Best Practices for Configuring SharePoint Online Tenant Part II – Streamline SharePoint Administrative Access

I recently presented the “SharePoint Online ramp-up for SharePoint On-Premises professionals” session at SharePoint Saturday Chicago Suburbs and promised attendees an article with a detailed walkthrough of my best practices for the initial Office 365 tenant signup process and the administrative security configuration for Office 365 and SharePoint Online.

Setting up a SharePoint Online tenant with best practices starts as soon as you sign up for the Office 365 tenant (Part I of this article). The next step, before configuring the site taxonomy and provisioning user site collections, is to configure least-privileged administrative accounts for SharePoint Online administration.

In this article, we will walk through my personal best practices for configuring SharePoint Online administrative access.

Office 365 and SharePoint Online Authorization Model - Security Roles, Security Groups, and Site Membership

Before we configure SharePoint Online administrators, it is important to understand the Office 365 and SharePoint Online administrative roles.

[Figure: Office 365 and SharePoint Online authorization model]

  • Security Roles in Office 365 and SharePoint Online
    • Office 365 Roles – Billing Administrator, Global Administrator, Password Administrator, Service Administrator, and User Management Administrator. Of these, the most common role is Global Administrator.
    • SharePoint Online Roles – SharePoint Online Service Administrator. There is no specific role for SharePoint Online Administrator like Farm Administrator in an On-Premises implementation; any Office 365 Global Administrator with a SharePoint Online license is considered a SharePoint Online Administrator.
    • Site Collection Level Roles – Site Collection Administrator, same as SharePoint On-Premises
    • Site Level Roles – Site Owners, Site Members, Site Visitors, same as SharePoint On-Premises
  • Security Groups in Office 365 and SharePoint Online
    • Office 365 Global Security Groups – These groups are created by a global administrator. By default, all Office 365 global administrators are added to the “Company Administrator” group. On-premises AD groups can be mapped to Global Security Groups when AD synchronization is configured. If you have many users who need permissions across more than one SharePoint Online site collection, this is the preferred method.
    • SharePoint Online Site Security Groups – Same as On-Premises SharePoint

Prescriptive Guidance for SharePoint Online Administrative Management

Here are my personal best practices and prescriptive guidance for configuring SharePoint Online administrative accounts and managing site collection administrative access. This usually falls into three major categories – the SPO System Account, the SPO Admins Group, and configuring SPO Admin access to the SPO site collections.

[Figure: SharePoint Online administrative accounts management]

Step 1 – Create SharePoint Online Administrative System Account

One of the first steps is to create the SPO administrative account. You should always plan to create this account as a Cloud ID, e.g. sp_admin@yourdomain.onmicrosoft.com. Having it as a Cloud ID allows you to access your tenant even if the On-Premises ADFS environment is unavailable.

Some of the reasons you would have this account: running workflows with elevated privileges requires a permanent account, and it serves as the service account for Excel data connections, the service account for BCS, the system account for migration tools, or the SPO PowerShell script execution account.

You can provision a new Cloud Account from the Office 365 Administration site. Click on the users and groups section to provision the new account.


Specify the system account details, especially the User Name – SP_Admin. Notice that we are creating a Cloud Account here.


You must specify this account as a Global Administrator. As mentioned earlier, there is no specific role for SharePoint Online Administrator like Farm Administrator in an On-Premises implementation; any Office 365 Global Administrator with a SharePoint Online license is considered a SharePoint Online Administrator. Additionally, specify a real email address as the Alternative Email Address for various reasons, including system alerts or MS support communication.


As mentioned above, a Global Administrator with a SharePoint Online license makes this account a SharePoint Online Administrator.


Click Next and save the SP_Admin account information. This account should be listed on the Office 365 Users and Groups page as a Cloud ID.


Step 2 – Configure SharePoint Online Administrators Group

A standalone SPO administrative account is great for system administrative access, but in reality you will also require SharePoint Online administrative access for human accounts. Managing all SharePoint administrative access from a single place eases administrative account maintenance, and usually it can be done with Office 365 Global groups.

You must always plan to create this group as a Cloud Group, e.g. “SharePoint Admins”, and add the SharePoint Administrative System Account (sp_admin) and any other human SharePoint administrators to the “SharePoint Admins” group. Optionally, you can have this as a synced On-Premises AD Distribution or Security group, but having it as a Cloud group allows you to access your tenant even if the On-Premises ADFS environment is unavailable.

You can provision a new Cloud Group from the Office 365 Administration site. Click on the users and groups section to provision the new group.


Create a new group called “SharePoint Admins” and add “SP_Admin” and any other human SharePoint administrator accounts to the group. This gives you a single place to manage all SharePoint administrative access, with the peace of mind that only accounts in this group have SharePoint site collection and administrative access.


Click Next and save the SharePoint Admins group information. This group should be listed on the Office 365 Users and Groups page as a Cloud Group.


Step 3 – Configuring SharePoint Online Administrators Access

By default, OOB site collections are configured with “Company Administrator” as the Primary and Secondary Site Collection Administrator. “Company Administrator” is anyone who has the Office 365 Global Administrator role assigned. It is bad practice to give Company Administrator access to SharePoint Online site collections: Global Admins who are Exchange or Lync administrators, or any other Office 365 workload administrators, shouldn’t have access to the SharePoint Online Admin site and SharePoint site collections.

To configure least-privileged SharePoint Online site collection administrative access, standardize the practice or governance policy of having the “SP_admin” Cloud ID as Primary Site Collection Administrator and the “SharePoint Admins” Cloud Group as Secondary Site Collection Administrator for all site collections.

With the “SP_Admin” Cloud ID and “SharePoint Admins” Cloud group configured in the previous steps, it’s time to lock down the out-of-the-box and future SharePoint site collections with SharePoint administrative access. You can start locking down administrative access by opening the SharePoint Administration site (https://yourdomain-admin.sharepoint.com) and visiting the “Manage Administrators” page for each of the site collections.


As you may notice, the first time you try to configure SharePoint Administrators on the OOB site collections, “Company Administrator” is configured as the Primary and Secondary Site Collection Administrator. As discussed earlier, Company Administrator is a built-in Office 365 role which includes all accounts with the Global Administrator role. It means everyone, including the Exchange Administrator or any other Office 365 workload administrators, would have administrative access to the SharePoint Online sites. This must be locked down to SharePoint Administrators.


To ensure all SharePoint site collections and sites are managed only by SharePoint Administrators, plan to specify the “SP_Admin” Cloud ID as primary site collection administrator and the “SharePoint Admins” Cloud Group as secondary site collection administrator.


As you will notice after following the above steps, if you visit the site collection properties, all the site collections have “SharePoint Admin” and “SharePoint Admins” as site collection administrators.


Also, each site collection has “SharePoint Admin” and “SharePoint Admins” as site collection administrators on the Permissions page.
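The same three steps can be scripted so that every existing site collection is locked down consistently and new ones can be re-checked later. This is an added example and not code from the original post; it uses the MSOnline and SharePoint Online Management Shell modules, and the tenant prefix, UPN, usage location, license SKU name and the claim-encoded group login format are assumptions to adjust for your tenant.

```powershell
# Added example (not from the original post): Steps 1-3 as a script.
# Assumptions: tenant prefix, UPN, usage location, SKU name and the group claim format.
$Tenant    = "yourdomain"                                  # assumption: your tenant prefix
$AdminUpn  = "sp_admin@${Tenant}.onmicrosoft.com"          # Cloud ID, works even if ADFS is down
$GroupName = "SharePoint Admins"
$SpoSku    = "${Tenant}:SHAREPOINTENTERPRISE"              # assumption: confirm with Get-MsolAccountSku

Connect-MsolService                                        # sign in as an existing Global Admin

# Step 1: cloud-only system account. Global Administrator is required for SPO admin rights,
# so keep its license limited to SharePoint Online to avoid Exchange/Lync admin exposure.
$initialPassword = Read-Host "Initial password for $AdminUpn"
New-MsolUser -UserPrincipalName $AdminUpn -DisplayName "SharePoint Admin" `
    -UsageLocation "US" -Password $initialPassword -ForceChangePassword $false `
    -PasswordNeverExpires $true -LicenseAssignment $SpoSku | Out-Null
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberEmailAddress $AdminUpn

# Step 2: cloud security group holding sp_admin plus every human SharePoint admin
$group   = New-MsolGroup -DisplayName $GroupName -Description "SharePoint Online administrators"
$spAdmin = Get-MsolUser -UserPrincipalName $AdminUpn
Add-MsolGroupMember -GroupObjectId $group.ObjectId -GroupMemberType User `
    -GroupMemberObjectId $spAdmin.ObjectId

# Step 3: sp_admin becomes primary site collection admin everywhere, the group is added as
# a site collection admin, and any other admin (typically "Company Administrator") is reported.
# Assumption: the group is addressed by its SPO claim login "c:0t.c|tenant|<objectid>".
Connect-SPOService -Url "https://${Tenant}-admin.sharepoint.com"
$groupLogin = "c:0t.c|tenant|$($group.ObjectId)"
foreach ($site in Get-SPOSite -Limit All) {
    Set-SPOSite -Identity $site.Url -Owner $AdminUpn
    Set-SPOUser -Site $site.Url -LoginName $groupLogin -IsSiteCollectionAdmin $true
    Get-SPOUser -Site $site.Url -Limit All |
        Where-Object { $_.IsSiteAdmin -and $_.LoginName -notin @($AdminUpn, $groupLogin) } |
        ForEach-Object { Write-Warning "$($site.Url): extra site collection admin '$($_.LoginName)'" }
}
```

The final loop only reports leftover site collection admins; once reviewed, each can be removed with Set-SPOUser -IsSiteCollectionAdmin $false so that the audit and the change are separate, deliberate steps.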


I hope this guide provides you with best practices and guidance on how to manage your SharePoint Online environment with least-privileged administrative access.

This entry was posted in Office 365.

7 Responses to Best Practices for Configuring SharePoint Online Tenant Part II – Streamline SharePoint Administrative Access

  1. I would add the importance of planning for and choosing an effective organization name. Now that you’ve used niksspssuburbs.sharepoint.com, other organizations won’t be able to use it. Of course, nobody else probably will need to. However, I was working with a client who had been planning to use their abbreviated name, but when it came time to set up their tenant, that organization name was already being used.

    Also, I’d encourage folks to plan their custom domain names effectively and secure those and any SSL certificates ahead of time to prevent project delays.

    • Nik Patel says:

      Eric, it’s great to see you here. You have brought up a great point. Organization name, default domain name can’t be used across multiple tenants mainly because of public domain system and Office 365 creates multiple DNS entries behind the screen – mainly for yourdomain.sharepoint.com and yourdomain.onmicrosoft.com.

  2. Sam Keloga says:

    Nik, great article. I am new to SharePoint. Could you please clarify how the users of the ‘SharePoint Admins’ Group are prevented from having Global Administrator privileges or SharePoint Online Administrator privileges? As per my understanding, if the users of the ‘SharePoint Admins’ Group are created by following the instructions from Step 1 above, they would still have Global Administrator privileges. Thanks.

    • Nik Patel says:

      Hi Sam.. The way SPO works, you must assign Global Administrator privilege with SharePoint online license to become SharePoint Online Administrator. At this moment, there is no other way around it.. I have asked this many times to MS folks and it’s by design.. Unfortunately, that’s how it is.. As long as you don’t assign Exchange or Lync or other licenses, you are guaranteed that Global admin will be SP admin in addition to managing domain users and groups.. Which, I really hope gets corrected.. It’s defective design but it’s expected behavior…

  3. Just to re-confirm. There is no way to grant any user Site Admin to all Site collections from the UI without doing it manually for each site or writing a SPO Management Shell script. And we are now learning that apparently, you can’t add SPO Tenant cloud groups to Site admin using Management Shell Script for some reason. These seem like tough limitations on SPO.

  4. Now that we have some admin granularity in the Office 365 Admin panel, maybe instead of Global Admin for the sp_admin account we can now configure a Custom Admin with only SharePoint Online Admin ticked?
