Tag: site collection administrator

Office 365 Advent Calendar – 20 Get notified about new SharePoint Online Site Collection Administrators


If your organization provides business users with the possibility to manage sites themselves by assigning them site collection administrator rights, you may want to know if they add anyone else as site collection administrator. While you could run a script regularly to retrieve a list of all site collection administrators on all sites and then compare this data with previous information, there is also an alternative that you can use. Office 365 provides you with the option to get alerted when someone gets added as a site collection administrator.

First, open the Office 365 Security & Compliance portal. Select Alerts and ‘Manage alerts’, then click on ‘Add an alert’ in the right content pane.


Setting up the alert is fairly easy. Start by specifying a name and optionally a description. The most important setting is “Send this alert when…” where you specify which activities you want to get alerted on. Select ‘Added site collection admin’ here. Sadly, there is no way to monitor removal of site collection admins.

Lastly, specify who should be alerted, and save your alert.

Please note the following: “It can take up to 30 minutes or up to 24 hours after an event occurs for the corresponding audit log entry to be displayed in the search results.” (Search the audit log in the Office 365 Security & Compliance Center). This means that notifications are not immediate, but may take some time until the corresponding event appears in the audit logs and the alert gets triggered.
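The alert above fires on the same audit event that you can also query directly. The following script is an added example (not from the original post): it searches the unified audit log for the “Added site collection admin” activity, whose audit operation name is SiteCollectionAdminAdded, and lists who added an admin to which site. It assumes you are already connected to Exchange Online / Security & Compliance PowerShell (where Search-UnifiedAuditLog lives), and that the AuditData JSON carries UserId, SiteUrl and ModifiedProperties, which is an assumption about the record layout.

```powershell
# Added example, not part of the original post.
# Assumptions: an Exchange Online / Security & Compliance PowerShell session is open,
# and the AuditData JSON contains UserId, SiteUrl (or ObjectId) and ModifiedProperties.

function Get-SiteCollectionAdminAddedEvents {
    param(
        [datetime]$StartDate,
        [datetime]$EndDate,
        # audit-log name of the "Added site collection admin" activity
        [string[]]$Operations = @("SiteCollectionAdminAdded")
    )

    $records = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
        -Operations $Operations -ResultSize 5000

    foreach ($record in $records) {
        # AuditData is a JSON string; expand it to reach the event details
        $data = $record.AuditData | ConvertFrom-Json

        # Site URL: prefer SiteUrl, fall back to ObjectId (layout assumed)
        $site = $data.SiteUrl
        if (-not $site) { $site = $data.ObjectId }

        # The account that was added is expected in ModifiedProperties (assumed)
        $added = $null
        if ($data.PSObject.Properties.Name -contains "ModifiedProperties") {
            $added = ($data.ModifiedProperties | ForEach-Object { $_.NewValue }) -join ";"
        }

        [PSCustomObject]@{
            Time       = $record.CreationDate
            Operation  = $record.Operations
            Actor      = $data.UserId     # who performed the change
            Site       = $site            # which site collection
            AddedAdmin = $added
        }
    }
}

# Review the last 7 days, oldest event first
$end   = Get-Date
$start = $end.AddDays(-7)
Get-SiteCollectionAdminAddedEvents -StartDate $start -EndDate $end |
    Sort-Object Time |
    Format-Table -AutoSize
```

Because of the audit-log delay quoted above, run this with a start date a day or two earlier than the period you actually care about.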

Setting Administrators on all SharePoint Online Site Collections

Introduction

Imagine the following scenario: A user or a group of people need full access to all site collections in your Office 365 tenant. It could be a service account that gathers some statistics regularly, or a group of users who provide regular detailed support to your organization. How can you ensure that these users have access to all site collections, even newly created ones? And what is the best way to manage this group of users?

Currently, there is no way to automatically assign users or groups as site collection administrators in your tenant. And while you can manage the settings per site collection in the SharePoint Online Administration area of the Office 365 portal, doing so for dozens or hundreds of sites is not a productive use of time.

Preparation

But there’s a way to automate this process, and as usual PowerShell comes to the rescue. What you need are the OfficeDev PnP PowerShell cmdlets available at https://github.com/OfficeDev/PnP-PowerShell (review the installation instructions on that page if you haven’t installed those awesome cmdlets yet) and an account which has been assigned either the “SharePoint administrator” or “Global administrator” role in your tenant.

The cmdlet we are interested in is called Set-SPOTenantSite. It allows you to manage some selected properties of a SharePoint Online site collection, among them the owners. The ‘Owners’ parameter expects a list of accounts, for example: ‘user1@mytenant.onmicrosoft.com’, ‘user2@mytenant.onmicrosoft.com’, ‘user3@mytenant.onmicrosoft.com’. As you can see, it requires a user’s login name. But how about groups? If I create an Office 365 group, how can I determine its login name? While you can also achieve the same thing via PowerShell, this is one way to do it via the browser:

  1. Go to a SharePoint site and grant the group access
  2. While still on the permissions view, click on the group name so that you access its Personal Settings page
  3. On that page, it will list something like “Account c:0-.f|rolemanager|s-1-5-21-784567607-4288704409-1262486537-2161342”. “c:0-.f|rolemanager|s-1-5-21-784567607-4288704409-1262486537-2161342” is the login name which you need
  4. You can then remove the permissions for the group again

Next, you also need to think about which users you want to add as site collection administrators. If you have a group of users that should be added to all site collections, it makes sense to add all those users either to an Active Directory group (if you’re synchronising your Active Directory with Office 365) or an Office 365 group. That way, you can manage the group of users fairly easily, and add or remove users simply by managing the group – without having to do anything on the site collections directly.

The Script

Here’s the script that helps you set the site collection administrators on a filtered set of site collections. (I’m skipping any personal OneDrive for Business sites in the *mytenant-my.sharepoint/* path. Update: I just realised that OneDrive sites aren’t returned by default; the IncludeOneDriveSites parameter has to be set to $true for this. Either way, we’re skipping sites in the mytenant.sharepoint.com/teams/* path in this example.) Please note that in its current form below, it is meant to be run directly by someone who has account credentials for a “SharePoint administrator” or “Global administrator”. It can be adapted to use stored credentials, e.g. when you want to run it as a daily scheduled task on a server.

# Users and groups (login names) to be added as site collection administrators
$adminAccounts = "support@mytenant.onmicrosoft.com","superadmin@mytenant.onmicrosoft.com"

# Specify the tenant here
$tenant = "mytenant"

# Note: If you run this script regularly, please have a look at the following page to see how you can store credentials securely in Windows
# https://github.com/OfficeDev/PnP-PowerShell#settings-up-credentials
$cred = Get-Credential

Write-Host "Connecting to https://$($tenant)-admin.sharepoint.com"
Connect-SPOnline -Url "https://$($tenant)-admin.sharepoint.com" -Credentials $cred
Write-Host "Getting list of site collections"

# Note: we are only fetching the root site collection and any site collection in the /sites/ path
# Update the filters here to match your requirements
$sitecollections = Get-SPOTenantSite | Where-Object {($_.Url -like "*$($tenant).sharepoint.com/") -or ($_.Url -like "*$($tenant).sharepoint.com/sites/*")}

foreach ($sitecollection in $sitecollections) {
    Write-Host "Adding administrators to $($sitecollection.Url)"
    Set-SPOTenantSite -Url $sitecollection.Url -Owners $adminAccounts
}

That’s it, just a couple of lines of PowerShell which can save you a lot of time and help you with your support processes.

Lastly, if you want to run this script regularly to ensure that your users/groups are also added to new site collections and re-added to existing ones (if they have been removed), I would recommend following the instructions given on the OfficeDev PnP PowerShell page for setting up credentials in Windows’ Credential Manager and running the script as a scheduled task.
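As an added example (not the original post’s script), here is the same logic adapted for an unattended scheduled task: it reads the credential from Windows Credential Manager by label instead of prompting, writes a transcript log, keeps going when a single site fails, and offers a report-only mode. It assumes a generic credential named “SPOAdmin” has been created as described on the PnP PowerShell page, and that the log folder under %ProgramData% is writable by the task account.

```powershell
# Added example, not part of the original post.
# Assumptions: a Windows Credential Manager entry named "SPOAdmin" exists (see the
# PnP PowerShell credentials instructions) and the PnP cmdlets are installed.
param(
    [string]$Tenant = "mytenant",
    [string]$CredentialLabel = "SPOAdmin",      # name of the stored credential
    [string[]]$AdminAccounts = @("support@mytenant.onmicrosoft.com",
                                 "superadmin@mytenant.onmicrosoft.com"),
    [string]$LogPath = "$env:ProgramData\SPOAdminSync\sync-$(Get-Date -Format yyyyMMdd).log",
    [switch]$ReportOnly                         # list the sites, change nothing
)

New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
Start-Transcript -Path $LogPath -Append

try {
    # Passing a string label makes PnP read the credential from Credential Manager
    Connect-SPOnline -Url "https://$($Tenant)-admin.sharepoint.com" -Credentials $CredentialLabel

    # Root site collection plus everything under /sites/, as in the original script
    $sites = Get-SPOTenantSite | Where-Object {
        ($_.Url -like "*$($Tenant).sharepoint.com/") -or
        ($_.Url -like "*$($Tenant).sharepoint.com/sites/*")
    }
    Write-Host "Found $(@($sites).Count) site collection(s) to process"

    $failed = @()
    foreach ($site in $sites) {
        if ($ReportOnly) {
            Write-Host "[report] would set owners on $($site.Url)"
            continue
        }
        try {
            Set-SPOTenantSite -Url $site.Url -Owners $AdminAccounts -ErrorAction Stop
            Write-Host "[ok]     $($site.Url)"
        } catch {
            # one failing site (e.g. locked or read-only) must not abort the whole run
            Write-Warning "[failed] $($site.Url): $($_.Exception.Message)"
            $failed += $site.Url
        }
    }
    if ($failed.Count -gt 0) {
        Write-Warning "$($failed.Count) site(s) could not be updated, see $LogPath"
    }
}
finally {
    Stop-Transcript
}
```

Run it once with -ReportOnly from the task account to confirm the stored credential and the site filter work before scheduling it.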