Microsoft MVP Drew Madelung explains what you can do with out-of-the-box SharePoint provisioning processes and when to go custom.
Collaboration and SharePoint go hand in hand. Your team is connected in a centralized environment, where documents are being shared and worked upon all the time. To make sure things go smoothly, workflow isn’t disturbed for anyone, and people actually enjoy working with one another in their digital workspace, the IT team needs to think long and hard about how they approach provisioning.
This is because, in SharePoint, your approach toward provisioning is directly proportional to how effective collaboration can be for everyone. It enables creating and configuring SharePoint sites, libraries, and any other related resources necessary for collaboration. At the same time, it requires knowing how your collaboration workspaces are built behind the scenes and the many options you can use.
If a team has to work together in SharePoint, but the administrator has limited their ability to do so by not providing the required permission controls, handing over an unsuitable site template, or generally just creating a SharePoint architecture without considering the impact of provisioning, the team will get frustrated and lose hope.
To ensure SharePoint provisioning is effective, we need to think about a few things. Here, we highlight some powerful practices that can make provisioning in SharePoint effective. We also take a look at the PnP provisioning engine, and how it can be leveraged to add an extra layer of configuration capabilities with SharePoint provisioning.
Table of contents
- Understanding SharePoint architecture
- Options for SharePoint provisioning
- Best practices for modern SharePoint provisioning
- How to get started with modern SharePoint provisioning with PnP provisioning solutions
- Modern SharePoint provisioning FAQ
|Name||What it is||Impact on provisioning|
|Site collections and subsites||Site collections are groups of sites with common settings, permissions controls, and related administrative features. Subsites are sites within site collections where content is stored and organized, with permissions and settings inherited from the site collection.||The hierarchical structure of site collections and subsites impacts provisioning decisions, as it determines how sites are created and organized.|
|Lists and libraries||Lists are a collection of items (like contact lists, calendar lists, task lists, etc.) organized in rows and columns. Libraries are collections of files (documents, images, videos, etc.) used to store content.||The choice of lists and libraries, as well as their configurations, affect provisioning by influencing the management and storage of content.|
|Web parts||Commonly considered the basic building blocks within SharePoint, web parts are reusable, customizable, and interactive units that allow users to add functionality within SharePoint.||The selection and arrangement of web parts on SharePoint sites can impact the provisioning process, as they determine the functionality and user experience of a site.|
|Site templates||A site template is the ‘structure’ of a site, that contains pre-defined settings, web parts, content, and related functionalities. These are customizable around business needs.||The use of built-in or custom site templates streamlines the provisioning process by providing a consistent structure and design for sites.|
|Permissions and security||SharePoint permissions and security controls define who has access to what within the workspace. The configured permissions and security settings also stand as a measure of how well protected your SharePoint environment is.||SharePoint’s security architecture, which includes user and group permissions, impacts provisioning by determining access and control over various site components.|
|Content types and metadata||Content types help categorize all the different kinds of content within SharePoint, like documents, images, announcements, contacts, and so on. Metadata helps provide context to content, through attributes such as title, author, file size, modification date, keywords, and so on. This makes it easy to find what you’re looking for when you need it.||The configuration of content types and metadata in SharePoint influences provisioning by dictating how content is categorized and managed.|
|Automation and Workflows||The practice of automation in SharePoint helps streamline processes by removing manual labor involved with certain tasks, improving efficiency as a result. Workflows are a consequence of automation: they use defined steps to automatically execute tasks, such as approvals, notifications, status updates, and so on.||The implementation of workflows and automation processes in SharePoint can affect provisioning by automating specific tasks and processes, improving efficiency.|
|Customizations and third-party solutions||Customizations are changes you make within SharePoint, because the configurations you’d like to make are not available out-of-the-box. Third-party solutions like ShareGate help solve a particular problem by providing capabilities that are not available out of the box.||Customizations or integrations with third-party solutions can impact provisioning by adding complexity to the SharePoint environment and requiring additional configuration steps.|
A good way to break down all the options for provisioning is to think about them in terms of complexity.
There may be easy provisioning solutions to implement that will still satisfy the requirements you have already gathered. This can stop you from making the mistake of building an unnecessary custom solution that needs to be maintained. You start with a complete out-of-the-box scenario where you leave all default creation on by combining multiple solutions into one.
There are third-party solutions that can accommodate many of these scenarios. But regardless of where you end up on the provisioning complexity pyramid, we still want to start with something like a team or site template. Having said that, we also want to keep some provisioning best practices in mind that can save a lot of time and resources and help avoid common mistakes.
Most organizations run into common problems when approaching provisioning in SharePoint, like figuring out how to use templates properly and how to automate provisioning processes. Here are some thoughts and advice on how to approach this.
Jump to best practice…
- Provisioning templates are your friend
- Automate provisioning processes where you can
- Combine multiple solutions to provision SharePoint sites and Microsoft teams
Best practice #1: Provisioning templates are your friend
What does your organization need in a Microsoft 365 (SharePoint) provisioning template?
You want to build a solution your end users need, not just what IT and security folks think they need. The best way to do this is to empower your end users to lead it.
Employees will find ways to get work done, and gathering this information in a workshop or meeting can be challenging.
It’s easy to discuss a design, but until you work with it, you don’t know if it’s really what you need. Users who are empowered to work with the actual sites and teams might add more lists, libraries, or tabs, or even change the metadata they need to work with the content.
Once users have worked with the site or team, you can identify the gaps in the technology capabilities for different provisioning solutions. For example, we can’t use out-of-the-box provisioning or site templates if custom pages are needed. Once you’ve established an agreement with the organization on the template workspaces you provided them to build out, you can establish your “Primary” template. This primary template is what you can replicate for other sites, teams, or communities.
Modern provisioning doesn’t take actual copies of sites or teams but identifies the configurations or content that need to be applied after the back-end site or team is created. This ensures that in an evergreen environment, the core infrastructure can be updated without breaking workspaces that would otherwise be exact copies.
Picture a vehicle that comes in different models. At their core, the models are not different cars; each is the same base with different things added on afterward. For Microsoft 365 workspaces, this can be thought of as adding lists and libraries after the initial site was created rather than creating them as part of the site itself.
This means that the “Primary” site we had the users create is an out-of-the-box site or team with their changes made on top of it. For modern provisioning, we want to extract the differences from the out-of-the-box site or, more specifically, identify the changes that occurred. Then we can take that extract and apply it to new or existing sites or teams.
Option 1: Built-in SharePoint templates
When to use out-of-the-box Microsoft 365 provisioning processes
Using Microsoft 365’s out-of-the-box solution doesn’t mean that you aren’t making any changes to provisioning, but that you’re just using high-level configurations available in different admin portals. This is nice because it’s the least complex provisioning option as you aren’t using anything custom. But then you’re limited to the options the admin configurations provide.
The main example is using the Microsoft 365 group creation controls to add some governance. These controls only affect the creation of teams and modern team sites backed by groups. They don’t affect communication sites or non-group-backed SharePoint sites. The options for managing group provisioning include the following:
- Limiting who can create groups and, therefore, who can create teams and modern SharePoint team sites
- Adding a naming standard, including a suffix or prefix
- Expiration after a period of time
Along with group controls, there are pre-built Microsoft templates for creating both teams and SharePoint sites that are available to everyone. These are great for offering your users more options to create workspaces that include more than the default lists, libraries, and channels. Users are prompted for these templates during creation, and the templates can also be applied after creation.
Option 2: Using custom SharePoint site and team templates
As discussed above, we have Microsoft-provided team and SharePoint site templates that can be used. These are great starting points, but you’ll normally need something specific to the actual business use cases or requirements you have gathered, which the out-of-the-box options will not provide. In these scenarios, we can create custom templates for users.
Currently, the templates for SharePoint and Teams are completely separate and can’t interact with each other. For example, if I create a custom Team template, I can’t do things to the SharePoint site and vice versa when creating a custom SharePoint site template. Microsoft is planning to release connected templates to mitigate this issue, but it will be a long journey until these allow custom templates, not just those provided by Microsoft.
Where are team templates managed?
Modern SharePoint site templates are different from your old on-premises classic site templates. They may be called the same name, but they’re different, and you shouldn’t be using them in Microsoft 365.
Classic site templates take full copies of a site, which generates a custom site template behind the scenes and doesn’t get the benefits of the normal site templates, like STS#1, which are updated by Microsoft.
Modern site templates used to be called “Site Designs” and the configuration to set them up still uses this language.
A modern site template is a collection of actions called “Site Scripts.” You can have multiple site scripts as part of a site template. When you apply a site template, it executes the actions. Think of a site template as a container for the actions.
You can apply a site template:
- On site collection creation
- Manually whenever you like
- When joining a hub
This logic does not take copies of the site but builds a configuration applied on top of the site. You can also extract existing configurations from a site to build your site scripts. You must use PowerShell to do this, but this allows you to use the “Primary” site that the users created and curated.
There is a large list of actions you can use site templates to apply, but some of the most popular include:
- Create libraries, lists, columns
- Apply a theme
- Add SPFx web parts
- Trigger a flow
Using custom site templates requires knowledge of PowerShell, JSON, and backend SharePoint architecture, so it’s more complex than using out-of-the-box solutions. But they can provide a good set of configurations as part of your provisioning architecture.
Best practice #2: Automating provisioning processes where you can
There are limits to what SharePoint site templates can do to your workspaces. They can only interact with the existing site to which they are being applied. What if you wanted to send an email, update a list item in an administrative list on another site, or query a different source system for data that will be used on the site?
One of the actions available to site templates is the ability to call a Power Automate flow using an HTTP trigger. Using this trigger gives you the full potential of Power Automate and its hundreds of connectors. This opens up the options to get exactly what you need added to the site or integrated into another system as part of your provisioning architecture.
This trigger solution can be as advanced as triggering other Azure automation or functions to run different types of code or using the API and connector options that Power Automate provides. This continues into the complexity pyramid and requires another solution to be managed in Power Automate.
This provisioning tier is the pivot point of using a configuration applied after site creation. It’s a great point to be at if your requirements allow for it, but a limiting factor of SharePoint site templates, and even of the HTTP trigger in most advanced solutions, is that it all occurs after creation. You can’t do any approvals or data gathering before creation.
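The site template mechanics described above (site scripts as a container of actions, extraction from the “Primary” site, and the flow trigger) can be put together as follows. This is an added example, not code from the article; the tenant, site, group, and list names are assumptions, and the flow URL is a placeholder.

```powershell
# Added example. Tenant, site, group and list names are assumed placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# 1. Extract what the users built on the "Primary" site and save it for review.
Get-SPOSiteScriptFromWeb -WebUrl "https://contoso.sharepoint.com/sites/primary" `
    -IncludedLists "Shared Documents" -IncludeSiteExternalSharingCapability |
    Set-Content -Path ".\primary-extract.json" -Encoding UTF8

# 2. Curated site script: only the actions the template should enforce.
#    Single-quoted here-string so "$schema" is not expanded by PowerShell.
$scriptJson = @'
{
  "$schema": "https://developer.microsoft.com/json-schemas/sp/site-design-script-actions.schema.json",
  "actions": [
    {
      "verb": "createSPList",
      "listName": "Project Documents",
      "templateType": 101,
      "subactions": [
        { "verb": "setDescription", "description": "Working documents for the project" },
        { "verb": "addSPField", "fieldType": "Text", "displayName": "Project Code",
          "isRequired": false, "addToDefaultView": true }
      ]
    },
    { "verb": "setSiteExternalSharingCapability", "capability": "Disabled" },
    {
      "verb": "triggerFlow",
      "url": "<HTTP-trigger-URL-of-your-flow>",
      "name": "Register new project site",
      "parameters": { "event": "site provisioned", "template": "Project site" }
    }
  ],
  "version": 1
}
'@
# The flow's HTTP trigger URL embeds a signature: anyone holding it can start the
# flow. Keep the real URL out of shared repositories and validate the payload
# inside the flow before acting on it.

# 3. Register the script and wrap it in a site template ("site design").
#    WebTemplate 64 = team site, 68 = communication site.
$siteScript = Add-SPOSiteScript -Title "Project site script" `
    -Description "Library, sharing setting and registration flow" -Content $scriptJson
$design = Add-SPOSiteDesign -Title "Project site" -WebTemplate "64" `
    -SiteScripts $siteScript.Id -Description "Template built from the Primary site"

# 4. Limit who can see the template. A new site design is visible to everyone
#    until rights are granted; afterwards only the listed principals see it.
Grant-SPOSiteDesignRights -Identity $design.Id `
    -Principals "project-owners@contoso.com" -Rights View
Get-SPOSiteDesignRights -Identity $design.Id
```

The `setSiteExternalSharingCapability` action is not one the article lists; it is included here because a template is a convenient place to pin a site's sharing posture at creation.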
Using third-party tools for automation
When there’s no option other than using a third-party tool because it’s an absolute necessity for your specific business processes, make sure you opt for an add-on that comes packed with solutions for every problem on top of automation.
There are tools like ShareGate that come packed with many capabilities like helping with migration, reporting, content management, provisioning, permissions management, etc. You want a tool that covers all limitations that are present with SharePoint out of the box.
Coming back to automation in SharePoint, the ideal third-party tool should cover the following:
- Streamlined processes—Third-party tools often provide a more efficient and user-friendly interface for SharePoint provisioning, simplifying complex tasks and reducing manual efforts.
- Consistency and governance—Many third-party tools offer built-in templates and governance features that help maintain consistency across sites, ensuring adherence to organizational policies and best practices.
- Automation and scalability—Third-party tools often support automation and bulk operations, enabling faster provisioning of multiple sites and improved scalability for large SharePoint deployments.
Best practice #3: Combining multiple solutions to provision SharePoint sites and Microsoft teams
It’s best to start at the top of the complexity pyramid—meaning the least complex—and work your way down as requirements drive you.
If you need data gathering up front, you can’t just use out-of-the-box solutions. If you need to move content around or interact with Teams, you need to add custom logic using Power Automate or PnP. Make sure you establish a matrix for your requirements versus these options.
These options don’t need to be used in a silo and can often work well together. Use the matrix to figure out scenarios like using out-of-the-box configurations to limit creation while applying a default site template to all sites and using PnP provisioning for only specific use cases.
A common way to mix and match these is to use the HTTP trigger from a site template to apply a PnP provisioning template, built from the users’ “primary” site, on top of that site.
Creating SharePoint site and Microsoft teams provisioning templates is all about the requirements
Workspace provisioning can be simple or complex, and that will depend on the requirements you have. You will most likely align your requirements to subsets of users or all users with certain scenarios leading to a custom provisioning workflow. You still want to ensure you’re pushing self-service for your provisioning.
Microsoft Patterns & Practices (PnP) is a joint community and Microsoft open-source initiative where solutions are built that go beyond what’s available in the Microsoft products themselves. You should use these solutions if you’re a Microsoft 365 administrator or developer.
One of the most common is the PnP PowerShell module which allows you to configure more options than the Microsoft SharePoint or Teams PowerShell modules.
Using the PnP provisioning engine
Another solution is the PnP Provisioning engine. PnP provisioning allows you to take full extracts of sites, including content, and deploy them to an existing site. This can also be used to create sites as part of a package, an actual file that includes the configuration that can be applied to a site.
PnP provisioning uses a schema exported or created from a site and bundled into a file. That file is referenced when you apply that provisioning template to a SharePoint site.
Where are PnP provisioning solutions located?
PnP provisioning solutions are not managed through any GUI but are done via scripting or coding. Your provisioning files need to be located somewhere accessible. Then you would connect to the site and apply the provisioning file using PowerShell, which then applies the configuration and content to the site.
One of the most common reasons you would need to go to this level of complexity is that you’re working with content like pages, images, documents, or folders. No out-of-the-box option from Microsoft does this, and site templates do not support content management.
If you wanted to add a folder structure and have template or training documents pre-loaded for users, you would need to either use PnP provisioning, which can include the files, or use the HTTP trigger as part of site templates to work with files for an even more complex solution.
Once you get to this level of complexity, it can be easier to use PnP provisioning for all actions, but that requires some development knowledge to build.
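The extract-and-apply flow described in this section, written with the current PnP.PowerShell cmdlets, looks like this. It is an added example rather than the author's script: the URLs, client ID, and file name are assumptions, and the review gate and hash pin are additions that keep permissions from the source site, or an altered file, from reaching new sites.

```powershell
# Added example. URLs, client ID and file names are assumed placeholders.
$clientId   = "<entra-app-client-id>"
$primaryUrl = "https://contoso.sharepoint.com/sites/primary"
$template   = Join-Path (Get-Location) "primary-template.xml"

# 1. Extract the configuration of the "Primary" site, leaving out its
#    site-level users, groups and permissions.
Connect-PnPOnline -Url $primaryUrl -Interactive -ClientId $clientId
Get-PnPSiteTemplate -Out $template -ExcludeHandlers SiteSecurity -Force

# 2. Review gate (heuristic): stop if security entries are still in the file,
#    for example list-level permissions exported with a list.
$leaks = Select-String -Path $template -SimpleMatch -Pattern '<pnp:Security', '<pnp:User '
if ($leaks) {
    $leaks | ForEach-Object { "{0}: {1}" -f $_.LineNumber, $_.Line.Trim() }
    throw "Template still contains security entries; review before publishing."
}

# 3. Pin the reviewed file. Store this hash with the change record, separately
#    from the location where the template file itself is kept.
$approvedHash = (Get-FileHash -Path $template -Algorithm SHA256).Hash
"Approved template SHA256: $approvedHash"

# 4. Apply only a file that still matches the approved hash.
function Invoke-ApprovedSiteTemplate {
    param(
        [Parameter(Mandatory)] [string] $TargetUrl,
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        [Parameter(Mandatory)] [string] $ClientId
    )
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        throw "Template hash mismatch: expected $ExpectedSha256, got $actual."
    }
    Connect-PnPOnline -Url $TargetUrl -Interactive -ClientId $ClientId
    # Exclude SiteSecurity again so a hand-edited template cannot add principals.
    Invoke-PnPSiteTemplate -Path $Path -ExcludeHandlers SiteSecurity
}

Invoke-ApprovedSiteTemplate -TargetUrl "https://contoso.sharepoint.com/sites/project-042" `
    -Path $template -ExpectedSha256 $approvedHash -ClientId $clientId
```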
Finally, we need to put the pieces of the provisioning strategy together
Ultimately, your entire provisioning strategy needs to empower end users so that they take charge and have a level of control over their workspace. We’re not looking to create a provisioning strategy that is overreaching. Rather, end users should have the freedom to collaborate with one another as they see fit.
But what does this mean exactly? Well, after figuring out the right approach towards provisioning in SharePoint, the next step is striking the right balance between provisioning and governance. In his ShareGate webinar, Microsoft MVP Richard Harbridge walks through Microsoft 365 and Teams provisioning best practices.
About the author
Drew Madelung (@dmadelung) is a Solutions Architect Consultant and a Microsoft MVP for SharePoint, OneDrive, and Microsoft 365, specializing in content management and business process improvement. Drew works with clients to develop and deploy comprehensive solutions on SharePoint and Microsoft 365, from architecture and design to rollout, adoption, and governance planning. To learn more, visit: drewmadelung.com
Do I need Microsoft 365 tenant templates?
Microsoft 365 tenant templates are built and deployed like PnP provisioning, but connect at a higher level. They aren’t as common as provisioning solutions, but if you have specific requirements that nothing above can meet, PnP tenant templates may be one of the more complex actions you can take.
PnP tenant templates allow you to provision SharePoint sites, teams, Azure AD entries, taxonomy, etc. These are great solutions if you need to automatically create multiple workspaces simultaneously between tenants. This can also be used to establish workspaces between test and production environments.
Also, PnP provisioning templates are limited to SharePoint sites and are applied by connecting to sites directly. This limits what can be created as you’re not connected at the tenant level, and there are logical API limits you’d have when connecting to sites directly. To manage Teams provisioning within PnP and larger scale creation, you can use PnP tenant templates.
How does SharePoint governance help with provisioning?
An effective SharePoint governance plan is a powerful way to better organize and secure your SharePoint environment. You can use it to:
- Define the hierarchy of information within your environment
- Effectively regulate access and permissions. For example, you can create policies and guidelines for user and group permissions, resulting in better compliance with company policies and steps necessary for security.
- Streamline site creation. For example, you can create structured processes involved with templates and configurations for new sites, resulting in consistency and better organizational practices.
- Effectively organize and manage content. The better content is managed and stored, the easier it is for everyone on the team to find what they’re looking for and collaborate with one another.
- Monitor your SharePoint environment and verify whether the governance policies you’ve created are being followed.
How can I automate the process of managing permissions during SharePoint provisioning?
While automation with out-of-the-box SharePoint features is limited for permissions management, you can use PowerShell scripts or third-party tools designed for SharePoint administration. These tools can help you create, modify, or remove permissions in bulk, saving time and ensuring consistency across your SharePoint environment.
What are some best practices for managing permissions in a SharePoint site hierarchy during provisioning?
Our experience shows that the following aspects of permissions management should be incorporated into your provisioning strategy:
- The principle of least privilege is a powerful way to minimize risk by only allowing the necessary access required for each user. Don’t go overboard by granting more access than the user requires.
- Assign permissions to groups rather than individual users. This will simplify permission management by cutting out the manual labor of managing permissions for each user.
- Permissions should be inherited from parent sites wherever possible. This increases consistency and reduces complexity.
- Regular reviews and permission updates ensure that policies and user roles remain aligned.
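A regular review of these points can be scripted. The following added example (not from the article) uses PnP.PowerShell to list every place on a provisioned site where inheritance has been broken and flags grants made to individual users instead of groups; the site URL and client ID are assumptions.

```powershell
# Added example. Site URL and client ID are assumed placeholders.
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/project-042" `
    -Interactive -ClientId "<entra-app-client-id>"

$findings = foreach ($list in Get-PnPList -Includes HasUniqueRoleAssignments, Hidden) {
    # Only visible lists and libraries that no longer inherit from the site.
    if ($list.Hidden -or -not $list.HasUniqueRoleAssignments) { continue }

    $assignments = Get-PnPProperty -ClientObject $list -Property RoleAssignments
    foreach ($ra in $assignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null

        # "Limited Access" is assigned by SharePoint itself and is not a real grant.
        # The name is localized; adjust it for non-English sites.
        $roles = $ra.RoleDefinitionBindings |
            Where-Object { $_.Name -ne 'Limited Access' } |
            ForEach-Object { $_.Name }
        if (-not $roles) { continue }

        [pscustomobject]@{
            List          = $list.Title
            Principal     = $ra.Member.Title
            PrincipalType = $ra.Member.PrincipalType
            Roles         = $roles -join ', '
            # Grants to a single user, rather than to a group, are the ones to question.
            DirectUser    = $ra.Member.PrincipalType -eq 'User'
        }
    }
}

# Full picture of broken inheritance, then the entries that need follow-up.
$findings | Sort-Object List, Principal | Format-Table -AutoSize
$findings | Where-Object { $_.DirectUser -or $_.Roles -match 'Full Control' } |
    Export-Csv -Path ".\permission-review.csv" -NoTypeInformation
```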