SharePoint Diary » Subsite » SharePoint Online: Create Subsite with Unique Permissions using PowerShell

SharePoint Online: Create Subsite with Unique Permissions using PowerShell

February 22, 2023 Salaudeen Rajack 5 Comments create sharepoint subsite with unique permissions

Requirement: Create a Subsite with Unique Permissions in SharePoint Online using PowerShell.

How to Create a Subsite with Unique permissions in SharePoint Online?

You can create a subsite with unique permissions in SharePoint Online to give specific people access to particular information on your site. This article will show you how to create a subsite with unique permissions in SharePoint Online.

Login to your SharePoint Online site as Site collection Administrator >> Click on “Settings” >> Click on “Site Contents”.
Click on the “New” button on the toolbar >> Choose “Subsite”.
Provide a name and URL to your subsite. On the “Permissions” section, choose “Use unique permissions” and click on the “Create” button.
On the next page, You’ll get the “Permission Setup” configurations for the SharePoint Online subsite that lets you create default groups for the site (URL: /_layouts/15/permsetup.aspx)
Create a group or select existing groups to create a subsite with unique permissions.

Once the subsite is created, you can manage its permissions by adding or removing users or groups from the site.

PowerShell to Create a Subsite with Unique permissions

PowerShell provides a great way to automate everyday SharePoint tasks. This blog post will show you how to create a subsite with unique permissions.

#Load SharePoint Online Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

#Function to create a subsite with unique permissions
Function New-SPOSubsite($SiteTitle, $SiteURL, $SiteTemplate, $ParentSiteURL)
{
    #Setup Credentials to connect
    $Cred = Get-Credential
    $Cred = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.UserName,$Cred.Password)

    Try {
        #Setup the context
        $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($ParentSiteURL)
        $Ctx.Credentials = $Cred

        #Provide Subsite Parameters
        $WebCI = New-Object Microsoft.SharePoint.Client.WebCreationInformation
        $WebCI.Title = $SiteTitle
        $WebCI.WebTemplate = $SiteTemplate
        $WebCI.Url = $SiteURL
        $SubWeb = $Ctx.Web.Webs.Add($WebCI)
        $Ctx.ExecuteQuery()

        Write-host "Subsite Created Successfully!" -ForegroundColor Green

        #Break Inheritance
        $SubWeb.BreakRoleInheritance($False, $False)
        $SubWeb.Update()
        $Ctx.ExecuteQuery()
    }
    catch {
        write-host -f Red "Error:" $_.Exception.Message
    }
}

#Variables for processing
$SiteTitle = "Sales Portal"
$SiteTemplate = "STS#0" #Team Site
$SiteURL ="sales"
$ParentSiteURL = "https://Crescent.sharepoint.com"

#$WCI.Language = "1033"
#Call the function with parameters
New-SPOSubsite -SiteTitle $SiteTitle -SiteURL $SiteURL  -SiteTemplate $SiteTemplate -ParentSiteURL $ParentSiteURL

This script creates a subsite with unique permissions. But wait, we are not yet done! As we require Unique permissions, we need to create default permission groups: Owners, Members, and Visitors for the site.

PowerShell to Create Default Groups in SharePoint Online:

Here is how to use PowerShell to automatically create default groups with the membership assigned.

#Load SharePoint Online Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

#Function to Create a Group
Function Create-SPOGroup([Microsoft.SharePoint.Client.Web]$Web, $GroupName, $PermissionLevel)
{
    Try {
        $Ctx = $Web.Context
        #Get Existing Groups
        $Groups = $Web.SiteGroups
        $Ctx.Load($Groups)
        $Ctx.ExecuteQuery()

        #Check if the Group Exists already
        $Group = $Groups | Where { $_.Title -eq $GroupName}
        If(-Not $Group)
        {
            $GroupInfo = New-Object Microsoft.SharePoint.Client.GroupCreationInformation
            $GroupInfo.Title = $GroupName
            $Group = $Web.SiteGroups.Add($GroupInfo)
            $Ctx.ExecuteQuery()

            #Assign permission to the group
            $RoleDefinition = $web.RoleDefinitions.GetByName($PermissionLevel)
            $RoleDefBinding = New-Object Microsoft.SharePoint.Client.RoleDefinitionBindingCollection($Ctx)
            $RoleDefBinding.Add($RoleDefinition)
            $Ctx.Load($Web.RoleAssignments.Add($Group,$RoleDefBinding))
            $Ctx.ExecuteQuery()
            Write-host -f Green "Created Group $GroupName and Assigned Permissions $PermissionLevel"
        }
        Return $Group
    }
    catch {
        write-host -f Red "Error:" $_.Exception.Message
    }
}

#Function default "Owners, Members and Visitors Group
Function Create-SPODefaultGroups($SiteURL)
{
    #Setup Credentials to connect
    $Cred = Get-Credential
    $Cred = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.UserName,$Cred.Password)

    Try {
        #Setup the context
        $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
        $Ctx.Credentials = $Cred

        #Get the Web
        $Web=$Ctx.Web
        $Ctx.Load($Web)
        $Ctx.ExecuteQuery()

        #Set Group Names
        $OwnersGroupName = $Web.Title + " Owners"
        $MembersGroupName = $Web.Title + " Members"
        $VisitorsGroupName = $Web.Title + " Visitors"

        #Create Default Groups
        $OwnersGroup = Create-SPOGroup -Web $Web -GroupName $OwnersGroupName -PermissionLevel "Full Control"
        $MembersGroup = Create-SPOGroup -Web $Web -GroupName $MembersGroupName -PermissionLevel "Edit"
        $VisitorsGroup = Create-SPOGroup -Web $Web -GroupName $VisitorsGroupName -PermissionLevel "Read"

        #Associate Default Groups
        $web.AssociatedOwnerGroup  = $OwnersGroup
        $web.AssociatedOwnerGroup.Update()
        $web.AssociatedMemberGroup = $MembersGroup
        $web.AssociatedMemberGroup.Update()
        $web.AssociatedVisitorGroup = $VisitorsGroup
        $web.AssociatedVisitorGroup.Update()
        $web.Update()
        $Ctx.ExecuteQuery()   
    }
    catch {
        write-host -f Red "Error:" $_.Exception.Message
    }
}

#Call the function to create default site groups
Create-SPODefaultGroups "https://Crescent.sharepoint.com/sales"

And the Result:

powershell create site with unique permission in sharepoint online

PnP PowerShell to Create New Subsite with Unique Permissions in SharePoint Online

We can also use the PnP PowerShell cmdlet New-PnPWeb to add a subsite with unique permissions and set up default user groups for the SharePoint Online site. Let’s see how to use PnP PowerShell to create a new subsite with unique permissions:

#Variables for processing
$SiteTitle = "Purchase Portal"
$SiteTemplate = "STS#3" #Modern Team Site
$SubSiteURL ="purchase"
$SiteURL = "https://Crescent.sharepoint.com"

#Get Credentials to connect
$Cred = Get-Credential

Try {
    #Connect to PnP Online
    Connect-PnPOnline -Url $SiteURL -Credentials $Cred

    #Create new subsite with broken permission
    $Web = New-PnPWeb -Title $SiteTitle -Url $SubSiteURL -Template $SiteTemplate -BreakInheritance  -ErrorAction Stop
    Write-host -f Green "New Subsite '$SiteTitle' created with Unique Permissions..."
    
    #Connect to newly created subsite
    Connect-PnPOnline -Url $Web.Url -Credentials $Cred
    
    #Set Group Names
    $OwnersGroupName = $Web.Title + " Owners"
    $MembersGroupName = $Web.Title + " Members"
    $VisitorsGroupName = $Web.Title + " Visitors"

    #Setup Default Groups
    $OwnersGroup = Get-PnPGroup -Identity $OwnersGroupName -ErrorAction SilentlyContinue
    If(-Not $OwnersGroup)
    {
        $OwnersGroup = New-PnPGroup -Title $OwnersGroupName
        Write-host -f Green "Created Owners Group '$OwnersGroupName'"
    }
    Set-PnPGroup -Identity $OwnersGroup -SetAssociatedGroup Owners -AddRole "Full Control"

    #Members Group
    $MembersGroup = Get-PnPGroup -Identity $MembersGroupName -ErrorAction SilentlyContinue
    If(-Not $MembersGroup)
    {
        $MembersGroup = New-PnPGroup -Title $MembersGroupName
        Write-host -f Green "Created Members Group '$MembersGroupName'"
    }
    Set-PnPGroup -Identity $MembersGroup -SetAssociatedGroup Members -AddRole "Edit"

    #Visitors Group
    $VisitorsGroup = Get-PnPGroup -Identity $VisitorsGroupName -ErrorAction SilentlyContinue
    If(-Not $VisitorsGroup)
    {
        $VisitorsGroup = New-PnPGroup -Title $VisitorsGroupName
        Write-host -f Green "Created Visitors Group '$VisitorsGroupName'"
    }
    Set-PnPGroup -Identity $VisitorsGroup -SetAssociatedGroup Visitors -AddRole "Read"

}
Catch {
    write-host -f Red "Error:" $_.Exception.Message
}

By using unique permissions for a subsite, you can grant or restrict access to specific users or groups, giving you greater control over who can view or edit the content in the site. To create multiple subsites, use: How to Bulk Create Subsites in SharePoint Online using PowerShell?

Salaudeen Rajack

Salaudeen Rajack - SharePoint Expert with Two decades of SharePoint Experience. Love to Share my knowledge and experience with the SharePoint community, through real-time articles!

5 thoughts on “SharePoint Online: Create Subsite with Unique Permissions using PowerShell”

AJ
October 17, 2020 at 12:41 PM
Permalink

Set-PnPGroup gives the access denied error.

Use Set-PnPGroupPermissions instead
Set-PnPGroupPermissions -Identity $VisitorsGroup -AddRole “Read” -Web $Web
Reply
Vasanth
April 21, 2020 at 1:19 AM
Permalink

Hi VisitorsGroupName’ while executing Set-PnPGroup -Identity $VisitorsGroup –SetAssociatedGroup Visitors -AddRole “Read” , I am getting access denied. Group is getting created and not associated with the subsites. Has anyone faced similar issues??
Reply
- Salaudeen RajackPost author
  April 21, 2020 at 10:40 AM
  Permalink
  
  Right! This was caused by a special character “–” and fixed the same.
  Reply
Unknown
May 24, 2019 at 7:27 PM
Permalink

This is really good information. I’m trying to loop thru a CSV file to pull the Subsite names and add Unique Groups with as well as put a user in the Owner Group. These may help I just gotta see if I can step thru a CSV file.
Reply
- Salaudeen RajackPost author
  May 25, 2019 at 1:08 AM
  Permalink
  
  Sure, This should help: SharePoint Online: Bulk Import Users to Groups from a CSV File using PowerShell
  Reply

SharePoint Diary