Working with the SharePoint Service Administrator Group in SharePoint Online

In this post we take a look at the SharePoint Service Administrator Group, what it is and how to use it in SharePoint Online.

In this post:

Background

Recently I had the task of creating, then modifying a few hundred sites in SharePoint Online. In our case we provisioned the Microsoft 365 group connected SharePoint sites using PnP PowerShell, but as part of this we set the primary owner as an individual admin.

During the process of updating the sites manually, it become more and more annoying that other SharePoint admins had to keep adding themselves into the recently provisioned sites in order to do anything – that is until I found the SharePoint Service Administrator group!

What is the SharePoint Service Administrator group?

The SharePoint Service Administrator is a security group that includes everyone that has been assigned the SharePoint Admin role in Microsoft 365. It’s also worth noting there is also a Company Administrator group also, which includes all users with the Global Admin role.

Greg Zelfond has provided a great write up of these roles over at SharePoint Maven. For the purposes of this post I will be focusing on the SharePoint Service Administrator group.

How to assign the SharePoint Service Administrator group to a site

Follow the steps below to add the SharePoint Service Administrator group as an additional admin of a SharePoint site:

  • Open the SharePoint admin center
  • Under Sites > Active sites > select the site you wish to add the SharePoint Service Administrator group to
  • Press Permissions > Manage additional admins
Select your site then press Permissions > Manage additional admins.
  • Under Add an admin > enter SharePoint Service Administrator
  • Press Save

Issues and troubleshooting

#1 Cannot add SharePoint Service Administrator as a group owner

If you are creating or editing Microsoft 365 group connected SharePoint team sites, you are unable to add security groups as owners or members of a M365 group. Security group driven M365 group membership has been a long-standing request of Microsoft, but Roadmap ID: 83113 added in May 2021 has group driven membership management as targeted for release in December 2022.

Workaround: When creating new sites, set the group owners/ members as you would normally (i.e. one or more individuals), then edit the site once created to add the SharePoint Service Administrator group as an additional admin.

For existing sites, just update the additional admin as per the guidance above.

#2 No SharePoint Service Administrator group to choose from

If you have not assigned the SharePoint admin role to anyone in your tenant yet, the SharePoint Service Administrator role will not be available to select from when trying to assign it as an additional admin. In the below example, this tenant only had one global administrator, but the SharePoint admin role had not been explicitly assigned.

When I tried to add the company administrator role it worked no problem.

Workaround: Assign the SharePoint admin role to those you want to be included in the SharePoint Service Administrator group, or use the Company Administrator group if you only have global admins in your tenancy.

Updating manage access requests

As a SharePoint administrator, you should be fairly familiar with this error message:

If you’re not, it could mean that your SharePoint’s site access requests aren’t going to the correct email address…or you might just be ignoring them! In any case if you find that you need to manage where these site access requests go you can do.

When a SharePoint site collection is provisioned, site access requests are configured to be sent to the email address(s) specified at the point which the site was created, but a site administrator can change this for each site within the site collection they administer. By default, when a sub-site is created the same email address(s) that are configured on the parent site are used for access requests to the sub site.

Follow the steps below to change these settings:

In Site Actions – Site Permissions

Select Manage Access Requests from the ribbon

Specify the email address to send requests to and click OK. Note: you can add multiple email addresses here, just separate each address with a semicolon.

Note: With manage access requests configured users can click a link on the access denied page when they are unable to access content. If no email address has been configured for this site, the link will not appear on the access denied page.