Share via


Restrict OneDrive and SharePoint site creation

The restricted site creation feature lets IT administrators use SharePoint Online Management Shell to designate which Microsoft Entra security groups in their tenant can create OneDrive and SharePoint sites.

You can choose between two ways to manage site creation within your tenant: deny mode (the specified groups are unable to create sites) and allow mode (only the specified groups are allowed to create sites). Once you enable this feature for your tenant, restricted site creation is set to deny mode by default.

Restricted site creation policies only control site provisioning capabilities and not site access permissions.

What do you need to restrict OneDrive and SharePoint site creation?

To restrict OneDrive and SharePoint site creation, you need:

  • Microsoft SharePoint Premium - SharePoint Advanced Management license - Available as a standalone purchase

    Note

    Restricted site creation policy is the only SharePoint Advanced Management feature not included with Microsoft 365 Copilot.

  • Microsoft SharePoint Online Management Shell - Download and install the latest version (version 16.0.25513.12000 or later)

Site types

Each restricted site creation policy includes a site type specifying the types of sites users in the specified groups are either allowed or denied from creating.

Site type Applies to
All OneDrive and all SharePoint sites
SharePoint All SharePoint sites (but not OneDrive)
OneDrive Only OneDrive
Team Only SharePoint team sites (group-connected and classic)
Communication Only SharePoint communication sites

Up to 10 Microsoft Entra security groups can be specified for each site type.

When restricted site creation is in allow mode, a user is only allowed to create a site if they are in a group configured with a site type which applies to the site they're attempting to create. For example, a user can create a OneDrive if they are in a security group configured with the All or OneDrive site types.

When restricted site creation is in deny mode, a user is blocked from creating a site if they are in any group configured with any site type which applies to the site they're attempting to create. For example, a user is blocked from creating a SharePoint communication site if they are in any group configured with the All, SharePoint, or Communication site types.

Note

The restricted site creation mode is shared across all site type policies. It is not possible to use deny mode for one site type and allow mode for a different site type.

Current limitations

  • Only Microsoft Entra security groups (mail-enabled or non-mail-enabled) are supported at this time.
  • You can configure up to 10 security groups per site type.
  • This feature is currently unavailable for government cloud environments such as GCCH/GCC-Moderate/DoD/Gallatin.

Manage restricted site creation

The Set-SPORestrictedSiteCreation and Get-SPORestrictedSiteCreation cmdlets in the SharePoint Online Management Shell allow the admin to configure and view the restricted site creation feature and policies for the tenant.

Important

You must use version 16.0.25513.12000 (published November 2024) or later of the SharePoint Online Management Shell for these commands to function properly. Earlier versions do not have the current list of site types and will not operate correctly.

Enable restricted site creation for your tenant

To enable restricted site creation, run the following command in the SharePoint Online Management Shell:

Set-SPORestrictedSiteCreation -Enabled $true

Restricted site creation starts in deny mode without any policies, and doesn't affect any users by default.

Set Allow or Deny mode

Once you enable the restricted site creation feature, consider whether you want to deny certain groups from creating sites or allow certain groups the ability to create sites.

For example, the following command sets restricted site creation to deny mode:

Set-SPORestrictedSiteCreation -Mode Deny

Important

Swapping between the two modes will remove all existing site type configurations. The restricted site creation feature only supports either all deny or all allow configurations.

Configure policies for site types

You can specify a comma separated list of up to 10 Microsoft Entra security groups for each site type. For example, if restricted site creation is in deny mode, the following command creates a policy blocking users in either of the following two groups from creating any SharePoint site.

Set-SPORestrictedSiteCreation -SiteType SharePoint -RestrictedSiteCreationGroups "00aa00aa-bb11-cc22-dd33-44ee44ee44ee,11bb11bb-cc22-dd33-ee44-55ff55ff55ff"

Note

Microsoft Entra security groups must be specified with the Object Id shown in the Microsoft Entra admin center.

To clear the configuration for site type, specify "" for the RestrictedSiteCreationGroups:

Set-SPORestrictedSiteCreation -SiteType All -RestrictedSiteCreationGroups ""

View configuration

Use the following command to view the existing restricted site creation configurations:

Get-SPORestrictedSiteCreation

User restriction

When a user is blocked from creating a site by a restricted site creation policy, they receive a message depending on the type of site they're creating and how they're creating it. See the following examples for reference:

When a user creates a communication site from the web, they see the error message "Due to organizational policies, you can't create this type of site."

Screenshot of failed communication site creation.

When first signing in to their OneDrive from the web, the user sees the error message "You can't make a OneDrive. If you need one, contact your administrator or help desk."

Screenshot of failed OneDrive site creation.

When a user creates a team site from the web, the user sees the message "We're still setting up the site for this group," but the site isn't created.

Screenshot of failed OneDrive site creation if created from admin UI.

When creating sites through the SharePoint Online Management Shell, the cmdlet fails with the exception "Due to organizational policies, you can't create this type of site."

Screenshot of failed OneDrive site creation if created from SharePoint admin center.