How to get started with modern Microsoft 365 provisioning


Microsoft MVP Drew Madelung explains what you can do with out-of-the-box Microsoft 365 provisioning processes and when to go custom.

Modern Microsoft 365 provisioning requires knowing how your collaboration workspaces are built behind the scenes and the many options you can use.

A workspace is another way to discuss a Team, team site, or Yammer Community. This ensures you’re thinking about all the technologies that bring collaboration to users. Microsoft 365 Groups powers the modern world. To learn more about how it affects provisioning, I break down the Microsoft 365 collaboration architecture in the first blog of this series.  

A good way to break down all the options for provisioning is to think about them in terms of complexity.

There may be easy provisioning solutions to implement that will still satisfy the requirements you have already gathered. Starting with them can stop you from making the mistake of building an unnecessary custom solution that needs to be maintained. The options range from a complete out-of-the-box scenario, where you leave all default creation on, to combining multiple solutions into one.


There are third-party solutions that can accommodate many of these scenarios. But regardless of where you end up on the provisioning complexity pyramid, we still want to start with something like a template. 

What does your organization need in a Microsoft 365 provisioning template?

You want to build a solution your end users need, not just what IT and security folks think they need. The best way to do this is to empower your end users to lead it.

Employees will find ways to get work done, and gathering this information in a workshop or meeting can be challenging.  

Instead of gathering it all through communication, work with end users to build out actual SharePoint sites or Teams manually and let users work with them.

Drew Madelung, Microsoft MVP

It’s easy to discuss a design, but until you work with it, you don’t know if it’s really what you need. Users who are empowered to work with the actual sites and teams might add more lists, libraries, or tabs, or even change the metadata they need to work with the content.

Once users have worked with the site or team, you can identify the gaps in the technology capabilities for different provisioning solutions. For example, we can’t use out-of-the-box provisioning or site templates if custom pages are needed. Once you’ve established an agreement with the organization on the template workspaces you provided them to build out, you can establish your “Primary” template. This primary template is what you can replicate for other sites, teams, or communities.  

Modern provisioning doesn’t take actual copies of sites or teams but identifies the configurations or content that need to be applied after the backend site or team is created. This ensures that in an evergreen environment, the core infrastructure can be updated without breaking the workspaces, as it could if they were exact copies.

Picture a vehicle that has different models. At its core, there are no different cars, just different things added on after the same base of the car is used. For Microsoft 365 workspaces, this can be thought of as adding lists and libraries after the initial site was created versus being created as part of the site itself.  

This means that the “Primary” site or team we had the users build is an out-of-the-box site or team with changes made to it. For modern provisioning, we want to extract the differences from the out-of-the-box site or, more specifically, identify the changes that occurred. Then we can take that extract and apply it to new or existing sites or teams.


When to use out-of-the-box Microsoft 365 provisioning processes

Using Microsoft 365’s out-of-the-box solution doesn’t mean that you aren’t making any changes to provisioning, but that you’re just using high-level configurations available in different admin portals. This is nice because it’s the least complex provisioning option as you aren’t using anything custom. But then you’re limited to the options the admin configurations provide.  

The main example is using the Microsoft 365 group creation controls to add some governance. These controls only affect the creation of teams and modern team sites backed by groups. They don’t affect communication sites or non-group-backed SharePoint sites. The options for managing group provisioning include the following: 

  • Limiting who can create groups and, therefore, who can create teams and modern SharePoint team sites 
  • Adding a naming standard, including a suffix or prefix 
  • Expiration after a period of time 
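
Before changing any of these controls, it helps to see what the tenant currently enforces. The following read-only audit is an added example, not part of the original article; it assumes the Microsoft Graph PowerShell modules (including the Beta module) are installed and that the signed-in account can consent to Directory.Read.All.

```powershell
# Read-only audit of the three group controls listed above.
# Nothing in this script changes tenant configuration.
Connect-MgGraph -Scopes 'Directory.Read.All' -NoWelcome

# Tenant-wide Microsoft 365 group settings live in a directory setting object
# named "Group.Unified". It does not exist until someone customizes it.
$setting = Get-MgBetaDirectorySetting -All |
    Where-Object DisplayName -eq 'Group.Unified'

if (-not $setting) {
    Write-Warning 'No Group.Unified setting found: defaults apply, so creation is not restricted and no naming policy is set.'
} else {
    # Values is a list of Name/Value pairs; index it by name for lookup.
    $v = @{}
    $setting.Values | ForEach-Object { $v[$_.Name] = $_.Value }

    [pscustomobject]@{
        AnyoneCanCreateGroups = $v['EnableGroupCreation']
        AllowedCreatorGroupId = $v['GroupCreationAllowedGroupId']
        NamingPrefixSuffix    = $v['PrefixSuffixNamingRequirement']
        BlockedWords          = $v['CustomBlockedWordsList']
    } | Format-List

    # Edge case: creation switched off but no security group named as creators.
    if ($v['EnableGroupCreation'] -eq 'false' -and -not $v['GroupCreationAllowedGroupId']) {
        Write-Warning 'Group creation is disabled and no creator group is set; regular users cannot create teams or team sites.'
    }
}

# Expiration is stored separately, as a group lifecycle policy.
$policy = Get-MgGroupLifecyclePolicy
if ($policy) {
    $policy | Select-Object GroupLifetimeInDays, ManagedGroupTypes | Format-List
} else {
    Write-Warning 'No expiration policy is configured.'
}
```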

Along with group controls, there are pre-built Microsoft templates for creating both teams and SharePoint sites that are available to everyone. These are great for offering your users more options to create workspaces that include more than the default lists, libraries, and channels. Users are prompted for these templates during creation, and the templates can also be applied after creation.


Using Microsoft 365 SharePoint site and team templates

As discussed above, we have Microsoft-provided team and SharePoint site templates that can be used. These are great starting points, but you will normally need something specific to the actual business use cases or requirements you have gathered that the out-of-the-box options will not provide. In these scenarios, we can create custom templates for users.

Currently, the templates for SharePoint and Teams are completely separate and can’t interact with each other. For example, if I create a custom Team template, I can’t do things to the SharePoint site and vice versa when creating a custom SharePoint site template. Microsoft is planning to release connected templates to mitigate this issue, but it will be a long journey until these allow custom templates, not just those provided by Microsoft.

Where are team templates managed?

Modern SharePoint site templates are different from your old on-premises classic site templates. They may be called the same name, but they’re different, and you shouldn’t be using them in Microsoft 365.  

Classic site templates take full copies of a site, which generates a custom site template behind the scenes and doesn’t get the benefits of the normal site templates, like STS#1, which are updated by Microsoft.  

Modern site templates used to be called “Site Designs” and the configuration to set them up still uses this language.

A modern site template is a collection of actions called “Site Scripts.” You can have multiple site scripts as part of a site template. When you apply a site template, it executes the actions. Think of a site template as a container for the actions.  

You can apply a site template: 

  • On site collection creation
  • Manually whenever you like 
  • When joining a hub 

This logic does not take copies of the site but builds a configuration applied on top of the site. You can also extract existing configurations from a site to build your site scripts. You must use PowerShell to do this, but this allows you to use the “Primary” site that the users created and curated.  

There is a large list of actions you can use site templates to apply, but some of the most popular include:

  • Create libraries, lists, columns 
  • Apply a theme 
  • Add SPFx web parts 
  • Trigger a flow 

Using custom site templates requires knowledge of PowerShell, JSON, and backend SharePoint architecture, so it’s more complex than using out-of-the-box solutions. But they can provide a good set of configurations as part of your provisioning architecture. 
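
The extract-and-register workflow described above looks like this in the SharePoint Online Management Shell. This is an added example, not from the original article; the tenant name contoso, the site and list paths, the titles, and the pilot group address are all placeholders.

```powershell
# Assumed placeholders: tenant "contoso", the Primary site URL, the list
# paths, and the pilot group address. Replace them with your own values.
$adminUrl   = 'https://contoso-admin.sharepoint.com'
$primaryUrl = 'https://contoso.sharepoint.com/sites/primary'

Connect-SPOService -Url $adminUrl

# 1. Extract the configuration of the user-curated Primary site as site script JSON.
$json = Get-SPOSiteScriptFromWeb -WebUrl $primaryUrl `
    -IncludeBranding -IncludeTheme -IncludeRegionalSettings `
    -IncludedLists @('Shared Documents', 'Lists/Project Tracker')

# 2. Keep a reviewable copy and summarize which actions the script will run
#    on every site it is applied to, before anything is registered.
$json | Set-Content -Path .\primary-site-script.json -Encoding utf8
($json | ConvertFrom-Json).actions |
    Group-Object verb |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# 3. Register the script, then wrap it in a site design (site template).
#    WebTemplate "64" targets group-connected team sites.
$script = Add-SPOSiteScript -Title 'Primary team site script' `
    -Description 'Extracted from the Primary site' -Content $json
$design = Add-SPOSiteDesign -Title 'Primary team site' -WebTemplate '64' `
    -SiteScripts $script.Id -Description 'Applies the Primary site configuration'

# 4. A new site design is visible to everyone until rights are granted.
#    Scope it to a pilot group while the template is being validated.
Grant-SPOSiteDesignRights -Identity $design.Id `
    -Principals 'provisioning-pilot@contoso.com' -Rights View
Get-SPOSiteDesignRights -Identity $design.Id
```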


Adding an HTTP trigger to custom SharePoint site templates

There are limits to what SharePoint site templates can do to your workspaces. They can only interact with the site to which they are being applied. What if you wanted to send an email, update a list item in an administrative list on another site, or query a different source system for data that will be used on the site?

One of the triggers for site templates is the ability to call a Power Automate flow using an HTTP trigger. Using this trigger gives you the full potential of Power Automate and its hundreds of connectors. This opens up the options to get exactly what you need added to the site or integrated into another system as part of your provisioning architecture.  

This trigger solution can be as advanced as triggering other Azure automation or functions to run different types of code or using the API and connector options that Power Automate provides. This continues into the complexity pyramid and requires another solution to be managed in Power Automate.  

This provisioning tier is the pivot point of using a configuration applied after site creation. It’s a great point to be at if your requirements allow for it, but a limiting factor of SharePoint site templates, and even of the HTTP trigger in most advanced solutions, is that it all occurs after creation. You can’t do any approvals or data gathering before creation.
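
A site script that calls a flow through the HTTP trigger can be built and registered as follows. This is an added example, not from the original article; the environment variable name, the tenant name, the titles, and the parameter values are assumptions. The point to notice is that the flow's trigger URL is stored in the site script in clear text and normally carries a signature in its query string, so the script JSON should be handled like a credential.

```powershell
# Assumed: the flow's "HTTP POST URL" is supplied through an environment
# variable (hypothetical name) rather than being committed to a script file.
$flowUrl = $env:PROVISIONING_FLOW_URL

# Refuse anything that is not an absolute https URL before it is baked
# into a script that runs on every newly created site.
$uri = $null
if (-not [uri]::TryCreate($flowUrl, [System.UriKind]::Absolute, [ref]$uri) -or
    $uri.Scheme -ne 'https') {
    throw 'PROVISIONING_FLOW_URL must be set to an absolute https URL.'
}

# The triggerFlow action: SharePoint posts the new site's webUrl, the creator's
# name and email, and these parameters to the flow after the site exists.
$siteScript = [ordered]@{
    '$schema' = 'https://developer.microsoft.com/json-schemas/sp/site-design-script-actions.schema.json'
    actions   = @(
        [ordered]@{
            verb       = 'triggerFlow'
            url        = $flowUrl
            name       = 'Post-creation provisioning'
            parameters = [ordered]@{
                event   = 'site-created'   # constructed sample values
                product = 'SharePoint'
            }
        }
    )
    version   = 1
}
$json = $siteScript | ConvertTo-Json -Depth 5

Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder tenant
$script = Add-SPOSiteScript -Title 'Notify provisioning flow' `
    -Description 'Calls the provisioning flow after site creation' -Content $json
Add-SPOSiteDesign -Title 'Team site with post-creation flow' -WebTemplate '64' `
    -SiteScripts $script.Id
```

Because the request arrives only with what the URL carries, the flow itself should validate the webUrl it receives against your tenant before acting on it.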


Integrating PnP provisioning to create Microsoft Teams and SharePoint site provisioning templates

Microsoft Patterns & Practices (PnP) is a joint community and Microsoft open-source initiative where solutions are built that go beyond what’s available in the Microsoft products themselves. You should use these solutions if you’re a Microsoft 365 administrator or developer.

One of the most common is the PnP PowerShell module, which allows you to configure more options than the Microsoft SharePoint or Teams PowerShell modules.

Using the PnP provisioning engine

Another solution is the PnP Provisioning engine. PnP provisioning allows you to take full extracts of sites, including content, and deploy them to an existing site. This can also be used to create sites as part of a package, an actual file that includes the configuration that can be applied to a site.

PnP provisioning uses a schema exported or created from a site and bundled into a file. That file is referenced when you apply that provisioning template to a SharePoint site. 

Where are PnP provisioning solutions located? 

PnP provisioning solutions are not managed through any GUI but are done via scripting or coding. Your provisioning files need to be located somewhere accessible. Then you would connect to the site and apply the provisioning file using PowerShell, which then applies the configuration and content to the site.  

One of the most common reasons you would need to go to this level of complexity is that you’re working with content like pages, images, documents, or folders. No out-of-the-box option from Microsoft does this, and site templates do not support content management.  

If you wanted to add a folder structure and have template or training documents pre-loaded for users, you would need to either use PnP provisioning, which can include the files, or use the HTTP trigger as part of site templates to work with files for an even more complex solution.  

Once you get to this level of complexity, it can be easier to use PnP provisioning for all actions, but that requires some development knowledge to build. 
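
Since the provisioning file sits somewhere accessible and is applied with the permissions of whoever runs it, one useful habit is to pin the package's hash at export time and check it again before applying. The sketch below is an added example, not from the original article; the function names, site URLs, file path, and client ID are placeholders, and it assumes the PnP.PowerShell module with your own Entra ID app registration.

```powershell
# Placeholders: $clientId is your own app registration; URLs and paths are samples.
$clientId = '<entra-app-client-id>'
$package  = '.\primary-template.pnp'

function Export-PrimaryTemplate {            # hypothetical helper name
    Connect-PnPOnline -Url 'https://contoso.sharepoint.com/sites/primary' `
        -Interactive -ClientId $clientId
    # Export the Primary site as a .pnp package. SiteSecurity is excluded so the
    # Primary site's own permission setup is not carried into the template.
    Get-PnPSiteTemplate -Out $package -IncludeAllPages `
        -ExcludeHandlers SiteSecurity -Force
    # Return the hash so it can be recorded outside the file share,
    # for example in the change record that approves the template.
    (Get-FileHash -Path $package -Algorithm SHA256).Hash
}

function Invoke-VerifiedTemplate {           # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$TargetUrl,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    # Stop if the package changed since it was reviewed and approved.
    $actual = (Get-FileHash -Path $package -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        throw "Template hash mismatch: expected $ExpectedSha256, got $actual."
    }
    Connect-PnPOnline -Url $TargetUrl -Interactive -ClientId $clientId
    Invoke-PnPSiteTemplate -Path $package
}

# Usage:
#   $approved = Export-PrimaryTemplate
#   Invoke-VerifiedTemplate -TargetUrl 'https://contoso.sharepoint.com/sites/project-a' `
#       -ExpectedSha256 $approved
```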


Do I need Microsoft 365 tenant templates? 

PnP provisioning templates are limited to SharePoint sites and are applied by connecting to sites directly. This limits what can be created as you’re not connected at the tenant level, and there are logical API limits you’d have when connecting to sites directly. To manage Teams provisioning within PnP and larger scale creation, you can use PnP tenant templates.  

PnP tenant templates allow you to provision SharePoint sites, teams, Azure AD entries, taxonomy, etc. These are great solutions if you need to automatically create multiple workspaces simultaneously between tenants. This can also be used to establish workspaces between test and production environments.  

These are built and deployed like PnP provisioning but connect at a higher level. They aren’t as common as provisioning solutions, but if you have specific requirements that nothing above can meet, PnP tenant templates may be one of the more complex actions you can take.


Combining multiple solutions together to provision SharePoint sites and Microsoft teams

It’s best to start at the top of the complexity pyramid—meaning the least complex—and work your way down as requirements drive you.  

If you need data gathering up front, you can’t just use out-of-the-box solutions. If you need to move content around or interact with Teams, you need to add custom logic using Power Automate or PnP. Make sure you establish a matrix for your requirements versus these options.  

These options don’t need to be used in a silo and can often work well together. Use the matrix to figure out scenarios like using out-of-the-box configurations to limit creation while applying a default site template to all sites and using PnP provisioning for only specific use cases.  

A common way to mix and match these is to use the HTTP trigger from a site template to apply a PnP provisioning template on top of that site built from the “Primary” site from the users.


Creating SharePoint site and Microsoft teams provisioning templates is all about the requirements

Workspace provisioning can be simple or complex, and that will depend on the requirements you have. You will most likely align your requirements to subsets of users or all users with certain scenarios leading to a custom provisioning workflow. You still want to ensure you’re pushing self-service for your provisioning.


Knowing the technical architecture of Microsoft 365 and all the options for provisioning, you can truly get started building out your modern Microsoft 365 provisioning solution.

Next up in the series: 5 things to avoid in Microsoft 365 provisioning. Check it out!
