Allow or prevent custom script

As a Global Administrator or SharePoint Administrator in Microsoft 365, you can allow custom script as a way of letting users change the look, feel, and behavior of sites and pages to meet organizational objectives or individual needs. If you allow custom script, all users who have "Add and Customize Pages" permission to a site or page can add any script they want. (By default, users who create sites are site owners and therefore have this permission.)

Note

For simple ways to change the look and feel of a site, see Change the look of your SharePoint site.

By default, script is allowed on most sites that admins create using the SharePoint admin center as well as all sites created using the New-SPOSite PowerShell command. It is not allowed on OneDrive, on sites users create themselves, on modern team and communication sites, and on the root site for your organization. You'll probably want to limit the amount of script you allow for security reasons. For more info about the security implications of custom script, see Security considerations of allowing custom script.

Important

If SharePoint was set up for your organization before 2015, your custom script settings might still be set to "Not Configured" even though in the SharePoint admin center they appear to be set to prevent users from running custom script. In this case, users won't be able to copy items between SharePoint sites and between OneDrive and SharePoint. On the Settings page in the SharePoint admin center, to accept the custom script settings as they appear, select OK, and enable cross-site copying. For more info about copying items between OneDrive and SharePoint, see Copy files and folders between OneDrive and SharePoint sites.

To allow custom script on OneDrive or user-created sites

In the SharePoint admin center, you can choose to allow users to run custom script on OneDrive (referred to as "personal sites") or on all classic team sites they create. For info about letting users create their own sites, see Manage site creation in SharePoint.

Caution

Before you allow custom script on sites in your organization, make sure you understand the security implications.

  1. Go to Settings in the SharePoint admin center, and sign in with an account that has admin permissions for your organization.

    Note

    If you have Office 365 operated by 21Vianet (China), sign in to the Microsoft 365 admin center, then browse to the SharePoint admin center and open the Settings page.

  2. At the bottom of the page, select classic settings page.

  3. Under Custom Script, select:

    • Allow users to run custom script on personal sites.

    • Allow users to run custom script on self-service created sites.

    Custom script section of settings page in SharePoint admin center

    Note

    Because self-service site creation points to your organization's root site by default, changing the Custom Script setting allows custom script on your organization's root site. For info about changing where sites are created, see Manage site creation in SharePoint.

  4. Select OK. It can take up to 24 hours for the change to take effect.

To allow custom script on other SharePoint sites

Caution

Before you allow custom script on sites in your organization, make sure you understand the security implications.

To allow custom script on a particular site (previously called "site collection") immediately, follow these steps:

  1. Download the latest SharePoint Online Management Shell.

    Note

    If you installed a previous version of the SharePoint Online Management Shell, go to Add or remove programs and uninstall "SharePoint Online Management Shell."

  2. Connect to SharePoint as a Global Administrator or SharePoint Administrator in Microsoft 365. To learn how, see Getting started with SharePoint Online Management Shell.

  3. Run the following command.

    Set-SPOSite <SiteURL> -DenyAddAndCustomizePages 0
    

    or by means of the PnP.PowerShell cmdlet Set-PnPSite

    Set-PnPSite -Identity <SiteURL> -NoScriptSite $false
    

If you change this setting for a classic team site, it will be overridden by the Custom Script setting in the admin center within 24 hours.

Note

You cannot allow or prevent custom scripts to an individual user's OneDrive.

Features affected when custom script is blocked

When users are prevented from running custom script on OneDrive or the classic team sites they create, site admins and owners won't be able to create new items such as templates, solutions, themes, and help file collections. If you allowed custom script in the past, items that were already created will still work.

The following site settings are unavailable when users are prevented from running custom script:

Site feature Behavior Notes
Save Site as Template
No longer available in Site Settings
Users can still build sites from templates created before custom script was blocked.
Save document library as template
No longer available in Library Settings
Users can still build document libraries from templates created before custom script was blocked.
Solution Gallery
No longer available in Site Settings
Users can still use solutions created before custom script was blocked.
Theme Gallery
No longer available in Site Settings
Users can still use themes created before custom script was blocked.
Help Settings
No longer available in Site Settings
Users can still access help file collections available before custom script was blocked.
HTML Field Security
Still available in Site Settings, but changes made will not take effect
Users can still use HTML field security that they set up before custom script was blocked.
Sandbox solutions
Solution Gallery is no longer available in Site Settings
Users can't add, manage, or upgrade sandbox solutions. They can still run sandbox solutions that were deployed before custom script was blocked.
SharePoint Designer
Pages that are not HTML can no longer be updated.
Handling List: Create Form and Custom Action will no longer work.
Subsites: New Subsite and Delete Site redirect to the Site Settings page in the browser.
Data Sources: Properties button is no longer available.
Users can still open some data sources. To open a site that does not allow custom script in SharePoint Designer, you must first open a site that does allow custom script.
Uploading files that potentially include script
The following file types can no longer be uploaded to a library
.asmx
.ascx
.aspx
.htc
.jar
.master
.swf
.xap
.xsf
Existing files in the library are not impacted.
Uploading Documents to Content Types
Access denied message when attempting to attach a document template to a Content Type.
We recommend using Document Library document templates.
Publishing of SharePoint 2010 Workflows
Access denied message when attempting to publish a SharePoint 2010 Workflow.

The following web parts and features are unavailable to site admins and owners when you prevent them from running custom script.

Web part category Web part
Business Data
Business Data Actions
Business Data Item
Business Data Item Builder
Business Data List
Business Data Related List
Excel Web Access
Indicator Details
Status List
Visio Web Access
Community
About This Community
Join
My Membership
Tools
What's Happening
Content Rollup
Categories
Project Summary
Relevant Documents
RSS Viewer
Site Aggregator
Sites in Category
Term Property
Timeline
WSRP Viewer
XML Viewer
Document Sets
Document Set Contents
Document Set Properties
Forms
HTML Form Web Part
Media and Content
Content Editor
Script Editor
Silverlight Web Part
Search
Refinement
Search Box
Search Navigation
Search Results
Search-Driven Content
Catalog-Item Reuse
Social Collaboration
Contact Details
Note Board
Organization Browser
Site Feed
Tag Cloud
User Tasks
Master Page Gallery
Can't create or edit master pages
Publishing Sites
Can't create or edit master pages and page layouts

Best practice for communicating script setting changes to users

Before you prevent custom script on sites where you previously allowed it, we recommend communicating the change well in advance so users can understand the impact of it. Otherwise, users who are accustomed to changing themes or adding web parts on their sites will suddenly not be able to and will see the following error message.

Error message displayed when scripting is disabled on a site

Communicating the change in advance can reduce user frustration and support calls.