Forum Discussion
Allow or prevent custom script at different scopes and levels
I was reading this article about "Allow or prevent custom script" https://docs.microsoft.com/en-us/sharepoint/allow-or-prevent-custom-script. but i got confused on how we need to manage this from sharepoint.
Question 1:- on the link they mentioned the following:-
By default, script is allowed on sites that admins create. It is not allowed on OneDrive, on sites users create themselves, and on the root site for your organization.
but does this mean if the global admin or a sharepoint admin created a new modern team site or modern communication site, then custom scripts will be enabled by default? while if end users created a new modern team site or modern communication site, then the custom scripts will be disabled?
Question 2:- Inside sharepoint admin center >> settings >> there are 2 settings as follow:-
but it is not clear if these settings are only related to end users, or to sharepoint and global admins as well? so let say i am preventing custom scripts (as shown above), then even SP admins and Global admins can not run custom scripts on the sites?
Question 3: inside the link they mentioned the following if we disable cusotm scripting on site collection basis:-
If you change this setting for a user's OneDrive or a user-created site, it will be overridden by the Custom Script setting in the admin center within 24 hours.
so does this mean if i am allowing custom script on the admin level, but i have disabled on the site collection level (or Vice versa ), then the admin center settings will be applied to all the site collection within 24 hour? so in a way or another, at the end all the site collections will be following the same setting regarding custom scripting (as define in the SP admin center) ??
Thanks in advance for any help on my above 3 questions
5 Replies
Hi John,
First of all I just wanted to appreciate the level of analysis you put in for every questions you post here. very detailed and well articulated.
Question 1: does this mean if the global admin or a SharePoint admin created a new modern team site or modern communication site, then custom scripts will be enabled by default? while if end users created a new modern team site or modern communication site, then the custom scripts will be disabled?
Answer: It is miss leading but by default custom scripts is enabled for global admin or a SharePoint admin , it is determined based on the permission level that user has. If admins want to disable custom scripting they can restrict it on the site collection collection level.
For end users created sites by default custom scripts will be not allowed until admin check "allow users to run the custom script personal / self-service created sites" options
Question 2: but it is not clear if these settings are only related to end users, or to SharePoint and global admins as well? so let say i am preventing custom scripts (as shown above), then even SP admins and Global admins can not run custom scripts on the sites?
Answer : This setting is applied to both Admin as well as end users . As I mentioned above by default custom scripting is allow for admins, if they want to allow custom scripting for end users they allow here. by default its not allowed for end users and admin has to allow or prevent.
Question 3:
does this mean if i am allowing custom script on the admin level, but i have disabled on the site collection level (or Vice versa ), then the admin center settings will be applied to all the site collection within 24 hour? so in a way or another, at the end all the site collections will be following the same setting regarding custom scripting (as define in the SP admin center) ??
Answer : for example globally if you are allowing any end users to run custom script, which means any site collection created will be able to run the custom scripts. For some site collection if I want to restrict the custom scripting doesn't matter if it was created by the global admin by the end user.
Hope this helps!
Thuyavan
Thuyavan Ganesan wrote:Hi John,
First of all I just wanted to appreciate the level of analysis you put in for every questions you post here. very detailed and well articulated.
Question 1: does this mean if the global admin or a SharePoint admin created a new modern team site or modern communication site, then custom scripts will be enabled by default? while if end users created a new modern team site or modern communication site, then the custom scripts will be disabled?
Answer: It is miss leading but by default custom scripts is enabled for global admin or a SharePoint admin , it is determined based on the permission level that user has. If admins want to disable custom scripting they can restrict it on the site collection collection level.
For end users created sites by default custom scripts will be not allowed until admin check "allow users to run the custom script personal / self-service created sites" options
Question 2: but it is not clear if these settings are only related to end users, or to SharePoint and global admins as well? so let say i am preventing custom scripts (as shown above), then even SP admins and Global admins can not run custom scripts on the sites?
Answer : This setting is applied to both Admin as well as end users . As I mentioned above by default custom scripting is allow for admins, if they want to allow custom scripting for end users they allow here. by default its not allowed for end users and admin has to allow or prevent.
Question 3:
does this mean if i am allowing custom script on the admin level, but i have disabled on the site collection level (or Vice versa ), then the admin center settings will be applied to all the site collection within 24 hour? so in a way or another, at the end all the site collections will be following the same setting regarding custom scripting (as define in the SP admin center) ??
Answer : for example globally if you are allowing any end users to run custom script, which means any site collection created will be able to run the custom scripts. For some site collection if I want to restrict the custom scripting doesn't matter if it was created by the global admin by the end user.
Hope this helps!
Thuyavan
Thuyavan Ganesan thanks for the reply, but i did not get your replies , please find my points:-
>>but by default custom scripts is enabled for global admin or a SharePoint admin
do you mean by default enabled for sites created by global admin or sharepoint admin? or you are referring to the global admin and SP admin as users? and not sites created by them?
>>This setting is applied to both Admin as well as end users . As I mentioned above by default custom scripting is allow for admins, if they want to allow custom scripting for end users they allow here
i think there is something unclear, you mentioned that the setting is applied to both admin and end users, then you said that by default custom scripting is allowed for admin.. so the setting will not be applied to the admin in this case??
third question. now i did not find any option in the UI to be able to enable/disable the custom scripting on the site collection level... the only option i found is to enable/disable this on the SP admin center site.. so can i do so using power-shell? and can i disable custom scripting on a site collection level while enable it on the SP admin level? and if i do so, will the SP admin level settings override the setting i have on each site collection after 24 hours, as mentioned on the official documentations where they mentioned "If you change this setting for a user's OneDrive or a user-created site, it will be overridden by the Custom Script setting in the admin center within 24 hours." ?
- Please pardon my English :)
1. As a user if global admin & SP admin created site collection will have custom script enabled by default.
2. i think there is something unclear, you mentioned that the setting is applied to both admin and end users, then you said that by default custom scripting is allowed for admin.. so the setting will not be applied to the admin in this case??
Yes, if you are admin if you create a site collection your by default it set to "Enable" , later if you want you can disable
but if you are not an admin and if you create a site collection your by default it set to "Disabled". Later admin can enable it for you.
3. please use this
Set-SPOsite <SiteURL> -DenyAddAndCustomizePages 0
