Microsoft 365 Message Center Archive

MC1186368 - Microsoft SharePoint: Update to custom scripting governance in App Catalog site

Message ID

MC1186368

View in Message Center

Service

SharePoint Online

Last Updated

Nov 15, 2025

Published Nov 14, 2025

Tag

Major change
Feature update
User impact
Admin impact

Act by

Jan 13, 2026

Summary

Starting mid-January 2026, custom scripting will be disabled by default on the tenant-wide SharePoint App Catalog site to enhance security. App operations remain unaffected, but new custom script changes will be blocked. Admins can temporarily opt out using PowerShell commands and should inform site owners accordingly.

More information

To strengthen security and reduce the risk of ungoverned scripting, Microsoft is expanding the custom scripting governance in the App Catalog site. This change helps ensure a more secure and manageable environment in SharePoint Online.

What will happen:

Custom scripting will be disabled (setting DenyAddAndCustomizePages to 1 or $true) for the tenant-wide App Catalog site using the APPCATALOG#0 template.

When this will happen: Default custom scripting governance on the App Catalog site will take effect starting in mid-January 2026.

Who is affected: Admins managing the SharePoint tenant-wide App Catalog site and content inside.

How this affects your organization:

  • App operations remain unaffected: Uploading, updating, and deploying SharePoint and Office apps will continue to work.
  • Custom script-based changes will be blocked: New changes related to custom scripting in the App Catalog Site will be disabled by default; existing custom scripting related customizations will remain unaffected.

What you can do to prepare:

  • Inform App Catalog site owners and helpdesk staff in your organization of this upcoming change to reduce confusion and support calls.
  • To temporarily opt out of custom scripting governance for a specific site (effective for 24 hours with tenant admin approval), use the following PowerShell command:

Set-SPOSite <SiteURL> -DenyAddAndCustomizePages $false

  • To update the site property bag (by default disallowed when custom script governance is enabled), use the following PowerShell commands to enable it at tenant or site level:

Set-SPOTenant -AllowWebPropertyBagUpdateWhenDenyAddAndCustomizePagesIsEnabled $true
Set-SPOSite <SiteURL> -AllowWebPropertyBagUpdateWhenDenyAddAndCustomizePagesIsEnabled $true

Learn more: 

Compliance considerations:

No compliance considerations identified, review as appropriate for your organization.