The Restricted Site Creation by Apps feature lets SharePoint Administrators use the SharePoint Online Management Shell to designate which third-party apps can create SharePoint sites in your organization.
You can choose between two ways to manage site creation for apps within your tenant:
- Deny mode (the specified apps are unable to create sites)
- Allow mode (only the specified apps are allowed to create sites).
When you enable restricted site creation for apps in your tenant, the default mode is set to deny.
Keep in mind that these policies only control which apps can create new sites; these policies don't affect site access permissions for users or apps.
Note
- The Restrict OneDrive and SharePoint site creation by apps feature is currently in preview.
- Admins can create separate configurations for the following categories of sites: All sites (including OneDrives), all SharePoint sites (not including OneDrives), OneDrives, Team sites (Group connected and classic), and Communication sites.
- The Restricted site creation for apps feature has a simulation mode parameter for testing hypothetical policy configurations before you enforce them.
- The Restricted site creation for apps feature affects only non-Microsoft (third-party) apps. First-party apps aren't affected.
Prerequisites for restricted site creation
- Your organization must have SharePoint Advanced Management Plan 1, an add-on for Microsoft 365. See Prerequisites for SharePoint Advanced Management, including requirements for the SharePoint Online PowerShell module.
- Make sure you can configure apps that are allowed to create SharePoint sites.
To get App IDs
Some of the PowerShell commands you'll use call for App IDs. To create your list, follow these steps:
1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
2. Browse to Entra ID > Enterprise apps > All applications.
3. Select the application you want, and view its Application ID.
Connect to the SharePoint Online Management Shell
If you haven't already done so, download the latest SharePoint Online Management Shell.
Note
If you installed a previous version of the SharePoint Online Management Shell, go to Add or remove programs and uninstall "SharePoint Online Management Shell" first. Then, install the latest version.
Connect to SharePoint as a SharePoint Administrator or SharePoint Advanced Management Administrator. For more information, see Getting started with SharePoint Online Management Shell.
Use the restricted site creation PowerShell commands
To enable restricted site creation for apps

```powershell
Set-SPORestrictedSiteCreationForApps -Enabled $true
```

To allow only the listed apps to create sites (allow mode)

```powershell
Set-SPORestrictedSiteCreationForApps -Mode Allow
```

To prevent the listed apps from creating sites (deny mode)

```powershell
Set-SPORestrictedSiteCreationForApps -Mode Deny
```

To add or reconfigure the App ID list for a site type (the list you supply replaces the existing list for that site type)

```powershell
Set-SPORestrictedSiteCreationForApps -SiteType <SiteType> -RestrictedSiteCreationApps <comma separated app IDs>
```

To view your Restricted Sites App list for a site type

```powershell
Get-SPORestrictedSiteCreationForApps -SiteType <SiteType>
```
Site types for restricted site creation for apps
Specify the SiteType parameter when you update and view the App ID list. Here are the values the SiteType parameter accepts:
| Site type | Applies to |
|---|---|
| All | OneDrive and all SharePoint sites |
| SharePoint | All SharePoint sites (but not OneDrive) |
| OneDrive | Only OneDrive |
| Team | Only SharePoint team sites (group-connected and classic) |
| Communication | Only SharePoint communication sites |
Note
All Sites includes all sites except for any template listed in the following table. The All Sites SiteType overrides all others.
| Type | Template Name | Template ID | Reason |
|---|---|---|---|
| SharePoint Embedded | CSPCONTAINER | 70 | SharePoint Embedded experience is managed separately |
| Redirect site | REDIRECTSITE | 301 | Critical SharePoint functionality |
| My Site Host | MYSITEHOST | 54 | Core site |
| Tenant Admin | TENANTADMIN | 16 | Core site |
How deny and allow modes work
The restricted site creation for apps mode is shared across all site type policies. It isn't possible to use deny mode for one site type and allow mode for a different site type.
When restricted site creation for apps is in deny mode, an app is blocked from creating a site if its App ID is in any configured list whose site type applies to the site it's attempting to create. For example, an app is blocked from creating a SharePoint communication site if its App ID is in any list configured with the All, SharePoint, or Communication site types.
When restricted site creation for apps is in allow mode, an app is allowed to create a site only if its App ID is in a configured list whose site type applies to the site it's attempting to create. For example, an app can create a OneDrive if its App ID is in a list configured with the All or OneDrive site types.
Note
Changing the mode from deny to allow prompts a message: "Are you sure you want to switch from Deny to Allow? Switching will remove all current configuration of restrictions." A similar message appears when you switch from allow to deny mode as well.
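The following is an added example, not part of the Microsoft documentation and not a SharePoint cmdlet. It models the deny-mode and allow-mode evaluation rules described above so an administrator can check a planned set of lists offline before applying it. The site-type coverage table, the `$policy` hashtable, and the test cases are constructed sample data (the app IDs are the ones used later in this article's examples); the function name `Test-AppCanCreateSite` is this example's own.

```powershell
# Added example (not from the Microsoft docs): offline model of the deny/allow rules.

# For each kind of site an app might create, the SiteType lists that apply to it,
# per the site type table in this article (All > SharePoint > Team/Communication; OneDrive).
$ApplicableSiteTypes = @{
    'OneDrive'      = @('All', 'OneDrive')
    'Team'          = @('All', 'SharePoint', 'Team')
    'Communication' = @('All', 'SharePoint', 'Communication')
}

function Test-AppCanCreateSite {
    param(
        [Parameter(Mandatory)][ValidateSet('Deny', 'Allow')][string]$Mode,
        [Parameter(Mandatory)][hashtable]$Policy,   # SiteType -> array of app IDs (constructed)
        [Parameter(Mandatory)][ValidateSet('OneDrive', 'Team', 'Communication')][string]$SiteKind,
        [Parameter(Mandatory)][string]$AppId
    )
    # An app is "listed" if its ID appears in any configured list whose SiteType covers
    # the site being created. -contains compares case-insensitively, which suits GUIDs.
    $listed = $false
    foreach ($siteType in $ApplicableSiteTypes[$SiteKind]) {
        if ($Policy.ContainsKey($siteType) -and ($Policy[$siteType] -contains $AppId)) {
            $listed = $true
            break
        }
    }
    if ($Mode -eq 'Deny') { return (-not $listed) }   # Deny: listed apps are blocked
    return $listed                                    # Allow: only listed apps may create
}

# Constructed sample policy: one App ID list per SiteType, as Set-SPORestrictedSiteCreationForApps
# would configure them. The mode is tenant-wide, so it is passed separately.
$policy = @{
    'All'  = @('281e395b-7316-4cb2-b5bb-8881426ee411')
    'Team' = @('78159241-04a9-41d2-8dd4-ac568e9766a3', '1f95829b-e1c8-4406-b2be-508c36f4bca5')
}

$cases = @(
    @{ Mode = 'Allow'; SiteKind = 'Communication'; AppId = '281e395b-7316-4cb2-b5bb-8881426ee411' }  # in the All list, which covers communication sites
    @{ Mode = 'Allow'; SiteKind = 'OneDrive';      AppId = '78159241-04a9-41d2-8dd4-ac568e9766a3' }  # only in the Team list, which does not cover OneDrive
    @{ Mode = 'Deny';  SiteKind = 'Team';          AppId = '78159241-04a9-41d2-8dd4-ac568e9766a3' }  # in the Team list
    @{ Mode = 'Deny';  SiteKind = 'Communication'; AppId = '78159241-04a9-41d2-8dd4-ac568e9766a3' }  # not in the All, SharePoint, or Communication lists
)

foreach ($c in $cases) {
    $ok = Test-AppCanCreateSite -Mode $c.Mode -Policy $policy -SiteKind $c.SiteKind -AppId $c.AppId
    '{0,-5} mode, {1,-13} site, app {2}...: {3}' -f $c.Mode, $c.SiteKind, $c.AppId.Substring(0, 8),
        $(if ($ok) { 'can create' } else { 'blocked' })
}
```

Running the script prints one line per case. The point it makes concrete is the one-directional overlap in the table: a Team list never affects OneDrive or communication sites, while the All list affects everything, and the same lists produce opposite outcomes once the tenant-wide mode flips between Deny and Allow.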
Specify the App IDs in the Restricted Sites App list
When you specify App IDs in the Restricted Sites App list, the command replaces the current list with the app IDs that you specify. You can't add or remove individual app IDs. Each time you run the command, it replaces the previous list with a new list for that site type.
To avoid removing access for other apps, always include all app IDs you want to allow in your command.
Here are some examples.
Example 1: Allow only one app to create sites
Suppose we want to allow only one app to create sites. The app has ID 281e395b-7316-4cb2-b5bb-8881426ee411. We'd use the following command:
```powershell
Set-SPORestrictedSiteCreationForApps -SiteType "All" -RestrictedSiteCreationApps "281e395b-7316-4cb2-b5bb-8881426ee411"
```
This command replaces the existing list with just the specified app ID. Only this app is able to create sites of type "All".
Example 2: Update the list of apps that are allowed to create team sites
Suppose we want to update the list of apps that can create team sites. We'd use the following command:
```powershell
Set-SPORestrictedSiteCreationForApps -SiteType "Team" -RestrictedSiteCreationApps "78159241-04a9-41d2-8dd4-ac568e9766a3,1f95829b-e1c8-4406-b2be-508c36f4bca5"
```
This command replaces the current list of allowed apps for Team sites with only the specified app IDs.
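Because the Set command replaces the whole list, the easiest way to lose an existing app's entry is to run it with only the new ID. The following helper is an added example, not part of the Microsoft documentation or the SharePoint Online Management Shell: it reads the current list for a site type with Get-SPORestrictedSiteCreationForApps, merges the requested IDs into it, and writes the union back with Set-SPORestrictedSiteCreationForApps. It assumes that the Get cmdlet returns an object whose `RestrictedSiteCreationApps` property holds the configured IDs (that property name is an assumption, and the code accepts either an array or a comma-separated string), and the admin URL in the usage comments is a placeholder for your tenant. The function name `Add-RestrictedSiteCreationApp` is this example's own.

```powershell
# Added example (not from the Microsoft docs): read-merge-write so that adding an app ID
# never silently drops the ones already configured for that site type.
function Add-RestrictedSiteCreationApp {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('All', 'SharePoint', 'OneDrive', 'Team', 'Communication')]
        [string]$SiteType,

        # Each ID must be a GUID; ValidatePattern is applied to every element.
        [Parameter(Mandatory)]
        [ValidatePattern('^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$')]
        [string[]]$AppId
    )

    $current = Get-SPORestrictedSiteCreationForApps -SiteType $SiteType

    # Assumption: the configured IDs are exposed as RestrictedSiteCreationApps, either as
    # an array or as one comma-separated string. Normalise to a clean lowercase array.
    $existing = @(
        ((@($current.RestrictedSiteCreationApps) -join ',') -split ',') |
            ForEach-Object { $_.Trim().ToLowerInvariant() } |
            Where-Object { $_ }
    )

    $merged = @(
        ($existing + @($AppId | ForEach-Object { $_.ToLowerInvariant() })) |
            Sort-Object -Unique
    )

    if ($merged.Count -eq $existing.Count) {
        Write-Verbose "All requested app IDs are already in the $SiteType list; nothing to do."
        return $existing
    }

    # ShouldProcess gives the caller -WhatIf (show the change without touching the tenant)
    # and -Confirm for free.
    $target = "$SiteType list (currently $($existing.Count) app IDs)"
    if ($PSCmdlet.ShouldProcess($target, "Replace with $($merged.Count) app IDs")) {
        Set-SPORestrictedSiteCreationForApps -SiteType $SiteType `
            -RestrictedSiteCreationApps ($merged -join ',')
    }
    return $merged
}

# Usage (the admin URL is a placeholder for your tenant):
# Connect-SPOService -Url https://<tenant>-admin.sharepoint.com
# Add-RestrictedSiteCreationApp -SiteType Team -AppId '1f95829b-e1c8-4406-b2be-508c36f4bca5' -WhatIf
# Add-RestrictedSiteCreationApp -SiteType Team -AppId '1f95829b-e1c8-4406-b2be-508c36f4bca5' -Verbose
```

Run it first with -WhatIf to see the exact list that would be written, then without. The function returns the list it left in place, so the output can be compared against a later Get-SPORestrictedSiteCreationForApps call or recorded for change tracking; the same helper works in both modes, since in deny mode it extends the blocked list and in allow mode the allowed list.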