While the Graph API has good coverage of “end user” endpoints, which cover most client scenarios, the “admin” part of the experience remains largely non-existent, especially when it comes to the various Microsoft 365 workloads. So it is with great pleasure that I can announce the availability of the /settings endpoint for querying and managing (some of) SharePoint Online and OneDrive for Business tenant-wide settings. Let’s dig in.
First things first: this is currently only available under the /beta endpoint, and as such the experience is subject to change – do not use this in production, or do so at your own peril. The settings themselves are exposed as part of the microsoft.graph.tenantAdmin.settings resource, which you can access under the /beta/admin/sharepoint/settings endpoint. Use a GET operation to query the current values and a PATCH one to update them. The permissions needed are SharePointTenantSettings.Read.All for the former and SharePointTenantSettings.ReadWrite.All for the latter, with both delegated and application permissions supported.
To query the currently configured values, use a GET request against the /beta/admin/sharepoint/settings endpoint:
GET https://graph.microsoft.com/beta/admin/sharepoint/settings
As you can see from the output, only a handful of settings are currently supported, compared to the 100+ properties available within the SharePoint Online admin center or returned by the Get-SPOTenant cmdlet. For the sake of completeness, here’s the list of currently supported settings:
Property | Description
---|---
allowedDomainGuidsForSyncApp | Collection of trusted domain GUIDs for the OneDrive sync app.
availableManagedPathsForSiteCreation | Collection of managed paths available for site creation. Read-only.
deletedUserPersonalSiteRetentionPeriodInDays | The number of days for preserving a deleted user’s OneDrive.
excludedFileExtensionsForSyncApp | Collection of file extensions not uploaded by the OneDrive sync app.
imageTaggingOption | Specifies the image tagging option for the tenant. Possible values are: disabled, basic, enhanced.
isCommentingOnSitePagesEnabled | Indicates whether comments are allowed on modern site pages in SharePoint.
isFileActivityNotificationEnabled | Indicates whether push notifications are enabled for OneDrive events.
isLoopEnabled | Indicates whether Fluid Framework is allowed on SharePoint sites.
isMacSyncAppEnabled | Indicates whether files can be synced using the OneDrive sync app for Mac.
isResharingByExternalUsersEnabled | Indicates whether guests are allowed to reshare files, folders, and sites they don’t own.
isSharePointMobileNotificationEnabled | Indicates whether mobile push notifications are enabled for SharePoint.
isSharePointNewsfeedEnabled | Indicates whether the newsfeed is allowed on the modern site pages in SharePoint.
isSiteCreationEnabled | Indicates whether users are allowed to create sites.
isSiteCreationUIEnabled | Indicates whether the UI commands for creating sites are shown.
isSitePagesCreationEnabled | Indicates whether creating new modern pages is allowed on SharePoint sites.
isSitesStorageLimitAutomatic | Indicates whether site storage space is automatically managed or if specific storage limits are set per site.
isSyncButtonHiddenOnPersonalSite | Indicates whether the sync button in OneDrive is hidden.
isUnmanagedSyncAppForTenantRestricted | Indicates whether users are allowed to sync files only on PCs joined to specific domains.
personalSiteDefaultStorageLimitInMB | The default OneDrive storage limit for all new and existing users who are assigned a qualifying license. Measured in megabytes (MB).
sharingAllowedDomainList | Collection of email domains that are allowed for sharing outside the organization.
sharingBlockedDomainList | Collection of email domains that are blocked for sharing outside the organization.
sharingCapability | Sharing capability for the tenant. Possible values are: disabled, externalUserSharingOnly, externalUserAndGuestSharing, existingExternalUserSharingOnly.
sharingDomainRestrictionMode | Specifies the external sharing mode for domains. Possible values are: none, allowList, blockList.
siteCreationDefaultManagedPath | The value of the team site managed path. This is the path under which new team sites will be created.
siteCreationDefaultStorageLimitInMB | The default storage quota for a new site upon creation. Measured in megabytes (MB).
tenantDefaultTimezone | The default timezone of a tenant for newly created sites.
Among the things currently missing are the IP-based restriction settings, conditional access controls, the various claims controls and link expiration, to name a few. Another thing to keep in mind is that not all of these are settable. The table below covers all the settings you can currently modify via a PATCH request:
Property | Description
---|---
allowedDomainGuidsForSyncApp | Collection of trusted domain GUIDs for the OneDrive sync app.
deletedUserPersonalSiteRetentionPeriodInDays | The number of days for preserving a deleted user’s OneDrive.
excludedFileExtensionsForSyncApp | Collection of file extensions not uploaded by the OneDrive sync app.
imageTaggingOption | Specifies the image tagging option for the tenant. Possible values are: disabled, basic, enhanced.
isCommentingOnSitePagesEnabled | Indicates whether comments are allowed on modern site pages in SharePoint.
isFileActivityNotificationEnabled | Indicates whether push notifications are enabled for OneDrive events.
isLoopEnabled | Indicates whether Fluid Framework is allowed on SharePoint sites.
isMacSyncAppEnabled | Indicates whether files can be synced using the OneDrive sync app for Mac.
isResharingByExternalUsersEnabled | Indicates whether guests are allowed to reshare files, folders, and sites they don’t own.
isSharePointMobileNotificationEnabled | Indicates whether mobile push notifications are enabled for SharePoint.
isSharePointNewsfeedEnabled | Indicates whether the newsfeed is allowed on the modern site pages in SharePoint.
isSiteCreationEnabled | Indicates whether users are allowed to create sites.
isSiteCreationUIEnabled | Indicates whether the UI commands for creating sites are shown.
isSitePagesCreationEnabled | Indicates whether creating new modern pages is allowed on SharePoint sites.
isSitesStorageLimitAutomatic | Indicates whether site storage space is automatically managed or if specific storage limits are set per site.
isSyncButtonHiddenOnPersonalSite | Indicates whether the sync button in OneDrive is hidden.
isUnmanagedSyncAppForTenantRestricted | Indicates whether users are allowed to sync files only on PCs joined to specific domains.
personalSiteDefaultStorageLimitInMB | The default OneDrive storage limit for all new and existing users who are assigned a qualifying license. Measured in megabytes (MB).
sharingAllowedDomainList | Collection of email domains that are allowed for sharing outside the organization.
sharingBlockedDomainList | Collection of email domains that are blocked for sharing outside the organization.
sharingCapability | Sharing capability for the tenant. Possible values are: disabled, externalUserSharingOnly, externalUserAndGuestSharing, existingExternalUserSharingOnly.
sharingDomainRestrictionMode | Specifies the external sharing mode for domains. Possible values are: none, allowList, blockList.
siteCreationDefaultManagedPath | The value of the team site managed path. This is the path under which new team sites will be created.
siteCreationDefaultStorageLimitInMB | The default storage quota for a new site upon creation. Measured in megabytes (MB).
tenantDefaultTimezone | The default timezone of a tenant for newly created sites.
And here’s an example of using a PATCH request to modify the value of the isLoopEnabled setting:
PATCH https://graph.microsoft.com/beta/admin/sharepoint/settings
Interestingly enough, success is designated by a 200 OK response and a refreshed list of the settings:
And that’s pretty much all there is to managing SPO tenant settings via the Graph, for now 🙂
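The GET and PATCH operations described above can be combined into a drift check for the sharing-related settings. The following is an added example, not code from the original post: it compares a settings response with a baseline and builds a PATCH body containing only the properties that differ. The baseline values, the sample response and the function names are assumptions for illustration, and the access token is assumed to carry the SharePointTenantSettings permissions named earlier.

```python
import json
import urllib.request

SETTINGS_URL = "https://graph.microsoft.com/beta/admin/sharepoint/settings"
READ_ONLY = {"availableManagedPathsForSiteCreation"}  # marked read-only in the table above
ENUMS = {  # allowed values as listed in the table above
    "sharingCapability": {"disabled", "externalUserSharingOnly",
                          "externalUserAndGuestSharing", "existingExternalUserSharingOnly"},
    "sharingDomainRestrictionMode": {"none", "allowList", "blockList"},
    "imageTaggingOption": {"disabled", "basic", "enhanced"},
}
# Hypothetical baseline for illustration; choose values that match your own policy.
BASELINE = {
    "sharingCapability": "existingExternalUserSharingOnly",
    "isResharingByExternalUsersEnabled": False,
    "isUnmanagedSyncAppForTenantRestricted": True,
}

def validate(baseline):
    """Reject read-only properties and enum values the table does not list."""
    for name, value in baseline.items():
        if name in READ_ONLY:
            raise ValueError(f"{name} is read-only and cannot be sent in a PATCH")
        if name in ENUMS and value not in ENUMS[name]:
            raise ValueError(f"{value!r} is not a valid value for {name}")

def patch_body(current, baseline=BASELINE):
    """Return only the baseline properties whose current value differs."""
    validate(baseline)
    return {k: v for k, v in baseline.items() if current.get(k) != v}

def graph_request(token, method="GET", body=None):
    """Send GET or PATCH to the settings endpoint and return the parsed JSON reply."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(SETTINGS_URL, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

# Constructed sample of a GET response (not real tenant output), trimmed to four properties.
SAMPLE = json.loads("""{
  "sharingCapability": "externalUserAndGuestSharing",
  "isResharingByExternalUsersEnabled": true,
  "isUnmanagedSyncAppForTenantRestricted": true,
  "isLoopEnabled": true
}""")

if __name__ == "__main__":
    print(json.dumps(patch_body(SAMPLE), indent=2))
    # With a real token: graph_request(token, "PATCH", patch_body(graph_request(token)))
```

An empty result from `patch_body` means the tenant already matches the baseline, so no PATCH needs to be sent.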