One of the other things you probably need to check in your tenant is exactly who is a Site Collection administrator in your SharePoint sites in Office 365.
Site Collection administrators have full access to that SharePoint site and can only be removed by another Site Collection administrator. Also, they generally don’t appear inside the permission settings inside a site. So, knowing who has full rights to your SharePoint sites is a good thing I feel.
You can find the script to display all your SharePoint sites and Site Collection administrators inside those sites in my GitHub repository here:
https://github.com/directorcia/Office365/blob/master/o365-spo-admins.ps1
The interesting thing I discovered when I ran the script was that I have a number of site with no Site Collection administrator (most likely deleted sites it seems) and a number of sites I didn’t have access to (again, seems to have something to do with becoming orphaned during deletion). So, I have some further work to do now to clean all this up.
The script won’t fix or deal with any errors, but it will tell you about them and you can go investigate further.
Run it and see what it turns up for you!
CIAOPS 