5 Tips for Secure SharePoint Administration

Updated: Mar 25

The best administration process for any organization is to implement multiple levels of support with varying roles within a SharePoint tenant. The role and access at each support level will directly correlate with the knowledge and abilities for those in the level. This structure may need to be adapted depending on the size of the organization, but the general rules and recommendations will fit any size company.

Why Implement Administration Processes?

SharePoint is an extremely powerful tool that necessitates varying degrees of access and administrative capabilities. Since the SharePoint tool is connected to the Microsoft cloud platform, there are built-in roles that should be used in addition to the permission levels provided on each site.

Knowing when to grant roles to support users is one of the most important things for your organization to understand. If you do not understand the roles and the abilities each one carries, the risk of malicious attacks or inadvertent changes by admin users increases. Adding support levels, and training each level for the roles it is assigned, is one of the best things you can do to protect your SharePoint environment in Microsoft 365.

5 Steps for SharePoint Success

The steps below represent the best ways to implement administration into your SharePoint environment. It’s important to note you may need to make some adjustments depending on the size of your company.

1 - Enable Audit Logs

Before you set up any administrative procedures, enable the audit logs in your tenant. These logs track the activities of admins and are the best way to maintain a history of who is making changes. If something goes wrong within your tenant, the logs show a history of what has been modified so you or an admin can revert the changes and restore order to the tenant.

To enable the audit logs, you must first be a Global Admin or be assigned the Audit Logs role in Exchange Online. Once you have this role, go to the Compliance Admin Center > Audit and, if the logs are not yet enabled, you will see a blue button that turns them on. Alternatively, you can turn auditing on with PowerShell.
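The PowerShell path mentioned above, as an added example that is not code from the original post. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds Global Admin or the Exchange Online Audit Logs role; the seven-day window and the wildcard used to pick out permission changes are my own choices.

```powershell
# Added example: enable the unified audit log, confirm the setting, then review
# recent SharePoint admin activity. Requires: Install-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Check the current state before changing anything
$config = Get-AdminAuditLogConfig
if (-not $config.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Host "Unified audit log enabled; propagation can take up to an hour."
}
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

# Once logging is on, pull the last 7 days of SharePoint activity (assumed window)
$start  = (Get-Date).AddDays(-7)
$end    = Get-Date
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end -RecordType SharePoint -ResultSize 1000

# Summary: which operations have been performed, and how often
$events | Group-Object Operations | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Focus: permission and site-admin changes are the ones worth reviewing first
$events |
    Where-Object { $_.Operations -like "*Permission*" -or $_.Operations -like "*SiteCollectionAdmin*" } |
    Select-Object CreationDate, UserIds, Operations |
    Sort-Object CreationDate -Descending |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Run the summary regularly (or schedule it) so that a reviewer sees who changed what; the detailed AuditData JSON on each event carries the affected site and object if you need to revert a change.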

2 - Set Up Levels of Support - Help Desk, Tier 2 Support, and Beyond

Every organization should have varying levels of technical support. Support usually starts with some form of a help desk where users can inquire for help with common technical challenges. In smaller organizations, the help desk may be the IT department and be composed of a few individuals whose knowledge and skills may surpass that of a common help desk role.

In larger organizations, the help desk is a team within the IT department whose focus is to support basic technical user requests. If a ticket goes beyond the scope of the help desk, it is then escalated to the next level of support, which we’ll call Tier 2 Support.

Tier 2 Support would have additional administrative abilities and knowledge beyond the help desk, which allows them to provide deeper support for user needs. In larger organizations, there may be additional levels of support past Tier 2, which may include Global Administrators and/or developers, who can customize the tenant and know the full scope of what is possible within Microsoft’s cloud platform.

Within your organization, you’ll need to determine how many levels are needed to support your users. A smaller organization may consolidate all their support levels into one and train their IT department to handle any type of request. Larger organizations will need multiple levels and the training required will vary based on the support level. Regardless, the recommended support levels explained below can be adapted to any organizational need to better protect your SharePoint environment.

Help Desk

The help desk should be provided blanket access to view SharePoint sites and permissions. This can be done by assigning the Global Reader* role to each member of the help desk, which allows them to view the SharePoint admin center, a list of all sites, and user permissions on those sites. However, Global Reader does not allow users to make any changes.

*Note: The Global Reader role will provide the assigned user view-only access to almost all admin centers.

Tier 2 Support

Tier 2 Support should be assigned the SharePoint Admin role within the tenant. This gives them complete control to view all SharePoint sites and to control user access. They will also be able to set tenant-wide settings around sharing, guest access within SharePoint, and much more. These users should be trained to understand how to fix common SharePoint permission issues and the risks associated with the SharePoint admin role. In addition to being able to view and gain access to all SharePoint sites, they will be able to access the Microsoft 365 admin center and update the access groups within the organization. This is an important feature of the role because Team site permissions are best maintained at the Microsoft 365 Group level.

Additional Support

This is your last line of support defense, and therefore should be given the highest administrative roles. This would include giving additional Azure roles beyond the SharePoint admin role, and, for a select group of users, the Global Admin role. The Global Admin role should be provided to 2-4 users who have a complete understanding of the Microsoft cloud platform and the potential risks involved.
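The three tiers above expressed as role assignments, as an added example (not code from the original post or from JourneyTEAM). It uses the Microsoft Graph PowerShell SDK, looks each role up by display name instead of hard-coding IDs, and ends with a check against the 2-4 Global Admin guideline; the contoso.com accounts are constructed placeholders.

```powershell
# Added example: assign tiered admin roles and check the Global Admin count.
# Requires: Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

function Get-RoleDefinitionId([string]$DisplayName) {
    # Built-in roles are resolved by name so nothing tenant-specific is hard-coded
    $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$DisplayName'"
    if (-not $def) { throw "Role '$DisplayName' not found in this tenant" }
    return $def.Id
}

# Tier mapping from the post: help desk -> Global Reader, Tier 2 -> SharePoint Administrator.
# User principal names below are constructed placeholders.
$tiers = @(
    @{ Role = "Global Reader";            Users = @("helpdesk1@contoso.com", "helpdesk2@contoso.com") },
    @{ Role = "SharePoint Administrator"; Users = @("tier2-a@contoso.com") }
)

foreach ($tier in $tiers) {
    $roleId = Get-RoleDefinitionId $tier.Role
    foreach ($upn in $tier.Users) {
        $user = Get-MgUser -UserId $upn -Property Id
        # Tenant-wide scope ("/"); scope could be narrowed to an administrative unit if needed
        New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id `
            -RoleDefinitionId $roleId -DirectoryScopeId "/" | Out-Null
        Write-Host "Assigned $($tier.Role) to $upn"
    }
}

# Control check: the post recommends 2-4 Global Admins. Permanent assignments only;
# PIM-eligible users are not counted here.
$gaId   = Get-RoleDefinitionId "Global Administrator"
$gaList = @(Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$gaId'")
if ($gaList.Count -lt 2 -or $gaList.Count -gt 4) {
    Write-Warning "Global Administrator has $($gaList.Count) permanent assignments; 2-4 is the recommended range."
} else {
    Write-Host "Global Administrator count ($($gaList.Count)) is within the recommended range."
}
```

The count includes any groups or service principals holding the role, so inspect the principal IDs before acting on a warning.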

3 - Enable Privileged Identity Management (PIM)

When assigning admin roles to support personnel, you may also want to consider enabling PIM to further control when these admin roles are used. PIM requires users who have been assigned an admin role to activate the role for a specific period of time. This means the user could activate the role for their account for four hours and make changes in the tenant. The admin role would be turned off after the four-hour period. This ensures your administrators make purposeful changes and do not always have blanket admin access, so you can prevent inadvertent changes.
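The four-hour activation described above, as an added example that is not code from the original post. It assumes the Microsoft Graph PowerShell SDK, a tenant licensed for PIM, and that the Tier 2 account is made eligible rather than permanently assigned; the account name and ticket reference are constructed placeholders.

```powershell
# Added example: PIM eligibility for SharePoint Administrator plus a 4-hour self-activation.
# Requires: Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "RoleEligibilitySchedule.ReadWrite.Directory",
                        "RoleAssignmentSchedule.ReadWrite.Directory",
                        "User.Read.All"

$roleId = (Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'SharePoint Administrator'").Id
$user   = Get-MgUser -UserId "tier2-a@contoso.com" -Property Id   # constructed placeholder
$now    = (Get-Date).ToUniversalTime().ToString("o")

# Admin side: make the user *eligible* for the role. No standing access is granted here.
$eligibility = @{
    action           = "adminAssign"
    justification    = "Tier 2 support: eligible for SharePoint Administrator via PIM"
    roleDefinitionId = $roleId
    directoryScopeId = "/"
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = $now
        expiration    = @{ type = "noExpiration" }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility

# User side (run as the eligible user): activate for four hours with a justification.
# The role is removed automatically when the duration ends.
$activation = @{
    action           = "selfActivate"
    justification    = "TICKET-ID: fix site permissions"   # placeholder justification
    roleDefinitionId = $roleId
    directoryScopeId = "/"
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = $now
        expiration    = @{ type = "afterDuration"; duration = "PT4H" }
    }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation
```

The justification text is recorded with the activation, which gives the audit log from step 1 a reason to go with every period of elevated access. Whether approval or MFA is required on activation is set in the role's PIM settings, not in the request itself.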

4 - Restrict Creation of SharePoint Sites and Microsoft 365 Groups

Now that you have a process in place for those who oversee SharePoint administration, you'll want to maintain order within your tenant. One of the best ways to do this is to limit the site and group creation processes to a select group of users.

SharePoint Site Creation

You can prevent users from creating SharePoint sites by going to the SharePoint admin center > Settings > Site creation and unchecking the option shown below.

You can also restrict whether users are able to create subsites. JourneyTEAM recommends moving away from subsites, and disabling the option to create them, as Microsoft is providing more manageable site structure options such as hub sites. If you would like to disable the creation of subsites, go to the SharePoint admin center > Settings > classic settings page > Subsite Creation > Disable subsite creation for all sites.
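The Microsoft 365 Group side of this step, as an added example that is not code from the original post: restricting group creation to one security group through the Group.Unified directory setting. It assumes the Microsoft Graph beta PowerShell module and an existing security group; the group name is a constructed placeholder.

```powershell
# Added example: allow only members of one security group to create Microsoft 365 Groups.
# Requires: Install-Module Microsoft.Graph.Beta (directory settings are beta-only)
Connect-MgGraph -Scopes "Directory.ReadWrite.All", "Group.Read.All"

$allowedGroupName = "SharePoint Site Requesters"              # constructed placeholder
$templateId       = "62375ab9-6b52-47ed-826b-58e47e0e304b"    # Group.Unified settings template

$allowedGroup = Get-MgGroup -Filter "displayName eq '$allowedGroupName'"
if (-not $allowedGroup) { throw "Security group '$allowedGroupName' not found" }

$values = @(
    @{ name = "EnableGroupCreation";         value = "false" },
    @{ name = "GroupCreationAllowedGroupId"; value = $allowedGroup.Id }
)

# The setting object exists once per tenant; update it if present, otherwise create it
$existing = Get-MgBetaDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
if ($existing) {
    Update-MgBetaDirectorySetting -DirectorySettingId $existing.Id `
        -BodyParameter @{ templateId = $templateId; values = $values }
} else {
    New-MgBetaDirectorySetting -BodyParameter @{ templateId = $templateId; values = $values }
}

# Verify what is now in effect
(Get-MgBetaDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }).Values |
    Where-Object { $_.Name -in @("EnableGroupCreation", "GroupCreationAllowedGroupId") } |
    Format-Table Name, Value -AutoSize
```

This setting applies to every workload that creates Microsoft 365 Groups (Teams, Planner, Outlook, and Team sites), not only SharePoint, so the allowed group should be the same people who handle the request process in step 5. Admins holding Global Admin or a group-management role can still create groups regardless of this setting.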

5 - Set up Group or SharePoint Site Creation Request Process

Now that users no longer have access to create Microsoft 365 Groups or SharePoint sites, you can implement a governance process around creating sites and groups.

If you would like to learn more about the best ways to do this, please contact a JourneyTEAM representative. We’ll help you understand the best way to implement these processes for your organization.

Written By: Ben Taylor
