SharePoint Online: Create Subsite with Unique Permissions using PowerShell
Requirement: Create a Subsite with Unique Permissions in SharePoint Online using PowerShell
Create Subsite with Unique permissions in SharePoint Online using PowerShell
#Load SharePoint Online Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
#Function to create a subsite with unique permissions
Function New-SPOSubsite($SiteTitle, $SiteURL, $SiteTemplate, $ParentSiteURL)
{
#Setup Credentials to connect
$Cred = Get-Credential
$Cred = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.UserName,$Cred.Password)
Try {
#Setup the context
$Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($ParentSiteURL)
$Ctx.Credentials = $Cred
#Provide Subsite Parameters
$WebCI = New-Object Microsoft.SharePoint.Client.WebCreationInformation
$WebCI.Title = $SiteTitle
$WebCI.WebTemplate = $SiteTemplate
$WebCI.Url = $SiteURL
$SubWeb = $Ctx.Web.Webs.Add($WebCI)
$Ctx.ExecuteQuery()
Write-host "Subsite Created Successfully!" -ForegroundColor Green
#Break Inheritance
$SubWeb.BreakRoleInheritance($False, $False)
$SubWeb.Update()
$Ctx.ExecuteQuery()
}
catch {
write-host -f Red "Error:" $_.Exception.Message
}
}
#Variables for processing
$SiteTitle = "Sales Portal"
$SiteTemplate = "STS#0" #Team Site
$SiteURL ="sales"
$ParentSiteURL = "https://crescenttech.sharepoint.com"
#$WCI.Language = "1033"
#Call the function with parameters
New-SPOSubsite -SiteTitle $SiteTitle -SiteURL $SiteURL -SiteTemplate $SiteTemplate -ParentSiteURL $ParentSiteURL
This script creates a subsite with unique permissions. But wait, we are not yet done! As we specified Unique permissions, we need to create default permission groups: Owners, Members and Visitors for the site.
The Permission Setup page in SharePoint Online lets you create default groups for the site: https://crescent.sharepoint.com/sales/_layouts/15/permsetup.aspx
PowerShell to Create Default Groups in SharePoint Online:
#Load SharePoint Online Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
#Function to Create a Group
Function Create-SPOGroup([Microsoft.SharePoint.Client.Web]$Web, $GroupName, $PermissionLevel)
{
Try {
$Ctx = $Web.Context
#Get Existing Groups
$Groups = $Web.SiteGroups
$Ctx.Load($Groups)
$Ctx.ExecuteQuery()
#Check if the Group Exists already
$Group = $Groups | Where { $_.Title -eq $GroupName}
If(-Not $Group)
{
$GroupInfo = New-Object Microsoft.SharePoint.Client.GroupCreationInformation
$GroupInfo.Title = $GroupName
$Group = $Web.SiteGroups.Add($GroupInfo)
$Ctx.ExecuteQuery()
#Assign permission to the group
$RoleDefinition = $web.RoleDefinitions.GetByName($PermissionLevel)
$RoleDefBinding = New-Object Microsoft.SharePoint.Client.RoleDefinitionBindingCollection($Ctx)
$RoleDefBinding.Add($RoleDefinition)
$Ctx.Load($Web.RoleAssignments.Add($Group,$RoleDefBinding))
$Ctx.ExecuteQuery()
Write-host -f Green "Created Group $GroupName and Assigned Permissions $PermissionLevel"
}
Return $Group
}
catch {
write-host -f Red "Error:" $_.Exception.Message
}
}
#Function default "Owners, Members and Visitors Group
Function Create-SPODefaultGroups($SiteURL)
{
#Setup Credentials to connect
$Cred = Get-Credential
$Cred = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.UserName,$Cred.Password)
Try {
#Setup the context
$Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
$Ctx.Credentials = $Cred
#Get the Web
$Web=$Ctx.Web
$Ctx.Load($Web)
$Ctx.ExecuteQuery()
#Set Group Names
$OwnersGroupName = $Web.Title + " Owners"
$MembersGroupName = $Web.Title + " Members"
$VisitorsGroupName = $Web.Title + " Visitors"
#Create Default Groups
$OwnersGroup = Create-SPOGroup -Web $Web -GroupName $OwnersGroupName -PermissionLevel "Full Control"
$MembersGroup = Create-SPOGroup -Web $Web -GroupName $MembersGroupName -PermissionLevel "Edit"
$VisitorsGroup = Create-SPOGroup -Web $Web -GroupName $VisitorsGroupName -PermissionLevel "Read"
#Associate Default Groups
$web.AssociatedOwnerGroup = $OwnersGroup
$web.AssociatedOwnerGroup.Update()
$web.AssociatedMemberGroup = $MembersGroup
$web.AssociatedMemberGroup.Update()
$web.AssociatedVisitorGroup = $VisitorsGroup
$web.AssociatedVisitorGroup.Update()
$web.Update()
$Ctx.ExecuteQuery()
}
catch {
write-host -f Red "Error:" $_.Exception.Message
}
}
#Call the function to create default site groups
Create-SPODefaultGroups "https://crescenttech.sharepoint.com/sales"
and the Result:
PnP PowerShell to Create a Subsite with Unique Permissions in SharePoint Online:
#Variables for processing
$SiteTitle = "Purchase Portal"
$SiteTemplate = "STS#3" #Modern Team Site
$SubSiteURL ="purchase"
$SiteURL = "https://crescenttech.sharepoint.com"
#Get Credentials to connect
$Cred = Get-Credential
Try {
#Connect to PNP Online
Connect-PnPOnline -Url $SiteURL -Credentials $Cred
#Create new subsite with broken permission
$Web = New-PnPWeb -Title $SiteTitle -Url $SubSiteURL -Template $SiteTemplate -BreakInheritance -ErrorAction Stop
Write-host -f Green "New Subsite '$SiteTitle' created with Unique Permissions..."
#Disconnect Parent Web and connect to newly created subsite
Disconnect-PnPOnline
Connect-PnPOnline -Url $Web.Url -Credentials $Cred
#Set Group Names
$OwnersGroupName = $Web.Title + " Owners"
$MembersGroupName = $Web.Title + " Members"
$VisitorsGroupName = $Web.Title + " Visitors"
#Setup Default Groups
$OwnersGroup = Get-PnPGroup -Identity $OwnersGroupName -ErrorAction SilentlyContinue
If(-Not $OwnersGroup)
{
$OwnersGroup = New-PnPGroup -Title $OwnersGroupName
Write-host -f Green "Created Owners Group '$OwnersGroupName'"
}
Set-PnPGroup -Identity $OwnersGroup -SetAssociatedGroup Owners -AddRole "Full Control"
#Members Group
$MembersGroup = Get-PnPGroup -Identity $MembersGroupName -ErrorAction SilentlyContinue
If(-Not $MembersGroup)
{
$MembersGroup = New-PnPGroup -Title $MembersGroupName
Write-host -f Green "Created Members Group '$MembersGroupName'"
}
Set-PnPGroup -Identity $MembersGroup -SetAssociatedGroup Members -AddRole "Edit"
#Visitors Group
$VisitorsGroup = Get-PnPGroup -Identity $VisitorsGroupName -ErrorAction SilentlyContinue
If(-Not $VisitorsGroup)
{
$VisitorsGroup = New-PnPGroup -Title $VisitorsGroupName
Write-host -f Green "Created Visitors Group '$VisitorsGroupName'"
}
Set-PnPGroup -Identity $VisitorsGroup -SetAssociatedGroup Visitors -AddRole "Read"
}
Catch {
write-host -f Red "Error:" $_.Exception.Message
}
Set-PnPGroup gives the access denied error.
Use Set-PnPGroupPermissions instead
Set-PnPGroupPermissions -Identity $VisitorsGroup -AddRole “Read” -Web $Web
Hi VisitorsGroupName’ while executing Set-PnPGroup -Identity $VisitorsGroup –SetAssociatedGroup Visitors -AddRole “Read” , I am getting access denied. Group is getting created and not associated with the subsites. Has anyone faced similar issues??
Right! This was caused by a special character “–” and fixed the same.
This is really good information. I’m trying to loop thru a CSV file to pull the Subsite names and add Unique Groups with as well as put a user in the Owner Group. These may help I just gotta see if I can step thru a CSV file.
Sure, This should help: SharePoint Online: Bulk Import Users to Groups from a CSV File using PowerShell