pnp / custom-learning-office-365

Microsoft Learning Pathways end user learning solution for Microsoft 365 customers.
MIT License
237 stars 212 forks

tenant admin privileges? #29

Closed stche closed 5 years ago

stche commented 5 years ago

Question: The provisioning service page says the requirement is a "Tenant Admin". Does this really have to be a global tenant admin, or would it be sufficient to sign in and use a dedicated "SharePoint Online Admin"?

Reason: Customers with a highly regulated environment and a very restrictive "least privilege model" have an issue with this, since they may have only a dedicated set of admins defined as the global tenant admins and may limit the SharePoint Admin tasks to only that subset of users.

If it really needs a global tenant admin, please can you give us the details on why, and what actually is installed/changed on a tenant level that requires these elevated permissions vs. what a normal SharePoint admin would miss out on while installing/provisioning the Custom Learning sites.

Also, does it mean that even if the global tenant admin is required, this is a one-off (just for installing it) requirement, and a regular SharePoint Admin would then be able to normally maintain and administer the portal?

Impact: There is a customer currently planning the deployment for 5k users very soon, but they might be blocked if this really needs a "global tenant admin", since they will not give a SharePoint admin the global admin creds.

Thanks and kr Steve

juliemturner commented 5 years ago

The requirement is for the PnP Provisioning service and not custom learning. This forum cannot answer these questions for you; however, the documentation here outlines what is meant by tenant admin, and I believe it to mean SharePoint tenant admin. If you need further clarification, please post your question in the https://github.com/SharePoint/sp-dev-docs repository, where those supporting it can answer your questions.

stche commented 5 years ago

Thanks Julie, will do so and post it there.

VesaJuvonen commented 5 years ago

Actual tenant administrator permission is needed, as Azure AD does not understand the difference between the tenant admin and SharePoint Online admin roles. This is a full-permission ask at the tenant level, to be able to operate with the app catalog, site designs, site scripts, themes, site collections, etc. If the customer does not want to provide the needed permissions to the service, they can always use the PnP PowerShell cmdlets to provision the templates to their tenants, which would mean that they would not need to grant any external service high permissions. The actual engine behind the scenes is still the same.

MichaelCarr-MLC commented 5 years ago

This seems to work with the SharePoint Admin and Cloud App Admin roles assigned, as far as my testing went. The Cloud App Admin role is assigned through the Azure AD portal. It is not available through the O365 portal.
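The thread above contrasts running the hosted provisioning service as a Global Administrator with provisioning from PnP PowerShell under the narrower SharePoint Administrator plus Cloud Application Administrator roles. The following script is an added example, not part of this issue or of the learning pathways project: it uses the Microsoft Graph PowerShell SDK to list the directory roles held by the account you intend to run the provisioning with, and reports whether it is over-privileged (Global Administrator) or under-privileged (missing one of the two roles named in the comment above) before anything is deployed. The role display names, the Graph scope and the `$ProvisioningAccount` value are assumptions for the example.

```powershell
# Added example (not from the repository). Requires the Microsoft.Graph PowerShell SDK.
# Directory.Read.All is assumed to be sufficient to read a user's directory role memberships.
Connect-MgGraph -Scopes "Directory.Read.All"

# Roles that the comment above reports as sufficient for PnP provisioning (assumed display names).
$RequiredRoles = @('SharePoint Administrator', 'Cloud Application Administrator')
$OverPrivilegedRole = 'Global Administrator'

function Get-DirectoryRolesForUser {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-MgUser -UserId $UserPrincipalName
    # Get-MgUserMemberOf returns groups and directory roles; keep only active role assignments.
    # Note: PIM-eligible (not yet activated) roles are not returned here.
    Get-MgUserMemberOf -UserId $user.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
        ForEach-Object { $_.AdditionalProperties['displayName'] }
}

function Test-ProvisioningAccountPrivilege {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $roles = @(Get-DirectoryRolesForUser -UserPrincipalName $UserPrincipalName)
    $missing = $RequiredRoles | Where-Object { $roles -notcontains $_ }
    [pscustomobject]@{
        Account        = $UserPrincipalName
        Roles          = $roles
        MissingRoles   = @($missing)
        IsGlobalAdmin  = ($roles -contains $OverPrivilegedRole)
        # Least-privilege target: holds both required roles and is not a Global Administrator.
        LeastPrivilege = (($missing.Count -eq 0) -and ($roles -notcontains $OverPrivilegedRole))
    }
}

# Placeholder account; replace with the service/admin account planned for provisioning.
$ProvisioningAccount = 'lp-provisioner@contoso.onmicrosoft.com'
$result = Test-ProvisioningAccountPrivilege -UserPrincipalName $ProvisioningAccount
$result | Format-List

if ($result.IsGlobalAdmin) {
    Write-Warning "Account holds $OverPrivilegedRole; consider a dedicated account with only the required roles."
}
if ($result.MissingRoles.Count -gt 0) {
    Write-Warning ("Account is missing: " + ($result.MissingRoles -join ', '))
}
```

Run the check in the tenant before starting the provisioning so the decision in the thread (hosted service under a Global Administrator versus PnP PowerShell under the two narrower roles) is backed by the account's actual role assignments rather than by assumption.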

github-actions[bot] commented 3 years ago

This issue is locked for inactivity or age. If you have a related issue please open a new issue and reference this one. Closed issues are not tracked.