Recently, I wanted to dig into whom had full access to one of our SharePoint sites.  I noticed that by default it seems that the groups named Company Administrator and SharePoint Service Administrator get access to the SharePoint site by default.  This was a potential security risk, given the sensitive nature of some of the folders within this site it could potentially give a SharePoint Service Administrator access to a folder that we didn’t want them to have access to.

After some digging, and asking Google I could find no way within the GUI to enumerate these groups to see whom access to the SharePoint site.  I found by sheer luck I think, a neat way of doing this within PowerShell.  First step is to connect to your Office 365 tenancy:

$cred = Get-Credential
Connect-MsolService -Credential $cred

Once connected, you can then start digging into the groups and whom the members are of said groups:

$role = Get-MsolRole -RoleName "Company Administrator"
Get-MsolRoleMember -RoleObjectId $role.ObjectId | FT

$role = Get-MsolRole -RoleName "Sharepoint Service Administrator"
Get-MsolRoleMember -RoleObjectId $role.ObjectId | FT

This should output a nice table with a list of the names and E-Mail addresses of those users that currently populate those groups.

There are loads of other groups that you can check the security membership of – if you type the below command, it will bring back all the available groups:

Get-MsolRole | FT Name