Need
Confirm a new site is necessary and an existing site, library, Team, or controlled folder cannot meet the requirement.
Govern how SharePoint sites enter the tenant: who may create them, which business need they serve, what site and identity model is correct, which owners are accountable, what protection and lifecycle defaults apply, and what evidence proves the result matches the approved request.

SharePoint sites are not created only from the SharePoint start page. A Microsoft 365 group, Microsoft Team, private or shared Teams channel, admin action, PowerShell command, REST or Graph workflow, migration tool, and third-party application can create or depend on a site. Disabling one SharePoint button does not close all of those paths.
Provisioning governance defines the approved workspace patterns, creation authorities, required request data, automation identity, policy defaults, validation evidence, exception handling, and lifecycle owner. The objective is not to block useful collaboration. It is to make every site intentional, supportable, discoverable, appropriately protected, and removable when its purpose ends.
Control boundary: the SharePoint “Users can create sites” setting controls creation from SharePoint, OneDrive, PnP PowerShell, and the REST API, but it does not stop users from creating Microsoft 365 groups or Teams that automatically create connected SharePoint sites. Govern group and Team creation as part of the same provisioning architecture.
Automation makes good decisions repeatable—and bad decisions repeat faster. Keep these decisions explicit even when the final provisioning action is fully automated.
Confirm a new site is necessary and an existing site, library, Team, or controlled folder cannot meet the requirement.
Select group-connected team site, communication site, Teams-connected site, channel site, or approved special pattern.
Define the Microsoft 365 group relationship, privacy, members, two owners, sponsor, and support responsibility.
Approve URL, name, template, libraries, metadata, content types, navigation, hub, storage, and integration boundaries.
Apply sensitivity, sharing, guest, unmanaged-device, default-link, retention, DLP, and restricted-access decisions.
Validate the result, record IDs and policy state, schedule owner attestation, inactivity review, archive, and deletion criteria.
| Creation path | What it creates | Primary control plane | Evidence to retain |
|---|---|---|---|
| SharePoint create-site experience | Communication site or Microsoft 365 group-connected team site, depending on tenant settings and user choice | SharePoint admin center site-creation settings, group-creation authority, sensitivity labels, naming and provisioning policy | Requester/creator, selected type, group and site IDs, URL, label, privacy, owners, template, validation |
| Microsoft Teams | Team, Microsoft 365 group, connected team site, and later separate sites for private/shared channels | Teams creation, Microsoft 365 group creation, naming/classification, sensitivity, channel policy, SharePoint defaults | Team/group/site relationship, owners, members/guests, label, privacy, channel sites, lifecycle linkage |
| Microsoft 365 group services | Group-connected SharePoint team site plus related mailbox, Planner, and other group resources | Entra/Microsoft 365 group creation controls, naming policy, sensitivity labels, expiration, owner governance | Group ID, site URL/ID, workload relationships, owners, alias, label, expiration and renewal state |
| Admin or workflow | Communication, group-connected, or nongroup site with selected settings and post-provisioning actions | SharePoint admin center, Graph/REST, SharePoint Online/PnP PowerShell, Power Automate/Azure automation identity | Request/approval, automation version, app or managed identity, parameters, output IDs, errors, retry and rollback |
| Migration or third-party app | Sites and structures created by migration tooling or app permissions, sometimes outside the normal request experience | Migration governance, app consent, restricted site creation by apps where licensed/supported, vendor configuration | App ID, permission scope, approved site types, batch manifest, exceptions, failed objects, post-migration validation |
Use when a defined membership collaborates on files, lists, tasks, and related Microsoft 365 group services. Manage membership through the associated group rather than building parallel direct SharePoint permissions. Decide whether a Team will also be needed before users create a duplicate workspace.
Use for broad publishing with a small author group and a larger reader audience. It is not connected to a Microsoft 365 group; use the standard SharePoint Owners, Members, and Visitors model and keep editorial responsibility explicit.
Private and shared channels create separate SharePoint sites with membership controlled through Teams. Do not provision or manage them like ordinary standalone sites. Record the parent Team, channel type, membership boundary, sensitivity inheritance, retention, and lifecycle relationship.
Architecture rule: hub association improves navigation, branding, content rollup, and search context; it does not grant access or replace permissions. Use the SharePoint hub site architecture guide for hub boundaries and association governance.
Record purpose, sponsor, audience, data categories, internal/external collaboration, expected volume, geography, integrations, search/Copilot expectations, records obligations, launch date, and sunset trigger. Reject duplicate or vague requests for clarification.
Check active sites, Teams, hubs, project portfolios, naming aliases, recent requests, and archived workspaces. Reuse or extend an existing governed space when ownership and information architecture make that safer than another site.
Choose team versus communication site, group-connected versus nongroup, Team requirement, channel relationship, privacy, member source, guest requirement, and whether access should be assigned through a group rather than individuals.
Apply business-friendly naming, blocked words, department/region/project conventions, alias uniqueness, URL-safe values, and privacy-conscious wording. Treat URLs as durable identifiers; later renames can affect integrations, bookmarks, sync, scripts, and user support.
Confirm at least two active owners where practical, an accountable sponsor, training, owner-removal workflow, support route, external-sharing responsibility, and periodic recertification. Do not accept a shared mailbox or departing contractor as the only owner.
Use an approved site template/site script version to create libraries, lists, content types, metadata, theme, navigation, and logging hooks. Record which actions completed, failed, or require a second-stage automation job.
Set sensitivity, privacy, external sharing, default link, unmanaged-device access, restricted access/discovery where approved, retention/DLP scope, storage quota, hub association, regional setting, time zone, and approved integrations.
Test owner/member/visitor/guest access, sharing links, unmanaged device behavior, search and navigation, template artifacts, Team/group membership synchronization, hub association, app access, retention/DLP signals, and audit/change evidence.
Provide the URL, purpose, support contact, approved membership/sharing model, label and retention explanation, owner duties, review schedule, prohibited customizations, request path, incident route, and archive/deletion process.
Record site/group/Team IDs, created timestamp, automation identity/version, exact policy state, exceptions, test evidence, owner acceptance, next attestation, and failback. Remove failed duplicate sites only after dependency and retention checks.
Current Microsoft behavior: modern SharePoint site templates and site scripts can automate consistent configuration for new and existing sites. Organization templates can be set as defaults, but the template experience cannot simply be disabled and default templates can be changed by the site owner. Treat templates as a controlled baseline plus validation—not an immutable security boundary.
| Control | Decision at provisioning | Validation evidence | Adjacent governance |
|---|---|---|---|
| Sensitivity and privacy | Container label, public/private state, guest access, external sharing, unmanaged-device access, default sharing link, conditional-access authentication context where used | Applied label ID/name, effective site/group settings, owner-visible behavior, test user/device result | Sensitivity labels for sites and Teams |
| Owners and membership | Minimum owner count, sponsor, member source, guest process, site-admin exception, owner replacement, review frequency | Object IDs, owners, group membership source, direct-permission exception, owner acceptance | Site owner access recertification |
| Sharing | Tenant/site external-sharing level, guest/Anyone eligibility, default link type and permission, domain restrictions, expiration and request route | Effective tenant/site setting, test links, recipient behavior, audit event, documented exception | SharePoint and OneDrive sharing security |
| Information protection | Data classification, retention policy/label, record requirement, DLP scope, eDiscovery/hold dependencies, content migration restrictions | Policy location/scope, simulation or test evidence, sample event, compliance owner approval | Microsoft Purview DLP configuration |
| Architecture and storage | Hub association, region, time zone, URL, storage baseline, versioning, library design, metadata, search, approved apps and integrations | Site properties, hub ID, template result, quota, library settings, search/navigation test | Storage quota and archiving |
| Lifecycle | Purpose end date, owner attestation, inactivity threshold, group expiration dependency, archive/read-only action, deletion approval, retention check, restore owner | Review date, policy scope, owner response, archive state, deletion record, restore test/process | Microsoft 365 Groups expiration |
Lifecycle is part of provisioning: a group-connected site inherits dependencies across the Microsoft 365 group, Team, mailbox, Planner, and other resources. Deleting and restoring one connected workload can affect the others. Record the authoritative lifecycle and retention path before launch, not when the owner leaves.
Treat these as architecture and evidence defects. A successful “site created” response does not prove the workspace is governed.
SharePoint self-service is restricted, but users, Teams, groups, migration tools, or apps continue creating connected sites outside the request process.
A project receives separate SharePoint, Team, and group workspaces because discovery and architecture decisions were skipped.
A communication need is placed in a collaboration site or a membership-driven workspace is built with direct SharePoint permissions.
The site launches with one owner, a service account, or a contractor and becomes unmanaged after role or employment changes.
The visible name, alias, or durable URL exposes a client, matter, investigation, acquisition, health condition, or other confidential subject.
The requested template was only partially applied, later changed, or replaced by a site owner, but no actual-state validation exists.
A sensitivity label is selected by habit rather than the site’s data, privacy, sharing, device, guest, and regulatory requirements.
Association is treated as access control even though hub relationships do not grant or remove site permissions.
A third-party app or migration identity can create sites broadly, but its app ID, permissions, output inventory, and cleanup process are unknown.
Users are granted directly to the site or files instead of the approved group/SharePoint role model, creating immediate review and removal gaps.
The request captures a launch date but no end date, inactivity policy, group expiration, archive condition, or owner attestation.
A partial workflow leaves a group, site, Team, alias, hub link, or app permission behind and retry creates duplicates.
Record site ID/URL/template, Microsoft 365 group ID, Team ID, channel/parent IDs, hub ID, owners, creator, and timestamps. Confirm there is no duplicate alias or orphaned companion object.
Test owner, member, visitor, guest, unapproved internal user, unmanaged device, and search/Copilot context as applicable. Validate group membership and direct-permission exceptions.
Create only approved test links, verify recipient authentication, expiration/default link behavior, external-domain controls, guest restrictions, and audit events, then revoke test access.
Verify libraries, lists, metadata, content types, theme, navigation, hub association, home page, time zone, quota, versioning, search, and supported integrations.
Confirm label and policy IDs, privacy, unmanaged-device behavior, retention/DLP scope, restricted-access/discovery decision, audit logging, and documented exceptions.
Preserve before/after tenant and workflow configuration, script/template version, created IDs, errors, approval, cleanup command, retention dependencies, and owner notification before rollback.
Deletion is not the first rollback: if the site contains real content, has a connected group/Team, is under retention or hold, or has integrations, assess dependencies before deletion. SharePoint deleted sites are retained for 93 days, but connected Microsoft 365 group resources have different recovery timing. Use a controlled restore and validation procedure.
IT Perfection can help Orange County and Southern California organizations define site types, request and approval fields, owner standards, naming and URL rules, templates, automation identities, sensitivity and sharing defaults, hub relationships, lifecycle controls, evidence, and support handoffs as part of Microsoft 365 managed services or a focused SharePoint governance project.
Use the Microsoft 365 resource center for the broader operational ecosystem. Learn about the experience behind these guides on Ali Hassani’s profile.
No. The SharePoint site-creation setting controls several SharePoint, OneDrive, PnP, and REST entry points, but Microsoft 365 groups and Teams can still create connected SharePoint sites. Govern group and Team creation, app/migration creation, and SharePoint self-service as one architecture.
No. A group-connected team site is appropriate for membership-driven collaboration and related Microsoft 365 services. A communication site is appropriate for broad publishing with a smaller author group. Private and shared Teams channels create specialized channel sites whose membership and lifecycle follow Teams.
No. Templates and site scripts provide a repeatable starting configuration, but actions can fail partially, owners can apply other templates, and later changes can create drift. Validate the effective label, sharing, permissions, libraries, settings, hub, and policy state after provisioning.
Use at least two active owners where practical, plus a sponsor and support route. Record the source of membership, owner responsibilities, owner replacement, recertification cadence, sharing accountability, and lifecycle action if ownership becomes noncompliant.
First inventory every object and action created: site, group, Team, channel, alias, hub association, permissions, app grants, and content. Check retention, hold, and integration dependencies. Remove or reverse only the failed components using the recorded cleanup plan, then verify there is no orphan or duplicate before retry.
Yes. IT Perfection can assess creation paths, define site patterns and request fields, build owner and naming standards, configure templates and automation controls, align protection and lifecycle defaults, test the effective result, and establish a lightweight evidence and review process.
IT Perfection can reconcile creation paths, site types, groups and Teams, owners, names and URLs, templates, automation identities, protection defaults, hub architecture, validation evidence, and lifecycle controls—without adding unnecessary plugins or database-heavy workflows.
This guide is for initial guidance only and does not replace a professional cybersecurity audit, compliance assessment, penetration test, legal/privacy review, records-management decision, or tenant-specific Microsoft engineering engagement. Created by Ali Hassani, CISO — 25+ years of IT, cybersecurity, compliance, Microsoft infrastructure, networking, and business technology experience.
We use necessary cookies and limited analytics and advertising-measurement cookies. Select Accept to allow optional cookies or Deny to continue with necessary cookies only. No name or email is required. You may close this website at any time.