SharePoint & OneDrive · Advanced Management
Restricted Site Creation Administration
Responsibility profile, not a standalone Microsoft role. SharePoint Administrators or SharePoint Advanced Management Administrators configure these policies with SharePoint Online PowerShell.
Scope: Organization-wide site creation policies
Permissions
- User restrictions - Allow/deny groups for site creation
- App restrictions - Allow/deny third-party apps for site creation
- Site types - Configure policies per site type (Team, Communication, OneDrive)
- PowerShell management - Full Set/Get-SPORestrictedSiteCreation access
Common use cases
- Preventing site sprawl
- Controlling shadow IT
- Centralizing site provisioning
- Meeting compliance requirements
Best practices
- Start in deny mode with specific groups blocked
- Document approved site creation processes
- Combine with site design templates
- Monitor site creation audit logs
Security considerations
- Restricting in SharePoint doesn't restrict Teams or Groups creation
- Users may create sites through other paths (Teams, Groups)
- Overly restrictive policies reduce productivity
- Need consistent policy across M365 services
Common questions
When should I assign the Restricted Site Creation Administration role?
Assign Restricted Site Creation Administration when you need to: Preventing site sprawl; Controlling shadow IT; Centralizing site provisioning; and Meeting compliance requirements. It is part of SharePoint & OneDrive and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Restricted Site Creation Administration role do?
The Restricted Site Creation Administration role grants permissions including: User restrictions - Allow/deny groups for site creation; App restrictions - Allow/deny third-party apps for site creation; Site types - Configure policies per site type (Team, Communication, OneDrive); and PowerShell management - Full Set/Get-SPORestrictedSiteCreation access. See the Permissions section above for the full list.
What are the security risks of the Restricted Site Creation Administration role?
Key considerations when assigning Restricted Site Creation Administration: Restricting in SharePoint doesn't restrict Teams or Groups creation; Users may create sites through other paths (Teams, Groups); Overly restrictive policies reduce productivity; and Need consistent policy across M365 services. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.