Recently, I wanted to dig into whom had full access to one of our SharePoint sites. I noticed that by default it seems that the groups named Company Administrator and SharePoint Service Administrator get access to the SharePoint site by default. This was a potential security risk, given the sensitive nature of some of the folders within this site it could potentially give a SharePoint Service Administrator access to a folder that we didn’t want them to have access to.
After some digging, and asking Google I could find no way within the GUI to enumerate these groups to see whom access to the SharePoint site. I found by sheer luck I think, a neat way of doing this within PowerShell. First step is to connect to your Office 365 tenancy:
$cred = Get-Credential Connect-MsolService -Credential $cred
Once connected, you can then start digging into the groups and whom the members are of said groups:
$role = Get-MsolRole -RoleName "Company Administrator" Get-MsolRoleMember -RoleObjectId $role.ObjectId | FT $role = Get-MsolRole -RoleName "Sharepoint Service Administrator" Get-MsolRoleMember -RoleObjectId $role.ObjectId | FT
This should output a nice table with a list of the names and E-Mail addresses of those users that currently populate those groups.
There are loads of other groups that you can check the security membership of – if you type the below command, it will bring back all the available groups:
Get-MsolRole | FT Name