Restrict acces to Admins to some sites / libraries

%3CLINGO-SUB%20id%3D%22lingo-sub-980080%22%20slang%3D%22en-US%22%3ERestrict%20acces%20to%20Admins%20to%20some%20sites%20%2F%20libraries%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-980080%22%20slang%3D%22en-US%22%3E%3CP%3EI%20asked%20this%20in%20the%20regular%20community%2C%20my%20mistake.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20are%20a%20smaller%20company%20committed%20to%20Teams%20on%20the%20front%20end%20with%20Sharepoint%20on%20the%20back%20end.%26nbsp%3B%20We%20have%20three%20people%20set%20up%20as%20Admins%20for%20Office%20365%20for%20Business.%26nbsp%3B%20I%20need%20to%20restrict%20access%20to%20the%20content%20created%20and%20managed%20by%20a%20couple%20of%20Teams%20and%20their%20libraries%20from%20my%20other%20two%20admins%2C%20specifically%20the%20Leadership%20private%20team%20and%20the%20HR%20team.%26nbsp%3B%20As%20it%20stands%2C%20while%20the%20admins%20are%20not%20members%20or%20owners%20of%20these%20teams%20%2F%20libraries%2C%20they%20can%20make%20themselves%20members%20and%20gain%20access%20to%20the%20restricted%20data%20in%20the%20libraries.%26nbsp%3B%20THey%20are%20doing%20good%20work%20overall%2C%20so%20I%20want%20to%20be%20able%20to%20selectively%20remove%20their%20Admin%20capabilities.%26nbsp%3B%20I%20have%20been%20told%20that%20this%20is%20not%20possible%20which%20makes%20no%20sense%20in%20the%20context%20of%20a%20really%20large%20company%2C%20let%20alone%20a%20small%20one.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20someone%20please%20direct%20me%20to%20how%20to%20do%20this%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-980080%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdmin%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESharePoint%20Online%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-981699%22%20slang%3D%22en-US%22%3ERe%3A%20Restrict%20acces%20to%20Admins%20to%20some%20sites%20%2F%20libraries%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-981699%22%20slang%3D%22en-US%22%3EIt%20is%20not%20possible%20and%20this%20has%20always%20been%20true%20of%20IT%20since%20the%20concept%20of%20systems%20administration%20was%20a%20thing%20decades%20ago.%20Systems%20administrators%20can%20grant%20themselves%20access%20or%20otherwise%20gain%20access%20to%20underlying%20data%20because%20they're%20administrators%20of%20the%20system.%3CBR%20%2F%3E%3CBR%20%2F%3EImagine%20if%20you%20had%20a%20bad%20actor%20and%20the%20administrator%20couldn't%20take%20control%20of%20that%20resource...%3CBR%20%2F%3E%3CBR%20%2F%3EThis%20is%20an%20HR%20problem%2C%20not%20an%20IT%20one.%20You%20can%20look%20at%20the%20Unified%20Audit%20Log%20(or%20an%20administrator%20can%2Fdelegated%20user%20can)%20to%20see%20if%20an%20admin%20has%20granted%20themselves%20access%20to%20a%20particular%20resource%20but%20you%20can't%20prevent%20it%20from%20occurring.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-981717%22%20slang%3D%22en-US%22%3ERe%3A%20Restrict%20acces%20to%20Admins%20to%20some%20sites%20%2F%20libraries%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-981717%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20going%20to%20respectfully%20disagree%26nbsp%3B%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F130%22%20target%3D%22_blank%22%3E%40Trevor%20Seward%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHaving%20spent%20more%20than%2040%20years%20in%20Information%20and%20Communication%20Tech%2C%20you%20don't%20need%20to%20tell%20me%20how%20to%20boil%20water.%26nbsp%3B%20Stratified%20administration%20rights%20are%20not%20unusual%20and%20have%20existed%20in%20other%20systems%20for%20decades.%20%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20now%20understand%20that%20while%20Sharepoint%20does%20offer%20multiple%20levels%20of%20admin%2C%20there%20is%20no%20clarity%20in%20the%20documentation%20about%20who%20can%20do%20what%20with%20the%20data.%26nbsp%3B%20That's%20a%20missing%20element%20and%20bad%20design.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EChecking%20the%20audit%20logs%20works.%26nbsp%3B%20It%20is%20identical%20to%20the%20old%20concept%20of%20locking%20the%20barn%20door%20after%20the%20horse%20is%20gone.%26nbsp%3B%20And%20thus%2C%20of%20dubious%20and%20limited%20value.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-981754%22%20slang%3D%22en-US%22%3ERe%3A%20Restrict%20acces%20to%20Admins%20to%20some%20sites%20%2F%20libraries%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-981754%22%20slang%3D%22en-US%22%3EWhen%20we%20look%20at%20Microsoft%2FUN*X%20systems%20design%2C%20this%20is%20a%20universal%20truth%20that%20the%20sysadmin%2Froot%20has%20full%20control%20over%20the%20system%20and%20all%20data%20over%20it.%20Global%20Admins%20are%20the%20equivalent%20(with%20SharePoint%20Admin%20role%20being%20scoped%20to%20ODfB%2FSPO).%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-981762%22%20slang%3D%22en-US%22%3ERe%3A%20Restrict%20acces%20to%20Admins%20to%20some%20sites%20%2F%20libraries%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-981762%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20are%20correct%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F130%22%20target%3D%22_blank%22%3E%40Trevor%20Seward%3C%2FA%3E%20%26nbsp%3B%20There%20are%20however%2C%20proven%20systems%20that%20did%20not%20have%20this%20issue%2C%20although%20they%20have%20passed%20from%20memory.%26nbsp%3B%20It%20is%20possible%20that%20the%20less%20powerful%20admin%20types%20in%20Sharepoint%20could%20help%2C%20if%20only%20their%20documentation%20specified%20what%20control%20they%20have%20over%20document%20libraries%2C%20which%20none%20of%20the%20Microsoft%20docs%20that%20I%20have%20found%2C%20do.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20make%20no%20assertion%20that%20I%20have%20found%20them%20all.%26nbsp%3B%20For%20example%2C%20can%20a%20Teams%20Admin%2C%20read%20the%20contents%20of%20a%20Sharepoint%20Document%20Library%20if%20that%20person%20is%20not%20a%20Global%20Admin%3F%26nbsp%3B%20I%20fear%20yes%2C%20because%20Teams%20is%20built%20to%20leverage%20Sharepoint.%26nbsp%3B%20What%20I%20am%20looking%20for%20specifically%20is%20an%20admin%20role%20that%20allows%20for%20admin%20and%20support%20without%20open%20access%20to%20document%20libraries.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-981813%22%20slang%3D%22en-US%22%3ERe%3A%20Restrict%20acces%20to%20Admins%20to%20some%20sites%20%2F%20libraries%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-981813%22%20slang%3D%22en-US%22%3ESuch%20a%20role%20does%20not%20exist.%20The%20closest%20thing%20you%20can%20do%20is%20password%20protect%20files%20from%20within%20their%20own%20application%2C%20then%20upload%20said%20files.%20If%20the%20admin%20doesn't%20know%20the%20password%2C%20they%20can't%20open%20them.%20You%20lose%20out%20on%20some%20other%20platform%20features%2C%20though%2C%20such%20as%20search.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-981920%22%20slang%3D%22en-US%22%3ERe%3A%20Restrict%20acces%20to%20Admins%20to%20some%20sites%20%2F%20libraries%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-981920%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20for%20the%20clarity%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F130%22%20target%3D%22_blank%22%3E%40Trevor%20Seward%3C%2FA%3E%20%26nbsp%3B%20I%20will%20go%20with%20your%20expertise%20on%20this%20matter%20and%20simply%20ensure%20that%20my%20secure%20data%20users%20don't%20put%20anything%20on%20network%20resources%20be%20they%20Sharepoint%20or%20OneDrive%20for%20Business.%26nbsp%3B%20Nothing%20like%20going%20back%20to%201981%20and%20floppy%20disks.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

I asked this in the regular community, my mistake.

 

We are a smaller company committed to Teams on the front end with Sharepoint on the back end.  We have three people set up as Admins for Office 365 for Business.  I need to restrict access to the content created and managed by a couple of Teams and their libraries from my other two admins, specifically the Leadership private team and the HR team.  As it stands, while the admins are not members or owners of these teams / libraries, they can make themselves members and gain access to the restricted data in the libraries.  THey are doing good work overall, so I want to be able to selectively remove their Admin capabilities.  I have been told that this is not possible which makes no sense in the context of a really large company, let alone a small one.

 

Can someone please direct me to how to do this?

6 Replies
It is not possible and this has always been true of IT since the concept of systems administration was a thing decades ago. Systems administrators can grant themselves access or otherwise gain access to underlying data because they're administrators of the system.

Imagine if you had a bad actor and the administrator couldn't take control of that resource...

This is an HR problem, not an IT one. You can look at the Unified Audit Log (or an administrator can/delegated user can) to see if an admin has granted themselves access to a particular resource but you can't prevent it from occurring.

I'm going to respectfully disagree  @Trevor Seward 

 

Having spent more than 40 years in Information and Communication Tech, you don't need to tell me how to boil water.  Stratified administration rights are not unusual and have existed in other systems for decades.  

 

I now understand that while Sharepoint does offer multiple levels of admin, there is no clarity in the documentation about who can do what with the data.  That's a missing element and bad design.

 

Checking the audit logs works.  It is identical to the old concept of locking the barn door after the horse is gone.  And thus, of dubious and limited value.

When we look at Microsoft/UN*X systems design, this is a universal truth that the sysadmin/root has full control over the system and all data over it. Global Admins are the equivalent (with SharePoint Admin role being scoped to ODfB/SPO).

You are correct @Trevor Seward   There are however, proven systems that did not have this issue, although they have passed from memory.  It is possible that the less powerful admin types in Sharepoint could help, if only their documentation specified what control they have over document libraries, which none of the Microsoft docs that I have found, do.

 

I make no assertion that I have found them all.  For example, can a Teams Admin, read the contents of a Sharepoint Document Library if that person is not a Global Admin?  I fear yes, because Teams is built to leverage Sharepoint.  What I am looking for specifically is an admin role that allows for admin and support without open access to document libraries.

Such a role does not exist. The closest thing you can do is password protect files from within their own application, then upload said files. If the admin doesn't know the password, they can't open them. You lose out on some other platform features, though, such as search.

Thanks for the clarity @Trevor Seward   I will go with your expertise on this matter and simply ensure that my secure data users don't put anything on network resources be they Sharepoint or OneDrive for Business.  Nothing like going back to 1981 and floppy disks.