Microsoft has recently started to officially state that the best practice for O365 tenants is to have a flat hierarchy by sticking to site collections rather than a single site collection with sub sites. If you have administered SharePoint for any amount of time you will realize that sites will multiply even if you create all of them yourself. Unless you are more disciplined than I am, there will be site collections created for testing or for short term projects that never get deleted and before you know it you will have 60, 80 or 120 site collections or more, commonly referred to as Sprawl. This article will show you how to help control the sprawl with SharePoint Site Classifications.

So there is no real issue with having this many site collections, if they do not have content they do not really take away from your storage (I know there is a certain amount of storage used by default but I am painting a picture here, bear with me) so they are not really doing any harm to the Production environment. And while there may be no harm to the environment, there is a feeling of “out of control”ness that the admin gets when they look at the sprawl of site collections.


Microsoft is working to change the admin console to allow views that can be filtered which will certainly help the problem. I would like to add an option to your toolbox that you might not have considered before. As talented SharePoint admins we know that there are site policies that will allow sites to be closed and deleted however, it is rarely used because business users fairly never want their site and content automatically deleted. We have a way to use Site Classifications in such a way as to set a site policy automatically based on the specific site type. So if you can get the business to agree, then you can start maintaining sites automagically, and I will discuss how these can be implemented.

SharePoint PnP

If you have read my blogs before you will know I am a big fan of PnP for PowerShell. So as a first step, you will need to make sure that you have the SharePoint PnP module installed. To install go read my blog here. Once installed, you will go to your tenant and then to your content type hub as a Global admin or SharePoint Admin. To access your content type hub go to https://{yourtenantname} which is a hidden site collection in your tenant. Once there, go to Site Settings – Site Collection Administration – Site Policies. In site policies add 3 site policies with the names “HBI”, “LBI” and “Top Secret”. Each policy should have different options set. I usually set up HBI with the options below in that if it is a High Business Impact site I do not want to close or delete it automatically. As with all things SharePoint, when you choose a different option you get different options:

When I create the “LBI” option I select “Close and delete sites automatically” as shown below:

The difference between “Close and delete sites automatically” and “Delete sites automatically” is that the former is an automatic function that is determined by the created date. While it can be delayed by the site owner, it will eventually occur as long as the policy is in effect. The latter, “Delete sites automatically”, can be automatic based on site creation date but can be manual based on the close date. The site owner or Tenant admin decides when the site should be closed so the process does not start without human intervention.

Publish the Policies

Once the 3 site classification policies are created then I publish them to all site collections. If you have not done content type publishing before then see this info on it. The hub can also publish our site policies as shown below:

So now that the policies are published they wont apply to any site collections unless associated with the site collection in site settings – site closure and deletion as shown below:

Enable the Classifications

As you can see there is no policy applied by default and a site owner can manually close the site from this page as well. We will now take a look at the PoSH to set the site policy so that as you create site collections you can make sure that the sites are automagically classified.

Connect-PnPOnline -Url
Connect-PnPOnline -Scopes “Directory.ReadWrite.All”
Enable-PnPSiteClassification -Classifications “HBI”,”LBI”,”Top Secret” -DefaultClassification “LBI”
Connect-PnPOnline -Url
Set-PnPSite -Classification “HBI”
#need to set up a site policy in the content hub by this name, “HBI”, before running the following command
Set-PnPSitePolicy -Name “HBI”

First we connect to the admin site then we set our scope to allow us Read-write to the Microsoft Graph for the tenant. Next, we run the “Enable-PnPSiteClassification” command to set the 3 classifications that we defined earlier.

We then connect to the specific site and run the “Set-PnPSite -Classification” command with the name of the level to set the site policy. This sets a propertybag setting called “PolicyName” to the level we set. To see the value run “Get-PnPPropertyBag -Key PolicyName” This will then show up in the site closure and deletion:


And of course, since you are doing this with PoSH you can iterate through all the sites from a CSV and set each according to the sensitivity they should have.


One thing to keep in mind is that when you implement this classification in this way then it will implement the classification dropdown in every area in which you create or edit new sites. In the case of Teams as shown below:

Or when editing an existing Group:


If you can sell the reasoning to your business users then you can certainly do yourself a lot of good by setting these site policies. I always prefer to let system automation be the big bad useless site policeman than my having to do so, it makes it so much easier to walk down the hall.

Updated: Thanks to Mark Wilson for pointing out that although I explained the site closure policies I did not include the code needed to implement the classifications in Azure AD and make them show up in Teams as I indicated above. To the end of being thorough here is that code.

#First install the module, if you already have AzureAD installed you may have to use the -force parameter:
Install-Module -Name AzureADPreview
#Next Connect to Azure AD:
#Now we get the template
$Template = Get-AzureADDirectorySettingTemplate -Id 62375ab9-6b52-47ed-826b-58e47e0e304b
#Create the Settings
$Setting = $template.CreateDirectorySetting()
#set the usage guidelines
$setting[“UsageGuidelinesUrl”] = “”
#set the classification list
$setting[“ClassificationList”] = “HBI”,”LBI”,”Top Secret”
#set the default classification, in this case Low business impact
$setting[“DefaultClassification”] = “LBI”
#set the descriptions of each classification
$setting[“ClassificationDescriptions”] = “LBI:no restrictions,HBI:all internal users can access,TopSecret:only special users can access”
#create new settings object based on the settings above
New-AzureADDirectorySetting -DirectorySetting $setting

To check that these settings have been applied:
$myid = Get-AzureADDirectorySetting -All $True
(Get-AzureADDirectorySetting -Id $myid.Id).values

If you feel this blog post is of interest or use to you, all I ask is that you please comment.

Live Long and Prosper,


Hits: 2220