cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Allow or prevent custom script at different scopes and levels

john john
Steel Contributor

‎Dec 06 2018 04:54 PM - edited ‎Dec 06 2018 04:56 PM

‎Dec 06 2018 04:54 PM - edited ‎Dec 06 2018 04:56 PM

Allow or prevent custom script at different scopes and levels

I was reading this article about "Allow or prevent custom script" https://docs.microsoft.com/en-us/sharepoint/allow-or-prevent-custom-script. but i got confused on how we need to manage this from sharepoint.

Question 1:- on the link they mentioned the following:-

 

By default, script is allowed on sites that admins create. It is not allowed on OneDrive, on sites users create themselves, and on the root site for your organization.

 

but does this mean if the global admin or a sharepoint admin created a new modern team site or modern communication site, then custom scripts will be enabled by default? while if end users created a new modern team site or modern communication site, then the custom scripts will be disabled?

 

Question 2:- Inside sharepoint admin center >> settings >> there are 2 settings as follow:-

prevent.png

but it is not clear if these settings are only related to end users, or to sharepoint and global admins as well? so let say i am preventing custom scripts (as shown above), then even SP admins and Global admins can not run custom scripts on the sites?

 

Question 3: inside the link they mentioned the following if we disable cusotm scripting on site collection basis:-

 

If you change this setting for a user's OneDrive or a user-created site, it will be overridden by the Custom Script setting in the admin center within 24 hours.

 

so does this mean if i am allowing custom script on the admin level, but i have disabled on the site collection level (or Vice versa ), then the admin center settings will be applied to all the site collection within 24 hour? so in a way or another, at the end all the site collections will be following the same setting regarding custom scripting (as define in the SP admin center) ??

 

Thanks in advance for any help on my above 3 questions

 

 

Labels:
3,087 Views
0 Likes
5 Replies
Reply
5 Replies
Thuyavan Ganesan

‎Dec 09 2018 09:41 AM

‎Dec 09 2018 09:41 AM

Re: Allow or prevent custom script at different scopes and levels

Hi John,

First of all I just wanted to appreciate the level of analysis you put in for every questions you post here. very detailed and well articulated.

   

Question 1: does this mean if the global admin or a SharePoint admin created a new modern team site or modern communication site, then custom scripts will be enabled by default? while if end users created a new modern team site or modern communication site, then the custom scripts will be disabled?

 

Answer: It is miss leading but by default custom scripts is  enabled for global admin or a SharePoint admin , it is determined based on the permission level that user has. If admins want to disable custom scripting  they can restrict it on the site collection collection level.

For end users created sites by default custom scripts will be not allowed  until admin check "allow users to run the custom script personal / self-service created sites" options   

 

Question 2: but it is not clear if these settings are only related to end users, or to SharePoint and global admins as well? so let say i am preventing custom scripts (as shown above), then even SP admins and Global admins can not run custom scripts on the sites?

 

Answer : This setting is applied to both Admin as well as end users . As I mentioned above by default custom scripting is allow for admins, if they want to allow custom scripting for end users they allow here. by default its not allowed for end users  and admin has to allow or prevent.

 

Question 3: 

does this mean if i am allowing custom script on the admin level, but i have disabled on the site collection level (or Vice versa ), then the admin center settings will be applied to all the site collection within 24 hour? so in a way or another, at the end all the site collections will be following the same setting regarding custom scripting (as define in the SP admin center) ??

 

Answer : for example globally if you are allowing any end users to run custom script, which means any site collection created will be able to run the custom scripts. For some site collection if I want to restrict the custom scripting doesn't matter  if it was created by the  global admin  by the end user.

 

Hope this helps!

 

Thuyavan

 

0 Likes
Reply
john john

‎Dec 09 2018 03:47 PM

‎Dec 09 2018 03:47 PM

Re: Allow or prevent custom script at different scopes and levels

@Thuyavan Ganesan wrote:

Hi John,

First of all I just wanted to appreciate the level of analysis you put in for every questions you post here. very detailed and well articulated.

   

Question 1: does this mean if the global admin or a SharePoint admin created a new modern team site or modern communication site, then custom scripts will be enabled by default? while if end users created a new modern team site or modern communication site, then the custom scripts will be disabled?

 

Answer: It is miss leading but by default custom scripts is  enabled for global admin or a SharePoint admin , it is determined based on the permission level that user has. If admins want to disable custom scripting  they can restrict it on the site collection collection level.

For end users created sites by default custom scripts will be not allowed  until admin check "allow users to run the custom script personal / self-service created sites" options   

 

Question 2: but it is not clear if these settings are only related to end users, or to SharePoint and global admins as well? so let say i am preventing custom scripts (as shown above), then even SP admins and Global admins can not run custom scripts on the sites?

 

Answer : This setting is applied to both Admin as well as end users . As I mentioned above by default custom scripting is allow for admins, if they want to allow custom scripting for end users they allow here. by default its not allowed for end users  and admin has to allow or prevent.

 

Question 3: 

does this mean if i am allowing custom script on the admin level, but i have disabled on the site collection level (or Vice versa ), then the admin center settings will be applied to all the site collection within 24 hour? so in a way or another, at the end all the site collections will be following the same setting regarding custom scripting (as define in the SP admin center) ??

 

Answer : for example globally if you are allowing any end users to run custom script, which means any site collection created will be able to run the custom scripts. For some site collection if I want to restrict the custom scripting doesn't matter  if it was created by the  global admin  by the end user.

 

Hope this helps!

 

Thuyavan

 

@Thuyavan Ganesan  thanks for the reply, but i did not get your replies , please find my points:-

 

>>but by default custom scripts is  enabled for global admin or a SharePoint admin

do you mean by default enabled for sites created by global admin or sharepoint admin? or you are referring to the global admin and SP admin as users? and not sites created by them?

 

>>This setting is applied to both Admin as well as end users . As I mentioned above by default custom scripting is allow for admins, if they want to allow custom scripting for end users they allow here

i think there is something unclear, you mentioned that the setting is applied to both admin and end users, then you said that by default custom scripting is allowed for admin.. so the setting will not be applied to the admin in this case??

 

third question. now i did not find any option in the UI to be able to enable/disable the custom scripting on the site collection level... the only option i found is to enable/disable this on the SP admin center site.. so can i do so using power-shell? and can i disable custom scripting on a site collection level while enable it on the SP admin level? and if i do so, will the SP admin level settings override the setting i have on each site collection after 24 hours, as mentioned on the official documentations where they mentioned "If you change this setting for a user's OneDrive or a user-created site, it will be overridden by the Custom Script setting in the admin center within 24 hours." ?

0 Likes
Reply
Thuyavan Ganesan

‎Dec 10 2018 06:59 AM

‎Dec 10 2018 06:59 AM

Re: Allow or prevent custom script at different scopes and levels

Please pardon my English :)

1. As a user if global admin & SP admin created site collection will have custom script enabled by default.

2. i think there is something unclear, you mentioned that the setting is applied to both admin and end users, then you said that by default custom scripting is allowed for admin.. so the setting will not be applied to the admin in this case??

Yes, if you are admin if you create a site collection your by default it set to "Enable" , later if you want you can disable

but if you are not an admin and if you create a site collection your by default it set to "Disabled". Later admin can enable it for you.

3. please use this
Set-SPOsite <SiteURL> -DenyAddAndCustomizePages 0
0 Likes
Reply
john john

‎Dec 10 2018 04:34 PM - edited ‎Dec 10 2018 04:37 PM

‎Dec 10 2018 04:34 PM - edited ‎Dec 10 2018 04:37 PM

Re: Allow or prevent custom script at different scopes and levels

@Thuyavan Ganesan wrote:
Please pardon my English :)

1. As a user if global admin & SP admin created site collection will have custom script enabled by default.

2. i think there is something unclear, you mentioned that the setting is applied to both admin and end users, then you said that by default custom scripting is allowed for admin.. so the setting will not be applied to the admin in this case??

Yes, if you are admin if you create a site collection your by default it set to "Enable" , later if you want you can disable

but if you are not an admin and if you create a site collection your by default it set to "Disabled". Later admin can enable it for you.

3. please use this
Set-SPOsite <SiteURL> -DenyAddAndCustomizePages 0

@Thuyavan Ganesan

ok thanks a lot for your contentious help.

so let me summarize things, also to make it easier for other:-

1. if a sharepoint admin or global admin create a site collection, then it will have custom scripts enabled by default, for all users. and we can disabled it later on?

2. while if an end user (who is not a global admin nor is a sharepoint admin) creates a site collection , then custom script will be disabled by default, for all users. and we can enable it later on?

3. Now it is not clear what is the relation between setting on the SP admin and the default behavioure? let say i am disabling the custom script at the SP admin level, and a global admin create a new site collection,, will custom script be disable or enabled by default in this case?

4. Final question. now let say i run this script to enable "custom script" at the site collection level (for sites created by admin and by end users) Set-SPOsite <SiteURL> -DenyAddAndCustomizePages 0 , while  i have custom script disabled at the SP admin level (for both personal sites & self-service site ), then will the SP admin settings override the setting on the site collection after 24 hours? because on the official Microsoft documentation they mentioned the following sentence ""If you change this setting for a user's OneDrive or a user-created site, it will be overridden by the Custom Script setting in the admin center within 24 hours." ?" so at the end all the site collections (created by admin or created by end users) will have the same setting as defined on the SP admin settings?

 

Thanks

 

0 Likes
Reply
Thuyavan Ganesan

‎Dec 12 2018 08:57 PM

‎Dec 12 2018 08:57 PM

Re: Allow or prevent custom script at different scopes and levels

so let me summarize things, also to make it easier for other:-

1. if a sharepoint admin or global admin create a site collection, then it will have custom scripts enabled by default, for all users. and we can disabled it later on?
yes you are correct

2. while if an end user (who is not a global admin nor is a sharepoint admin) creates a site collection , then custom script will be disabled by default, for all users. and we can enable it later on?
Yes thats right

3. Now it is not clear what is the relation between setting on the SP admin and the default behavioure? let say i am disabling the custom script at the SP admin level, and a global admin create a new site collection,, will custom script be disable or enabled by default in this case?
you can disable custom script for only non admins at the SP admin level (there is no option for you to disable for admin but once a admin create a site collection there is an option at the site collection level to disable). only site collection level you can disable/ enable for both user and admin.

4. Final question. now let say i run this script to enable "custom script" at the site collection level (for sites created by admin and by end users) Set-SPOsite <SiteURL> -DenyAddAndCustomizePages 0 , while i have custom script disabled at the SP admin level (for both personal sites & self-service site ), then will the SP admin settings override the setting on the site collection after 24 hours? because on the official Microsoft documentation they mentioned the following sentence ""If you change this setting for a user's OneDrive or a user-created site, it will be overridden by the Custom Script setting in the admin center within 24 hours." ?" so at the end all the site collections (created by admin or created by end users) will have the same setting as defined on the SP admin settings?

Yes site collections (created by admin or created by end users) will have the same setting if its overridden by the Custom Script setting in the admin center
0 Likes
Reply