problem is sites created by the likes of Planner and Teams - aka O365 Group sites. These do not show up when you do a Get-SPOSite.
And if you specify them specifically (e.g. Get-SPOSite "https://mycorp.sharepoint.com/sites/O365GroupSite") you actually get anything unless you already have permission - which if the O365 site was created by someone else (and by default, anyone can create Planner/Teams/O365 Groups), then you're stuck.
There's some suggestion that the (now in preview) v2 of Azure AD PowerShell, is able to enumerate O365 Groups and so we may be able to access the site details that way, but I haven't tried this yet.
The underlying reason for doing this: I want to be able to find all the External users and look at what permissions they have on which sites (essentially to find rogue sharing).
- Dean_Gross Nov 17, 2016 Silver Contributor
Take a closer look at the SPO sites in the SPO Admin Center, if the SC Owner is listed as Company Administrator, then Global Admin will have rights to the SC.
I agree with Trevor and Juan, Global Admins have never had default access to an SC; it must be granted.
Putting an AD group into the SCA group is the easiest way I have found.
The new Azure Privileged Identity Management may offer a nice approach in the future, but its integration with SPO is not very powerful at this time.
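
The audit goal raised in the thread (listing external users on Office 365 Group sites that the admin account cannot yet open) could be scripted as below. This is an added example, not code from any poster. It assumes the Exchange Online and `Connect-SPOService` sessions from the script above are already open and that the account is a SharePoint admin; `$AuditAccount` and `Select-ExternalUser` are hypothetical names.

```powershell
# Added example: report external (guest) users on every Office 365 Group site.
# $AuditAccount is a placeholder login, not a real account.
$AuditAccount = "spo-audit@XXXXX.onmicrosoft.com"

function Select-ExternalUser {
    # Guest accounts carry "#ext#" in their SharePoint login name.
    param([Parameter(ValueFromPipeline)]$User, [string]$SiteUrl)
    process {
        if ($User.LoginName -like "*#ext#*") {
            [pscustomobject]@{
                Site        = $SiteUrl
                LoginName   = $User.LoginName
                DisplayName = $User.DisplayName
                IsSiteAdmin = $User.IsSiteAdmin
                Groups      = ($User.Groups -join "; ")
            }
        }
    }
}

$groupSites = Get-UnifiedGroup -ResultSize Unlimited |
    Where-Object { $_.SharePointSiteUrl }

$report = foreach ($group in $groupSites) {
    $url = $group.SharePointSiteUrl
    $granted = $false
    try {
        try {
            $users = Get-SPOUser -Site $url -Limit All -ErrorAction Stop
        } catch {
            # No access yet: add the audit account as site collection admin, retry.
            Set-SPOUser -Site $url -LoginName $AuditAccount -IsSiteCollectionAdmin $true -ErrorAction Stop | Out-Null
            $granted = $true
            $users = Get-SPOUser -Site $url -Limit All -ErrorAction Stop
        }
        $users | Select-ExternalUser -SiteUrl $url
    } catch {
        Write-Warning "Skipped ${url}: $_"
    } finally {
        # Remove the temporary grant so the audit leaves permissions as found.
        if ($granted) {
            Set-SPOUser -Site $url -LoginName $AuditAccount -IsSiteCollectionAdmin $false | Out-Null
        }
    }
}
$report | Sort-Object Site, LoginName | Format-Table -AutoSize
```

Each temporary grant and removal is itself a permission change, so expect the run to appear in the audit log search mentioned earlier in the thread.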