Teams and SharePoint provisioning: What, why and how?
Last updated on September 3, 2023
Workspace provisioning solutions are one of the most common — if not the most common — type of customization built for Office 365. In fact, custom workspace provisioning solutions have been built for pretty much as long as SharePoint as a product has existed.
If we recall what the situation was in the cloud a couple of years ago, we can remember that we were still very much focused on provisioning SharePoint Online sites. At the time, it was more about getting customers to move away from classic SharePoint sites, and building provisioning solutions that targeted the new beautiful modern team and communication sites instead.
However, ever since the release of Microsoft Teams and it gaining enormous momentum and popularity, the balance has shifted more and more towards building solutions specifically for provisioning teams. SharePoint still has its well-earned place in this story, though — especially the modern team sites that are connected to the Teams teams via the underlying Office 365 groups.
There are so many things I can tell you about provisioning. This blog post aims to clarify the meaning and benefits of workspace provisioning solutions to those who are not yet that familiar with the topic, and explain why there is no one-size-fits-all solution to the problem.
Why do I need automated workspace provisioning?
There are several reasons why organizations might want to invest in a custom workspace provisioning solution. People in different roles can benefit from it, and the reasons depend on who do you ask.
Ain’t nobody got time for that!
Let’s look at things from an admin’s perspective first. Whenever a user creates a Planner plan, a modern SharePoint Online team site, or a Teams team, an Office 365 group is created in the background and added to Azure AD. That group then connects all those different services and assets for the group members to use in their collaboration.
Because creating Office 365 groups can happen in so many different ways, and from so many different places, it can quickly start to feel like things are getting out of control. Not all users necessarily even realize that such a group gets created whenever they, for example, create a new plan.
And it is not just about the number of groups but also about the settings in those groups. How is the group named? What kind of collaboration happens in the group? Is it used for confidential internal information or for collaborating with employees from other organizations? What kind of basic security settings are chosen? Should external sharing be limited or allowed? Et cetera.
Because of these concerns, organizations typically flip the switch and disable Office 365 group creation for everyone. Then they allow it via a security group to a small set of admins who know how things should be done, and that way take back control. Those admins are tasked to create groups for other users by following documented steps carefully — if they see the user’s request agreeable. But really, don’t those admins have better things to do? Is this the kind of work they are being paid for?
OK, that joke got old very fast
Automated workspace provisioning can also greatly benefit end-users. Quite often, there is a need to create a lot of workspaces with similar configurations. A typical example is a project workspace.
Whenever a new project starts, a new Teams team with specific channels is created. A Planner plan is constructed for the project tasks (often the exact same base tasks for every project), and the plan is then pinned as a tab on one of the channels in Teams. A predefined sub-folder structure needs to be created for storing project-related documents on the SharePoint site document library, and it needs to be done in the way that it shows up correctly on the Files tabs in Teams. Sometimes also a separate SharePoint Online communication site needs to be created for showcasing the project to other employees in the company or to external users who may be interested in the project outcome. And this is only the tip of the iceberg.
It is a lot of work to get done by hand for every single project, and quite often you might forget to do something. Wouldn’t it be nice if you didn’t need to spend the project budget and schedule for clicking around in the UI, and instead could get to work immediately?
Automated provisioning pipelines to the rescue!
As I mentioned at the beginning of this blog post, an automated workspace provisioning pipeline means a process, where the workspace is created and configured automatically in a pre-defined way. As with many other automated processes, there are two benefits:
- Reduces the amount of manual work. When all the steps are automated, an administrator is no longer needed to create teams or SharePoint sites in a controlled manner whenever users need them. And end-users don’t need to always do the exact same configurations for each workspace manually.Users can trigger the provisioning process themselves, and the creation and configuration of the workspace is done automatically (after a possible effortless approval step). This saves time (and hence money) for both the administrators and users to focus on the tasks that matter and can’t be as easily automated.
- Humans make mistakes. If all teams are configured manually, possibly by a lot of different people, things can easily get set up in an unintended way. When configurations are automated, all teams and sites get created consistently and correctly.
How is it implemented?
The automated provisioning pipeline can be implemented in many different ways, and choosing the right method always depends on the customer-specific requirements. The services and tools we can use include various kinds of forms, bots, SPFx solutions, custom web sites or APIs, Azure Functions, Logic Apps, WebJobs, the PnP Provisioning Engine, SharePoint site templates… the list goes on!
So far, I’ve built at least a dozen different provisioning solutions for Teams and SharePoint, and no two customers have ever wanted the exact same functionality. Customers always have their own internal working cultures, business-specific needs, challenges, and priorities. For some, a very light-weight solution with simple tweaks is enough, while some want very thorough and fully automated processes. This is most likely the reason why this kind of a controlled automatic provisioning process doesn’t exist out of the box. One size just doesn’t fit all.
The solution needs to be built in a way that it fulfills the requirements, is pleasant to use, and doesn’t annoy any of the different types of users involved. The implementation has to be done following the best practices when it comes to, for example, security, while at the same time keeping the customer’s money in mind. Typically there are several ways for accomplishing the desired outcome; hence, I always think:
- Which one of the possible options is the quickest for implementing the feature (lowest implementation cost)?
- Which one is the most cost-effective way in the long term? Let’s not do things in a quick and easy way if it means high licensing costs or Azure bills in the future.
Is it for me?
I may be a little bit strange consultant/developer/architect. I genuinely think what is the best solution for the customer also from their money perspective. And I don’t mean just by considering the implementation and maintenance costs I mentioned above. I also evaluate, does the solution create high enough return of interest to justify the investment for the customer?
- How many workspaces are created per week, per month, per year?
- How many different users need to create workspaces?
- How complex are those workspaces? How long does it take for each of those different users to create them and set them up the way they should be set up?
- How much time (and hence money) could be saved if the workspace creation was automated and the end-user only needed to fill in a simple order form? How much does it make in a year? What about in three or five years which is still a very realistic lifespan for a provisioning solution.
- What is currently the customer’s biggest problem related to workspaces; does the provisioning solution help to solve it?
Sometimes, especially for smaller organizations, it may be enough if we take advantage of the out of the box features and offer some high-quality training for the users. However, when the number of users increases, the gained control and time saved can easily justify — and in time, exceed — the initial investment to the workspace provisioning solution. There is always an opportunity cost. Could you spend this time making more money or creating more value for the company by doing something else than setting up yet another Teams workspace?
Want to know more?
I regularly speak about this topic from an architecture design and implementation perspective at different international conferences. Check out my Public Speaking page for the next conference near you!
Laura
Hi Laura,
Thanks for the detailed post.
From the provisioning architecture can we not just utilize the Azure Functions (Timmer) to run the entire process using pnp core.
From your experience are there any challenges with only using Functions. Looking for some guidance.
Looking forward for your reply.
Thanks,
Sunil
Hi Laura,
Thanks for the detailed post on the custom provisioning process. But i would like to understand, the best approach of provisioning a team by end user without admin intervention.
Currently have a solution withSPFx webpart as the front end user request form and a powershell script with pnp module creates the team. ( this ps scripts invoked by a task scheduler for every 5 mins )
So now i want to get rid of Powershell part and provision the team from SPFx webpart itself . The default team creation option is disabled for all user in my organization, so in this scenario is there any option of provisioning teams via spfx webpart ( like using graph api / or some thing which can elevate regular user privileges ?
Also if that is not possible, can we provision it via MS flow.? if yes, what permissions it requires.
Thanks
Purna
Hi Purna,
Provisioning a team is such a long-running operation that I don’t recommend doing it directly in the SPFx web part. If a user navigates away from the page, the execution stops. Also, it’s good to store the information the user submits via the form somewhere (e.g. a SharePoint list) in case an error occurs during the provisioning process and you need to retry.
You can definitely provision a team via Power Automate (previously known as Microsoft Flow), or even make it call the PowerShell script that does the provisioning. The latter option requires the PowerShell script to be hosted in Azure as an Azure function.
You can find information about the required permissions in the Microsoft Graph documentation: https://docs.microsoft.com/en-us/graph/api/team-put-teams?view=graph-rest-1.0&tabs=http
Laura