Review Auto-Assign as Site Collection Administrator Process
Review the way Sharegate uses the auto-assign feature
- Handle differently per type of site (OneDrive, Groups, Team sites)
- Setting per tenant / farm / connection
- Option to auto-remove after each operations
- Handle special cases (eDiscovery sites, NO ACCESS or Read-only)
Damari Trezub commented
I would appreciate a permament solution – a prompt with choices : Yes, No and a checkbox ‘Apply to all in the future’ would do, from my perspective.
I ran a few reports on External Users in SG on both site collections and OneDrive, to check if users are sharing files with external users from their OneDrive. This action (I presume), also added me as "Administrator" to every user's personal OneDrive. The issue is that the users, whenever they are looking at file Access Management from their OneDrive, will see my name also, unexpectedly to the users. Is there something we can do so the reporting will run without showing/adding me to the user's OneDrive?
Theresa Yu Chen
Auto-Assign as Administrator needs a filter so that I am not added to over 7000+ OneDrive accounts as Administrator as I experienced with this option. Users complained that they could see my administrator account in OneDrive when sharing - this was completely disastrous in terms of gaining trust from our user base. It took over 24 hours running Sharegate to remove myself from all 7000+ OneDrive accounts not to mention this throttled our tennant as a result and we had poor performance across Office 365. This has resulted in a Operational, Change and Communication Management nightmare that shoudl be easily avoided with the right deployment. Please don't assume that every customer is ready to hand over the governance reigns to an application functionality that has been poorly implemented by you the software vendor. Sharegate and my own reputation has suffered as a result. Please fix this option as you said you would.
Hello, I activated Auto Assign as Administrator and it assigned me to thousands of OneDrive Accounts at my organisation. This meant that I appeared on every OneDrive account automatically when documents were shared. Is there a way of activating it without auto assigning as Administrator on OneDrive accounts?
Jan K commented
From a security & compliance perspective, the current situation has undesired side effects. We had to explain several times why one of our IT guys was mentioned as an owner for all OneDrives. Our security officer was not very happy, as you can imagine. OneDrive is regarded being strictly personal, and shouldn't inadvertently be owned by somebody else due to reporting etc. I agree on all improvements mentioned above. Please put this on the very top of your to-do list!
Samuel Levesque commented
Totally agree that It should Auto-remove after each operation/batch, I just had justify what I did to the security guy from the company.
The new file manage access panel now shows all site collection admins. If the add current user as SCA is enabled, SG adds you to each ODFB. For our tenant, that is 100,000 ODFB. Our IT Help desk gets tickets asking why does this person have access to my personal ODFB. Adding someone as SCA should not be so easy. There should also be a means to remove a person that was added via SG from ODFB site collection excluding their own. Our scripts that inventory the tenant adds a person as SCA to run the scan then removes that person when the scan is done inventorying that site.
Glenn Heydolph commented
I recently ran into this same issue regarding OneDrive. If you wish to remove administrator access for a specific user from their OneDrive's heres the Sharegate link on how to do so below:
Michael Buckingham commented
I recently spent several hours getting an admin who was doing a migration removed as site collection admin of eveyone of our MySites. We were getting support tickets because she was showing up as owner of confidential files in user's OneDrives. All because she click yes when Sharegate offer to auto assign permissions. This is a half baked solution that needs to be refined immediately.
This should really be changed. I can thing of multiple things that could be done to make this better. Rather than setting this globally, it should be set per tenant/connection, or even per web app. I am typically connected to several tenants, and I don't want site collection admin access auto-applied everywhere. Furthermore, it would be ideal to be able to specify the account, or better yet - the group that we want to automatically grant site collection admin access. More often than not, more than one user performs these administrative tasks. I would rather grant site collection admin access to a group with a professional looking name than a bunch of individual user accounts.
Feedback sent from the OneDriveInfo view.
For governance reasons our team is not added to the site collection admin group, but as a SharePoint admin they can run reports on the data. Could there be an option to add a user as a site collection admin while running the report and removing them after it is completed?
Feedback sent from the Explorer view.
Dany Lavertu commented
One Drive is perceived to be completely private and can cause question when someone is assigned as admin.
Idea: option to have a dynamic way of giving onedrive permissions to a admin user for the duration of an action (repport or otherwise) and it will be removed after the action. This would be verry helpfull.