Nov 15 2016 02:08 PM
Is it just me, or has anyone else noticed that O365 Global Admins do not automatically get access to recently created Site Collections in SharePoint Online?
We have a small group of O365 Global Admins and all of us have MFA enabled. This means that we often can't use our accounts for scripting and other various O365 add-ins/tools.
So I have a service account set up, which is also a Global Admin, but doesn't have MFA.
This account is able to get to older Site Collections (where it's not specifically in the SP Groups), but it's unable to access more recently created site collections.
I either get the:
Take a closer look at the SPO sites in the SPO Admin Center: if the SC Owner is listed as Company Administrator, then Global Admin will have rights to the SC.
I agree with Trevor and Juan: Global Admins have never had default access to an SC; it must be granted.
Putting an AD group into the SCA group is the easiest way I have found.
The new Azure Privileged Identity Management may offer a nice approach in the future, but its integration with SPO is not very powerful at this time.
Nov 20 2016 04:23 PM
Thanks for responding guys.
But I still have the problem that I can't get the details of sites that I don't know about. And I won't know about them unless I have access. And I can't give myself (or my service account) access unless I know about them...
Given that Get-SPOSite doesn't return all sites by default and that the Site Collection list in O365 Admin/SPO Admin doesn't display Group sites (and Video, etc.), how can I reliably get a list of site collections, to which I can then add my admin group/service account, so that I can programmatically access those sites going forward?
Users are still able to external share from Group sites, which means there are potentially external users with access to content that I can't audit.
There are 3rd party tools claiming to be able to audit/report/change this stuff. How are they doing it? Or are they actually trapped in the same way, with minimal, if any, visibility of Group sites?
Nov 21 2016 12:25 AM - edited Nov 21 2016 12:43 AM
Solution: You can use the below PowerShell script to get the details of the SPO Site Collections for the Office 365 Groups.
$cred = Get-Credential
$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $cred -Authentication "Basic" -AllowRedirection
Import-PSSession $exchangeSession -DisableNameChecking
Connect-SPOService -Url https://tenantname-admin.sharepoint.com -Credential $cred
$Groups = Get-UnifiedGroup | Where-Object {$_.SharePointSiteUrl -ne $null}
$Groups | Foreach-Object {
    $Group = $_
    $GName = $Group.SharePointSiteUrl
    Get-SPOSite -Identity $GName -Detailed | fl
}
To add a member to Office 365 Groups, you can use the below one.
Add-UnifiedGroupLinks -LinkType Members -Identity "engineering" -Links "alland@XXXXX.onmicrosoft.com"
I am sure that the Office 365 Group's SPO File audits are available in "Audit log search" in protection centre [https://protection.office.com/#/unifiedauditlog]. Screenshot of the audit logs for O365 groups is posted below.
Nov 21 2016 06:16 PM
Nov 21 2016 08:22 PM
OK, so here's my final solution.
What it does is enumerate all the site collections via Get-SPOSite and set a particular Azure AD Security group to be a Site Collection Admin on each. Then it enumerates all the groups in Exchange Online, looking for ones with URLs (which are O365 Groups), and sets the Security Group as a Site Collection Admin on those too.
The end result - I'm able to use a service account to enumerate ALL site collections (in two passes) and perform actions on them.
Thanks for everyone's help. This is not as simple as it should have been!
One key gotcha - the only way I've found to get the Claims ID for the group, is manually in the SPOnline UI (Site Permissions | Check Permissions). Would love to have a PowerShell mechanism for that!
Note: I have this running in a SPOnline Management Shell PowerShell console.
Thanks
Craig
Import-Module MSOnline
# Jack Fruh - sharepointjack.com
# add a user or users to the site collection admin role on every site collection in Office 365 sites (SharePoint Online)
$SPOnlineAdminClaim = "c:0-.f|rolemanager|s-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXX"

#setup a log path
$path = "$($(get-location).path)\LogFile.txt"
#note we're using start-transcript, this does not work from inside the powershell ISE, only the command prompt
start-transcript -path $path

write-host "This will connect to SharePoint Online"
#Admin Variables:
$Adminurl = "https://TENANT-admin.sharepoint.com"

Write-Host "Get Credentials"
$userName = 'SERVICE ACCOUNT EMAIL ADDRESS'
$password = ConvertTo-SecureString 'SERVICE ACCOUNT PASSWORD' -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($userName, $password)

#Connect to SPO
Connect-SPOService -url $Adminurl -credential $credential
write-host "Connected" -foregroundcolor green

Write-Host "Get SPO Sites"
$sites = get-sposite
Foreach ($site in $sites) {
    Write-host "Adding users to $($site.URL)" -foregroundcolor yellow
    #Set the site collection admin flag for the Site collection admin
    write-host "Setting up SPOnline Admins as a site collection admin on $($site.url)..."
    set-spouser -site $site.url -loginname $SPOnlineAdminClaim -IsSiteCollectionAdmin $true
    write-host "Done" -foregroundcolor green
}
Write-Host "Done With SPO Sites" -ForegroundColor green

Write-Host "Connect to Exchange Online"
$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $credential -Authentication "Basic" -AllowRedirection
if ($exchangeSession) {
    Write-Host "Import Exchange Online Session"
    $session = Import-PSSession $exchangeSession -DisableNameChecking -AllowClobber
    if ($session) {
        Write-Host "Connect to SharePoint Online"
        Connect-SPOService -Url $Adminurl -credential $credential
        Write-Host "Get Unified Groups"
        $Groups = Get-UnifiedGroup | Where-Object {$_.SharePointSiteUrl -ne $null}
        Write-Host "Enumerate Groups"
        $Groups | Foreach-Object {
            $Group = $_
            $GName = $Group.SharePointSiteUrl
            Write-Host "Setting up SPOnline Admins as a site collection admin on $($GName)..."
            Set-SPOUser -Site $GName -LoginName $SPOnlineAdminClaim -IsSiteCollectionAdmin $true
        }
        Remove-PSSession (Get-PSSession)[0]
    }
}
Write-host "Done with everything" -foregroundcolor green
stop-transcript
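As an added example (not Craig's script or anything else from the thread), here is the same two-source enumeration folded into one deduplicated pass, with the service-account password read from a DPAPI-protected Export-Clixml file instead of a plaintext string in the script, a per-site success/failure record, and a -WhatIf dry run. It assumes the SharePoint Online Management Shell is loaded and an Exchange Online remote session has already been imported as in the posts above; the admin URL, credential file path and claim string are placeholders.

```powershell
# Added example, not from the thread. Assumes the SharePoint Online Management Shell is
# loaded and an Exchange Online remote session is already imported (as in the posts above).
# Admin URL, credential file path and claim string are placeholders.

# Load a credential saved once with: Get-Credential | Export-Clixml <path>
# Export-Clixml encrypts the password with DPAPI for the saving user on the saving machine,
# so the script no longer embeds a plaintext service-account password.
function Get-SavedCredential {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path $Path)) {
        throw "Credential file '$Path' not found; create it with: Get-Credential | Export-Clixml $Path"
    }
    Import-Clixml -Path $Path
}

# One deduplicated URL list from both sources the thread uses: Get-SPOSite (with -Limit All,
# since the default call returns only a first page) and the SharePointSiteUrl of each O365 Group.
function Get-AllSiteCollectionUrls {
    $classic = Get-SPOSite -Limit All | Select-Object -ExpandProperty Url
    $groups  = Get-UnifiedGroup | Where-Object { $_.SharePointSiteUrl } |
               Select-Object -ExpandProperty SharePointSiteUrl
    @($classic) + @($groups) | ForEach-Object { $_.TrimEnd('/').ToLowerInvariant() } | Sort-Object -Unique
}

# Grant the claim site collection admin on every URL, recording success or failure per site
# instead of aborting on the first error. -WhatIf lists what would change without changing it.
function Grant-SiteCollectionAdmin {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$Urls,
        [Parameter(Mandatory)][string]$LoginName
    )
    foreach ($url in $Urls) {
        if (-not $PSCmdlet.ShouldProcess($url, "Set $LoginName as site collection admin")) { continue }
        try {
            Set-SPOUser -Site $url -LoginName $LoginName -IsSiteCollectionAdmin $true -ErrorAction Stop | Out-Null
            [pscustomobject]@{ Url = $url; Result = 'Granted'; Error = $null }
        } catch {
            [pscustomobject]@{ Url = $url; Result = 'Failed'; Error = $_.Exception.Message }
        }
    }
}

$adminUrl   = "https://TENANT-admin.sharepoint.com"                                  # placeholder
$adminClaim = "c:0-.f|rolemanager|s-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXX" # placeholder from the thread
Connect-SPOService -Url $adminUrl -Credential (Get-SavedCredential -Path "$env:USERPROFILE\spo-svc.cred.xml")
$results = Grant-SiteCollectionAdmin -Urls (Get-AllSiteCollectionUrls) -LoginName $adminClaim
$results | Export-Csv -Path ".\sca-grant-results.csv" -NoTypeInformation   # keep a record of what was granted
$results | Group-Object Result | Select-Object Name, Count
```

Run it once with `Grant-SiteCollectionAdmin ... -WhatIf` to review the full URL list before any permission is changed; the CSV gives an audit trail of which site collections the admin claim was added to.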
May 16 2017 06:02 AM
But in On Premises you can give Web Application access which gives you all Site Collections within the Web Application.
It should be an option to add a SP admin to all site collections.
Jun 12 2017 11:05 AM
@Trevor Seward is correct and... in an on-prem environment you can set a web application policy granting site collection administration to all site collections in a web application. The web application administration layer is not available in SharePoint Online. It is likely that you enjoy site collection administrative permissions to all your on-prem site collections as a result of a web application policy. As a Global admin you can grant yourself access to any site collection in SharePoint Online, so you could add that to the start of your script (Set-SPOUser -site $SiteCollURL -LoginName $SiteCollectionAdmin1 -IsSiteCollectionAdmin $True) and you could remove the user from this role once the operation on the site collection was complete.
Jun 29 2017 06:46 AM
I, for one, love this feature. A Global admin should be able to administer the services and infrastructure, but they are not necessarily the right role for managing and supporting the data. That is how breaches and data loss can occur.
Aug 17 2017 09:30 AM
I have the same need for such a script. But I don't get where this line
$SPOnlineAdminClaim = "c:0-.f|rolemanager|s-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXX"
comes from. Where do I find this information for myself (or the AD group I am in)?
As a global admin my boss expects that I have access to everything.
Oct 13 2017 07:41 AM
How does this apply to onsite backups (from cloud to secondary) or to migrating company data if you're going to collapse the environment? How would you know you have all your company's data without something having full access to all the sites, both on O365 and its ancillary off-path products like Stream and Teams?
Dec 20 2017 01:49 PM
This is really annoying. Users are asking for help in their site and we have no power to help them with it.
So, how can admins assist users who need help setting up their newly created site?
Jan 14 2018 01:03 PM
@Robert.krauss.skype wrote:
I have the same need for such a script. But I don't get where this line
$SPOnlineAdminClaim = "c:0-.f|rolemanager|s-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXX"
comes from. Where do I find this information for myself (or the AD group I am in)?
As a global admin my boss expects that I have access to everything.
It comes from this bit:
One key gotcha - the only way I've found to get the Claims ID for the group, is manually in the SPOnline UI (Site Permissions | Check Permissions). Would love to have a PowerShell mechanism for that!