On your Microsoft 365 environment, you need to create multiple accounts with the "SharePoint Administrator" role, but by doing so, you take the risk that these user accounts will gain access of "sensitive" data stored in SharePoint sites collections.

Currently, you cannot prevent one or more of these user accounts to access specific SharePoint sites (that makes sense, they are SharePoint administrators) 🀨!

So, how to secure this specific SharePoint sites?

You cannot 😁... not in the true sense of the word!

You can configure alert policies such as "added site collection admin" to be notified Β or all activities in relation with sharing, users and group management of one of several SharePoint actions. You will be notified as soon as at least one Sharepoint criterion is met.

Please find now below the steps how to implement this kind of policy on your Tenant:

Set Up

  1. You have to be connected on your Microsoft 365 Central Admin as global admin
  2. Click on the Security & Compliance link from the left navigation of the central admin
  3. From the left navigation, expand the Alert section by clicking on it, and click on Alert Policy
  4. Click on the New alert policy button to launch the wizard and fill out the form
  1. Name your alert
    • Name: name of your policy (ex: SharePoint Administrator)
    • Description: it is recommanded (ex: notify me for any change about site collection administrator for a specific site)
    • Severity: to help with tracking and managing the alerts generated by a policy ("Assigning a higher severity to activities that can result in severely negative consequences, such as detection of malware after delivery to users, viewing of sensitive or classified data, sharing data with external users, or other activities that can result in data loss or security threats").
      Since in this case, the alert is created for security access, the severity will be high
    • Category: to help with tracking and managing the alerts generated by a policy.
      Since in this case, the alert is created when permission was changed, the category will be Permissions
  1. Create alert settings
    • Select an activity: use a filter to find quickly the type of activity. In our case, we want to be alerted when a site collection admin is added, so, we choose Added site collection admin.

    Important: if you site collection uses security groups rather than user accounts as site collection administrators, this kind of alert will does not work.

    • add a condition Site collection URL is: this alert can be concerned only for specific site(s). Add a condition to specify which site collections will be concerned (separate site collection URL by a comma)
    • add a condition User is: this alert can be concerned only for specific user(s). Add a condition to specify which user(s) will be concerned if necessary (you have to know in advance which user(s) and if this list of users has to be updated, you will have to edit this alert settings)
  1. Set your recipients
    • Email recipients: specify which user has to be notified by email when an alert occurs (up to 500 recipients)
  1. Review your settings
    • Keep Yes, turn it on right now selected if everything is ok

Test your alert

  1. Connect to your Microsoft 365 SharePoint admin center with another SharePoint Administrator account
  2. Select the targeted site collection(s) on which you have binded the alert
  3. Change the site collection administrators

Result

  1. The recipients receive an email
  1. From the Security & Service > Alerts > View Alert, a new alert was added
  1. From the Security & Service > Alerts > Dashboard, if you have added the Recent Alerts widget, the graph was updated with the latest alerts

You will find more details about severity, category, etc. on this Microsoft Documentation