Introduction
Since November 2024, Microsoft has made changes to the use and management of custom scripts in SharePoint Online. These updates reflect Microsoft’s commitment to improving platform security and reliability while encouraging the adoption of modern development practices.
This document outlines a temporary method for automatically enabling custom scripts, designed to help organizations address immediate needs or legacy dependencies. However, we strongly discourage the continued use of custom scripts due to the significant security risks they pose, such as potential exposure to malicious code and reduced compliance with modern governance standards.
Instead, we encourage you to consider transitioning to modern alternatives, such as leveraging SharePoint Framework (SPFx) and other Microsoft 365 tools that are more secure, scalable and supported.
If you are impacted by these changes, we’re here to help! Our team can guide you in modernizing your platform, ensuring compatibility with the latest features while maintaining the integrity and security of your environment. Additionally, we can assist you in upgrading to Omnia, our modern platform that seamlessly integrates with Microsoft 365 and SharePoint, providing a comprehensive and secure solution for your organization’s needs.
Summary: The Custom Script setting will be removed from OneDrive and SharePoint sites by early-May 2024. A new PowerShell command, DelayDenyAddAndCustomizePagesEnforcement, will allow the delay of this change until mid-November 2024. The NoScriptSite setting will be configured to True for all existing SharePoint and OneDrive sites. Existing scripts in OneDrive and SharePoint sites will remain unaffected. Administrators can permit the execution of custom scripts on specific SharePoint sites using the Set-SPOSite command.
Source: Message center - Microsoft 365 admin center
How-to tutorial
Follow these instructions to set up the automatic script that temporarily enables custom scripts for your impacted sites.
You have two options: either set up a Windows scheduled task or use Azure Automation and Runbooks to automatically unblock sites from using custom scripts every 24 hours. Choose whichever solution you prefer and fits your organization best.
Please note that the Global Administrator role is required to perform the steps in this tutorial.
Windows Task scheduler
Prerequisites
- Windows server or VM running 24/7
- PowerShell 7.0
- PnP.PowerShell (see step 1)
- Global Administrator role
Step 1: Install PowerShell 7 and PnP PowerShell
Go to Installing PowerShell on Windows - PowerShell | Microsoft Learn and select your preferred installation method.
After installing, start PowerShell 7.0 as administrator.
Now, run the below command to install the latest stable version of PnP PowerShell cmdlets for the current user.
Install-Module PnP.PowerShell -Scope CurrentUser
Step 2: Register an Entra ID application to use with PnP PowerShell and App Only Access
Since we will want to run this script without requiring user interaction, you must register a new Microsoft Entra ID application for App Only access following this guide here: Register an Entra ID Application to use with PnP PowerShell | PnP PowerShell
TLDR; run the following command to register a new app and generate the certificates to use with that app.
$result = Register-PnPEntraIDApp -ApplicationName "Enable custom scripts in SPO automation" -Tenant [yourtenant].onmicrosoft.com -OutPath c:\mycertificates -Interactive -SharePointApplicationPermissions Sites.FullControl.All
Please note that the -OutPath parameter saves both the CER and PFX files to the location specified. You can change this to your preferred location, but remember it, since the PFX file is needed later on. The command also returns the private key certificate encoded in base64. Make sure to safeguard both the certificate and the private key following your normal procedures.
Step 3: Create a .ps1 file
Using your favorite code editor, e.g. Visual Studio Code, create a new .ps1 file, add the following script and save it to your machine. Ensure that you replace the [variables] to fit your organization’s tenant.
# Connect to the tenant using a certificate
Connect-PnPOnline -ClientId [yourClientId] -CertificatePath [pathToYourCertificateFile] -Url https://[yourTenantName].sharepoint.com -Tenant "[yourTenantName].onmicrosoft.com"
# Enter the list of site URLs needing custom scripts enabled
$siteUrls = @("[siteUrl1]", "[siteUrl2]")
# Enable custom scripts on all sites ($site is a plain URL string, so it is used directly)
foreach ($site in $siteUrls) {
    Write-Host "Running command on site: $site"
    Set-PnPSite -Identity $site -NoScriptSite $false
}
Step 4: Setup Windows task schedule
Open Task Scheduler on your machine.
In the Task Scheduler, click Create Task…
In the General tab, give your task a name and description, e.g. “Enable custom scripts in SPO task”. Select Run whether user is logged on or not and check Run with highest privileges.
In the Triggers tab, click New and set the trigger to Daily and specify the start time. Set Recur every 1 days and Repeat task every 8 hours for a duration of Indefinitely. Check Enabled. Click OK.
In the Actions tab, click New. Set the Action to Start a program. In the Program/script input field, click Browse and select your PowerShell 7.0 executable, e.g. “C:\Program Files\PowerShell\7\pwsh.exe”. Then in the Add arguments (optional) field, type -File "C:\path\to\your\script.ps1" and click OK.
In the Conditions tab, disable all of the options.
Enable the following in the Settings tab:
Click OK to save the task. You will be prompted to enter your password.
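The same task can be registered from PowerShell instead of the Task Scheduler UI, which makes the settings reviewable and repeatable. The script below is an added example, not part of the original tutorial; the task name, service account and paths are placeholders, and it assumes a Windows 10/Server 2016 or later Task Scheduler, where a repetition trigger with no duration repeats indefinitely.

```powershell
# Added example (not from the original tutorial): registers the Step 4 task with the
# ScheduledTasks module. Task name, account and paths are placeholders for your environment.

$taskName   = 'Enable custom scripts in SPO task'
$scriptPath = 'C:\path\to\your\script.ps1'              # the .ps1 created in Step 3
$pwshPath   = 'C:\Program Files\PowerShell\7\pwsh.exe'
$runAs      = 'CONTOSO\svc-spo-scripts'                 # placeholder: a dedicated service account

# Start the script non-interactively so a prompt or profile error can never hang the task
$action = New-ScheduledTaskAction -Execute $pwshPath `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File `"$scriptPath`""

# First run today at 03:00, then every 8 hours; omitting -RepetitionDuration means "indefinitely"
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Date.AddHours(3) `
    -RepetitionInterval (New-TimeSpan -Hours 8)

# Mirrors the Conditions/Settings tabs: no battery or idle conditions, run a missed start
# as soon as possible, and stop a run that hangs after 30 minutes
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
    -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 30)

# Prompt for the account password so it is never stored in this script
$cred = Get-Credential -UserName $runAs -Message 'Password for the task account'

# -User/-Password registers the task to "Run whether user is logged on or not";
# -RunLevel Highest corresponds to "Run with highest privileges"
Register-ScheduledTask -TaskName $taskName `
    -Description 'Temporarily re-enables custom scripts on selected SharePoint Online sites' `
    -Action $action -Trigger $trigger -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password `
    -RunLevel Highest | Out-Null

# Confirm the task was created and is ready
Get-ScheduledTask -TaskName $taskName | Select-Object TaskName, State
```

Because the task account reads the PFX file from Step 2 on every run, restrict the NTFS permissions on that file to the task account and administrators only; anyone who can read it can act as the Entra ID application with Sites.FullControl.All.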
Check that custom script is allowed for your site(s)
Copy the URL below and replace the tenant name with your own.
https://<tenantname>-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/siteManagement/view/CUSTOM SCRIPT ENABLED SITES
Azure Automation
Please note that if you already have an Azure Automation account within your organization that you want to use, you will simply need to ensure that it has a managed identity configured with the right permissions.
Prerequisites
- PowerShell 7.0
- Microsoft Graph PowerShell SDK
- Global administrator
- Azure subscription
Step 1: Install PowerShell 7 and the Microsoft Graph PowerShell SDK
Go to Installing PowerShell on Windows - PowerShell | Microsoft Learn and select your preferred installation method.
After installing, start PowerShell 7.0 as administrator.
Now, run the below command to install the latest stable version of the Microsoft Graph PowerShell SDK for the current user.
Install-Module Microsoft.Graph -Scope CurrentUser -Repository PSGallery -Force
Step 2: Create Azure Automation account
Go to the Azure Portal and login with your Azure credentials.
Create a new Azure Automation Account using the Create a resource button and search for Automation.
Fill out the details for the Azure Automation Account as desired and click Review + Create.
Then click Create.
Once your resource has been provisioned, select Go to resource.
Step 3: Configure the Azure Automation Account
Go to your Azure Automation Account. Navigate to Shared Resources > Modules from the left navigation.
Click on Add a module.
Select Browse from gallery, Runtime version 7.2 (recommended) and click on the Click here to browse from gallery link.
Search for PnP PowerShell and select the first result.
Click Import to start the download and importing process.
It will take up to 10 minutes to import the module. You can check the status by changing the Module type filter to Custom.
Step 4: Setup authentication
The recommended option to authenticate your Azure Automation Runbooks is using a Managed Identity to allow your runbooks to connect to Microsoft Graph or SharePoint Online using PnP PowerShell. This guide will only focus on this approach, but you can read more about it here: Using PnP PowerShell in Azure Automation Runbooks | PnP PowerShell
In your Azure Automation account, select Account settings > Identity.
Ensure you are on the System assigned tab and flip the Status switch to On, if not already set by the system.
Click the Save button and confirm your action in the dialog box that is shown.
Step 5: Assign permissions to managed identity
Using Microsoft Graph PowerShell SDK.
Connect to your Azure tenant using the Connect-MgGraph cmdlet.
Connect-MgGraph -Scopes 'Directory.ReadWrite.All'
Find the managed identity object using its object (principal) ID.
$managedIdentity = Get-MgServicePrincipal -ServicePrincipalId '<object id>'
Retrieve the Office 365 SharePoint Online service principal, whose application roles are the permission scopes your managed identity can be assigned. Its application ID, 00000003-0000-0ff1-ce00-000000000000, is the same in every tenant.
$spoSPN = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0ff1-ce00-000000000000'"
Create a variable named $permissions to store the permission scope Sites.FullControl.All to enable the automated runbook to access and enable custom scripts.
$permissions = "Sites.FullControl.All"
Next, search the AppRoles of the Office 365 SharePoint Online enterprise application ($spoSPN) for the role that matches $permissions and is of Application type.
$appRole = $spoSPN.AppRoles | Where-Object Value -eq $permissions | Where-Object AllowedMemberTypes -Contains "Application"
Output the $appRole variable using Format-List to view the matching role and validate that it is correct.
$appRole | Format-List
Then assign the matching app role to the managed identity object.
$bodyParam = @{
    PrincipalId = $managedIdentity.Id
    ResourceId  = $spoSPN.Id
    AppRoleId   = $appRole.Id
}
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $managedIdentity.Id -BodyParameter $bodyParam
Verify the app role assignment by navigating to the managed identity’s enterprise application in Entra ID. In the enterprise application, navigate to Security > Permissions. The permissions should display the newly assigned app role for the managed identity.
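The same verification can be done from the Graph PowerShell session used in Step 5, which also surfaces any other application permissions the managed identity has accumulated over time. This is an added example, not part of the original tutorial; it assumes the $managedIdentity and $spoSPN variables from Step 5 and an open Connect-MgGraph session.

```powershell
# Added example (not from the original tutorial): list every app role granted to the managed
# identity and flag anything other than the single role assigned in Step 5.
# Assumes $managedIdentity and $spoSPN from Step 5 and an existing Connect-MgGraph session.

$expectedRole = 'Sites.FullControl.All'

# All application permissions currently held by the managed identity, across every resource
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $managedIdentity.Id -All

$report = foreach ($a in $assignments) {
    # Resolve the role GUID to its readable value via the resource's own AppRoles list
    $resource  = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId -Property Id,DisplayName,AppRoles
    $roleValue = ($resource.AppRoles | Where-Object Id -eq $a.AppRoleId).Value
    [pscustomobject]@{
        Resource = $resource.DisplayName
        Role     = $roleValue
        Expected = ($resource.Id -eq $spoSPN.Id -and $roleValue -eq $expectedRole)
    }
}

$report | Format-Table -AutoSize

if (-not ($report | Where-Object Expected)) {
    Write-Warning "Role '$expectedRole' on '$($spoSPN.DisplayName)' is not assigned yet; the runbook will not be able to connect."
}

$unexpected = @($report | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning "Managed identity holds $($unexpected.Count) role(s) beyond '$expectedRole'; review and remove any it does not need."
}
```

Run this after Step 5 and again periodically: the managed identity only needs the one SharePoint role for this runbook, and any additional roles widen what a compromised Automation account could do.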
Step 6: Create a Runbook
Using your Azure Automation account.
Select Process Automation > Runbooks from the left navigation.
Click Create a runbook.
Give the Runbook a name and description, select the Runbook type PowerShell and for the Runtime version choose 7.2 (recommended) and click on Create.
Add the PowerShell script below and replace any [variables] to reflect your tenant.
# Connect to the tenant using managed identity
Connect-PnPOnline -Url "https://[yourDomain]-admin.sharepoint.com" -ManagedIdentity
# Enter the list of site URLs needing custom scripts enabled
$siteUrls = @("[SiteUrl1]","[SiteUrl2]")
# Enable custom scripts on all sites ($site is a plain URL string, so it is used directly)
foreach ($site in $siteUrls) {
    Write-Host "Running command on site: $site"
    Set-PnPSite -Identity $site -NoScriptSite $false
}
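Because this runbook runs unattended every few hours, it is worth making it check before it changes anything, record what it did, and fail visibly when a site could not be processed. The script below is an added example, not part of the original tutorial; it uses the same placeholders as Step 6 and assumes the DenyAddAndCustomizePages property returned by Get-PnPTenantSite, which reads Enabled while custom script is blocked on a site.

```powershell
# Added example (not from the original tutorial): a defensive version of the Step 6 runbook.
# Checks each site's current state, changes only what needs changing, records every outcome
# in the job output, and fails the job if any site could not be processed.

$ErrorActionPreference = 'Stop'

Connect-PnPOnline -Url "https://[yourDomain]-admin.sharepoint.com" -ManagedIdentity

# Explicit allow-list only: never derive this list from a wildcard or tenant-wide query
$siteUrls = @("[SiteUrl1]", "[SiteUrl2]")

$results = foreach ($url in $siteUrls) {
    try {
        # DenyAddAndCustomizePages 'Enabled' means custom script is currently blocked on the site
        $before = (Get-PnPTenantSite -Identity $url).DenyAddAndCustomizePages
        if ($before -eq 'Enabled') {
            Set-PnPSite -Identity $url -NoScriptSite $false
            # Re-read so the log shows the actual resulting state, not the intended one
            $after  = (Get-PnPTenantSite -Identity $url).DenyAddAndCustomizePages
            $action = 'ReEnabled'
        } else {
            $after  = $before
            $action = 'NoChange'
        }
        [pscustomobject]@{ Site = $url; Before = $before; After = $after; Action = $action; Error = $null }
    }
    catch {
        # Keep going so one bad URL does not leave the remaining sites untouched
        [pscustomobject]@{ Site = $url; Before = $null; After = $null; Action = 'Failed'; Error = $_.Exception.Message }
    }
}

# The job output doubles as an audit trail of what the automation changed and when
$results | Format-Table -AutoSize

$failed = @($results | Where-Object Action -eq 'Failed')
if ($failed.Count -gt 0) {
    throw "$($failed.Count) of $($siteUrls.Count) site(s) failed; see the output above."
}
```

Because the job throws when a site fails, the Azure Automation job status becomes Failed rather than Completed, so a job-status alert catches a typo in the site list or a revoked permission instead of it going unnoticed until users report broken scripts.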
Click Save to save your Runbook.
Then click Test pane to test your Runbook before continuing: start the execution of the script and validate its output.
Once validated, select the X to close the Test pane.
Click Publish and acknowledge by selecting Yes.
Step 7: Setup schedule
Using Azure Automation account and your Runbook.
Select Resources > Schedules.
Click Add a schedule and select Link a schedule to your runbook.
Add a new schedule by selecting Add a schedule.
Give it a name, description and select when you want the script to start and using what time zone.
Select Recurring and set Recur every 8 hours with no expiration.
Click Create. Click OK to save.