Testing Microsoft Graph Sites.Create.All (beta)
Why this post
I tested the new Microsoft Graph Create Site API (beta) and the best part is the dedicated permission: Sites.Create.All. It lets you create sites without granting broad, risky permissions like Sites.FullControl.All. Below is what I learned and how I wired permissions for both delegated and app‑only flows.
- API docs: https://learn.microsoft.com/en-us/graph/api/site-post-sites?view=graph-rest-beta&tabs=http
- Permissions overview: https://learn.microsoft.com/en-us/graph/permissions-overview?tabs=http
Note: APIs under /beta can change and aren’t supported for production.
Delegated vs App‑only (quick refresher)
In short:
- Delegated: the app acts on behalf of a signed‑in user. Actions respect the user’s permissions and show up as the user in audit logs.
- App‑only: the app acts as itself (no user). You grant it application permissions and (ideally) restrict its scope via Sites.Selected.

Caption: Source: Microsoft Learn — “App roles and delegated permissions” (app-privileges-illustration.png). https://learn.microsoft.com/en-us/graph/permissions-overview?tabs=http
What’s new: Sites.Create.All
From the docs, the Create Site API supports the following least‑privileged permissions:
- Delegated (work or school): Sites.Create.All (or Sites.FullControl.All if absolutely required)
- Application: Sites.Create.All (or Sites.FullControl.All if absolutely required)
This is the big improvement: you can enable creation without blanket full control over all sites.
My test setup and approach
I registered an app and used this combination:
- Graph application permission: Sites.Create.All — to create sites without full control.
- Graph application permission: Sites.Selected — to restrict app‑only access per site.
- SharePoint resource‑specific permission: site.selected — used when SharePoint REST/CSOM or site‑level grants are needed.
Why this matters:
- Delegated flow (OBO): the user on whose behalf you call the API becomes a Site Collection Owner of the created site (owner resolution via ownerIdentityToResolve).
- App‑only flow: the app itself doesn’t get broad tenant access. Instead, grant Sites.Selected and then add the app to specific sites (post‑creation) with the minimal role it needs.
The goal is to get away from Sites.FullControl.All entirely.
Create Site: HTTP example (beta)
POST https://graph.microsoft.com/beta/sites
Content-Type: application/json
Authorization: Bearer {token}
{
  "name": "Communication Site Test",
  "webUrl": "https://contoso.sharepoint.com/sites/commsite1",
  "locale": "en-US",
  "shareByEmailEnabled": false,
  "description": "Test Site Description",
  "template": "sitepagepublishing",
  "ownerIdentityToResolve": {
    "email": "user@contoso.com"
  }
}
Expected: 202 Accepted and a Location header pointing to an operation status URL. Poll that URL until the operation succeeds.
- With delegated access: use a user token that includes the appropriate Sites delegated permission; the user you resolve as owner becomes a Site Collection Owner.
- With app‑only: use an app token with Sites.Create.All. The app can create the site, but it still needs explicit per‑site permission (via Sites.Selected / site.selected) if it should later read/write content there.
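As an added example (not code from the post), here is a Python sketch of the app‑only flow above: it inspects the token's roles/scp claims to confirm Sites.Create.All is present and Sites.FullControl.All is not, sends the POST, and polls the Location URL until the operation finishes. The Graph transport and the token are constructed stand‑ins so it runs offline; the running/succeeded/failed status values of the operation resource are an assumption.

```python
import base64
import json

GRAPH_BETA_SITES = "https://graph.microsoft.com/beta/sites"

def token_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (pre-flight inspection only)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def is_least_privileged(token: str) -> bool:
    """Sites.Create.All present (app 'roles' or delegated 'scp') and no blanket Sites.FullControl.All."""
    claims = token_claims(token)
    granted = set(claims.get("roles", [])) | set(claims.get("scp", "").split())
    return "Sites.Create.All" in granted and "Sites.FullControl.All" not in granted

def create_site(http, token, name, web_url, owner_email, max_polls=10):
    """POST /beta/sites, then poll the Location URL. http(method, url, headers, body) -> (status, headers, json)."""
    if not is_least_privileged(token):
        raise PermissionError("token lacks Sites.Create.All or carries Sites.FullControl.All")
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    body = {"name": name, "webUrl": web_url, "locale": "en-US", "shareByEmailEnabled": False,
            "template": "sitepagepublishing", "ownerIdentityToResolve": {"email": owner_email}}
    status, resp_headers, _ = http("POST", GRAPH_BETA_SITES, headers, body)
    if status != 202:
        raise RuntimeError(f"expected 202 Accepted, got {status}")
    for _ in range(max_polls):
        # Assumption: the operation resource reports a status of running/succeeded/failed.
        status, _, op = http("GET", resp_headers["Location"], headers, None)
        if op.get("status") == "succeeded":
            return op
        if op.get("status") == "failed":
            raise RuntimeError(f"site creation failed: {op.get('error')}")
    raise TimeoutError("operation did not finish within max_polls")

def fake_token(**claims) -> str:
    """Constructed, unsigned JWT for the offline demo only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

def fake_graph():
    """Constructed Graph stand-in: 202 + Location, then 'running', then 'succeeded'."""
    state = {"polls": 0, "requests": []}
    def http(method, url, headers, body):
        state["requests"].append((method, url, body))
        if method == "POST":
            return 202, {"Location": "https://graph.microsoft.com/beta/operations/op-1"}, {}
        state["polls"] += 1
        return 200, {}, {"status": "running" if state["polls"] < 2 else "succeeded"}
    return http, state
```

Swap `fake_graph()` for a real HTTP client with the same `(status, headers, json)` return shape to use it against the beta endpoint.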
Granting per‑site app access (Sites.Selected / site.selected)
Delegated user permissions and per‑site app permissions can coexist on the same site.
To grant per‑site access for app‑only, add the Sites.Selected application permission to the app registration, then grant the app access to each specific site it needs (for example with Grant-PnPAzureADAppSitePermission, linked in the references).
Notes from the field
- Delegated: OBO is great for traceability — the site owner is the user you specify, and actions are attributed to them.
- App‑only: pair Sites.Create.All with Sites.Selected and grant the app only to sites it must touch.
- Some operations still require SharePoint REST or CSOM today — that’s why site.selected is part of the picture.
- Avoid Sites.FullControl.All unless you have a compelling, documented reason.
Personal opinion
This is a game changer for provisioning engines. With this approach, you can deploy with least privilege, and it’s a capability I wish had arrived sooner.
References
- Create Site (beta): https://learn.microsoft.com/en-us/graph/api/site-post-sites?view=graph-rest-beta&tabs=http
- Permissions overview: https://learn.microsoft.com/en-us/graph/permissions-overview?tabs=http
- Microsoft Graph permissions reference: https://learn.microsoft.com/en-us/graph/permissions-reference
- PnP PowerShell Grant app permission to a site: https://pnp.github.io/powershell/cmdlets/Grant-PnPAzureADAppSitePermission.html