Web App Policy
There are support administrators that require access to be admins on all One Drive for Business sites that should NOT have access to SharePoint administration or any other SharePoint team sites.
Likewise, there are support administrators that will need to have access to all SharePoint team sites that should not have access to SharePoint Administrator or the One Drive for Business sites.
The only way to achieve this today is by scheduling a daily script to run against the target URLs to add the needed groups to the site collection administrators group, to ensure that newly created sites have the correct groups permissioned. This does not scale well, and has obvious points of failure.
Web application policies, as provided in an on premise environment, provides this capability to grant full control or full read access to accounts and groups per each web application. Having this same capability in SPO would be exceedingly helpful in management of permissions in the cloud environment.