Microsoft Mission Critical Blog

13 MIN READ

Create an Organizational Assets Library (including Multi-Geo & Information Barriers guidance)

mikeleemsft

Microsoft

Feb 23, 2026

Overview

This guide walks through a practical approach to setting up SharePoint Online (SPO) Organizational Assets Libraries (OAL). It includes optional guidance for more complex tenants—such as Multi-Geo and Information Barriers (IB) - because those scenarios are often under-documented.

What you’ll accomplish: Create and register Organizational Assets Libraries so templates, fonts, and brand images are available in Office apps, with notes for Multi-Geo, Information Barriers, Brand Center, and Copilot integration where applicable.

Applies to: Standard (single-geo) tenants, Multi-Geo tenants, tenants with Information Barriers, and environments using Brand Center and/or Copilot features for organizational assets.

Quick start (standard single-geo tenant)

Create a SharePoint site to host Organizational Assets Libraries (often the Brand Center site).
Create three document libraries (typical): ImageAssets, DocumentAssets (templates), FontAssets.
Grant your intended audience Read access (commonly Everyone except external users via the site’s Visitors group).
Enable the SharePoint Online Public CDN (tenant setting).
Add a Public CDN origin for each library path (one origin per library).
Upload approved assets (images, templates, fonts) into their respective libraries.
Register each library with Add-SPOOrgAssetsLibrary (repeat per library).
Validate registration and end-user experience, then allow up to 24 hours for Office apps to reflect changes.

If you’re Multi-Geo or using Information Barriers: follow the same flow, but repeat per geo and complete registration while the site is in Open IB mode (details below).

Key constraints and gotchas

Multi-Geo: plan a repeatable per-geo pattern (typically one Org Assets site + matching libraries per geo) and keep naming consistent.

Information Barriers (IB): Add-SPOOrgAssetsLibrary cannot be run when the target site is segmented—create and register libraries first (site in Open mode), then segment if needed.
The “Everyone except external users” principal may be hidden by default, but it’s still commonly used for broad read access.
Brand Center: many orgs host Org Assets Libraries in the Brand Center site; if Brand Center is created after libraries exist, it typically detects and uses them automatically.
A public CDN must be enabled to support Organizational Assets Libraries.

The “Everyone except external users” principal may be hidden by default, but it’s still commonly used for broad read access.
Brand Center: many orgs host Org Assets Libraries in the Brand Center site; if Brand Center is created after libraries exist, it typically detects and uses them automatically.
A public CDN must be enabled to support Organizational Assets Libraries.

Implementation steps

Prerequisites: SharePoint Online Management Shell access (or equivalent), permission to manage tenant settings, and the ability to create sites and libraries in each geo.

Create a site to host your Organizational Assets Libraries (many orgs use a communication site). For ease of support, keep the site name, library names, and structure consistent over time.

Note: A Communication site is recommended, but a Team site can also work.

Example site URLs: In a standard tenant you’ll have one site; in Multi-Geo you’ll typically use one per geo.

- Primary geo: https://contoso.sharepoint.com/sites/BrandCenter
- EUR geo: https://contosoEUR.sharepoint.com/sites/BrandCenter
- APC geo: https://contosoAPC.sharepoint.com/sites/BrandCenter

If your tenant uses Information Barriers, keep each site in Open IB mode while creating the Org Assets Libraries. You can segment the site later (if required) after libraries are created.

Configure a public CDN (required)

To use Brand Center and Organizational Assets Libraries, configure SharePoint Online to use a Public CDN.

Set-SPOTenantCdnEnabled -CdnType Public -Enable $true

Example output:

Public CDN enabled locations:

SITES/BRANDCENTER/FONTS

*/MASTERPAGE (configuration pending)

*/STYLE LIBRARY (configuration pending)

*/CLIENTSIDEASSETS (configuration pending)

Note: You will see the new CDN is in a pending state until complete. This will take some time.

Wait for the CDN to finish provisioning. Re-run the status/list commands until “pending” entries clear.

Get-SPOTenantCdnEnabled -CdnType Public
Get-SPOTenantCdnOrigins -CdnType Public

Add CDN origins for each library

Add allowed CDN origins for each asset library path (typically one origin per library).

Example:

Add-SPOTenantCdnOrigin -OriginUrl sites/BrandCenter/ImageAssets -CdnType Public
Add-SPOTenantCdnOrigin -OriginUrl sites/BrandCenter/TemplateAssets -CdnType Public
Add-SPOTenantCdnOrigin -OriginUrl sites/BrandCenter/FontAssets -CdnType Public

Set permissions (required for broad consumption)

To ensure most users can consume the assets, grant Everyone except external users (often abbreviated as EEEU) Read access (commonly via the site’s Visitors group).

Example: add Everyone except external users to the Visitors group of the Organizational Assets site.

Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'
$tenant = "9cfc42cb-51da-4055-87e9-b20a170b6ba3"
$site = Get-SPOSite -Identity "https://contoso.sharepoint.com/sites/BrandCenter"
$group = Get-SPOSiteGroup $site -Group "BrandCenter Visitors"
Add-SPOUser -LoginName ("c:0-.f|rolemanager|spo-grid-all-users/" + $tenant) -Site $site -Group $group.Title

Note: Organizational Assets Libraries respect SharePoint security trimming. If you need a narrower audience, grant Read to the appropriate groups instead of tenant-wide access. In many environments, Everyone except external users is required during registration (Add-SPOOrgAssetsLibrary) so Office can enumerate the library—test and confirm in your tenant before removing broad access.

Create libraries and upload assets

Create a document library for each asset type you plan to publish (for example: images, Office templates, fonts).

For example:

Upload your assets into the appropriate libraries.

Example:

Register each library using Add-SPOOrgAssetsLibrary. For this to work, Everyone except external users must already have access to the site (for example, via the Visitors group).

Office Template Library Example:

Add-SPOOrgAssetsLibrary -LibraryUrl 'https://contoso.sharepoint.com/sites/BrandCenter/DocumentAssets' -OrgAssetType OfficeTemplateLibrary

Image Document Library Example:

Add-SPOOrgAssetsLibrary -LibraryUrl 'https://contoso.sharepoint.com/sites/BrandCenter/ImageAssets' -OrgAssetType ImageDocumentLibrary

Font Document Library Example:

Add-SPOOrgAssetsLibrary -LibraryUrl 'https://contoso.sharepoint.com/sites/BrandCenter/FontAssets' -OrgAssetType OfficeFontLibrary -CdnType Public

Optional: Enable Copilot support for an image library (only applicable to ImageDocumentLibrary).

Set-SPOOrgAssetsLibrary -LibraryUrl 'https://contoso.sharepoint.com/sites/BrandCenter/ImageAssets' -OrgAssetType ImageDocumentLibrary -CopilotSearchable $true

Multi-Geo mini runbook (recommended pattern)

Use this as a simple tracking sheet so each geo ends up with a complete, consistent setup.

Geo	Site URL	Libraries	CDN origins added	Libraries registered
Primary	https://<tenant>.sharepoint.com/sites/<BrandCenterOrAssetsSite>	ImageAssets / DocumentAssets / FontAssets	Yes/No	Yes/No
EUR	https://<tenant>EUR.sharepoint.com/sites/<BrandCenterOrAssetsSite>	ImageAssets / DocumentAssets / FontAssets	Yes/No	Yes/No
APC	https://<tenant>APC.sharepoint.com/sites/<BrandCenterOrAssetsSite>	ImageAssets / DocumentAssets / FontAssets	Yes/No	Yes/No

Naming standard (strongly recommended): keep the same site path and the same library names in every geo (for example, always ImageAssets, DocumentAssets, FontAssets). This minimizes per-geo scripting differences and reduces support effort.

Wrap-up

At this point, each geo should have its own site, libraries, CDN origins, and registered Organizational Assets Libraries. From here, focus on governance (who can publish/approve assets), naming standards, and ongoing lifecycle management (retire old templates/fonts and keep branding current).

Validate configuration

Admin checks (PowerShell)

Confirm the Public CDN is enabled.
Confirm CDN origins include one entry per assets library path.
List registered Org Assets Libraries and verify each URL + type is present.

Get-SPOTenantCdnEnabled -CdnType Public
Get-SPOTenantCdnOrigins -CdnType Public
Get-SPOOrgAssetsLibrary

End-user checks (Office apps)

In PowerPoint/Word, confirm organizational templates appear in the template picker (if you registered an OfficeTemplateLibrary).
In Office font lists, confirm your org fonts appear (if you registered an OfficeFontLibrary).
For image libraries, confirm approved brand images appear in supported pickers; if you enabled -CopilotSearchable, confirm images are discoverable as expected.

Timing: New registrations and updates can take up to 24 hours to appear in Office apps. If you updated content, run Set-SPOOrgAssetsLibrary for each changed library, then wait for propagation.

Updating content in existing Org Assets Libraries

If you already have Organizational Assets Libraries registered and you need to publish updated templates, fonts, or images, use the process below. The high-level flow is: update content → run Set-SPOOrgAssetsLibrary (per library) → wait for propagation.

Replace or update content in each library. Upload the new versions of templates/fonts/images into the appropriate library (and remove/retire older versions if needed).
If Multi-Geo applies, repeat per geo. Update the matching libraries in each geo’s site so users in each geo get the same (or intentionally regional) set of assets.
Run Set-SPOOrgAssetsLibrary for each updated library. Execute the cmdlet against the library URL to refresh the configuration after content changes (run it once per library you updated).
Wait for Office app propagation. Allow up to 24 hours for updates to begin showing in Office apps.

Example:

Set-SPOOrgAssetsLibrary -LibraryUrl 'https://contoso.sharepoint.com/sites/BrandCenter/DocumentAssets' -OrgAssetType OfficeTemplateLibrary

Notes:

If your site is segmented by Information Barriers, confirm the cmdlet behavior in your environment before making changes, and prefer performing registration/updates while the site is in Open mode when possible.
For image libraries, if you are using Copilot integration settings (for example -CopilotSearchable), keep the setting consistent when you run Set-SPOOrgAssetsLibrary.
Make sure the intended audience still has Read access to the site/library; otherwise users may not see updates due to security trimming.

Please note: After registering (or updating) your assets libraries, it can take up to 24 hours before changes become available in Office apps.

Once fully enabled, Office apps will surface your templates and fonts. Below is an example.

Example of interacting with Org Assets from M365 Apps

Org Fonts from PowerPoint:

From SharePoint:

From Office Apps:

Troubleshooting tips

If Add-SPOOrgAssetsLibrary fails, confirm the site is not segmented by Information Barriers (Open mode during setup).
If assets don’t appear in Office apps, wait for propagation (up to 24 hours) and re-check that the library was registered successfully.
If CDN commands show “pending”, allow time for provisioning and re-run the status command.
If users can’t see assets, verify the site/library permissions include Everyone except external users (or the intended audience group).

Guidance: Using the SharePoint Online Public CDN

Enabling the SharePoint Online Public CDN is a required and supported configuration for Organizational Assets Libraries, Brand Center, and related Office experiences. While the word “public” can sound concerning, it’s important to understand what is (and is not) exposed.

We take great care to protect the data that runs your business. Data stored in the Microsoft 365 CDN is encrypted both in transit and at rest, and access to data in the Microsoft 365 SharePoint CDN is secured by Microsoft 365 user permissions and token authorization. Requests for data in the Microsoft 365 SharePoint CDN must be referred (redirected) from your Microsoft 365 tenant or an authorization token won't be generated. See: Content delivery networks - Microsoft 365 Enterprise | Microsoft Learn

What “Public CDN” actually means

Only explicitly approved library paths are cached

The CDN does not expose your entire tenant.
Administrators must explicitly register CDN origins (specific library paths).
If a library is not registered as a CDN origin, it is not served via the CDN.

No new content types are exposed

The CDN is intended for static, non-sensitive assets such as:

Brand images
Office templates
Fonts

It is not designed for documents containing confidential or regulated data.

Why Microsoft requires a Public CDN for Org Assets?

Performance and reliability

Office clients worldwide retrieve assets faster using geographically distributed edge caching.
This avoids repeated downloads from SharePoint origin sites.

Consistent Office app experiences

PowerPoint, Word, Excel, and Copilot rely on CDN-backed delivery to surface:

Templates
Fonts
Brand images

Without a public CDN, these features may not function correctly or at all.

Best practices

Use the practices below to keep Organizational Assets Libraries reliable, secure, and easy for end users to adopt. Where relevant, notes call out additional considerations for Multi-Geo, Information Barriers, Brand Center, and Copilot.

Governance and ownership checklist

Owners/publishers: named group who can add/change assets (limited membership).
Approvals: defined review/approval step before publishing new templates/fonts/images.
Versioning/retention: how you retire old assets and prevent outdated branding from appearing in pickers.
Rollback plan: how to revert a bad template/font/image quickly.
Change communication: how you notify users about new/updated assets and expected timing (up to 24 hours).

Assign clear owners (typically Brand/Comms) and a small admin group (typically IT) for each geo’s library and site.
Decide what is “approved” vs “draft” content, and enforce it with a simple publishing process (for example, a review checklist or an approvals flow).
Version and retire assets deliberately: keep one “current” template set and archive old assets to prevent users from picking outdated branding.

Information architecture and naming

Keep library names and structures consistent across geos (same library names, same folder conventions) to simplify support and documentation.
Use descriptive filenames users can recognize in pickers (for example, “Contoso_Proposal_Template_v3”).
Prefer a small number of clearly defined libraries by asset type (images, templates, fonts) rather than many small libraries.

Permissions and access

Ensure your intended audience has at least Read access to the site and libraries; Organizational Assets still follow SharePoint security trimming.
If you use broad access (for example, Everyone except external users), document it and pair it with tight contributor permissions so only approved publishers can change assets.
Avoid breaking inheritance in ways that make troubleshooting difficult—keep permissions simple and predictable whenever possible.

CDN configuration

Plan CDN changes ahead of time: enabling and provisioning can take time, and changes may not be immediate.
Register only the origins you need (one per assets library path) and keep them consistent across environments.
After changes, allow for propagation time before validating in Office apps.

Multi-Geo and Brand Center

Use a repeatable pattern: one site + matching libraries per geo, with the same structure and operational runbook.
Be aware Brand Center is created in the primary geo; confirm how your org wants to manage global vs regional assets.
Document which assets are global (shared everywhere) vs regional (geo-specific) to avoid confusion for publishers and users.

Information Barriers (IB) sequencing

Create and register Org Assets Libraries before segmenting the site when IB is enabled (create while the site is in Open mode, then segment later if required).
After segmentation, re-validate that the right audience can still read the libraries (and that publishers can still manage content).

Copilot readiness (image libraries)

Use consistent, high-quality metadata for images (titles, descriptions, and tags). Copilot search quality depends heavily on this.
If enabling image tagging integration, standardize on a tagging vocabulary (for example, brand terms, campaigns, departments, regions) so results are predictable.
Only enable Copilot searchable settings on libraries where content is approved and intended for broad reuse.

Q&A

Q: What is an Organizational Assets Library (OAL)?
A: It’s a SharePoint document library (or set of libraries) that you register so Office apps can surface approved templates, fonts, and images to users directly within the app experience.

Q: Do I need SharePoint Brand Center to use OAL?
A: No. You can use Organizational Assets Libraries without Brand Center. Brand Center can make asset management more accessible, for example, allowing SharePoint sites to use organizational branding, but OAL can be configured on its own.

Q: Why is a “Public CDN” required, and is it safe?
A: Office experiences rely on CDN-backed delivery for performance and reliability. “Public CDN” does not mean your whole tenant is exposed—only the specific library paths you register as CDN origins are cached. Access is still governed by Microsoft 365 authentication, token authorization, and SharePoint permissions.

Q: Can I use this guide in a standard (single-geo) tenant?
A: Yes. In a standard tenant you usually create one site and one set of libraries. The Multi-Geo guidance is only needed if your tenant is Multi-Geo (in which case you’ll typically repeat the pattern per geo).

Q: How do Information Barriers (IB) affect setup?
A: If a site is segmented, Add-SPOOrgAssetsLibrary cannot register the library. Create the site and register the libraries while the site is in Open mode, then segment afterward if required.

Q: Why does “Everyone except external users” (EEEU) matter?
A: In many environments, EEEU is required during library registration so Office can enumerate the library. However, OAL still respects SharePoint security trimming. If broad internal availability is the goal, a common pattern is to grant EEEU Read (often via the Visitors group) so Office apps can surface the assets to most internal users. If you need a narrower audience, use a group instead.

Q: How long until assets show up (or update) in Office apps?
A: It can take up to 24 hours for new registrations or updates to propagate. If you replaced content in an existing library, run Set-SPOOrgAssetsLibrary for each updated library, then allow time for Office apps to refresh.

Q: How do I update content in an existing Org Assets Library?
A: Replace the files in the library (and repeat across geos if applicable), then run Set-SPOOrgAssetsLibrary against each library you updated. After that, allow up to 24 hours for the updated assets to start showing in Office apps.

Q: Do I need to run Set-SPOOrgAssetsLibrary every time I replace files?
A: If you want Office apps to reliably pick up changes, run Set-SPOOrgAssetsLibrary after you update content (especially when publishing new/updated templates, fonts, or images). Treat it as the “refresh” step, then wait for propagation.

Q: When should I enable Copilot support (CopilotSearchable) for an image library?
A: Enable it only for libraries that contain approved, broadly reusable images and have strong metadata (title/description/tags). This helps ensure search results are on-brand and reduces the chance of surfacing unreviewed content.

Q: Can I undo this later?
A: Yes. You can unregister an Organizational Assets Library using SharePoint Online PowerShell (for example, Remove-SPOOrgAssetsLibrary) and remove CDN origins if you no longer need them. Plan governance so you can retire assets cleanly without disrupting users.

Q: Users can’t see the assets (or updates)—what should I check first?
A: Start with (1) permissions to the site/library (security trimming), (2) successful registration via Add-SPOOrgAssetsLibrary, (3) if you’re expecting an update, confirm you ran Set-SPOOrgAssetsLibrary for that library, (4) CDN provisioning status and configured origins, and (5) propagation time (up to 24 hours).