I have recently presented “SharePoint Online ramp-up for SharePoint On-Premises professionals” session at the SharePoint Saturday Chicago Suburbs and promised attendees an articles of detailed walk through of what are my best practices for initial Office 365 tenant signup process and administrative security configuration for Office 365 and SharePoint Online.
Setting up SharePoint Online tenant with the best practices starts as soon as you sign up for Office 365 tenant (Part I of this article). Next step before configuring site taxonomy and provisioning user site collections are to configure least-privileged administrative accounts for SharePoint Online Administration.
In this article, we will walk through my personal best practices to configure SharePoint Online administrative access.
Office 365 and SharePoint Online Authorization Model - Security Roles, Security Groups, and Site Membership
Before we configure SharePoint Online Administrators, it is important to understand the Office 365 and SharePoint Online administrative roles.
- Security Roles in Office 365 and SharePoint Online
- Office 365 Roles – Billing Administrator, Global Administrator, Password Administrator, Service Administrator, and User Management Administrator. Out of all these roles, most common role is Global Administrator.
- SharePoint Online Roles – SharePoint Online Service Administrator – There is no specific role for SharePoint Online Administrator like Farm Administrator for On-Premises implementation. Any Office 365 Global Administrator with SharePoint Online License are considered as SharePoint Online Administrator.
- Site Collection Level Roles – Site Collection Administrator, Same as SharePoint On-Premises
- Site Level Roles – Site Owners, Site Members, Site Visitors, Same as SharePoint On-Premises
- Security Groups in Office 365 and SharePoint Online
- Office 365 Global Security Groups- These groups created by global administrator, by default all Office 365 global administrators are added to “Company Administrator” group, On premise AD groups can be mapped to the Global Security Groups when AD synchronization is configured. If you have many users and if they need to have permissions across more than one SharePoint Online Site Collection, this is preferred method.
- SharePoint Online Site Security Groups- Same as On-Premises SharePoint
Prescriptive Guidance for SharePoint Online Administrative Management
Here are my personal best practices & prescriptive guidance to configure SharePoint Online Administrative accounts and how to manage Site Collection Administrative access. This usually falls into three major categories – SPO System Account, SPO Admins Group, and Configure SPO Admin access to the SPO Site Collections.
Step 1 – Create SharePoint Online Administrative System Account
One of the first steps is to create SPO administrative account. You should always plan to create this account as Cloud ID, E.g. email@example.com. Having this as Cloud ID, it allows you to access your tenant even if On-Premises ADFS environment is unavailable.
Some of the reasons why you would have this account are running workflows with elevated privileges requires permanent account, service account for excel data connections, service accounts for BCS, system account for migration tools, or SPO Power Shell script execution account.
You can provision new Cloud Account from the Office 365 Administration site. Click on the users and groups section to provision new account.
Specify System account details especially User Name – SP_Admin. Please notice that we are creating Cloud Account here.
You must specify this account as Global Administrator. As mentioned earlier, There is no specific role for SharePoint Online Administrator like Farm Administrator for On-Premises implementation. Any Office 365 Global Administrator with SharePoint Online License are considered as SharePoint Online Administrator. Additionally, specify the real email address as Alternative Email Address for various reasons including system alerts or MS support communication.
As mentioned above, Global Administrator with SharePoint Online License makes this account SharePoint Online Administrator.
Click Next and save SP_Admin account information. This account should be listed on the Office 365 Users and Groups page as Cloud ID.
Step 2 – Configure SharePoint Online Administrators Group
Standalone SPO administrative account is great for system administrative access but in reality, you would require to have SharePoint Online administrative access for the human accounts. Managing all the SharePoint administrative access from single place would allow ease of administrative account maintenance and usually it can be done by Office 365 Global groups.
You must always plan to create this group as Cloud Group e.g. “SharePoint Admins” and add SharePoint Administrative System Account (sp_admin) and any other human SharePoint administrators in “SharePoint Admins” group. Optionally, you can have this account as synced On-Premises AD Distributed or Security group but having this as Cloud group allows you to access your tenant even if On-Premises ADFS environment is unavailable.
You can provision new Cloud Group from the Office 365 Administration site. Click on the users and groups section to provision new account.
Create a new group called “SharePoint Admins” and add “SP_Admin” and any other human SharePoint administrator accounts in the group. This would allow you to have single place to manage all the SharePoint administrative access. You can have peace of mind that only accounts in this group would have SharePoint Site Collection and administrative access.
Click Next and save SharePoint Admins group information. This group should be listed on the Office 365 Users and Groups page as Cloud Group.
Step 3 – Configuring SharePoint Online Administrators Access
By default, OOB site collections are configured with “Company Administrator” as Primary and Secondary Site Collection Admins. “Company Administrator” are anyone who has Office 365 Global Administrator role assigned. Usually this is bad practice to have Company Administrator access to the SharePoint Online site collections. Usually Global Admins as Exchange or Lync administrators or any other Office 365 workload administrators shouldn’t have access to the SharePoint Online Admin site and SharePoint site collections.
To configure least privileged SharePoint Online site collection administrative access, standardize the practice or governance policy to have “SP_admin” Cloud ID as Primary Site Collection Administrator and “SharePoint Admins” Cloud Group as Secondary Site Collection Administrators for all site collections.
With “SP_Admin” Cloud ID and “SharePoint Admins” Cloud group are configured in previous steps, it’s time to lock down out of box and future SharePoint Site Collections with SharePoint administrative access. You can start locking down administrative access by accessing SharePoint Administration site (https://yourdomain-admin.sharepoint.com) and visit “Manage Administrators” page for all the Site Collections.
As you may notice, first time you try to configure SharePoint Administrators on the OOB site collections, “Company Administrator” are configured as Primary and Secondary Site collections. As discussed earlier, Company Administrator is in-built Office 365 role which includes all the accounts with Global Administrator role. It means, everyone including Exchange Administrator or any other Office 365 workload administrators would have administrative access to the SharePoint Online sites. This must be lock down with SharePoint Administrators.
To ensure all the SharePoint site collections and sites are managed by only SharePoint Administrators, plan to specify “SP_Admin” Cloud ID as primary site collection administrator and “SharePoint Admins” Cloud Group as secondary site collection administrators.
As you notice, after following above steps, if you visit site collection properties, you would able to see all the site collections would have “SharePoint Admin” and “SharePoint Admins” as site collection administrators.
Also, each site collection would have “SharePoint Admin” and “SharePoint Admins” as site collection administrators on the Permissions page.
Hope this guide provide you best practices and guidance on how to manage your SharePoint Online environment with least-privileged administrative access.