Sharepoint Online - Access Rules

Jerry Xu-MSFT 7,961 Reputation points
2020-11-02T01:17:33.733+00:00

Hi all,

I need some help with granting permissions in SharePoint Online.

I'm planning to use SharePoint as a file server, but the main difference between an on-premises file server and SharePoint Online is that the IT department must not have access to any files besides their own.

The permissions for all sites can't be changed by any IT employee.

I know that I can change Office 365 permissions and not grant the SharePoint Admin role to IT employees, keeping this role applied only to me. But this means that I will be the person who manages SharePoint, and that is not what I am looking for.

I want IT support to administer all of SharePoint except site permissions.

So, the goal is to enable IT to support the whole O365 environment except for SharePoint site permissions. Is there any way to grant the SharePoint Admin role to IT and remove this specific 'grant access feature' from the IT team?

Thanks in advance.


Accepted answer

trevorseward 11,711 Reputation points
2020-11-03T18:34:49.737+00:00

    You cannot grant an administrator a role such as SharePoint admin or Global Admin and deny them the capability to alter permissions. Your best bet is to instead monitor the M365 Audit Log which will show all access to sites/content/permission modification actions.

    You can potentially look into Conditional Access Policies to block specific accounts from navigating to a site, but that won't prevent them from altering permissions. You could also look at using Labels to restrict content, but again someone with Global Admin can modify those labels -- the Audit log will come into play, here.

    Ultimately, you need to trust your admins to be doing the right thing. This is what we refer to as an "HR problem" rather than a technological problem.

    1 person found this answer helpful.

1 additional answer

Allen Xu_MSFT 13,861 Reputation points
2020-11-03T03:31:19.67+00:00

    For granting users all permissions except managing site permissions, I suggest you refer to the following steps.

    1. Grant IT employees the SharePoint admin role in the O365 admin center:
    Go to O365 admin center -> Users -> Active users -> click display name -> Manage roles -> Admin center access:
    [image: 37043-1-2.png]

    2. Create a group and put IT employees into it:
    Go to O365 admin center -> Groups -> Active groups -> Add a group:
    [image: 37025-1-3.png]

    3. Go to a site collection -> Settings -> Site permissions -> Advanced permission settings -> Permission Levels -> Add a Permission Level:
    Select All and uncheck Manage Permissions:
    [image: 36979-1-4.png]

    4. Invite the IT group and grant the permission level:
    Grant Permissions:
    [image: 36980-1-5.png]

    Invite the IT employees group and select the Permission Level you created above to grant to the group:
    [image: 37051-1-6.png]

    5. Repeat the operation in step 4 in your other site collections.

    I hope this information has been useful, please let me know if you still need assistance.


    1 person found this answer helpful.
