Introduction
Being a Global Administrator [GA] in the Microsoft 365 portal gives you unrestricted permissions to access and configure all of its components and settings. The SharePoint Administrator role, on the other hand, allows you to administer and configure everything related to the SharePoint platform, which of course includes OneDrive.
Note
You should not use either of these roles on a daily basis; ideally, take advantage of Privileged Identity Management [PIM] for elevated tasks.
In this blog post, I am going to examine a situation where there is a valid request to access someone’s OneDrive [which, of course, has been approved by the legal and HR departments].
General Checks
In the Contoso demo tenant, a few accounts have roles assigned for the purpose of this article. Let’s take a closer look.
- Admin is an account with Global Administrator role assigned.
- Allan is an account with SharePoint Administrator role assigned.
- Adele is a regular user, with no additional roles assigned. This is the account whose OneDrive we will be accessing.
Time to check the permissions on Adele’s OneDrive: open the OneDrive web version [onedrive.com], select the gear in the top right and click on OneDrive settings.
Then go to More settings -> Site collection administrators.
Site collection administrators are displayed here. Every OneDrive user can check this, and it doesn’t require any additional permissions, as by default the OneDrive user is the owner of all the content stored there.
After checking the site collection administrators, we can clearly see that Adele is the only administrator of her OneDrive. We can further examine and manage access to individual files or folders: in the OneDrive web version, highlight the desired file/folder, click the three dots and select Manage access.
Below we can see the access settings of a random folder and file, which confirm that Adele is the only owner listed.
Requesting OneDrive access
Imagine a situation where there is a valid request to access someone’s OneDrive. We can fulfil it using either the Global Administrator or the SharePoint Administrator role.
Applying the principle of least privilege, we start with SharePoint Administrator – Allan.
After signing in to the M365 portal, I go to Users -> Active users, search for Adele and click on the account. When the properties page appears, select the OneDrive tab.
On the OneDrive tab, click on “Create link to files” under “Get access to files”.
The link to access the files is generated within a few seconds:
Behind the scenes, Allan has been added as an owner of all files and folders on Adele’s OneDrive. We check the access as before:
Similarly, we check Site Collection Administrators:
Time to repeat the steps with the admin account, which has the Global Administrator role assigned.
Clicking on the “Create link to files” generates the same URL as previously.
Time to check the permissions one more time. Since the user “admin” has just requested access to the OneDrive, that account is already listed as an owner of the stored content. When we check the permissions, we see that all three accounts are listed.
Similarly, a view on “Site collection administrators” page:
These short exercises showed that with enough permissions, an administrator may view and edit any user’s files on OneDrive. Let me remind you that this should only happen when there is a valid reason to do so. Note that the actual owner of the OneDrive is not notified that someone has been granted access to his/her OneDrive.
Requesting access is one thing. The other is revoking it. And here is the catch: the requested access will not be revoked by itself. The requestor(s) must remove themselves, or the user can do it, provided that the user is aware of the additional owner. I checked that access 11 days after requesting it, and access to Adele’s OneDrive was still possible with the generated link.
Note: in a situation where you need to access the OneDrive data of a deleted user who has left the company, you have 30 days from the deletion. After that time, the account and its associated data are removed permanently.
Revoking the Access
Every time an admin with the appropriate permissions requests access to someone’s OneDrive, they must remember to revoke the granted access, as this does not happen automatically.
Revoking access can be done in two ways: either the requestor removes the permissions, or the actual OneDrive owner does it. Either way of course works 😊
Removing unwanted owner(s) by actual OneDrive owner
While on the OneDrive web page, select the gear icon in the top right as before, click on “OneDrive settings”, then More settings -> Site collection administrators. Remove all admins except yourself and click on OK.
Adele is not the only site collection administrator:
And you are done.
Adele is now the only Owner of content:
Removing ownership by the requestor
The person who requested access to someone’s OneDrive must remember to revoke the access when it is no longer needed. To do this, go to the SharePoint Online admin portal. The URL is different for every tenant, but it always has the following form:
https://<YourRegisteredDomain>-admin.sharepoint.com/, so for example https://mycoolcompany-admin.sharepoint.com
Then navigate to “More features”, select “User profiles” -> Open.
When “User profiles” opens in a new tab, select “Manage user profiles” [this is a legacy part of the SharePoint Online platform; hopefully the UI will be updated to a modern look, coherent with the rest of Microsoft’s cloud portals].
Search for the user whose site owners’ group you want to remove yourself from. Select “Manage site collection owners”.
Remove yourself from the “Site Collection Administrators” section and click OK.
Whichever way the additional owner is removed from the OneDrive, the change takes place immediately and all folders and files have only one owner again.
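Because the extra owner is neither removed automatically nor reported to the user, the tenant-wide check below is a useful complement to the manual steps above. It is an added example, not part of the original post: it uses the SharePoint Online Management Shell to list every OneDrive that has a site collection administrator other than its owner, and removes them only when run with -Revoke. It assumes the admin URL placeholder is replaced with your own tenant’s URL and that the running account holds the SharePoint Administrator (or Global Administrator) role.

```powershell
# Added example: audit (and optionally revoke) extra site collection admins on all OneDrives.
# Assumption: replace <YourRegisteredDomain> with your tenant name, as in the URL form above.
param(
    [string]$AdminUrl = "https://<YourRegisteredDomain>-admin.sharepoint.com",
    [switch]$Revoke   # without -Revoke the script only reports findings
)

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url $AdminUrl

# Personal (OneDrive) sites are not returned by Get-SPOSite unless explicitly requested.
$oneDrives = Get-SPOSite -IncludePersonalSite $true -Limit All `
    -Filter "Url -like '-my.sharepoint.com/personal/'"

$findings = foreach ($site in $oneDrives) {
    # Accounts with IsSiteAdmin set are exactly the "Site collection administrators"
    # shown on the OneDrive settings page discussed in this post.
    $admins = Get-SPOUser -Site $site.Url -Limit All | Where-Object { $_.IsSiteAdmin }
    foreach ($admin in $admins) {
        # The OneDrive owner is expected; anyone else is an additional owner left behind.
        # (-ne is case-insensitive in PowerShell, so UPN casing differences do not matter.)
        if ($admin.LoginName -ne $site.Owner) {
            [pscustomobject]@{
                OneDrive   = $site.Url
                Owner      = $site.Owner
                ExtraAdmin = $admin.LoginName
            }
        }
    }
}

# Report: one row per OneDrive/extra-admin pair; an empty table means nothing is left behind.
$findings | Format-Table -AutoSize

if ($Revoke) {
    foreach ($f in $findings) {
        # Same effect as "Manage site collection owners" -> remove from Site Collection Administrators.
        Set-SPOUser -Site $f.OneDrive -LoginName $f.ExtraAdmin -IsSiteCollectionAdmin $false
        Write-Host "Removed $($f.ExtraAdmin) from $($f.OneDrive)"
    }
}
```

Review the report before running with -Revoke, since a tenant that deliberately assigns a secondary OneDrive owner (for example for departed users) will also appear in the findings.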
Summary
The functionality described here, i.e. accessing someone’s OneDrive, should only be used in very specific circumstances: someone has left the company, or there are legal reasons.
Different roles in M365 provide different possibilities. Always use them with caution, comply with internal processes, and do not overuse them. And in the end, revoke the access you granted yourself.
Marcin Chwała is an IT Consultant at Mindcore with over 15 years of experience, the last ten of which have focused on endpoint management. He is based in Poland.
His areas of expertise cover Microsoft products, specifically:
- Microsoft 365 products suite (Exchange, SharePoint & OneDrive, Defender)
- Intune and Configuration Manager [Endpoint Management]
- Windows 11 & 10 [client operating systems in general]
- Application Management, packaging, lifecycle
- Windows Server systems (ADDS, DNS, DHCP, CA & PKI, Hyper-V)
Passionate about delivering the best possible end user experience and utilizing technology for top productivity, I believe that technology must never exist purely for its own sake.