createDefaultAssociatedGroups throws exception for modern sites

[nbelyh]

Category

• Bug

Describe the bug

Summary
The SharePoint REST API method createDefaultAssociatedGroups throws exception "Access Denied" for modern sites (if the setting "No Script Site" is set to true, which is the default).

This is a duplicate of pnp/pnpjs#1575, please kindly read the discussion there before closing this one. It's not about pnp-js, it's about core share point API, reproducible with any client library (powershell, pnp, csom). I'm highlighting this because the previous issue has been closed as unrelated, and I have been told it's okay to create another one with proper example in REST API, so here it is basically.

Steps to reproduce (REST API)

#### create  a site
POST /_api/web/webs/add 
{"parameters":{
	"__metadata":{"type":"SP.WebCreationInformation"},
	"Url":"child",
	"Title":"My Site",
	"Description":"My Description",
	"Language":1033,
	"UseSamePermissionsAsParentSite":false,
	"WebTemplate":"STS#3"
	}
}

#### create default groups
POST /child/_api/web/createDefaultAssociatedGroups(userLogin='',userLogin2='',groupNameSeed='')  <<< 403 here

Basically, the issue is that the call to createDefaultAssociatedGroups results in 403: Access denied for farm admin.
Important notice: If you allow custom scripts (???), the call works.

The CSOM calls also behaves the same way:

Web newWeb = ctx.Web.CreateWeb("My Site", "child", "My Description", "STS#3", 1033, false);
ctx.ExecuteQuery();
newWeb.CreateDefaultAssociatedGroups("", "", "");
ctx.ExecuteQuery();  // <<< 403 here

For the pnp-js example please check the linked issue.

Expected behavior

The call to create default groups for a site works regardless of the scripting setting. For the farm (global) admin, at least.

If you do it from UI manually (using /_layouts/permsetup.aspx page) then it works regardless of the "custom scripts" setting.

Environment details (development & target environment)

• Target Environment: [SharePoint Online]
• Browser(s): [Chrome v88]

Additional information

Related issue on stackoverflow (for CSOM access)
https://sharepoint.stackexchange.com/questions/240933/why-would-createdefaultassociatedgroups-stop-to-serverunauthorizedaccessexceptio

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

[github-actions]

Thank you for taking the time to file an issue. We periodically archive older or inactive issues as part of our issue management process, which automatically closes them once they are archived.

If you’d like to understand more about why and how we handle archived (closed) issues, please see Our approach to closed issues.

We appreciate your contribution and if this is still an active issue with the latest SPFx versions, please do resubmit the details. We needed to perform a cleanup, so that we can start with a clean table with a new process. We apologize for the inconvenience this might cause.