SharePoint Online: Create Subsite with Unique Permissions using PowerShell

Requirement: Create a Subsite with Unique Permissions in SharePoint Online using PowerShell.

How to Create a Subsite with Unique permissions in SharePoint Online?

You can create a subsite with unique permissions in SharePoint Online to give specific people access to particular information on your site. This article will show you how to create a subsite with unique permissions in SharePoint Online.

  1. Log in to your SharePoint Online site as a Site Collection Administrator >> Click on “Settings” >> Click on “Site Contents”.
  2. Click on the “New” button on the toolbar >> Choose “Subsite”.
  3. Provide a name and URL for your subsite. In the “Permissions” section, choose “Use unique permissions” and click on the “Create” button.
  4. On the next page, you’ll get the “Permission Setup” configuration for the SharePoint Online subsite, which lets you create default groups for the site (URL: /_layouts/15/permsetup.aspx).
  5. Create a group or select existing groups to create a subsite with unique permissions.

Once the subsite is created, you can manage its permissions by adding or removing users or groups from the site.

PowerShell to Create a Subsite with Unique permissions

PowerShell provides a great way to automate everyday SharePoint tasks. This blog post will show you how to create a subsite with unique permissions.

#Load SharePoint Online Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

#Function to create a subsite with unique permissions
Function New-SPOSubsite($SiteTitle, $SiteURL, $SiteTemplate, $ParentSiteURL)
{
    #Setup Credentials to connect
    $Cred = Get-Credential
    $Cred = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.UserName,$Cred.Password)

    Try {
        #Setup the context
        $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($ParentSiteURL)
        $Ctx.Credentials = $Cred

        #Provide Subsite Parameters
        $WebCI = New-Object Microsoft.SharePoint.Client.WebCreationInformation
        $WebCI.Title = $SiteTitle
        $WebCI.WebTemplate = $SiteTemplate
        $WebCI.Url = $SiteURL
        $SubWeb = $Ctx.Web.Webs.Add($WebCI)
        $Ctx.ExecuteQuery()

        Write-host "Subsite Created Successfully!" -ForegroundColor Green

        #Break Inheritance: copyRoleAssignments = $False (parent's role assignments are not copied), clearSubscopes = $False
        $SubWeb.BreakRoleInheritance($False, $False)
        $SubWeb.Update()
        $Ctx.ExecuteQuery()
    }
    catch {
        write-host -f Red "Error:" $_.Exception.Message
    }
}

#Variables for processing
$SiteTitle = "Sales Portal"
$SiteTemplate = "STS#0" #Team Site
$SiteURL ="sales"
$ParentSiteURL = "https://Crescent.sharepoint.com"

#Optional: set $WebCI.Language = 1033 inside the function to create the subsite in a specific language
#Call the function with parameters
New-SPOSubsite -SiteTitle $SiteTitle -SiteURL $SiteURL  -SiteTemplate $SiteTemplate -ParentSiteURL $ParentSiteURL

This script creates a subsite with unique permissions. But wait, we are not done yet! Because the subsite no longer inherits permissions from its parent, we need to create the default permission groups (Owners, Members, and Visitors) for the site.

PowerShell to Create Default Groups in SharePoint Online:

Here is how to use PowerShell to automatically create default groups with the membership assigned.

#Load SharePoint Online Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

#Function to Create a Group
Function Create-SPOGroup([Microsoft.SharePoint.Client.Web]$Web, $GroupName, $PermissionLevel)
{
    Try {
        $Ctx = $Web.Context
        #Get Existing Groups
        $Groups = $Web.SiteGroups
        $Ctx.Load($Groups)
        $Ctx.ExecuteQuery()

        #Check if the Group Exists already
        $Group = $Groups | Where { $_.Title -eq $GroupName}
        If(-Not $Group)
        {
            $GroupInfo = New-Object Microsoft.SharePoint.Client.GroupCreationInformation
            $GroupInfo.Title = $GroupName
            $Group = $Web.SiteGroups.Add($GroupInfo)
            $Ctx.ExecuteQuery()

            #Assign permission to the group
            $RoleDefinition = $web.RoleDefinitions.GetByName($PermissionLevel)
            $RoleDefBinding = New-Object Microsoft.SharePoint.Client.RoleDefinitionBindingCollection($Ctx)
            $RoleDefBinding.Add($RoleDefinition)
            $Ctx.Load($Web.RoleAssignments.Add($Group,$RoleDefBinding))
            $Ctx.ExecuteQuery()
            Write-host -f Green "Created Group $GroupName and Assigned Permissions $PermissionLevel"
        }
        Return $Group
    }
    catch {
        write-host -f Red "Error:" $_.Exception.Message
    }
}

#Function to create the default Owners, Members and Visitors groups
Function Create-SPODefaultGroups($SiteURL)
{
    #Setup Credentials to connect
    $Cred = Get-Credential
    $Cred = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.UserName,$Cred.Password)

    Try {
        #Setup the context
        $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
        $Ctx.Credentials = $Cred

        #Get the Web
        $Web=$Ctx.Web
        $Ctx.Load($Web)
        $Ctx.ExecuteQuery()

        #Set Group Names
        $OwnersGroupName = $Web.Title + " Owners"
        $MembersGroupName = $Web.Title + " Members"
        $VisitorsGroupName = $Web.Title + " Visitors"

        #Create Default Groups
        $OwnersGroup = Create-SPOGroup -Web $Web -GroupName $OwnersGroupName -PermissionLevel "Full Control"
        $MembersGroup = Create-SPOGroup -Web $Web -GroupName $MembersGroupName -PermissionLevel "Edit"
        $VisitorsGroup = Create-SPOGroup -Web $Web -GroupName $VisitorsGroupName -PermissionLevel "Read"

        #Associate Default Groups
        $web.AssociatedOwnerGroup  = $OwnersGroup
        $web.AssociatedOwnerGroup.Update()
        $web.AssociatedMemberGroup = $MembersGroup
        $web.AssociatedMemberGroup.Update()
        $web.AssociatedVisitorGroup = $VisitorsGroup
        $web.AssociatedVisitorGroup.Update()
        $web.Update()
        $Ctx.ExecuteQuery()   
    }
    catch {
        write-host -f Red "Error:" $_.Exception.Message
    }
}

#Call the function to create default site groups
Create-SPODefaultGroups "https://Crescent.sharepoint.com/sales"


PnP PowerShell to Create New Subsite with Unique Permissions in SharePoint Online

We can also use the PnP PowerShell cmdlet New-PnPWeb to add a subsite with unique permissions and set up default user groups for the SharePoint Online site. Let’s see how to use PnP PowerShell to create a new subsite with unique permissions:

#Variables for processing
$SiteTitle = "Purchase Portal"
$SiteTemplate = "STS#3" #Modern Team Site
$SubSiteURL ="purchase"
$SiteURL = "https://Crescent.sharepoint.com"

#Get Credentials to connect
$Cred = Get-Credential

Try {
    #Connect to PnP Online
    Connect-PnPOnline -Url $SiteURL -Credentials $Cred

    #Create new subsite with broken permission inheritance
    $Web = New-PnPWeb -Title $SiteTitle -Url $SubSiteURL -Template $SiteTemplate -BreakInheritance  -ErrorAction Stop
    Write-host -f Green "New Subsite '$SiteTitle' created with Unique Permissions..."
    
    #Connect to newly created subsite
    Connect-PnPOnline -Url $Web.Url -Credentials $Cred
    
    #Set Group Names
    $OwnersGroupName = $Web.Title + " Owners"
    $MembersGroupName = $Web.Title + " Members"
    $VisitorsGroupName = $Web.Title + " Visitors"

    #Setup Default Groups
    $OwnersGroup = Get-PnPGroup -Identity $OwnersGroupName -ErrorAction SilentlyContinue
    If(-Not $OwnersGroup)
    {
        $OwnersGroup = New-PnPGroup -Title $OwnersGroupName
        Write-host -f Green "Created Owners Group '$OwnersGroupName'"
    }
    Set-PnPGroup -Identity $OwnersGroup -SetAssociatedGroup Owners -AddRole "Full Control"

    #Members Group
    $MembersGroup = Get-PnPGroup -Identity $MembersGroupName -ErrorAction SilentlyContinue
    If(-Not $MembersGroup)
    {
        $MembersGroup = New-PnPGroup -Title $MembersGroupName
        Write-host -f Green "Created Members Group '$MembersGroupName'"
    }
    Set-PnPGroup -Identity $MembersGroup -SetAssociatedGroup Members -AddRole "Edit"

    #Visitors Group
    $VisitorsGroup = Get-PnPGroup -Identity $VisitorsGroupName -ErrorAction SilentlyContinue
    If(-Not $VisitorsGroup)
    {
        $VisitorsGroup = New-PnPGroup -Title $VisitorsGroupName
        Write-host -f Green "Created Visitors Group '$VisitorsGroupName'"
    }
    Set-PnPGroup -Identity $VisitorsGroup -SetAssociatedGroup Visitors -AddRole "Read"

}
Catch {
    write-host -f Red "Error:" $_.Exception.Message
} 
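
To confirm the outcome, the following read-only check (an added example, not part of the original scripts) reports whether the subsite really has unique permissions, which principals hold which permission levels on it, and whether the associated default groups are the three expected ones. The function name and the subsite URL (built from this page's sample values) are assumptions; the group names follow the "<Title> Owners/Members/Visitors" convention used above.

```powershell
# Added example (read-only audit); not part of the original scripts.
# Assumed: subsite URL built from this page's sample values.
$SubsiteUrl = "https://Crescent.sharepoint.com/purchase"
$Cred = Get-Credential

Function Get-SubsitePermissionReport($SubsiteUrl, $Cred)
{
    Connect-PnPOnline -Url $SubsiteUrl -Credentials $Cred

    # These properties are not loaded by default, so request them explicitly
    $Web = Get-PnPWeb -Includes HasUniqueRoleAssignments, RoleAssignments
    If (-Not $Web.HasUniqueRoleAssignments) {
        Write-Warning "'$($Web.Title)' still inherits permissions from its parent."
    }

    # Groups and permission levels the scripts on this page should have set up
    $Expected = @{
        "$($Web.Title) Owners"   = "Full Control"
        "$($Web.Title) Members"  = "Edit"
        "$($Web.Title) Visitors" = "Read"
    }

    # One row per principal that holds permissions directly on the subsite
    ForEach ($Assignment in $Web.RoleAssignments) {
        Get-PnPProperty -ClientObject $Assignment -Property Member, RoleDefinitionBindings | Out-Null
        $Name   = $Assignment.Member.Title
        $Levels = @($Assignment.RoleDefinitionBindings | ForEach-Object { $_.Name })

        If (-Not $Expected.ContainsKey($Name)) { $Status = "Unexpected principal" }
        ElseIf ($Levels -notcontains $Expected[$Name]) { $Status = "Missing '$($Expected[$Name])'" }
        ElseIf ($Levels.Count -gt 1) { $Status = "Extra permission levels" }
        Else { $Status = "OK" }

        [PSCustomObject]@{ Principal = $Name; Levels = ($Levels -join "; "); Status = $Status }
    }

    # The associated (default) groups should be the same three groups
    ForEach ($Role in "Owner", "Member", "Visitor") {
        $Lookup = @{ "Associated${Role}Group" = $true; ErrorAction = "SilentlyContinue" }
        $Group  = Get-PnPGroup @Lookup
        If ($Group.Title -ne "$($Web.Title) ${Role}s") {
            Write-Warning "Associated $Role group is '$($Group.Title)', not '$($Web.Title) ${Role}s'."
        }
    }
}

Get-SubsitePermissionReport -SubsiteUrl $SubsiteUrl -Cred $Cred | Format-Table -AutoSize
```

Any row marked "Unexpected principal" is a user or group with direct access outside the three default groups and is worth reviewing before content is added to the subsite.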

By using unique permissions for a subsite, you can grant or restrict access to specific users or groups, giving you greater control over who can view or edit the content in the site. To create multiple subsites, use: How to Bulk Create Subsites in SharePoint Online using PowerShell?

Salaudeen Rajack


7 thoughts on “SharePoint Online: Create Subsite with Unique Permissions using PowerShell”

  • With “-Setasociatedgroup” it gives me denied access error and my groups have simple names “Owners”, “Test Members” and “Test Visitors”

  • Set-PnPGroup gives the access denied error.

    Use Set-PnPGroupPermissions instead
    Set-PnPGroupPermissions -Identity $VisitorsGroup -AddRole “Read” -Web $Web

    • With that you are not associating the default groups to the subsite?

  • Hi VisitorsGroupName’ while executing Set-PnPGroup -Identity $VisitorsGroup –SetAssociatedGroup Visitors -AddRole “Read” , I am getting access denied. Group is getting created and not associated with the subsites. Has anyone faced similar issues??

    • Right! This was caused by a special character “–” and fixed the same.

  • This is really good information. I’m trying to loop thru a CSV file to pull the Subsite names and add Unique Groups with as well as put a user in the Owner Group. These may help I just gotta see if I can step thru a CSV file.
