MC1186368 – Microsoft SharePoint: Update to custom scripting governance in App Catalog site

Product:

Microsoft 365 Apps, SharePoint

Platform:

Online, Web, World tenant

Status:

Change type:

Feature update, User impact, Admin impact

Links:

Details:

Summary:
Starting mid-January 2026, custom scripting will be disabled by default on the tenant-wide SharePoint App Catalog site to enhance security. App operations remain unaffected, but new custom script changes will be blocked. Admins can temporarily opt out using PowerShell commands and should inform site owners accordingly.

Details:
To strengthen security and reduce the risk of ungoverned scripting, Microsoft is expanding the custom scripting governance in the App Catalog site. This change helps ensure a more secure and manageable environment in SharePoint Online.
What will happen:
Custom scripting will be disabled (setting DenyAddAndCustomizePages to 1 or $true) for the tenant-wide App Catalog site using the APPCATALOG#0 template.
When this will happen: Default custom scripting governance on the App Catalog site will take effect starting in mid-January 2026.
Who is affected: Admins managing the SharePoint tenant-wide App Catalog site and content inside.

Change Category:
XXXXXXX ... free basic plan only

Scope:
XXXXXXX ... free basic plan only

Release Phase:

Created:
2025-11-15

updated:
2025-11-15

Task Type

XXXXXXX ... free basic plan only

Docu to Check

XXXXXXX ... free basic plan only

MS How does it affect me

XXXXXXX ... free basic plan only

MS Preperations

XXXXXXX ... free basic plan only

MS Urgency

XXXXXXX ... free basic plan only

MS workload name

XXXXXXX ... free basic plan only

summary for non-techies**

XXXXXXX ... free basic plan only

Direct effects for Operations**

Disabling Custom Scripting
Custom scripting will be disabled by default, preventing new custom script changes which may impact existing workflows and functionalities that rely on custom scripts.
   - roles: SharePoint Admin, Site Owners
   - references: https://learn.microsoft.com/sharepoint/allow-or-prevent-custom-script, https://learn.microsoft.com/sharepoint/security-considerations-of-allowing-custom-script

Increased Support Calls
Without prior communication, users may experience confusion leading to increased support calls regarding the inability to implement custom scripts.
   - roles: Helpdesk Staff, SharePoint Admin
   - references: https://learn.microsoft.com/sharepoint/allow-or-prevent-custom-script " target="_blank" rel="nofollow noopener noreferrer">https://learn.microsoft.com/sharepoint/allow-or-prevent-custom-script

Operational Delays
Admins may face operational delays as they need to inform site owners and manage temporary opt-out requests, impacting productivity.
   - roles: SharePoint Admin, Site Owners
   - references: https://learn.microsoft.com/sharepoint/allow-or-prevent-custom-script " target="_blank" rel="nofollow noopener noreferrer">https://learn.microsoft.com/sharepoint/allow-or-prevent-custom-script

User Experience Degradation
Users may experience a degradation in user experience if custom scripts that enhance functionality are no longer allowed, leading to frustration.
   - roles: End Users, Site Owners
   - references: https://learn.microsoft.com/sharepoint/security-considerations-of-allowing-custom-script

Compliance Risks
If not communicated properly, the change may lead to compliance risks as users may unknowingly violate governance policies by attempting to use custom scripts.
   - roles: Compliance Officers, SharePoint Admin
   - references: https://learn.microsoft.com/sharepoint/security-considerations-of-allowing-custom-script

Configutation Options**

XXXXXXX ... paid membership only

Opportunities**

Enhanced Security Training for Admins
With the change in custom scripting governance, there is an opportunity to provide enhanced security training for SharePoint admins. This will ensure they understand the implications of the new governance and how to manage it effectively, thereby reducing potential security risks.
   - next-steps: Develop a training program focused on the new custom scripting governance policies and best practices for SharePoint security. Schedule sessions for all SharePoint admins before the January 2026 deadline.
   - roles: SharePoint Admins, IT Security Officers, Helpdesk Staff
   - references: https://learn.microsoft.com/sharepoint/security-considerations-of-allowing-custom-script, https://learn.microsoft.com/sharepoint/allow-or-prevent-custom-script

Improved User Communication Protocols
The upcoming changes to custom scripting governance provide a chance to improve communication protocols with site owners and users. By informing them of changes and providing clear guidelines, confusion and support calls can be minimized.
   - next-steps: Create a communication plan that includes FAQs, instructional materials, and direct outreach to site owners. Implement feedback mechanisms to gauge user understanding and concerns.
   - roles: Project Managers, Communication Officers, SharePoint Site Owners
   - references: https://learn.microsoft.com/sharepoint/allow-or-prevent-custom-script

Review and Optimize Existing Custom Scripts
As new custom script changes will be blocked, this is an opportunity to review existing custom scripts in use across the organization. This can help in identifying redundant or outdated scripts that can be optimized or removed, enhancing overall performance.
   - next-steps: Conduct an audit of all existing custom scripts within the App Catalog. Collaborate with developers to determine which scripts are essential and which can be optimized or eliminated.
   - roles: SharePoint Developers, IT Operations Managers, Application Managers
   - references: https://learn.microsoft.com/sharepoint/dev/spfx/sharepoint-framework-overview

Potentional Risks**

XXXXXXX ... paid membership only

IT Security**

XXXXXXX ... paid membership only

explanation for non-techies**

XXXXXXX ... free basic plan only