Allow or prevent custom script

Last updated: July 2017

Allowing custom script is a way to let users change the look, feel, and behavior of sites and pages to meet organizational objectives or individual needs. If you allow custom script, all users who have "Add and Customize Pages" permission to a site or page can add any script they want. (By default, users who create sites are site owners and therefore have this permission. For more info about SharePoint permission levels, see Understanding permission levels in SharePoint.)

Note: For simple ways to change the look and feel of a site, see Change the theme of your SharePoint team site.

By default, script is allowed on sites that admins create. It is not allowed on OneDrive, on sites users create themselves, and on the root site for your organization. You’ll probably want to limit the amount of script you allow for security reasons. For more info about the security implications of custom script, see Security considerations of allowing custom script.

IMPORTANT: If SharePoint Online was set up for your organization before 2015, your custom script settings might still be set to "Not Configured" even though in the SharePoint admin center they appear to be set to prevent users from running custom script. In this case, users won't be able to copy items between SharePoint sites and between OneDrive and SharePoint. On the settings page of the SharePoint admin center, click OK to accept the custom script settings as they appear and enable cross-site copying. (For more info about copying items between OneDrive and SharePoint, see Copy files and folders between OneDrive for Business and SharePoint sites.)

In the SharePoint admin center, you can choose to allow users to run custom script on OneDrive (referred to as "personal sites") or on all user-created sites. For info about letting users create their own sites, see Manage site creation in SharePoint Online.

Warning: Before you allow custom script on sites in your organization, make sure you understand the security implications.

  1. Sign in to Office 365 as a global admin or SharePoint admin.

  2. Select the app launcher icon in the upper-left and choose Admin to open the Office 365 admin center. (If you don't see the Admin tile, you don't have Office 365 administrator permissions in your organization.)

  3. In the left pane, choose Admin centers > SharePoint.

  4. Select settings.

  5. Under Custom Script choose:

    • Allow users to run custom script on personal sites.

    • Allow users to run custom script on self-service created sites.

    Custom script section of settings page in SharePoint admin center

    Note: Because self-service site creation points to your organization’s root site collection by default, changing the Custom Script setting allows custom script on your organization’s root site collection. For info about changing where sites are created, see Manage site creation in SharePoint Online.

  6. Click OK. It can take up to 24 hours for the change to take effect.

Warning: Before you allow custom script on sites in your organization, make sure you understand the security implications.

To allow custom script on a particular site collection immediately, use the following Microsoft PowerShell command (learn more about the SharePoint Online Management Shell):

Set-SPOSite <SiteURL> -DenyAddAndCustomizePages 0

If you change this setting for a user's OneDrive or a user-created site, it will be overridden by the Custom Script setting in the admin center within 24 hours.
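
To review where custom script is currently allowed, the per-site value of DenyAddAndCustomizePages can be read back with Get-SPOSite. The following is an added example, not part of the original article or Microsoft's own script; the admin URL is a placeholder, and the function name Get-CustomScriptReport and the CSV file name are hypothetical.

```powershell
# Added example: report which site collections currently allow custom script.
# Assumes the SharePoint Online Management Shell is installed and that you
# sign in as a global admin or SharePoint admin.
$AdminUrl = 'https://contoso-admin.sharepoint.com'   # placeholder tenant URL
Connect-SPOService -Url $AdminUrl

function Get-CustomScriptReport {
    # Hypothetical helper: one row per site collection with its script state.
    param([switch]$IncludeOneDrive)

    $params = @{ Limit = 'All' }
    if ($IncludeOneDrive) { $params.IncludePersonalSite = $true }

    Get-SPOSite @params | ForEach-Object {
        [pscustomobject]@{
            Url                      = $_.Url
            Template                 = $_.Template
            DenyAddAndCustomizePages = $_.DenyAddAndCustomizePages
            # 'Disabled' means the deny flag is off, so custom script is allowed.
            CustomScriptAllowed      = ($_.DenyAddAndCustomizePages -eq 'Disabled')
        }
    }
}

$report = Get-CustomScriptReport -IncludeOneDrive

# Summary: how many sites are in each state (Enabled, Disabled, Unknown).
$report | Group-Object DenyAddAndCustomizePages | Select-Object Name, Count

# Detail: sites where custom script is allowed, saved for review.
$report | Where-Object CustomScriptAllowed | Sort-Object Url |
    Export-Csv -Path .\custom-script-allowed.csv -NoTypeInformation

# After review, custom script can be blocked again on a single site
# (1 is the inverse of the 0 used in the command above):
# Set-SPOSite -Identity <SiteURL> -DenyAddAndCustomizePages 1
```

Because the admin center setting overrides per-site changes on OneDrive and user-created sites within 24 hours, rerunning the report after that window shows the state that actually persisted.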

When users are prevented from running custom script on OneDrive or user-created sites, site collection owners and site owners won't be able to create new items such as templates, solutions, themes, and help file collections. If you allowed custom script in the past, items that were already created will still work.

The following site settings are unavailable when users are prevented from running custom script:

| Site feature | Behavior | Notes |
|---|---|---|
| Save Site as Template | No longer available in Site Settings | Users can still build sites from templates created before custom script was blocked. |
| Save document library as template | No longer available in Library Settings | Users can still build document libraries from templates created before custom script was blocked. |
| Solution Gallery | No longer available in Site Settings | Users can still use solutions created before custom script was blocked. |
| Theme Gallery | No longer available in Site Settings | Users can still use themes created before custom script was blocked. |
| Help Settings | No longer available in Site Settings | Users can still access help file collections available before custom script was blocked. |
| HTML Field Security | No longer available in Library Settings | Users can still use HTML field security that they set up before custom script was blocked. |
| Sandbox solutions | Solution Gallery is no longer available in Site Settings | Users can’t add, manage, or upgrade sandbox solutions. They can still run sandbox solutions that were deployed before custom script was blocked. |
| SharePoint Designer | Pages that are not HTML can no longer be updated. Handling List: Create Form and Custom Action will no longer work. Subsites: New Subsite and Delete Site redirect to the Site Settings page in the browser. Data Sources: Properties button is no longer available. | Users can still open data sources. |
| Uploading files that potentially include script | The following file types can no longer be uploaded to a library: .asmx, .ascx, .aspx, .htc, .jar, .master, .swf, .xap, .xsf | Existing files in the library are not impacted. |

The following web parts and features are unavailable to site collection owners and site owners when you prevent them from running custom script.

| Web part category | Web part |
|---|---|
| Business Data | Business Data Actions, Business Data Item, Business Data Item Builder, Business Data List, Business Data Related List, Excel Web Access, Indicator Details, Status List, Visio Web Access |
| Community | About This Community, Join, My Membership, Tools, What’s Happening |
| Content Rollup | Categories, Project Summary, Relevant Documents, RSS Viewer, Site Aggregator, Sites in Category, Term Property, Timeline, WSRP Viewer, XML Viewer |
| Document Sets | Document Set Contents, Document Set Properties |
| Forms | HTML Form Web Part |
| Media and Content | Content Editor, Script Editor, Silverlight Web Part |
| Search | Refinement, Search Box, Search Navigation, Search Results |
| Search-Driven Content | Catalog-Item Reuse |
| Social Collaboration | Contact Details, Note Board, Organization Browser, Site Feed, Tag Cloud, User Tasks |
| Master Page Gallery | Can't create or edit master pages |
| Publishing Sites | Can't create or edit master pages and page layouts |

Before you prevent custom script on sites where you previously allowed it, we recommend communicating the change well in advance so users can understand the impact of it. Otherwise, users who are accustomed to changing themes or adding web parts on their sites will suddenly not be able to and will see the following error message.

Error message displayed when scripting is disabled on a site or site collection

Communicating the change in advance can reduce user frustration and support calls.
