Monitor Permission Changes in SPO via Alert Policy (Compliance Center Portal)

Dieter Tontsch (GMail) 937 Reputation points

My goal is to try to protect a SPO site, resp. a library, as well as possible in terms of access privileges. From what I understand, this isn't quite possible for Global Admins, which by default are also SharePoint Admins and therefore they are site admins, right? But then at least there might be a chance to get alerted if someone, being a SharePoint Admin or a regular user with the according privileges, does modify access privileges within SPO. Actually I am more interested in a particular site, but I don't know if this can be achieved per site or even per library only. I followed this article making use of alert policies (in my case I created a policy to get alerted on Category Security if Activity is "Shared file, folder or site", which says:

User (member or guest) shared a file, folder, or site in SharePoint or OneDrive for Business with a user in your organization's directory. The value in the Detail column for this activity identifies the name of the user the resource was shared with and whether this user is a member or a guest. This activity is often accompanied by a second event that describes how the user was granted access to the resource; for example, adding the user to a group that has access to the resource.

and the condition is like File: Site Collection URL is any of *

The point is I'd also like to get alerted if someone, even a global admin, does modify permissions from the library or site permission settings. Usually normal users do not have such access, but global admins and site owners do.

The point is that I don't get any alerts if permissions do change on the resp. library; it doesn't even work if I do not add this condition at all, while it should then work on any SharePoint or OneDrive location within our tenant, shouldn't it?

Isn't my approach a valid one? Is there any other option, without the use of third-party tools, to achieve my goal? Actually I am especially interested in monitoring access modifications performed by Global Administrators, because proper access for regular users can be hardened by assigning them minimal permissions.

kind regards,

Tags: SharePoint Server, SharePoint Server Management

Accepted answer
  1. Emily Du-MSFT 44,151 Reputation points Microsoft Vendor


    1. A Global administrator is a SharePoint administrator but is not automatically the site collection administrator of every site collection. For items, lists and site collections you can set unique permissions at each level. After setting unique permissions, even a global administrator cannot access the parts they have no permissions on.

    2. To use alert policies, you need to have an E5 license, or an E1 or E3 license with a Microsoft Defender for Office 365 P2, Microsoft 365 E5 Compliance, or Microsoft 365 eDiscovery and Audit add-on subscription. Make sure the alert policy status is on and wait for 24 hours after creating or updating an alert policy before alerts can be triggered by the policy.

    Here are screenshots of my alert policy and test results.





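The accepted answer's first point (give the library its own permissions instead of inheriting the site's) as an added PnP.PowerShell example; this is not code from the thread or from Microsoft's documentation. The site URL, library name, group name and user below are hypothetical placeholders, and it assumes the PnP.PowerShell module is installed and that the account running it can administer the site. One caveat a practitioner should keep in mind: unique permissions only stop people who are not site collection administrators. Anyone who is a site collection admin, or who can make themselves one (a SharePoint Admin, hence a Global Admin), is not blocked by this, which is why the audit events for site collection admin changes matter.

```powershell
# Added example, not code from the original thread. Gives one library its own
# permissions so the site's default groups no longer grant access to it.
# Assumptions (hypothetical values, replace for your tenant): $SiteUrl, $LibraryName,
# $OwnerGroup, $ReaderUpn; PnP.PowerShell installed; interactive sign-in available.
Import-Module PnP.PowerShell

$SiteUrl     = 'https://contoso.sharepoint.com/sites/Finance'   # hypothetical
$LibraryName = 'Board Papers'                                    # hypothetical library title
$OwnerGroup  = 'Board Papers Owners'                             # hypothetical SharePoint group
$ReaderUpn   = 'analyst@contoso.com'                             # hypothetical user

Connect-PnPOnline -Url $SiteUrl -Interactive

# Stop inheriting from the site. -CopyRoleAssignments:$false means the library does
# NOT start with a copy of the site's ACL; -ClearSubscopes also drops any unique
# permissions that folders or items below it already had, so nothing is left behind.
Set-PnPList -Identity $LibraryName -BreakRoleInheritance -CopyRoleAssignments:$false -ClearSubscopes

# Grant back only what is needed. A dedicated SharePoint group is preferable to
# individual users: later membership changes then surface as AddedToGroup /
# RemovedFromGroup events in the unified audit log.
Set-PnPListPermission -Identity $LibraryName -Group $OwnerGroup -AddRole 'Full Control'
Set-PnPListPermission -Identity $LibraryName -User  $ReaderUpn  -AddRole 'Read'

# Verify that inheritance is really broken before trusting the setup.
$list   = Get-PnPList -Identity $LibraryName
$unique = Get-PnPProperty -ClientObject $list -Property HasUniqueRoleAssignments
if (-not $unique) {
    throw "Inheritance on '$LibraryName' is still intact; permissions were not isolated."
}
"Library '$LibraryName' now has unique permissions."
```

After running this, review the resulting role assignments in the library's permission page: SharePoint keeps the account that broke inheritance from locking itself out, so the running account typically ends up with Full Control and should be removed if it is not supposed to have access.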

2 additional answers

  1. Dieter Tontsch (GMail) 937 Reputation points

    Thanks, your input is very helpful.
    A Global Admin is not a Site (Collection) Admin, but it is a SharePoint Admin. Therefore he/she can assign himself as a site admin, right? Probably there is nothing one can do about this regarding Global Admins. But, if this alerting would work on my side, would it also alert on such changes, site admin modifications? In that case of course the URL would need to be instead of *?

    I did not have the necessary licenses assigned, I only had a Microsoft E3. But now I have assigned myself (I am the one who should get the Alert notifications) also a Microsoft Defender for Office 365 (Plan 2). I still do not get alerted.


    Licenses assigned to Alert Recipient

    Do you see any issues with this?

    1. Alert Recipient has Microsoft E3 (not Office E3) + Microsoft Defender for Office 365 (Plan 2)
    2. If someone does permission modifications within * the recipient (which is me) does not get an alert.
    3. You just answered me re. Site collection admin.

    But any idea why this doesn't work for me yet? Is my licensing not enough? I have to admit that the alert policy has been in place since yesterday, but my Defender license assignment is just since one hour. Or is it not about me as the alert recipient being licensed accordingly, but the one who does the modifications?

  2. Dieter Tontsch (GMail) 937 Reputation points

    Hi, for a while it did not work as expected. I couldn't manage to get permission-based Alert Policies to work in terms of notifications.
    I also contacted MS Support. They pointed me to Activity Alerts instead of Alert Policies; I don't know the difference.
    We could make it work (more or less, with huge latency of many hours) to get notified like the following:
    * SiteAdminAdded by certain user(s) --> Notify certain user(s) --> this worked somehow, but it's weak: huge latency and no detailed information about the particular activity. This stuff seems deprecated to me; the notification email even contains links to which then says it's decommissioned.


    Secondly, after a long time I also managed to get an Alert Policy like this to work:

    The latter works much better, but I am now confused why it didn't work before like this:

    The only difference is SiteCollectionPermissionAdded vs. SitePermissionModified. Maybe it is because of Site collection vs. Site?

    And several other combinations also do not work, like. Seems to me like a bit of a beta thing.

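The whole thread revolves around one question: are permission changes on a given site reaching the audit pipeline at all, and can an alert policy be bound to them? The following is an added example, not code posted in the thread, that does the check a practitioner would want before blaming the alert policy: it queries the unified audit log for the access-granting SharePoint operations on one site and flags those performed by privileged accounts, then creates the equivalent alert policy from Security & Compliance PowerShell instead of the portal. The site URL, recipient address and privileged-account list are hypothetical; it assumes an Exchange Online session (Connect-ExchangeOnline) for Search-UnifiedAuditLog, a Security & Compliance session (Connect-IPPSSession) for New-ProtectionAlert, and the audit licensing described in the accepted answer. The Activity.SiteCollectionUrl filter property is the documented OPATH property behind the portal's "Site collection URL" condition, but the exact string comparison should be verified in your tenant (SharePoint records the URL without a trailing slash).

```powershell
# Added example, not code from the original thread.
# (1) Confirm permission-change events for one site are in the unified audit log.
# (2) Create an alert policy for the same operations, scoped to that site.
# Assumptions (hypothetical values, replace for your tenant): $SiteUrl, $Recipient,
# $PrivilegedUpns; Connect-ExchangeOnline and Connect-IPPSSession already done.

$SiteUrl        = 'https://contoso.sharepoint.com/sites/Finance'        # hypothetical
$Recipient      = 'secops@contoso.com'                                   # hypothetical
$PrivilegedUpns = @('ga-admin@contoso.com', 'spo-admin@contoso.com')     # hypothetical

# Audited SharePoint operations that grant, change or revoke access. The names are
# the operation values from the Purview audited-activities list; the portal shows
# friendlier labels for the same events (e.g. "Added site collection admin").
$PermissionOps = @(
    'SiteCollectionAdminAdded', 'SiteCollectionAdminRemoved',
    'PermissionLevelAdded', 'PermissionLevelModified', 'PermissionLevelRemoved',
    'AddedToGroup', 'RemovedFromGroup', 'GroupAdded', 'GroupRemoved',
    'SharingInheritanceBroken', 'SharingInheritanceReset',
    'SharingSet', 'SharingRevoked', 'SharingInvitationCreated', 'SharingLinkCreated'
)

function Get-SpoPermissionChanges {
    param(
        [Parameter(Mandatory)] [string] $SiteUrl,
        [int]      $DaysBack   = 7,
        [string[]] $Operations = $PermissionOps
    )
    $start = (Get-Date).AddDays(-$DaysBack)
    $end   = Get-Date
    # One call returns at most 5000 records; page through with a fixed SessionId.
    $sessionId = 'spo-perm-' + [guid]::NewGuid().ToString()
    $rows = @()
    do {
        $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                    -Operations $Operations -ResultSize 5000 `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet
        if ($page) { $rows += $page }
    } while ($page -and $page.Count -eq 5000)

    foreach ($row in $rows) {
        # AuditData is a JSON document; the interesting fields live there.
        $d = $row.AuditData | ConvertFrom-Json
        $site = if ($d.SiteUrl) { $d.SiteUrl } else { $d.ObjectId }
        if ($site -notlike "$SiteUrl*") { continue }
        [pscustomobject]@{
            Time       = $d.CreationTime
            Operation  = $d.Operation
            Actor      = $d.UserId
            Privileged = ($PrivilegedUpns -contains $d.UserId)
            Target     = $d.TargetUserOrGroupName
            TargetType = $d.TargetUserOrGroupType
            ItemType   = $d.ItemType
            Object     = $d.ObjectId
        }
    }
}

# (1) Run the check. If nothing appears here for a change you just made, the alert
# policy cannot fire either: SharePoint audit records can take hours to be ingested.
$changes = Get-SpoPermissionChanges -SiteUrl $SiteUrl -DaysBack 7
$changes | Sort-Object Time |
    Format-Table Time, Operation, Actor, Privileged, Target, ItemType -AutoSize
# Only what privileged accounts did, which is what the question is really after.
$changes | Where-Object Privileged | Format-List

# (2) Alert policy bound to the same operations and scoped to the site.
# Filter syntax follows the OPATH properties New-ProtectionAlert accepts for activity
# alerts; verify the comparison against a real record's SiteCollectionUrl value.
New-ProtectionAlert -Name 'SPO permission change - Finance site' `
    -Category ThreatManagement `
    -ThreatType Activity `
    -Operation $PermissionOps `
    -Filter "Activity.SiteCollectionUrl -eq '$SiteUrl'" `
    -AggregationType None `
    -Severity Medium `
    -NotifyUser $Recipient `
    -Comment 'Added example: alerts on any access-changing operation on the Finance site'
```

Two latencies stack here and explain the "many hours" observed in the thread: a new or changed alert policy takes up to 24 hours to become active, and the alert is generated from the audit record, so the audit ingestion delay for SharePoint events is added on top. Re-running Get-SpoPermissionChanges after a deliberate test change tells you which of the two is still outstanding.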