Create a Communication Site from code in SharePoint Online using PowerShell

Microsoft recently released the new and long-awaited modern site template for publishing sites in SharePoint Online (Office 365). The site template is named “Communication Site” and is the second template released after the modern “Team Site”. If you have permissions, a site based on this template can be created from the SharePoint Home page using the “Create a site” form.


This approach is fine if you have permissions to create sites and are happy with the default setup. For me this is almost never the case. Often the tenants I work with have restricted who can create new sites/groups, and also require additional configuration after the site has been created. This can be accomplished for the new “Team site” template, so I was curious how it can be done for the Communication site.

At the time of writing Microsoft has not released any documentation on how to do this, so this was done by re-creating the steps of the “Create a site” wizard (found by using Fiddler). I assume and hope that sooner or later we will find official documentation from Microsoft on how to do this. They might provide us with a slightly more elegant way to use their APIs. But if you are familiar with using general REST APIs, this is pretty straightforward as soon as you are authenticated with SharePoint.

 

PowerShell script for creating a Communication site

This script requires the “SharePoint Online Client Components” to be installed.

Disclaimer: This approach is not documented by Microsoft, so assume that this will change in the future and only use it for testing at this time.

Summary

With the modern sites Microsoft has created several new REST-based APIs used in their own wizards. These APIs can be used as long as you have an authenticated user context.

This code demonstrates how you can create the new Communication Site from code. After the site has been created you are free to connect to the site and apply customizations using, for example, the PnP PowerShell framework.

Problem with connecting to SharePoint Online in Office 365 with PowerShell, SharePoint Designer and other third-party tools

You are no longer able to log into SharePoint using PowerShell, SharePoint Designer and other third-party tools (e.g. ShareGate, SharePoint Search Query Tool etc.). The error message states that you are “Unauthorized” and “…the web site does not support SharePoint Online credentials” even though your username and password are fine.

Example: Error while logging in with PnP PowerShell

Connect-PnPOnline : Cannot contact web site ‘https://TENANTID.sharepoint.com/‘ or the web site does not support SharePoint Online credentials. The response status code is ‘Unauthorized’.  The response headers are ‘X-SharePointHealthScore=0, X-MSDAVEXT_Error=917656; Access+denied.+Before+opening+files+in+this+location%2c+you+must+first+browse+to+the+web+site+and+select+the+option+to+login+automatically.,

Example: Stuck while logging in with SharePoint Designer

Reason

SharePoint Online has a setting named “LegacyAuthProtocolsEnabled” with the purpose “Prevents Office clients using non-modern authentication protocols from accessing SharePoint Online resources.”

By default this is allowed in all tenants. But an administrator can tighten security and disallow logins with these non-modern approaches.

More details can be found here: https://technet.microsoft.com/en-in/library/fp161390.aspx

Solution

1. Start using modern authentication (recommended)

Check if your application supports modern authentication through either WebLogin or application credentials (ClientId/ClientSecret) authentication. This is the recommended and more secure approach.

Not all tools support modern authentication (SharePoint Designer, for example, does not). If you are required to keep using these apps, you might have to re-enable the support as described in the next point.

2. Re-enable support for legacy apps (temporary fix)

Note: Your company might have performed a security hardening and disabled this on purpose. If so, it would not be advisable to continue without verifying the reason for this change.

Using “SharePoint Online Management Shell”, log in with “Connect-SPOService”.


Connect-SPOService -Url "https://TENANTID-admin.sharepoint.com"

Verify the value of “LegacyAuthProtocolsEnabled”.


$TenantSettings = Get-SPOTenant

$TenantSettings.LegacyAuthProtocolsEnabled

If this value is “False”, then this issue will be solved by setting this to “True”.


Set-SPOTenant -LegacyAuthProtocolsEnabled $True

Updating your SharePoint Online tenant settings does not take immediate effect. You need to wait a while before you retry; exactly how long varies from minutes to 24 hours depending on the setting.
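The steps above wrapped into one guarded function, as an added example that is not part of the original post: it reads the current value, asks for confirmation before changing it, and records the old value so the temporary fix can be reverted. The function name and the log path are hypothetical; it assumes the SharePoint Online Management Shell module and an existing Connect-SPOService session.

```powershell
# Added example (not the author's script). Requires an existing session:
#   Connect-SPOService -Url "https://TENANTID-admin.sharepoint.com"
function Set-LegacyAuthWithAudit {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][bool]$Enabled,
        # Hypothetical log location; point this at wherever you keep change records.
        [string]$LogPath = (Join-Path $env:TEMP 'LegacyAuthChange.csv')
    )

    # Read the value first: if it is False, someone may have hardened the tenant on purpose.
    $current = (Get-SPOTenant).LegacyAuthProtocolsEnabled
    if ($current -eq $Enabled) {
        Write-Output "LegacyAuthProtocolsEnabled is already $current; nothing to change."
        return
    }

    $action = "Set LegacyAuthProtocolsEnabled from $current to $Enabled"
    if ($PSCmdlet.ShouldProcess('SharePoint Online tenant', $action)) {
        Set-SPOTenant -LegacyAuthProtocolsEnabled $Enabled

        # Keep the previous value so the change can be reverted later.
        [pscustomobject]@{
            TimeUtc   = (Get-Date).ToUniversalTime().ToString('o')
            ChangedBy = [Environment]::UserName
            OldValue  = $current
            NewValue  = $Enabled
        } | Export-Csv -Path $LogPath -Append -NoTypeInformation

        Write-Output "$action requested. The setting can take up to 24 hours to apply."
    }
}

# Dry run: shows what would change without touching the tenant.
Set-LegacyAuthWithAudit -Enabled $true -WhatIf
```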

Summary

Changing the value of “LegacyAuthProtocolsEnabled” can cause issues for some existing applications. Checking if you can start using more modern authentication options will solve the issue in many apps, but for some you might still need to keep this support open.

“Create a team” is missing in Microsoft Teams

I came across a rare scenario when I was going to convert an existing Office 365 group to a Team. In Microsoft Teams (https://teams.microsoft.com) I was unable to find the “Create a team” button. In my case I was logged on as a Global Admin and thought that I ruled the whole world, but then again no.

Scenario

In Microsoft Teams:

  1. Selected “Add team” in the lower right
  2. Expected to find the “Create a team” button (but where is it?)

Solution

In this tenant the creation of Office 365 groups had been restricted for the end users. This includes designating an AD group containing the users allowed to do this.

Tips: How to restrict Office 365 Groups creation

My Global Admin user was not added to this AD group. It turns out that converting an existing group to a team is also affected by this policy. So simply by adding my user to this group I was able to see the missing button.

Summary

When restricting creation of Office 365 Groups, admin users must also explicitly be added to this group to maintain full control over Groups and Teams creation.
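A diagnostic for the situation above, as an added example that is not part of the original post: it reads the tenant's group creation policy and reports whether a given account is in the allowed group. It assumes the restriction was configured through the Azure AD “Group.Unified” directory setting and that the AzureADPreview module is connected with Connect-AzureAD; the function name and the UPN are placeholders.

```powershell
# Added example (not the author's script). Requires the AzureADPreview module
# and an existing Connect-AzureAD session.
function Test-GroupCreationAllowed {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # The tenant-wide Office 365 Groups policy is stored in the
    # "Group.Unified" directory setting.
    $setting = Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }

    $result = [pscustomobject]@{
        User              = $UserPrincipalName
        CreationOpenToAll = $true
        AllowedGroupId    = $null
        IsDirectMember    = $null
    }

    # No policy object means group creation has not been restricted.
    if (-not $setting) { return $result }

    $result.CreationOpenToAll = ($setting['EnableGroupCreation'] -eq 'true')
    $result.AllowedGroupId    = $setting['GroupCreationAllowedGroupId']
    if ($result.CreationOpenToAll -or -not $result.AllowedGroupId) { return $result }

    # Only direct members are listed here; membership through a nested
    # group is not resolved by this check.
    $user    = Get-AzureADUser -ObjectId $UserPrincipalName
    $members = Get-AzureADGroupMember -ObjectId $result.AllowedGroupId -All $true
    $result.IsDirectMember = @($members.ObjectId) -contains $user.ObjectId
    return $result
}

# Placeholder account name; replace with the admin account you are checking.
Test-GroupCreationAllowed -UserPrincipalName 'admin@TENANTID.onmicrosoft.com'
```

A result with CreationOpenToAll set to False and IsDirectMember set to False matches the case described in this post.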