Security

How To Manage Office 365 Access Without Hindering Owner Confidence

Are your powers users confident about the security of their content in Teams? A constant point of contention for power users are uninvited guests or unfamiliar users found within an Office 365 group, team, or site the power user owns. This persistent issue negatively impacts adoption and needs to be addressed. Surprisingly enough, SharePoint admins usually wind up being one of the root causes. Let’s investigate why.

Currently, in SharePoint Online, support staff with the SharePoint Administrator role must grant themselves Owner rights before they can access a site, team, or modify group membership. Admins that perform this action show up on the modern permissions display panel and in the O365 group causing concern amongst the site owners who quickly feel that they have no control over the access of their content. 

So what are these admins up to? 

Most SharePoint setups today use this method to perform system maintenance. In some cases, support may be performing a change request or resolving an issue.

6 Steps To Secure Access

These headaches can be alleviated by one Office 365 Group, a few updates, and a little scripting. Just follow the below steps:

  1. In the Office 365 Admin Center, create a “SharePoint Administrators” Office 365 Group and add all your SharePoint Support staff to it as “members” (Owner rights don’t seem to be as effective in this scenario).
  2. Request temporary Global or User Management Administrator rights.
  3. Run a PowerShell script to add “yourself” as an owner to all group connected SharePoint sites (Requires Global or User Management Administrator rights). 
  4. Add “yourself” as an owner to all other Team and Communication sites (not group connected) via the SharePoint Admin Center: https://[TenantName]-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/siteManagement
  5. Run another PowerShell script to add the “SharePoint Administrators” Office 365 Group to the “Site Collection Administrators” section of all sites.
  6. Run a final PowerShell script to remove your personal account’s access from the sites and the Office 365 Groups minus the “SharePoint Administrators” Office 365 Group.

That’s it! Your support staff now have Full Control access to all sites so that they can perform their daily duties without:

  • Disrupting the end-users by showing up in the Owners section and/or Office 365 Group.
  • Needing to add and remove themselves to make SharePoint changes.

Likewise, you can and should use this same process in tangent with a “SharePoint Service Accounts” Office 365 Group. Otherwise, whenever your Flow or analysis service account or job needs to access something, it will take additional steps to manually grant it access.

The Final Touch

Make adding these groups part of your manual and/or automated site creation process.

Interested in diving deeper on secure internal and external collaboration? Reach out to our team here to set up a free consultation call.