Is it safe/supported operation to remove the Office 365 admin from being our root site collection administrator
https://sharepoint.stackexchange.com/questions/260809
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
Inside our office 365 tenant, our employees who work as exchnage admins or sharepoint admins have access to the Office 365 username/password admin@ourtenant.com. and when we got our root site collection, the Office 365 admin username is already defined as a site collection admin. so now using the Office 365 admin username, i have remove himself from the site collection admin group and i added my username (i am the sharepoint admin employee):-
so now let say an employee who is not a sharepoint developer/admin such as our exchnage admin employees, login using office 365 admin username to do some work on exchange online, and then they access the root site by mistake/intentionally, they will NOT be able to modify the site setting which might cause the site collection to crash. of course i know that using the Office 365 admin username they can go to SP central admin, then add the office 365 admin back to the site collection admin group... but not all of them will do so unless they intentionally want to access the sharepoint site with admin permission.
so my question is, if removing the office 365 admin username from been inside the root site collection admin group, is valid/supported? or it can cause issues? for example we define our audit reports to trim the report each 90 days as follow:-
so will this operation be able to work if the office 365 admin is not inside the site collection group..
Solution
Their is no need to put the Tenant admin inside the SharePoint root site collection. Their is no such requirement listed or So far I experienced which required global admin inside the root site collection of tenant.
Audit operation, tenant admin account is not responsible for it. as you know it is back-end timer service of SharePoint which is executing these types of work in Office 365 and no customer have access to it.
for separation of duties, it is always recommended to assign only the required permissions. i.e. Exchange admin need exchange admin center access, compliance access, audit logs access etc.
