The Need for Restricted Site Creation
In January 2026, I wrote about the beta version of the create site Graph API and how apps can use the API to create SharePoint Online sites. The API still cannot create sites connected to Microsoft 365 groups, which is a pity, but other Graph APIs exist to fill the gap.
Since the introduction of Teams in 2017, we’ve seen an explosion in the number of SharePoint sites. The profusion of sites doesn’t make it any easier to manage the storage of important corporate information, but unless they take steps to restrict group creation, tenants must learn to manage large quantities of sites.
SharePoint Online Restricted Site Creation by Apps
Which brings me to a new capability to restrict the creation of SharePoint Online sites by apps, part of the SharePoint advanced management suite (and also available to tenants with Microsoft 365 Copilot licenses). The restricted site creation policy is currently in preview and is slated to reach general availability “soon.”
The new policy allows administrators to configure SharePoint Online to allow or block app creation of different categories of sites:
- All (any type of site, including OneDrive for Business).
- All (excluding OneDrive for Business).
- Team (group-connected and classic SharePoint team sites).
- Communication.
You can’t have different creation policies for different types of sites. The restricted site creation policy works across all site types.
SharePoint Online allows first-party Microsoft apps to create sites even when restrictions are in place. That is, if the software knows about first-party apps, which it sometimes doesn’t (as we’ll see).
Creating a Restricted Site Creation Policy for Apps
To create a restricted site creation policy for apps, run the Set-SPORestrictedSiteCreationForApps cmdlet to enable the restriction and choose the mode (allow or deny):
Set-SPORestrictedSiteCreationForApps -Enabled $True -Mode Allow
The app list to restrict or allow is passed as a comma-separated string containing the app identifiers. Oddly, the RestrictedSiteCreationApps parameter doesn’t accept an array of strings. If you use PowerShell to find the apps that call the site create API and hold their app identifiers in an array so that you can add them to the allow list, you must convert the array to a string before calling the Set-SPORestrictedSiteCreationForApps cmdlet. Updating the allow or deny list is an overwrite, so be sure to include every app that you want to allow or restrict in the value passed.
# Convert the array of app identifiers to a string to use with Set-SPORestrictedSiteCreationForApps
[string]$Apps = $ListOfAllowedApps -join ","
$Apps
14d82eec-204b-4c2f-b7e8-296a70dab67e,3f1f1167-3205-4c00-980e-700d7d6b9100
Set-SPORestrictedSiteCreationForApps -SiteType "All" -RestrictedSiteCreationApps $Apps

Confirm
There are apps already configured for SiteType All which will be overwritten by this command. Are you sure you want to proceed?
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): y
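Because the cmdlet overwrites the whole list, a careless update can silently drop apps that were already allowed. The following function is an added example (not code from the original post or from Microsoft) that reads the current "All" list, validates the new identifiers, merges them with what is already configured and writes the combined string back. It assumes the SharePoint Online PowerShell module is loaded and Connect-SPOService has been run; the function name is hypothetical.

```powershell
# Added example: merge new app identifiers into the existing allow/deny list for SiteType "All"
# without losing the apps already configured. Assumes Connect-SPOService has already run.
Function Add-RestrictedSiteCreationApp {
    param (
        [Parameter(Mandatory)][string[]]$AppId   # one or more application (client) identifiers
    )
    # Reject anything that is not a GUID before it reaches the policy
    ForEach ($Id in $AppId) {
        $Parsed = [guid]::Empty
        If (-not [guid]::TryParse($Id, [ref]$Parsed)) {
            Throw "Not a valid application identifier: $Id"
        }
    }
    $Policy = Get-SPORestrictedSiteCreationForApps
    # The existing value is a single comma-separated string, which may be empty
    $Existing = $Policy.AppConfigurations | Select-Object -ExpandProperty All
    [array]$Current = @()
    If (-not [string]::IsNullOrWhiteSpace($Existing)) {
        $Current = $Existing.Split(",") | ForEach-Object { $_.Trim() }
    }
    # Merge the lists, de-duplicate case-insensitively and keep a stable order
    $Merged = @($Current + $AppId) | ForEach-Object { $_.ToLower() } | Sort-Object -Unique
    # Set-SPORestrictedSiteCreationForApps replaces the list, so pass the complete merged set as one string
    [string]$Value = $Merged -join ","
    Write-Output ("Setting the {0} list for SiteType All to: {1}" -f $Policy.Mode, $Value)
    # The cmdlet prompts for confirmation (see the post); suppress the prompt for scripted use
    Set-SPORestrictedSiteCreationForApps -SiteType "All" -RestrictedSiteCreationApps $Value -Confirm:$false
}

# Usage: add the Microsoft Graph Command Line Tools app (identifier quoted later in the post)
Add-RestrictedSiteCreationApp -AppId "14d82eec-204b-4c2f-b7e8-296a70dab67e"
```

Run Get-SPORestrictedSiteCreationForApps afterwards to confirm that the previously configured identifiers are still present alongside the new one.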
Use the Get-SPORestrictedSiteCreationForApps cmdlet to see the policy settings:
Get-SPORestrictedSiteCreationForApps
RunspaceId : 7fe071d9-c4d8-4c89-921f-62783a072587
AppConfigurations : {[Communication, ], [SharePoint, ], [OneDrive, ], [Team, ]…}
Enabled : True
Mode : Allow
Context : Microsoft.Online.SharePoint.PowerShell.CmdLetContext
Tag :
Path : Microsoft.SharePoint.Client.ObjectPathMethod
ObjectVersion :
ServerObjectIsNull : False
TypedObject : Microsoft.Online.SharePoint.TenantAdministration.SPORestrictedSiteCreationConfigurationForApps
The details of the app list are revealed by examining the AppConfigurations property:
(Get-SPORestrictedSiteCreationForApps).AppConfigurations

Name          Value
----          -----
Communication
SharePoint
OneDrive
Team
All           14d82eec-204b-4c2f-b7e8-296a70dab67e,3f1f1167-3205-4c00-980e-700d7d6b9100
It’s good to make sure that the list of application identifiers given to SharePoint Online is accurate. To validate the set of identifiers in the allow or deny list, you could use code like this (the code only handles apps that can create all types of sites):
# Read the policy once and split the comma-separated list of apps configured for all site types
$Policy = Get-SPORestrictedSiteCreationForApps
$Mode = $Policy.Mode
[array]$AppIdList = ($Policy.AppConfigurations | Select-Object -ExpandProperty All).Split(",")
ForEach ($App in $AppIdList) {
   Try {
      # A filter that matches nothing returns $null rather than throwing, so check the result explicitly
      $AppDetails = Get-MgServicePrincipal -Filter "AppId eq '$App'" -ErrorAction Stop
      If ($AppDetails) {
         Write-Output ("The {0} app is in the {1} list for SharePoint site creation" -f $AppDetails.DisplayName, $Mode)
      } Else {
         Write-Output ("Can't find service principal for appid {0}" -f $App)
      }
   } Catch {
      Write-Output ("Error looking up service principal for appid {0}: {1}" -f $App, $_.Exception.Message)
   }
}
Testing Restricted Site Creation for Apps
To test how the restricted site creation policy for apps works, I first tried to use the Graph create site API with delegated permissions in an interactive Microsoft Graph PowerShell SDK session signed in with a SharePoint administrator account. Originally, the allowed app list didn’t include the identifier for the Microsoft Graph Command Line Tools enterprise app, which is how interactive Microsoft Graph PowerShell SDK sessions are authenticated, so attempts to create a site resulted in this kind of error:
Invoke-MgGraphRequest: POST https://graph.microsoft.com/beta/sites/
HTTP/2.0 500 Internal Server Error
Cache-Control: no-store, no-cache
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: b7a1a6e3-4f21-4360-837d-3f13a3e590f4
client-request-id: 78ec8d28-553b-4cb3-b23d-0952f78042b5
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"North Europe","Slice":"E","Ring":"4","ScaleUnit":"010","RoleInstance":"DB1PEPF00045AF9"}}
splogid: 7a8702a2-f07e-a000-54ac-6d283dc640b6
Date: Sun, 22 Mar 2026 16:04:55 GMT
Content-Type: application/json
{"error":{"code":"generalException","message":"General exception while processing","innerError":{"date":"2026-03-22T16:04:56","request-id":"b7a1a6e3-4f21-4360-837d-3f13a3e590f4","client-request-id":"78ec8d28-553b-4cb3-b23d-0952f78042b5"}}}
A 500 “internal server error” is a rather blunt way of signaling a problem, but that’s what you get. Adding the identifier (14d82eec-204b-4c2f-b7e8-296a70dab67e) to the allowed apps list solved the problem. Obviously, the Microsoft Graph Command Line Tools app is not one of the first-party apps that the restricted site creation feature knows about.
It must be hard to keep track of every first-party app used within Microsoft 365 that might perform an action. Although Microsoft will probably fix the issue with the Microsoft Graph Command Line Tools app, the same situation might arise with another first-party app in the future. If it does, find the application identifier for the app’s service principal and add the identifier to the allow list.
The same error occurs when a third-party app that isn’t on the approved list attempts to create a site. To test this scenario, I created a registered app for the tenant and assigned it the Site.Create.All permission. I then used an X.509 certificate loaded into the app to sign into an app-only interactive session before trying (and failing) to create a site.
I think it’s most likely that the feature will use an allow list to define the set of apps permitted to create sites. The feature also supports a deny list for apps not allowed to create sites.
Hard to Know How the Policy Will Be Used
It’s hard to know how the restricted site creation policy will be used by Microsoft 365 tenants. Most sites created by third-party apps are probably a side effect of creating Microsoft 365 groups or teams, so I don’t know of any great demand for such a policy. However, Microsoft isn’t in the habit of writing software without a reason, so they are likely aware of some customer demand that I’ve never heard of. In any case, we now have the capability, and it will be interesting to see how it is used.