SharePoint Online user policy

I’m currently working in a large enterprise where we have a dedicated team of SharePoint administrators. This team is responsible for the current on-premises SharePoint environment. The way we give this team control over the whole environment is with the option ‘User Policy’ within the web application. Here we give the whole team administrator rights for the web application. This way we do not have to assign rights to every single site collection.

In SharePoint Online this option is not available and needs to be set on every site collection. Here we can use 2 option.

  • Use the same group and add them to the secondary site collection owners
  • Use the built-in roles from Office 365 and add this to the secondary site collection owners

We have chosen for the second option because we also can control the level of access to all other parts of SharePoint Online administration.

How can we find this role?

First we need to know this role is called within Office 365. Here we have a full set of roles

For SharePoint we have the Role ‘SharePoint administrator’. In another blog post I will go deeper into these roles and what the capabilities are.

Adding this role by hand

If you have just a few site collections, you can go to the SharePoint admin site and add the user to the secondary administrator by using the username ‘SharePoint Service Administrator’ Select the site collection and in the ribbon click on ‘Owners’ and ‘Manage administrators’

In the box next to ‘Site collection administrators’ type ‘SharePoint Service Administrator’ and click on ‘Check names’ or search for it in the address book. To be able to find this role within SharePoint, you need to have this role assigned to at least 1 person in your organization.

Do not forget to add this role to every new site collection!

Adding this role with a script

While doing it by hand is a solution and doable with just a few sites, but a nightmare when you have a lot of sites. So we how can we script this?

My first resource for scripting against Office 365 is PowerShell and this is possible with the PowerShell scripts delivered by Microsoft (http://www.powershellgallery.com/packages/MSOnline/1.0). The only problem with this is that we need a login name to give this role access. So the first thing is to find the login name for the role ‘SharePoint Service Administrator’. To find the login name you have to add the user to 1 site collection and query the users with Get-SPOUser

The login name is in the form of an Active Directory SID.

Now that we have the login name we can create a script that will add this role to all sites. The login name has a format of c:0-.f|rolemanager|" Here is an example of this script

Now that we have a script for assigning this role to all site collections we want this to run once a while, for this we can use Azure Automation or the new Azure Functions.

Another great idea is to make sure that this is set within your provisioning process.