SharePoint Administrator Roles demystified
Do you have the lucky job of maintaining SharePoint in your organization? If that is the case, you probably ran into mysterious user roles and names like Company Administrator and SharePoint Service Administrator. What are all those things? Let me explain what these are and how you can take advantage of them.
Below are few images that explain what I am talking about (this functionality is accessible via SharePoint Admin Center > Site Collections)
What is Company Administrator?
Company Administrator is a default domain group that contains all the users who have global Office 365 Admin access. That is set up in Office 365 user panel. Once assigned Global privileges, your name is added to that domain group automatically.
Company Administrators (also known as Global Office 365 Administrators) have access to all the properties and functionalities of Office 365 – SharePoint, Exchange, Planner, Teams, Yammer, etc.
What is SharePoint Service Administrator?
SharePoint Service Administrator is yet another domain group, but this group contains only users who have been set up as SharePoint Administrators in Office 365.
SharePoint Service Administrators have access to just the SharePoint and OneDrive Admin centers within Office 365. Unlike Office 365 global admins above, they cannot mess around with any other properties like Exchange, Azure AD, etc. For example, when I do work for my clients, I am only given SharePoint Administrator role, so I can’t mess with or access Exchange Administration and other Office 365 properties.
Which group shall I assign to a site collection?
For a given site collection, you can add administrators by:
- Adding Company Administrator domain group
- Adding SharePoint Service Administrator domain group
- Adding Named resources (i.e. Greg Zelfond)
Most of the time, you would want to add either the Company Administrator or SharePoint Service Administrator domain groups. This will automatically grant access to all those who are admins to a given site collection. Please note that even if you do not add those domain groups to a particular site collection, any Global Administrator or SharePoint Service Administrator can easily add themselves (if they want to) as an Admin of any custom site collection (since both domain groups have default access to Site Collections screen in SharePoint Admin Center).
There might be situations when you need to add named resources instead. Maybe you have provisioned a custom site collection for a particular department, and you have one particular individual who you want to be in charge of it. You don’t really want to assign him or her a Global Admin or SharePoint Admin role in Office 365 since this will give them access to all site collections. In this case, you can add their name as an administrator for a particular site collection, and that’s all they will have access to.
How can I check who has Site Collection Admin access?
There are 2 ways to check who has Site Collection Administrative access to a given site collection:
Option 1: From SharePoint Admin Center
- From Site Collections Page in SharePoint Admin Center, click Owners > Manage Administrators
- Next screen will show you who is an Admin for this site collection (you would access the same screen to add/remove admins as well)
Option 2: From the Site Collection itself
If you are already in a given site collection or do not have access to SharePoint Admin page, do the following:
- Navigate to the root of the site collection
- Gear Icon > Site Settings > Site Collection Administrators
- You will now see the names and domain groups listed (by the way, just like above, you can also assign or remove users right in this screen too)