Review Auto-Assign as Site Collection Administrator Process
Review the way Sharegate uses the auto-assign feature
- Handle differently per type of site (OneDrive, Groups, Team sites)
- Setting per tenant / farm / connection
- Option to auto-remove after each operations
- Handle special cases (eDiscovery sites, NO ACCESS or Read-only)
Since the default is now disabled. It should prevent most situation some of you are describing.
We still feel like the Auto-Assign as site collection administrator is a useful option in certain case.
If you encounter an issue you can always refer to this documentation to fix it. https://support-desktop.sharegate.com/hc/en-us/articles/115000647528-Can-I-remove-myself-as-an-administrator-after-I-have-auto-assigned-myself-as-one-
I recently ran a report on my tennet and was horrified to learn my ID was now on all the onedrive accounts please can you design a method to make this impossible. It really was not clear this would happen now I have my name on 26000 onedrive accounts and security are not happy,
Feedback sent from the Remove Admin view.
We have an issue with security currently - on how these tasks/reports are run. anything that requires auto-assign to site collection administrator group. the issue is on a large tenant it takes many hours to complete a report and then to run a task to remove the reporting account from site collection admin group - the minimum time can be more than 24 hrs. Having the reporting account with high level access to one drives for example for such a long period of time causes concern in our security team and also with our users who log tickets and escalate the fact that an unknown account has access to their data. We are now stopped from using this tool even though there is abusiness need to get the information. Thinking about a solution I wonder if the report could be set to do things in a different order. for example to check to see if SC admin needs assigning - if yes do it - collect report info on the object - if SC admin was granted to thereporting account remove it now - then move onto the next object. this would slow things down I realise but it would probably make it acceptable to our security team (who are theones wh are asking for most of these reports in the first place. I hope you also think this is a good idea.
Feedback sent from the Migration report view.
Joerg K. commented
Hello, please reconsider and start working on an "Option to auto-remove after each operation" in connection the "Auto-Assign as site collection administrator". Mostly admin need to use a personalized account and in larger enterprises there is not just one admin. This will result in multiple admin accounts appearing in personal OneDrives and also Site Colelctions. Bear in mind that users are sensitiv on who has access to their data and that data needs to be protected, there is data that might be very sensitive and confidential and should not be available to anybody else than the owner. Only with the explicit approval of the owner such folders or libraries where such data is stored should be accessed. I understand that the Site Collection Admin permissions are required to gather information especially for reports etc. However, it would ease an admin life if after any operation (report, discovery, support case and other requests) the auto-permissions would also be auto-removed. It is a security concern within our Enterprise and it might end up that security will not longer allow us to use ShareGate!
Many thanks for reading and considering to bring such a highly requested feature!
Separate the setting that automatically adds site collection admin to Site and OneDrive.
Rather than having the Sharegate account added to all OneDrives and Sites. Have two options, one for sites and one for OneDrives.
Feedback sent from the Tasks view.
I installed ShareGate and make a connection to our tenant. At the connection the option "auto-assign as administrator" was enabled and now I am explicit site collection admin on all sitecollections. I am not happy with this option. Could you please remove this option from the connection page and mark it red that it will make you sitecollection admin. It needs to be more visible what it will do.
Feedback sent from the Explorer view.
To anonymous 12 april 2019: yes, it is. My Admin account was added to all OneDrives due to that setting. I unchecked the setting and used Powershell to remove my account from all OneDrive's - except my own, of course.
Is it possible that Sharegate causes the problem that Global Admin Showing up with Access to All Users OneDrive for Business?
Hello, We use ShareGate Desktop, we used explorer feature on your Office 365 tenant and we have detected that ShareGate Explorer add Admin user Office 365 use to explorer our tenant. We have a bad surprise on all OneDrive user, admin user has been added as site collection admin, and admin user has been added as owner on all documents libraries.
Can you please, help us to understood why we have this result and confirm us it is a bug on your side.
I ran a Permission Matrix report for a particular SharePoint site.
I had the Auto Assign as Administrator option in Settings activated.
This appears to have resulted in me being added as a co-owner to the one drive for anyone on the Permissions Matrix report.
There were 15,000 users whos OneDrive now contains me as a co-owner.
Is there an issue with ShareGate?
Would it be possible to specify a group rather than adding the Sharegate service account to all site collections?
We have a SharePoint admin group that includes the Sharegate account.
I was added as the OneDrive Site Collection Administrator to all OneDrive accounts when I was running a SharePoint report, and it caused nothing but issues for us. The users were unhappy and perplexed, we had to change our security model and create a new third party application policy. This setting needs to change.
Because I installed ShareGate, I am in the list of all administrators of the personal OneDrives.
This is visible whaen the people are sharing there files/folders. Of course we do not want my name to appear in the personal OneDrives. Is there a good solution for this? I removed myselve from the Administrators list, but my name reappears :(.
Looking forward to a good solution,
Kris @ Thomas Cook Group commented
I've disabled the feature to add me as site admin to all sites but I keep getting added to sites that I'm not actually doing anything with. I'd understand it if I migrate a site or something, but this is old sites that I'm not even looking at or inventoring, now we even have a OneDrive that I'm the admin for??
Is/was this a reported bug??
So the feature to auto-assign admin permissions as needed is good, but it would be nice if ShareGate could track the permissions assigned and remove them when the task is done. We get a lot of feedback from users that are upset that are admin accounts show up as having access to their OneDrives after we've done a report.
Damari Trezub commented
I would appreciate a permament solution – a prompt with choices : Yes, No and a checkbox ‘Apply to all in the future’ would do, from my perspective.
I ran a few reports on External Users in SG on both site collections and OneDrive, to check if users are sharing files with external users from their OneDrive. This action (I presume), also added me as "Administrator" to every user's personal OneDrive. The issue is that the users, whenever they are looking at file Access Management from their OneDrive, will see my name also, unexpectedly to the users. Is there something we can do so the reporting will run without showing/adding me to the user's OneDrive?
Theresa Yu Chen
Auto-Assign as Administrator needs a filter so that I am not added to over 7000+ OneDrive accounts as Administrator as I experienced with this option. Users complained that they could see my administrator account in OneDrive when sharing - this was completely disastrous in terms of gaining trust from our user base. It took over 24 hours running Sharegate to remove myself from all 7000+ OneDrive accounts not to mention this throttled our tennant as a result and we had poor performance across Office 365. This has resulted in a Operational, Change and Communication Management nightmare that shoudl be easily avoided with the right deployment. Please don't assume that every customer is ready to hand over the governance reigns to an application functionality that has been poorly implemented by you the software vendor. Sharegate and my own reputation has suffered as a result. Please fix this option as you said you would.
Hello, I activated Auto Assign as Administrator and it assigned me to thousands of OneDrive Accounts at my organisation. This meant that I appeared on every OneDrive account automatically when documents were shared. Is there a way of activating it without auto assigning as Administrator on OneDrive accounts?
Jan K commented
From a security & compliance perspective, the current situation has undesired side effects. We had to explain several times why one of our IT guys was mentioned as an owner for all OneDrives. Our security officer was not very happy, as you can imagine. OneDrive is regarded being strictly personal, and shouldn't inadvertently be owned by somebody else due to reporting etc. I agree on all improvements mentioned above. Please put this on the very top of your to-do list!
Samuel Levesque commented
Totally agree that It should Auto-remove after each operation/batch, I just had justify what I did to the security guy from the company.