Review Auto-Assign as Site Collection Administrator Process
Review the way Sharegate uses the auto-assign feature
- Handle differently per type of site (OneDrive, Groups, Team sites)
- Setting per tenant / farm / connection
- Option to auto-remove after each operations
- Handle special cases (eDiscovery sites, NO ACCESS or Read-only)
Since the default is now disabled. It should prevent most situation some of you are describing.
We still feel like the Auto-Assign as site collection administrator is a useful option in certain case.
If you encounter an issue you can always refer to this documentation to fix it. https://support-desktop.sharegate.com/hc/en-us/articles/115000647528-Can-I-remove-myself-as-an-administrator-after-I-have-auto-assigned-myself-as-one-
When following the steps to run a report of all OneDrive sites (per https://support-desktop.sharegate.com/hc/en-us/articles/115000647528-Can-I-remove-myself-as-an-administrator-after-I-have-auto-assigned-myself-as-one), one of the filters is Administrators [contains/does not contain].
When attempting to enter a filter for "Administrators [contains] user-goes-here", we are unable to resolve a user and even after several hours the dropdown continues to show "[spinning icon] Showing 0 results."
When entering any type of user login (email@example.com, i:firstname.lastname@example.org, or even a general string value like "admin"), it still spins and says "Showing 0 results." without ever returning any names.
When selecting names in the following "Remove from Site Collection Administrators" process - there is no issue with returning names. Just when using the Administrators filter on the prior step to generate the report.
Can this be looked at as a bug?
We have tens of thousands of OneDrive sites and trying to pull a FULL report and then remove Site Collection Admins from that report can take days between generating the report and then processing through it.
If there's a Powershell script that you support to do the same thing, please let us know.
Also - our team seconds the idea of a sub-setting to Auto-Assign as SC Admin, with the ability to ONLY set that for SP sites/Group or Team Sites/OneDrive/etc.
It's useful - just terrifying if mis-applied. A better description, perhaps with a link to this thread or the remediation steps would be helpful to know what we're getting into before toggling that setting.
Nathan Kidd commented
It would be very helpful it you could expand the options for the Auto-assign as administrator option. For example, the ability to turn this on for SharePoint site collections and off for OneDrive. Currently, I am unable to use this feature because employees in my company get very nervous when they see my name listed as having access to their OneDrive. This however is not a problem for SharePoint sites (since personal documents are only saved in OneDrive, not SharePoint in my company). If I were able to turn the auto-assign admin feature on for just SharePoint site collections, that would be very nice.
JAMES FERGUSON commented
Is there any way to then disable someone from accidently checking that checkbox on the main page (i.e. any way to disable this feature entirely then)?
i.e. the autoassign access checkbox on the main page of Sharegate?
I would like to run a report on the SPO sites for all of the Teams sites in my tenant but I don't want to be added to all of those sites as an admin and it looks like I would need to do that if I want to run a report on those sites. I don't want to make such a widespread change to the model that they usually have. If my roles include the SharePoint Admin role, I would like to be able to run reports without being added as an admin on the individual site. Is that something that you have considered adding?
Feedback sent from the Security view.
Steve Delap commented
I can only re-interate the last few comments this HAS to change. Our security team will also tell us we cant use this app if it carries on. we need as has been stated, the ability that it assigns the user to the site collection admins for the duration of the report and removes it after the report has completed.
I recently ran a report on my tennet and was horrified to learn my ID was now on all the onedrive accounts please can you design a method to make this impossible. It really was not clear this would happen now I have my name on 26000 onedrive accounts and security are not happy,
Feedback sent from the Remove Admin view.
We have an issue with security currently - on how these tasks/reports are run. anything that requires auto-assign to site collection administrator group. the issue is on a large tenant it takes many hours to complete a report and then to run a task to remove the reporting account from site collection admin group - the minimum time can be more than 24 hrs. Having the reporting account with high level access to one drives for example for such a long period of time causes concern in our security team and also with our users who log tickets and escalate the fact that an unknown account has access to their data. We are now stopped from using this tool even though there is abusiness need to get the information. Thinking about a solution I wonder if the report could be set to do things in a different order. for example to check to see if SC admin needs assigning - if yes do it - collect report info on the object - if SC admin was granted to thereporting account remove it now - then move onto the next object. this would slow things down I realise but it would probably make it acceptable to our security team (who are theones wh are asking for most of these reports in the first place. I hope you also think this is a good idea.
Feedback sent from the Migration report view.
Joerg K. commented
Hello, please reconsider and start working on an "Option to auto-remove after each operation" in connection the "Auto-Assign as site collection administrator". Mostly admin need to use a personalized account and in larger enterprises there is not just one admin. This will result in multiple admin accounts appearing in personal OneDrives and also Site Colelctions. Bear in mind that users are sensitiv on who has access to their data and that data needs to be protected, there is data that might be very sensitive and confidential and should not be available to anybody else than the owner. Only with the explicit approval of the owner such folders or libraries where such data is stored should be accessed. I understand that the Site Collection Admin permissions are required to gather information especially for reports etc. However, it would ease an admin life if after any operation (report, discovery, support case and other requests) the auto-permissions would also be auto-removed. It is a security concern within our Enterprise and it might end up that security will not longer allow us to use ShareGate!
Many thanks for reading and considering to bring such a highly requested feature!
Separate the setting that automatically adds site collection admin to Site and OneDrive.
Rather than having the Sharegate account added to all OneDrives and Sites. Have two options, one for sites and one for OneDrives.
Feedback sent from the Tasks view.
I installed ShareGate and make a connection to our tenant. At the connection the option "auto-assign as administrator" was enabled and now I am explicit site collection admin on all sitecollections. I am not happy with this option. Could you please remove this option from the connection page and mark it red that it will make you sitecollection admin. It needs to be more visible what it will do.
Feedback sent from the Explorer view.
To anonymous 12 april 2019: yes, it is. My Admin account was added to all OneDrives due to that setting. I unchecked the setting and used Powershell to remove my account from all OneDrive's - except my own, of course.
Is it possible that Sharegate causes the problem that Global Admin Showing up with Access to All Users OneDrive for Business?
Hello, We use ShareGate Desktop, we used explorer feature on your Office 365 tenant and we have detected that ShareGate Explorer add Admin user Office 365 use to explorer our tenant. We have a bad surprise on all OneDrive user, admin user has been added as site collection admin, and admin user has been added as owner on all documents libraries.
Can you please, help us to understood why we have this result and confirm us it is a bug on your side.
I ran a Permission Matrix report for a particular SharePoint site.
I had the Auto Assign as Administrator option in Settings activated.
This appears to have resulted in me being added as a co-owner to the one drive for anyone on the Permissions Matrix report.
There were 15,000 users whos OneDrive now contains me as a co-owner.
Is there an issue with ShareGate?
Would it be possible to specify a group rather than adding the Sharegate service account to all site collections?
We have a SharePoint admin group that includes the Sharegate account.
I was added as the OneDrive Site Collection Administrator to all OneDrive accounts when I was running a SharePoint report, and it caused nothing but issues for us. The users were unhappy and perplexed, we had to change our security model and create a new third party application policy. This setting needs to change.
Because I installed ShareGate, I am in the list of all administrators of the personal OneDrives.
This is visible whaen the people are sharing there files/folders. Of course we do not want my name to appear in the personal OneDrives. Is there a good solution for this? I removed myselve from the Administrators list, but my name reappears :(.
Looking forward to a good solution,
Kris @ Thomas Cook Group commented
I've disabled the feature to add me as site admin to all sites but I keep getting added to sites that I'm not actually doing anything with. I'd understand it if I migrate a site or something, but this is old sites that I'm not even looking at or inventoring, now we even have a OneDrive that I'm the admin for??
Is/was this a reported bug??
So the feature to auto-assign admin permissions as needed is good, but it would be nice if ShareGate could track the permissions assigned and remove them when the task is done. We get a lot of feedback from users that are upset that are admin accounts show up as having access to their OneDrives after we've done a report.
Damari Trezub commented
I would appreciate a permament solution – a prompt with choices : Yes, No and a checkbox ‘Apply to all in the future’ would do, from my perspective.