Review Auto-Assign as Site Collection Administrator Process
Review the way Sharegate uses the auto-assign feature
- Handle differently per type of site (OneDrive, Groups, Team sites)
- Setting per tenant / farm / connection
- Option to auto-remove after each operations
- Handle special cases (eDiscovery sites, NO ACCESS or Read-only)
Since no decision has been made as to whether or not the process will be optimized I just want to mention that if you don’t want yourself to be added as an admin all the time, simply turn off the “Auto-Assign as Administrator” option in the settings menu of ShareGate Desktop. Also, note that you can always use the following procedure to remove yourself from the admins if it happens again: https://support-desktop.sharegate.com/hc/en-us/articles/115000647528-Can-I-remove-myself-as-an-administrator-after-I-have-auto-assigned-myself-as-one-
Hello, We use ShareGate Desktop, we used explorer feature on your Office 365 tenant and we have detected that ShareGate Explorer add Admin user Office 365 use to explorer our tenant. We have a bad surprise on all OneDrive user, admin user has been added as site collection admin, and admin user has been added as owner on all documents libraries.
Can you please, help us to understood why we have this result and confirm us it is a bug on your side.
I ran a Permission Matrix report for a particular SharePoint site.
I had the Auto Assign as Administrator option in Settings activated.
This appears to have resulted in me being added as a co-owner to the one drive for anyone on the Permissions Matrix report.
There were 15,000 users whos OneDrive now contains me as a co-owner.
Is there an issue with ShareGate?
Would it be possible to specify a group rather than adding the Sharegate service account to all site collections?
We have a SharePoint admin group that includes the Sharegate account.
I was added as the OneDrive Site Collection Administrator to all OneDrive accounts when I was running a SharePoint report, and it caused nothing but issues for us. The users were unhappy and perplexed, we had to change our security model and create a new third party application policy. This setting needs to change.
Because I installed ShareGate, I am in the list of all administrators of the personal OneDrives.
This is visible whaen the people are sharing there files/folders. Of course we do not want my name to appear in the personal OneDrives. Is there a good solution for this? I removed myselve from the Administrators list, but my name reappears :(.
Looking forward to a good solution,
Kris @ Thomas Cook Group commented
I've disabled the feature to add me as site admin to all sites but I keep getting added to sites that I'm not actually doing anything with. I'd understand it if I migrate a site or something, but this is old sites that I'm not even looking at or inventoring, now we even have a OneDrive that I'm the admin for??
Is/was this a reported bug??
So the feature to auto-assign admin permissions as needed is good, but it would be nice if ShareGate could track the permissions assigned and remove them when the task is done. We get a lot of feedback from users that are upset that are admin accounts show up as having access to their OneDrives after we've done a report.
Damari Trezub commented
I would appreciate a permament solution – a prompt with choices : Yes, No and a checkbox ‘Apply to all in the future’ would do, from my perspective.
I ran a few reports on External Users in SG on both site collections and OneDrive, to check if users are sharing files with external users from their OneDrive. This action (I presume), also added me as "Administrator" to every user's personal OneDrive. The issue is that the users, whenever they are looking at file Access Management from their OneDrive, will see my name also, unexpectedly to the users. Is there something we can do so the reporting will run without showing/adding me to the user's OneDrive?
Theresa Yu Chen
Auto-Assign as Administrator needs a filter so that I am not added to over 7000+ OneDrive accounts as Administrator as I experienced with this option. Users complained that they could see my administrator account in OneDrive when sharing - this was completely disastrous in terms of gaining trust from our user base. It took over 24 hours running Sharegate to remove myself from all 7000+ OneDrive accounts not to mention this throttled our tennant as a result and we had poor performance across Office 365. This has resulted in a Operational, Change and Communication Management nightmare that shoudl be easily avoided with the right deployment. Please don't assume that every customer is ready to hand over the governance reigns to an application functionality that has been poorly implemented by you the software vendor. Sharegate and my own reputation has suffered as a result. Please fix this option as you said you would.
Hello, I activated Auto Assign as Administrator and it assigned me to thousands of OneDrive Accounts at my organisation. This meant that I appeared on every OneDrive account automatically when documents were shared. Is there a way of activating it without auto assigning as Administrator on OneDrive accounts?
Jan K commented
From a security & compliance perspective, the current situation has undesired side effects. We had to explain several times why one of our IT guys was mentioned as an owner for all OneDrives. Our security officer was not very happy, as you can imagine. OneDrive is regarded being strictly personal, and shouldn't inadvertently be owned by somebody else due to reporting etc. I agree on all improvements mentioned above. Please put this on the very top of your to-do list!
Samuel Levesque commented
Totally agree that It should Auto-remove after each operation/batch, I just had justify what I did to the security guy from the company.
The new file manage access panel now shows all site collection admins. If the add current user as SCA is enabled, SG adds you to each ODFB. For our tenant, that is 100,000 ODFB. Our IT Help desk gets tickets asking why does this person have access to my personal ODFB. Adding someone as SCA should not be so easy. There should also be a means to remove a person that was added via SG from ODFB site collection excluding their own. Our scripts that inventory the tenant adds a person as SCA to run the scan then removes that person when the scan is done inventorying that site.
Michael Buckingham commented
I recently spent several hours getting an admin who was doing a migration removed as site collection admin of eveyone of our MySites. We were getting support tickets because she was showing up as owner of confidential files in user's OneDrives. All because she click yes when Sharegate offer to auto assign permissions. This is a half baked solution that needs to be refined immediately.
This should really be changed. I can thing of multiple things that could be done to make this better. Rather than setting this globally, it should be set per tenant/connection, or even per web app. I am typically connected to several tenants, and I don't want site collection admin access auto-applied everywhere. Furthermore, it would be ideal to be able to specify the account, or better yet - the group that we want to automatically grant site collection admin access. More often than not, more than one user performs these administrative tasks. I would rather grant site collection admin access to a group with a professional looking name than a bunch of individual user accounts.
Feedback sent from the OneDriveInfo view.
For governance reasons our team is not added to the site collection admin group, but as a SharePoint admin they can run reports on the data. Could there be an option to add a user as a site collection admin while running the report and removing them after it is completed?
Feedback sent from the Explorer view.
Dany Lavertu commented
One Drive is perceived to be completely private and can cause question when someone is assigned as admin.
Idea: option to have a dynamic way of giving onedrive permissions to a admin user for the duration of an action (repport or otherwise) and it will be removed after the action. This would be verry helpfull.