No one has responded to this discussion for at least a year, so this information may be out of date. If you're looking for information about this topic, please search for a more recent discussion or post a new question.

Unable to Remove Tenant_Users from Site Collection Administrators

This question is answered This question is answered
Recently (not sure when exactly but within the past month) Office 365 has decided to add the Tenant_Users Group to the Site Collection Administrators. As we use Office 365 to share certain information with users outside of our company, with their own personal user ID, this is a serious security breech as all of a sudden, external users whom we have given limited acess to their own sub-site, can now view our entire site which contains sesitive information.
Verified Answer
  • Hello,

    As a result of our recent service update, a very small number of tenants were affected.  Microsoft support and server operations responded quickly to ensure each tenant regained good health and was able to work with permissions properly.  All should have been resolved at this time.  Thanks for your patience and for raising this to our attention thru the community.  I apologize if there was a delay in the time taken to work thru your support case. 

    Kind Regards,

    Justin Ronan
    Microsoft Office 365 SharePoint Support

All Replies
  • Looking into this a bit furthr, to verify what is happening, I have created a new user, who is not a site administrator and has not been assigned any permissions to acess any of our Sharepoint site (Our site and all sub sites have unique permissions which are assigned on a per user basis). I went on another machine (just to make sure my browsers cache wasn't interfering) and logged on as the new user. This user can access every part of the site and perform administrative duties! I cannot believe that a company like Microsoft could allow this to happen. This is such a major breach of security, they may as well not have any for of login process if they can allow this to happen. I must get this rectified immediately or we will have to shut down our entire site at great cost. PLEASE CAN YOU HELP MICROSOFT!!!

  • I'm not sure if this is the same issue, but a few days after trimming permissions for sites/libraries, we also have users with limited access able to access everything. It was working fine initially. As far as I know the tenant_users group was already there. It was removed from secure areas but this made no difference.

    Having these kinds of problems with such a core feature on a released product is embarrassing. SkyDrive is more secure!!


  • I only noticed when I added a new customer and as I always do, I test to see if the new account can access the site assigned to them and only that site. We have a number of sub sites set up for customers, with links to them on the Top Bar. Normally when logging in with the customers ID, the only visible link on the Top Bar is the link to the site assigned to them. However on this occasion I noticed that ALL the links were visible and worse, available. I hunted around on the net and found that someone else had encountered the same issue, they mentioned that the Tenant_Users Group had been granted Site Collection Administrator rights. Lo and behold, the same has happened on our site. Every time I delete the Tenant_Users from the Site Collection Administrators, a few minutes later it re-appears, 'magically'. Definitely something wrong there!

    And yes, SkyDrive is more secure!

  • I was able to fix this and remove tenant users from site collection admins - I think by adding the tenant users group to team site and the site pages library. Then the owner removed a license and we had the exact same problem again. I've tried every combination of removing and adding the tenant users group. If you remove it from site collection admins, the restricted users have NO access. If you add it back, they have ALL access and assigning specific permissions does nothing..

    365 is supposed to make this type of administration easy and IT free. I've spent so much time trying to unravel the bizarre logic MSFT uses, it would have been cheaper to buy a server and hire an IT dept. Can someone please explain how to set up permissions that allow all users to see the team site but restricts certain libraries  / sub sites? 


  • Strange thing is this was all working absolutely fine a few weeks ago, no problems at all, then all of a sudden Tenant_Users Group is mysteriously added to the Site Collection Administrator role? AND to make matters worse, it cannot be removed. What have Microsoft done? They have obviously made some sort of 'enhancement' that has brought this bug about. Problem I have is that I am trying to manage a multi-million pound Engineering department that has now effectively had it's main artery cut. I am beginning to think that it will be cheaper and easier to to go down the route of Server/IT dept. This is giving me a bad name at work as the Office 365 idea was mine. thanks Microsoft, I am really impressed with your wisdom and engineering prowess.

  • Agreed - it was also working perfectly here when first set up. If the tenant user group is the problem it would be nice to have some notification about it before it wrecks carefully built permission structures. 

    What's even scarier is Sharepoint support doesn't seem to know anything about it either!

  • If you look a the attached .png it shows that the Tenant_Users Group has no permissions given (Top Line), then below it shows 'The Following Factors That Affect The Level Of Access' - Every single one has 'Allow' next to it!!! I still cannot believe that this could ever be allowed to happen. Come on Microsoft, get your act together.
  • Same here - can someone from MSFT please explain?
  • I looked in another P1 account and the TENANT USER GROUP DOESN'T EVEN EXIST!! And that site works is the tenant user group something that's created to make sure you still have access in a multi user account if you delete all the site collection admins or what? Surely someone can explain why this group exists and why it can't be deleted from SOME accounts?

    I'm awestruck that a service that sells itself on security and control seems to lack both.

  • Hello all,

    This is Justin with Microsoft Office 365 SharePoint Support.  Thanks for posting your question and responses.

    At this time, I have begun to see a small number of users reporting this issue.  To dive a bit deeper, have you recently been transitioned from the BPOS platform?

    Please ensure you have added yourself (individual user) to the site collection administrators and again attempt to remove the Tenant_Users group from the site collection administrators.  Once it has been removed, and verification of that has been completed, immediately navigate directly to, replacing domain with your own.  Check the group Tenant_Users and select delete from the Actions menu.

    As soon as I receive more information pertaining to this, I will be sure to repost here.


    Justin Ronan
    Microsoft Office 365 SharePoint Support

  • Justin,

    The account I'm dealing with was not a BPOS migration.

    It's a P1 account and has 2 individual site coll admins + the tenant users group that added itself. If I remove tenant users from site coll admin, it actually removes one of the users and puts itself back in its place. If I delete tenant users group, it just reappears in people and groups.  I can give you the support rep I was working with today if you like - he saw all that I'm describing here in a screen share. 

    As mentioned, in another P1 account, the group doesn't even exist and all is working there. . 

  • Tried exactly what you suggested and tenant users just reappears in people and groups and reappoints itself as a site coll admin. It can't be deleted.
  • Just to add if you look in Sharepoint Designer the tenant users group doesn't show up there either. I hope no one is using 365 for sensitive data because at this point there's no way to control permissions. 
  • Hi Justin, firstly, no we have not been transitioned from a BPOS platform, this is a P1 account, set up in September last year. Tried what you have suggested, Tenant_Users Group is now not displayed in the people and Groups, but it has re-appeared in the Site Collection Administrators.


    I cannot stress how important it is to resolve this quickly as we have a live operational site which is now effectively open to abuse by anyone with a login. To avoid this I will have to disable everybody's accounts, which means as a company, we are effectively cut off from our data.


    As mentioned previously this is a recent phenomenon, as only a few weeks ago (three probably) I added a new user and tested their access with no problems found. It was only yesterday when adding another user did I discover this vunerability. This would suggest that some parameter(s) in Sharepoint Online pertaining to security/user accounts has changed.


    What is more worrying is that for potentially several weeks our site has been vunerable to abuse by others outside our organization, which should never have happened as I have followed the guidelines for setting up permissions on our site and sub-sites.


    Please can you look to resolve this with a matter of urgency.


    Thank you


    Jon Dyson 

  • I'm surprised this isn't getting a quicker reaction. I imagine there are thousands of accounts out there who have no idea their once protected data is now accessible by all users. I had another screen share with SPO support today and they could neither explain how the tenant users group got there nor how to delete it. I can't expose customers to this so have no choice but to move them to a more reliable solution.