SOLVED

O365 Global Admin has no access to recent SharePoint Online site collections

Deleted
Not applicable

Is it just me, or has anyone else noticed that O365 Global Admins do not automatically get access to recently created Site Collections in SharePoint Online?

 

We have a small group of O365 Global Admins and all of us have MFA enabled.  This means that we often can't use our accounts for scripting and other various O365 add-ins/tools.

So I have a service account setup, which is also a Global Admin, but doesn't have MFA.

This account is able to get to older Site Collections (where it's not specifically in the SP Groups), but it's unable to access more recently created site collections.

 

I either get the:

 

Access Denied

myserviceaccount@corp.onmicrosoft.com does not have permissions to access this resource.
Here are a few ideas:

Please ask the site admin to give you access.

If you have a different account, try signing in with that account.
This will sign you out of all other Office 365 services that you're signed into at this time.
If this problem persists, contact your support team and include these technical details:
Correlation ID: xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx 
Date and Time: 15/11/2016 2:00:00 p.m.
User: myserviceaccount@corp.onmicrosoft.com
Issue Type: User does not have permissions.
 
Or I get the:
You need permission to access this site.
[I'd like access, please.]
Request Access
 
Judging by the sites that work, this change looks to have been in about the last month or so.
 
Anyone else seeing this?
 
I'm going to try creating a SPAdmin only account and see if that has better luck than a Global admin.
 
Thanks
Craig
30 Replies
This is expected. A Global Admin shouldn't have access to individual sites unless explicitly granted. This is also true of on-prem, where a farm administrator does not automatically have access to Site Collections.
Really? When did this change?

I have a number of site collections in SPOnline and the Global Admin is able to access most of them, even when they're not in any of the groups.

It makes sense, it's just a change in behavior.

Just tested with a brand new SP Admin (not a site collection owner) and it has access to some sites, but not others.

This is potentially going to make it difficult to have a SPOnline service account, unless you add it to the site collection owners, for all site collections - which given that every new "thing" that MS builds goes off and creates site collections (I'm looking at you Planner, Groups, Teams) which are "less" manageable, is going to be fun...
exactly i know this functionality is already longer implemented if you login as a partner but as global admin it is new but i think it is a good one.
I agree with Trevor and It have been always like this...if the user wasn't the creator of the Site Collections, he/she is not going to be able to access to them...but you can add he user as Site Collection Administrator using the UI or PowerShell
I agree that this is the way it should be, but it certainly hasn't always been this way. And I still have a Global Admin account that can access some sites (when they are not in any of the groups), but not others.

The big problem is sites created by the likes of Planner and Teams - aka O365 Group sites. These do not show up when you do a Get-SPOSite.
And if you specify them specifically (e.g. Get-SPOSite "https://mycorp.sharepoint.com/sites/O365GroupSite") you actually get anything unless you already have permission - which if the O365 site was created by someone else (and by default, anyone can create Planner/Teams/O365 Groups), then you're stuck.

There's some suggestion that the (now in preview) v2 of Azure AD PowerShell, is able to enumerate O365 Groups and so we may be able to access the site details that way, but I haven't tried this yet.

The underlying reason for doing this: I want to be able to find all the External users and look at what permissions they have on which sites (essentially to find rogue sharing).
This is different stuff...torday and by design Groups sites are hidden and not shown in the SharePoint Online Administration (same happens with Office 365 Video Channels). The only way to get listed / get details of a Group sites is using PowerShell and specifically the SPO cmdlets: Get-SPOSite, Set-SPOSite are your best friedns here. In the future I believe Microsoft is working on showing also Groups sites there that by the way it's something required for modern team sites

Take a closer look at the SPO sites in the SPO Admin Center, if the SC Owner is listed as Company Administrator, then Global Admin will have rights to the SC.

 

I agree with Trevor and Juan, Global Admins have never had default access to an SC it must be granted.

Putting an AD group into the SCA group is the easiest way I have found.

 

The new Azure Privelged Identity Management may offer a nice approach in the future, but its integration with SPO is not very powerfull at this time.

Thanks for responding guys.

 

But I still have the problem that  I can't get the details of sites that I don't know about.  And I wont know about them unless I have access.  And I can't give myself (or my service account) access, unless I know about them...

 

Given that Get-SPOSite doesn't return all sites by default and that the Site Collection list in O365 Admin/SPO Admin doesn't display Group sites (and Video, etc). How can I reliably get a list of site collections?  To which I can then add my admin group/service account to, so that I can programmaticaly access those sites going forward.

 

Users are still able to external share from Group sites, which means there are potentially external users with access to content that I can't audit.

 

There are 3rd party tools claiming to be able to audit/report/change this stuff.  How are they doing it?  Or are they actually trapped in the same way, with minimal, if any, visability of Group sites?

best response confirmed by Matt_Nutt (Occasional Reader)
Solution

You can use the below PowerShell script to get the details of the SPO Site Collections for the Office 365 Groups.

 

$cred=Get-Credential
$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $cred -Authentication "Basic" -AllowRedirection
Import-PSSession $exchangeSession -DisableNameChecking
Connect-SPOService -Url https://tenantname-admin.sharepoint.com -credential $cred
$Groups=Get-UnifiedGroup |Where-Object {$_.SharePointSiteUrl -ne $null}
$Groups | Foreach-Object{ 
$Group = $_ 
$GName=$Group.SharePointSiteUrl
Get-SPOSite -Identity $GName -Detailed |fl
} 

To add a member to Office 365 Groups, you can use the below one.

Add-UnifiedGroupLinks -LinkType Members -Identity "engineering" -Links "alland@XXXXX.onmicrosoft.com

I am sure that the Office 365 Group's SPO File audits are available in "Audit log search" in protection centre [https://protection.office.com/#/unifiedauditlog]. Screen-shot of the audit logs for O365 groups is posted below.

 

audit o365 group.png

 

Thanks for that.

Works a treat!

Yeah, I know user activity on Group sites does turn up in the Audit logs. But I'm trying to audit External users and what they have access to.

OK, so here's my final solution.

 

What it does is enumerate all the site collections via Get-SPOSite and sets a particuarly Azure AD Security group to be a Site Collection Admin.  Then it enumerates all the groups in Exchange Online, looking for ones with URLs, which are O365 Groups, which it then is able to set the Security Group as a Site Collection Admin.

The end result - I'm able to use a service account to enumerate ALL site collections (in two passes) and perform actions on them.

 

Thanks for everyone's help.  This is not as simple as it should have been!

 

One key gotcha - the only way I've found to get the Claims ID for the group, is manually in the SPOnline UI (Site Permissions | Check Permissions).  Would love to have a PowerShell mechanism for that!

 

Note: I have this running in a SPOnline Management Shell PowerShell console.

 

Thanks

Craig

 

Import-Module MSOnline

# Jack Fruh - sharepointjack.com
# add a user or users to the site collection admin role on every site collection in Office 365 sites (SharePoint Online)

$SPOnlineAdminClaim = "c:0-.f|rolemanager|s-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXX"

#setup a log path
$path = "$($(get-location).path)\LogFile.txt"
#note we're using start-transcript, this does not work from inside the powershell ISE, only the command prompt
 
start-transcript -path $Path
write-host "This will connect to SharePoint Online"
 
#Admin Variables:
$Adminurl = "https://TENANT-admin.sharepoint.com"
 
Write-Host "Get Credentials"
$userName = 'SERVICE ACCOUNT EMAIL ADDRESS'
$password = ConvertTo-SecureString 'SERVICE ACCOUNT PASSWORD' -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($userName, $password) 
 
#Connect to SPO
Connect-SPOService -url $Adminurl -credential $credential
write-host "Connected" -foregroundcolor green
 
Write-Host "Get SPO Sites"
$sites = get-sposite
Foreach ($site in $sites)
{
    Write-host "Adding users to $($site.URL)" -foregroundcolor yellow
	#Set the site collection admin flag for the Site collection admin
	write-host "Setting up SPOnline Admins as a site collection admin on $($site.url)..."
	set-spouser -site $site.url -loginname $SPOnlineAdminClaim -IsSiteCollectionAdmin $true
	write-host "Done"	-foregroundcolor green
}
Write-Host "Done With SPO Sites" -ForegroundColor green

Write-Host "Connect to Exchange Online"
$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $credential -Authentication "Basic" -AllowRedirection
if ($exchangeSession) {
    Write-Host "Import Exchange Online Session"
    $session = Import-PSSession $exchangeSession -DisableNameChecking -AllowClobber
    if ($session) {
        Write-Host "Connect to SharePoint Online"
        Connect-SPOService -Url $Adminurl -credential $credential
        Write-Host "Get Unified Groups"
        $Groups=Get-UnifiedGroup |Where-Object {$_.SharePointSiteUrl -ne $null}
        Write-Host "Enumerate Groups"
        $Groups | Foreach-Object{ 
            $Group = $_ 
            $GName = $Group.SharePointSiteUrl
	    Write-Host "Setting up SPOnline Admins as a site colection admin on $($GName)..."
	    Set-SPOUser -Site $GName -LoginName $SPOnlineAdminClaim -IsSiteCollectionAdmin $true
        }
    Remove-PSSession (Get-PSSession)[0]
    }
} 


Write-host "Done with everything" -foregroundcolor green 
stop-transcript

But in On Premises you can give Web Application access which gives you all Site Collections within the Web Application.


It should be an option to add a SP admin to all site collections. 

@Trevor Seward is correct and... in an on-prem environment you can set a web application policy granting site collection administration to all site collections in a web application.  The web application administration layer is not available in SharePoint Online.  It is likely that you enjoy site collection administrative permissions to all your on-prem site collections as a result of a web application policy. As a Global admin you can grant yourselft access to any site collections in SharePoint Online so you could add that to the start of your script (Set-SPOUser -site $SiteCollURL -LoginName $SiteCollectionAdmin1 -IsSiteCollectionAdmin $True) and you could remove the user from this role which the operation on the site collection were complete.  

I for one, love this feature. A Global admin should be able to administer the services and infrastructure, but they are not necessarily the right role for the managing and supporting the data.  That is how breaches, and data loss can occur. 

I have the same need for such a script. But I don't get where this line

 

$SPOnlineAdminClaim = "c:0-.f|rolemanager|s-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXX"

 

comes from. Where do I find this information for myself (or the AD group I am in)?

 

As a global admin by boss expects that I have access to everything.

How does this apply to onsite backups (from cloud to secondary) or for migrating company data if you're going to collapse the environment. How would you know you have all your companies data without something having full access to all the sites both on O365 and it's ancillary off path products like Stream and Teams?

This is really annoying. Users are asking for help in their site and we have no power over helping them with it. 

SO, how can admins assit users who need help setting up their newly created site?


@Robert.krauss.skype wrote:

I have the same need for such a script. But I don't get where this line

 

$SPOnlineAdminClaim = "c:0-.f|rolemanager|s-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXX"

 

comes from. Where do I find this information for myself (or the AD group I am in)?

 

As a global admin by boss expects that I have access to everything.


 



It comes from this bit:
One key gotcha - the only way I've found to get the Claims ID for the group, is manually in the SPOnline UI (Site Permissions | Check Permissions). Would love to have a PowerShell mechanism for that!

1 best response

Accepted Solutions
best response confirmed by Matt_Nutt (Occasional Reader)
Solution

You can use the below PowerShell script to get the details of the SPO Site Collections for the Office 365 Groups.

 

$cred=Get-Credential
$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $cred -Authentication "Basic" -AllowRedirection
Import-PSSession $exchangeSession -DisableNameChecking
Connect-SPOService -Url https://tenantname-admin.sharepoint.com -credential $cred
$Groups=Get-UnifiedGroup |Where-Object {$_.SharePointSiteUrl -ne $null}
$Groups | Foreach-Object{ 
$Group = $_ 
$GName=$Group.SharePointSiteUrl
Get-SPOSite -Identity $GName -Detailed |fl
} 

To add a member to Office 365 Groups, you can use the below one.

Add-UnifiedGroupLinks -LinkType Members -Identity "engineering" -Links "alland@XXXXX.onmicrosoft.com

I am sure that the Office 365 Group's SPO File audits are available in "Audit log search" in protection centre [https://protection.office.com/#/unifiedauditlog]. Screen-shot of the audit logs for O365 groups is posted below.

 

audit o365 group.png

 

View solution in original post