How to Create SharePoint Sites with the Graph API

New Create Site API Fills Gap in Graph Coverage for SharePoint Online

Some big news for SharePoint Online administrators appeared in the Developer Blog on November 24, 2025, with the announcement of a Graph API to create sites. The new API fills in a gap that existed in Graph support for SharePoint Online sites that forced developers to use other methods to create sites, such as the SharePoint REST service (here’s an expanded discussion).

As usual with newly-introduced Graph APIs, the create site API is currently available through the beta Graph endpoint. An equivalent cmdlet in the Microsoft Graph PowerShell SDK is unavailable, but this will come in time after the AutoRest procedure gets to process the metadata for the new API. Given build schedules and the recent holiday period, my best guess is that the cmdlet will appear in V2.35 of the SDK (the current version is 2.34).

Originally, Microsoft said that three templates would be available.

  • Group: A team site connected to a Microsoft 365 group.
  • Sts: SharePoint Online team site.
  • Sitepagepublishing: A publishing or communication site.

However, experience gained in the beta proved that the group template simply didn’t work. Microsoft has decided to withdraw the group template, and all mention of the template will soon disappear from the create Site API documentation. Fortunately, new groups can be created using a variety of other methods, such as the New-MgGroup, New-MgTeam, and New-UnifiedGroup cmdlets.

API Permissions and the Rights to Create Sites

Alongside the create Site API, Microsoft introduced the Sites.Create.All permission. The delegated version of the permission allows the signed-in user to create new sites (if allowed to by the tenant) while the application version allows apps to create new sites without any check. To connect to the Graph and request the scope (permission), use a command like this.

Connect-MgGraph -Scopes Sites.Create.All -NoWelcome

Remember that running Connect-MgGraph interactively creates a session that uses delegated permissions. My account holds the SharePoint administrator role, so I can create new sites without constraint. This might not be the case for every user as the ability to create new sites is governed by SharePoint tenant settings (Figure 1).

Figure 1: SharePoint Online admin center settings for site creation

The SharePoint admin center setting controls creation of team, publishing, and communication sites.

Using the Create Site Graph API

If your account holds the SharePoint administrator role, you can connect an interactive session to use the API. Alternatively, sign in with an app that has consent to use the Sites.Create.All permission. Lacking a cmdlet to call the API, we’ll use the Invoke-MgGraphRequest cmdlet.

This example shows how to create a new communications site. To create a new team site, change the template from sitepagepublishing to sts.

$Uri = "https://graph.microsoft.com/beta/sites/"

$Params = @{
    name = "Corporate Executive Communication"
    webUrl = "https://office365itpros.sharepoint.com/sites/CorpExecComms"
    locale = "en-US"
    shareByEmailEnabled = $false
    description = "Communications site for Corporate Executive functions"
    template = "sitepagepublishing"
    ownerIdentityToResolve = @{email = "Tony.Redmond@office365itpros.com"}
}
 
Invoke-MgGraphRequest -Uri $Uri -Method POST -Body $Params

SharePoint Online doesn’t respond with a status following successful site creation, so to check that everything is good, we must try to retrieve the site.

Get-MgSite -Search "https://office365itpros.sharepoint.com/sites/CorpExecComms"

Because of caching, it takes about ten minutes before the Get-MgSite cmdlet can find the new site. It’s faster to check through the SharePoint admin center! Also remember that signing in with your own account uses delegated permissions, and to access the new site an account must be a site owner or member, which is why I included my account as a site owner.
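The create-then-verify sequence above can be wrapped in one function that checks the session's scope before posting and polls for the site afterwards. This is an added example, not code from the original article; the function name New-GraphSiteChecked and its timeout parameters are hypothetical.

```powershell
# Added example. New-GraphSiteChecked and its parameters are hypothetical names.
function New-GraphSiteChecked {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][hashtable]$SiteParams,  # same shape as $Params above
        [int]$TimeoutMinutes = 15,                     # article reports about ten minutes of caching delay
        [int]$PollSeconds = 60
    )

    # Pre-flight: there must be a Graph session, and a delegated session must hold the scope.
    $Context = Get-MgContext
    if (-not $Context) { throw "No Graph session. Run Connect-MgGraph first." }
    if ($Context.AuthType -eq 'Delegated' -and $Context.Scopes -notcontains 'Sites.Create.All') {
        throw "Session for $($Context.Account) lacks the Sites.Create.All scope."
    }
    Write-Verbose ("Creating {0} using {1} permissions" -f $SiteParams.webUrl, $Context.AuthType)

    # Invoke-MgGraphRequest throws on an HTTP error, so reaching the loop means the POST was accepted.
    Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/beta/sites/" -Method POST -Body $SiteParams | Out-Null

    # Poll until Get-MgSite returns the site. Match the URL exactly because
    # a search may return more than one site.
    $Deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $Site = Get-MgSite -Search $SiteParams.webUrl -ErrorAction SilentlyContinue |
            Where-Object { $_.WebUrl -eq $SiteParams.webUrl } |
            Select-Object -First 1
        if ($Site) { return $Site }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $Deadline)

    throw "Site $($SiteParams.webUrl) was not returned by Get-MgSite within $TimeoutMinutes minutes."
}

# Usage with the $Params hashtable from the article:
# $Site = New-GraphSiteChecked -SiteParams $Params -Verbose
```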

Full Control for App

When a site is created using the API, the calling app receives the Sites.Selected permission with Full.Control access to the new site to enable the app to work with the site. For instance, the app could proceed to add assets like lists, site pages, or documents to the site. Regretfully, there’s no Graph API available to add site members, so this has to be done through the SharePoint admin center or the site (by a site owner).

To demonstrate what happens, I used some code from this article about using the Sites.Selected permission to report the permissions for the newly-created communications site. As you can see, the Microsoft Graph PowerShell app has full control:

$Site = Get-MgSite -Search "https://office365itpros.sharepoint.com/sites/CorpExecComms"

[array]$Permissions = Get-MgSitePermission -SiteId $Site.Id 
ForEach ($Permission in $Permissions){
  $Data = Get-MgSitePermission -PermissionId $Permission.Id -SiteId $Site.Id -Property Id, Roles, GrantedToIdentitiesV2
  Write-Host ("{0} permission available to {1}" -f ($Data.Roles -join ","), $Data.GrantedToIdentitiesV2.Application.DisplayName)
}

fullcontrol permission available to Microsoft Graph PowerShell

Microsoft Graph PowerShell is the internal name for the app used for interactive Microsoft Graph PowerShell SDK sessions. The app’s display name is Microsoft Graph Command Line Tools.
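An allowlist check over the same permission data helps spot apps that hold Full Control on a site without being expected to. This is an added example, not code from the original article; the function name, the ApprovedAppIds parameter, and the placeholder GUID are assumptions.

```powershell
# Added example. Get-SiteAppPermissionReport and its parameters are hypothetical names.
function Get-SiteAppPermissionReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SiteId,
        # App (client) IDs expected to hold elevated roles on this site.
        # The GUID is a placeholder; display names are not used because they are not unique.
        [string[]]$ApprovedAppIds = @('00000000-0000-0000-0000-000000000000'),
        [string[]]$ElevatedRoles = @('fullcontrol')
    )

    foreach ($Permission in (Get-MgSitePermission -SiteId $SiteId -All)) {
        # The list call omits grantee details, so fetch each permission individually.
        $Data = Get-MgSitePermission -SiteId $SiteId -PermissionId $Permission.Id `
            -Property Id, Roles, GrantedToIdentitiesV2

        foreach ($Identity in $Data.GrantedToIdentitiesV2) {
            $App = $Identity.Application
            if (-not $App) { continue }   # skip grants that are not to an application

            $Elevated = @($Data.Roles | Where-Object { $_ -in $ElevatedRoles })
            [pscustomobject]@{
                PermissionId = $Data.Id
                AppName      = $App.DisplayName
                AppId        = $App.Id
                Roles        = $Data.Roles -join ','
                # True when an app outside the allowlist holds an elevated role.
                NeedsReview  = ($Elevated.Count -gt 0 -and $App.Id -notin $ApprovedAppIds)
            }
        }
    }
}

# Usage with the $Site variable from the article:
# Get-SiteAppPermissionReport -SiteId $Site.Id | Where-Object NeedsReview | Format-Table
```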

A Faltering Start

I’m puzzled why Microsoft pushed out the create Site API. The API doesn’t handle creation of the most common type of SharePoint Online site, and the SharePoint Graph APIs lack the ability to populate site membership. The API is in beta, so Microsoft might address some of the issues raised here by the time you read this article.

I guess the API will allow some organizations to replace current usage of the SharePoint REST API. Aside from that, I don’t see how this API will do much except act as a starting point for SharePoint to fully embrace all aspects of site creation. Time will tell if Microsoft delivers the missing pieces.



9 Replies to “How to Create SharePoint Sites with the Graph API”

  1. Just a quick question, how do you know that the group template will be removed? I’m also getting the “generalException” when trying to create a group, but I’m wondering if there has been any official documentation.

      1. I’m not sure. There are already good APIs (ones that actually work) to create SharePoint sites for Microsoft 365 groups, so why recreate the wheel?

      2. I don’t think there’s an api for app only site creation of teams sites, where you don’t need sites.fullcontrol.all.
        You can use group.create to create the team site, but setting the app as owner only gives you permission to edit the group members, but not access sharepoint via sites.selected

      3. Maybe I don’t understand. You can run New-MgGroup to create a new Microsoft 365 group. The SharePoint site is created automatically for the new group. You can then add whatever owners and members you want to the group membership, and then assign the Sites.Selected permission for the new site if required. This approach does need Groups.ReadWrite.All, but it does work and you can lock down the site afterwards. That’s what I meant by another method being available… and it makes sense for the SharePoint people to leave this area to the Groups developers, meaning that they can concentrate on the non-group connected sites. But we shall see… what do I know!

      4. The scenario I was thinking about was this:
        An event(webhook) triggers creation of a team site, performs some actions and adds some members to the site.

        You have an azure app registration where the app, using a client id and certificate(app only, not delegated) creates a team site.

        You then use that app to open the sharepoint site and add libraries and contenttypes(without user interaction).

        The problem I have there is that to access the site after creation, I need sites.fullcontrol.all permission. Bit unusual flow I guess. Thanks for replying 😀

      5. To grant sites.selected the app would need sites.fullcontrol.all. Since this is a provisioning engine used across several tenants, where some admins are sceptical about granting more than sites.selected.

        It’s a bit of a special case I guess.
