Allow or prevent custom script
As a SharePoint Administrator in Microsoft 365, you can allow custom script as a way of letting users change the look, feel, and behavior of sites and pages to meet organizational objectives or individual needs. If you allow custom script, all users who have Add and Customize Pages permission to a site or page can add any script they want. (By default, users who create sites are site owners and therefore have this permission.)
Note
For simple ways to change the look and feel of a site, see Change the look of your SharePoint site.
By default, script is not allowed on most sites that admins create using the SharePoint admin center and all sites created using the New-SPOSite PowerShell command. Same applies to OneDrive, sites users create themselves, modern team and communication sites, and the root site for your organization. For more info about the security implications of custom script, see Security considerations of allowing custom script.
Important
If SharePoint was set up for your organization before 2015, your custom script settings might still be set to Not Configured even though in the SharePoint admin center they appear to be set to prevent users from running custom script. In this case, users won't be able to copy items between SharePoint sites and between OneDrive and SharePoint. On the Settings page in the SharePoint admin center, to accept the custom script settings as they appear, select OK, and enable cross-site copying. For more info about copying items between OneDrive and SharePoint, see Copy files and folders between OneDrive and SharePoint sites.
To allow custom script on OneDrive or user-created sites
Note
This feature will be removed during H1 calendar year 2024. Once removed, it will no longer be possible to allow custom script on OneDrive sites.
In the SharePoint admin center, you can choose to allow users to run custom script on OneDrive (referred to as personal sites) or on all classic team sites they create. For info about letting users create their own sites, see Manage site creation in SharePoint.
Caution
Before you allow custom script on sites in your organization, make sure you understand the security implications.
Go to Settings in the SharePoint admin center, and sign in with an account that has admin permissions for your organization.
Note
If you have Office 365 operated by 21Vianet (China), sign in to the Microsoft 365 admin center, then browse to the SharePoint admin center and open the Settings page.
At the bottom of the page, select classic settings page.
Under Custom Script, select:
Allow users to run custom script on personal sites.
Allow users to run custom script on self-service created sites.
Note
Because self-service site creation points to your organization's root site by default, changing the Custom Script setting allows custom script on your organization's root site. For info about changing where sites are created, see Manage site creation in SharePoint.
Select OK. It can take up to 24 hours for the change to take effect.
To allow custom script on other SharePoint sites
Caution
Before you allow custom script on sites in your organization, make sure you understand the security implications.
To allow custom script on a particular site (previously called site collection) immediately, follow these steps:
Download the latest SharePoint Online Management Shell.
Note
If you installed a previous version of the SharePoint Online Management Shell, go to Add or remove programs and uninstall SharePoint Online Management Shell.
Connect to SharePoint as a SharePoint Administrator in Microsoft 365. To learn how, see Getting started with SharePoint Online Management Shell.
Run the following command.
Set-SPOSite <SiteURL> -DenyAddAndCustomizePages 0
or with the PnP.PowerShell cmdlet Set-PnPSite
Set-PnPSite -Identity <SiteURL> -NoScriptSite $false
If you change this setting for a classic team site, it will be overridden by the Custom Script setting in the admin center within 24 hours.
Note
You cannot allow or prevent custom scripts to an individual user's OneDrive.
Manage custom script from SharePoint admin center
Note
If you do not see the new options in SharePoint tenant admin center, the feature is not enabled in your tenant yet. Every customer will have this new set of capabilities enabled by end of June 2024
Tenants administrators have a set of tools available in SharePoint tenant administration to manage custom script within their organization. Specifically, tenant administrators can:
- verify custom script status
- change custom script settings
- persist custom script settings
Verify custom script status
A new Custom script column is now available in the Active sites page under Sites.
The column can be added to any view. A new Custom script allowed sites is also available to provide an easy access to all the sites where custom script is enabled:
Change custom script settings
In the Active sites page, upon selecting a site, under settings, a Custom scripts setting is available for administrators:
Administrators can control custom script settings for a specific site; deciding if they want to allow or block custom script on a specific site:
By default, any changes to custom script settings for a specific site only last for a maximum of 24 hours. After that time, the setting will reset to its original value for that specific site.
Persist custom script settings
To prevent SharePoint in resetting custom script settings to its original value to the whole tenant follow these steps:
Download the latest SharePoint Online Management Shell.
Note
If you installed a previous version of the SharePoint Online Management Shell, go to Add or remove programs and uninstall "SharePoint Online Management Shell."
Connect to SharePoint as a SharePoint Administrator in Microsoft 365. To learn how, see Getting started with SharePoint Online Management Shell.
Run the following command.
Set-SPOTenant -DelayDenyAddAndCustomizePagesEnforcement $True
Note
This setting affects all sites. There are no options to preserve changes to custom script settings only on some specific sites. This parameter will be available until November 2024. After that date, it will no longer be possible to prevent SharePoint in resetting custom script settings to its original value for all sites. Running the command where Multi-Geo capabilities on OneDrive and SharePoint are configured, will only affect the current geo from which you ran the command. To persist custom script settings across the entire tenant you must run the command on each geo.
Features affected when custom script is blocked
When users are prevented from running custom script on OneDrive or the classic team sites they create, site admins and owners can't create new items such as templates, solutions, themes, and help file collections. If you allowed custom script in the past, items that were already created will still work.
The following site settings are unavailable when users are prevented from running custom script:
Site feature | Behavior | Notes |
---|---|---|
Save Site as Template | No longer available in Site Settings | Users can still build sites from templates created before custom script was blocked. |
Save document library as template | No longer available in Library Settings | Users can still build document libraries from templates created before custom script was blocked. |
Save list as template | No longer available in List Settings | Users can still build lists from templates created before custom script was blocked. |
Theme Gallery | No longer available in Site Settings | Users can still use themes created before custom script was blocked. |
Help Settings | No longer available in Site Settings | Users can still access help file collections available before custom script was blocked. |
Sandbox solutions | Solution Gallery is no longer available in Site Settings | Users can't add, manage, or upgrade sandbox solutions. They can still run sandbox solutions that were deployed before custom script was blocked. |
SharePoint Designer | Pages that are not HTML can no longer be updated. Handling List: Create Form and Custom Action will no longer work. Subsites: New Subsite and Delete Site redirect to the Site Settings page in the browser. Data Sources: Properties button is no longer available. |
Users can still open some data sources. To open a site that does not allow custom script in SharePoint Designer, you must first open a site that does allow custom script. |
Uploading files that potentially include script | The following file types cannot open from a library .asmx .ascx .aspx .htc .jar .master .swf .xap .xsf |
Existing files in the library are not impacted. |
Uploading Documents to Content Types | Access denied message when attempting to attach a document template to a Content Type. | We recommend using Document Library document templates. |
Publishing of SharePoint 2010 Workflows | Access denied message when attempting to publish a SharePoint 2010 Workflow. |
Updating Site property bag is by default not allowed when users are prevented from running custom script. Tenant Administrators can change that behavior by running the following command
Set-SPOTenant -AllowWebPropertyBagUpdateWhenDenyAddAndCustomizePagesIsEnabled $True
For more information see AllowWebPropertyBagUpdateWhenDenyAddAndCustomizePagesIsEnabeld option
The following web parts and features are unavailable to site admins and owners when you prevent them from running custom script.
Web part category | Web part |
---|---|
Business Data | Business Data Actions Business Data Item Business Data Item Builder Business Data List Business Data Related List Excel Web Access Indicator Details Status List Visio Web Access |
Community | About This Community Join My Membership Tools What's Happening |
Content Rollup | Categories Project Summary Relevant Documents RSS Viewer Site Aggregator Sites in Category Term Property Timeline WSRP Viewer XML Viewer |
Document Sets | Document Set Contents Document Set Properties |
Advanced | Embed |
Forms | HTML Form Web Part |
Media and Content | Content Editor Script Editor Silverlight Web Part Page Viewer (can't set web page URL) |
Search | Refinement Search Box Search Navigation Search Results |
Search-Driven Content | Catalog-Item Reuse |
Social Collaboration | Contact Details Note Board Organization Browser Site Feed Tag Cloud User Tasks |
Master Page Gallery | Can't create or edit master pages |
Publishing Sites | Can't create or edit master pages and page layouts |
Furthermore, SharePoint Framework web parts that have the requiresCustomScript value set to true, will behave as following:
- The web part is not available in the web part picker
- Every instance of the web part that was added to the page while custom scripts that were allowed to run, will no longer surface in those pages. Author will still be able to remove them while editing the page
Best practice for communicating script setting changes to users
Before you prevent custom script on sites where you previously allowed it, we recommend communicating the change well in advance so users can understand the impact of it. Otherwise, users who are accustomed to changing themes or adding web parts on their sites will suddenly not be able to and will see the following error message.
Communicating the change in advance can reduce user frustration and support calls.