Restrict "Create Site" permissions to "Restricted Read" users


I have given all users of my tenant "Restricted Read" permissions on the root site collection so that they cannot create site collections and sub-sites in the tenant. When any such user logs into the SharePoint site, s/he cannot see the SharePoint link in the top bar that navigates to the SharePoint page.

However, when the user types the direct URL in the browser window:

https://mytenant.sharepoint.com/_layouts/15/SharePoint.aspx

s/he can navigate to the page and can see the "Create Site" link at the top. Although s/he cannot create a site, s/he can still see the option. Am I missing adding/removing any specific permission, or is this expected behavior?

4 Replies
You need to disable self-service site creation in SharePoint Online configuration.

I can do it. But I want specific users to have access to the same. Let's say I have a security group which should have access to create site collections for users.

An option is to use a SharePoint List, Flow and Azure Function. Configure SharePoint settings as suggested and then create a list that only allowed users can add to, create a Flow for when an item is added. Create an Azure Function to create a SharePoint site or O365 group. Get Flow to call the Azure Function. As a last step, you might want to email the user.
You can also change the Create Site link to go to a custom page to create a list item but need to have some messaging for users who can't create items.
There is a blog on this but I can't find the link.
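
In the list, Flow and Azure Function workflow described in the reply above, the function creates the site with its own privileges, so it should re-check who filed the request instead of relying on list permissions or a hidden link. The sketch below is an added example, not code from the thread: the field names (`created_by`, `requested_for`, `alias`), the group membership set, the naming policy and the reserved list are all assumptions, and the provisioning call itself is left out.

```python
import re

# Constructed sample: members of a hypothetical "Site Creators" security group.
SITE_CREATORS = {"alice@mytenant.example", "bob@mytenant.example"}

# Hypothetical naming policy: 3-40 chars, lowercase letters, digits, hyphens.
ALIAS_RE = re.compile(r"[a-z0-9][a-z0-9-]{1,38}[a-z0-9]")
# Constructed deny list, for illustration only.
RESERVED = {"sites", "teams", "search", "personal"}


def evaluate_request(item, allowed=SITE_CREATORS):
    """Decide whether a list item may trigger site provisioning.

    `item` is a dict shaped like the payload the flow would forward
    (assumed field names). `created_by` is the system-recorded author
    of the list item; `requested_for` and `alias` are user-typed input.
    Returns (approved, reason).
    """
    # Authorize on the system-recorded author only. The user-typed
    # `requested_for` field is never used for the access decision.
    author = str(item.get("created_by", "")).strip().lower()
    if author not in allowed:
        return False, "author is not in the site-creators group"

    # Validate the alias before it is placed into a site URL.
    alias = str(item.get("alias", ""))
    if not ALIAS_RE.fullmatch(alias):
        return False, "alias fails the naming policy"
    if alias in RESERVED:
        return False, "alias is reserved"
    return True, f"provision /sites/{alias} for {author}"


if __name__ == "__main__":
    # Constructed requests: one valid, one spoofing `requested_for`,
    # one with a path-traversal style alias.
    samples = [
        {"created_by": "Alice@mytenant.example", "alias": "finance-2024"},
        {"created_by": "mallory@mytenant.example",
         "requested_for": "alice@mytenant.example", "alias": "hr-portal"},
        {"created_by": "bob@mytenant.example", "alias": "../admin"},
    ]
    for s in samples:
        print(evaluate_request(s))
```
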

Agreed. However, that's an alternate solution. What I am talking about is the default behavior. When the restricted read permission level does not have "Use Self-Service Site Creation" permissions, then how is the user still able to view the "Create Site" option?