SPO WBBag: January 3

Photo by Markus Spiske

THE ENABLE or DISABLE Custom Scripts Challenge.

In this Weekly SharePoint Online Brown Bag I will talk about Governance in a company point of view about the Enable Custom Scripts in SharePoint Online as a Migration Consultant

One of the first things I have on my migration to-do list is to check if this option is enabled or disabled, and why? Custom Strips enable, allow the tenant to run JavaScript directly and inject pure JavaScript on a Site. You can have ready made sites with Frameworks or Libraries such as AnjularJS, Reat, JSOM Code etc. Will maybe work when migrated in most cases if this option is enable, But first, and because I have to be aware of the implications in terms of security, I must and is my way of working to put myself in other people’s shoes, I really have to be flexible.

My usual note

Perfect people or companies don’t exist. I’m the first to admit I’m not mistake free, that’s because I learn and share. If so please comment to Improve

SUMMARY

These days performing a migration in some industry sectors can bring many challenges. Why? Because security is very tight and nothing can go out the corporation environment.

CHALLENGES IN THIS POST

  1. Introduction
  2. Enable Custom Scripts Implications
  3. SharePoint Development Challenges
  4. The “Sharing is Caring” concept

LET´S START

Trust me, I’ve seen just about everything in the context of migrations to SharePoint Online. For those who are starting out in this area and because there are several utilities that make a wizard-type migration possible, the temptation is often to take a Site Collection and place it online as it is. Is this a good practice? Of course not, doing the same thing and expecting different results is insanity, even if all the scripts work and I have a website up in 1 hour.

FIND FLAT STUCTURE, Hub Sites and follow the line, good videos out there.

(c) Microsoft

Now let’s go back to the implication of activating this option, what does it do when activated?

Set-SPOSite -DenyAddAndCustomizePages 0

From the Microsoft Site

Every script that runs in a SharePoint page (whether it’s an HTML page in a document library or a JavaScript in a Script Editor Web Part) always runs in the context of the user visiting the page and the SharePoint application. This means:

  • Scripts have access to everything the user has access to.
  • Scripts can access content across several Microsoft 365 services and even beyond with Microsoft Graph integration.

What does this mean really this?

Any user who has “Add and Customize Pages” permission (part of the Design and Full Control permission levels) to any page or document library can insert code that can potentially have a powerful effect on all users and resources in the organization.

From a Migration point of view, in practice, does this mean that you will have to develop the migrated sites that contain scripts from scratch? YES, looks crazy no? BUT NOT. Everything has a reason.

In the early days of development in SharePoint, in this article I will only focus on the 2003 version, development was very demanding, because there was not much documentation and the learning curve was big, there were many sleepless nights.

When SharePoint 2007 appeared, the concept of FARM and inherited permissions also appeared, something that did not exist before, at this time good practices began to appear, but even so it was not possible to invent much, developers had to reinvent themselves and share how could, in good measure with the goodwill of those who shared in the Outlook Express NNTP groups, now imagine and go back further when the product was actually launched.

But what does this have to do with the context of DenyAddAndCustomizePages anyway? ALL. When Microsoft started to launch Services like BPOS and Live@Edu it became clear that the development paradigm had to change, on the other hand years ago Microsoft didn’t have a policy of making things easier, now with SasS everything changed.

SO the SharePoint Framework (SPFx) was launched and now Microsoft really understood that it needed help to develop on his platform, so, Microsoft as a First Party Developer and the Programmers as Third Party developers, FINALLY, and the the slogan ” Sharing is Caring” appear. This is cool it’s YUPIII.

With SPFx, you may say, TypeScript is compiled to JavaScript and SASS to CSS, it’s true, but why is more secure? From the Microsoft Site again and see the Key Features.

The following are some of the key features included as part of the SPFx:

  • It runs in the context of the current user and connection in the browser. There are no iFrames for the customization (JavaScript is embedded directly to the page).
  • The controls are rendered in the normal page DOM.
  • The controls are responsive and accessible by nature.
  • It enables the developer to access the lifecycle in addition to renderloadserialize and deserializeconfiguration changes, and more.
  • It’s framework-agnostic. You can use any JavaScript framework that you like including, but not limited to, React, Handlebars, Knockout, Angular, and Vue.js.
  • The developer toolchain is based on popular open-source client development tools such as NPM, TypeScript, Yeoman, webpack, and gulp.
  • Performance is reliable.
  • End users can use SPFx client-side solutions that are approved by the tenant administrators (or their delegates) on all sites, including self-service team, group, or personal sites.
  • SPFx web parts can be added to both classic and modern pages.
  • SPFx solutions can be used to extend Microsoft Teams.

This means from Microsoft

Within multi-tenant SharePoint Online, full trust code has never been supported, and the sandboxed code service has been deprecated. The most common patterns for customizations of SharePoint Online have been either through add-ins, remote-code execution (code executing elsewhere, such as in Azure) through the standard APIs, and JavaScript embedding. Although JavaScript embedding has been a powerful way of extending SharePoint, it has also proven difficult to keep up with the evergreen model of SharePoint Online. The SharePoint Framework aims to solve these issues by providing a standardized framework on how to create custom user interface extensions and building applications on top of SharePoint Online in a supported and future prepared way.

DON’T FORGET Microsoft Graph and Microsoft Identity (Future Brown Bags)

But in my sole opinion Scripts Disable are Good because it will disallow your users to save LIST or SITES as templates and upload to a another tenant. If you have Confidential information this is really bad if active. “Usually” Secret Documents are not allowed in SharePoint Online.

The “Sharing is Caring” concept PnP

The community grow a lot, developers become evolving sharing and extending tools, samples, really live savers.

What is Sharing is Caring?

Sharing is Caring is a PnP program that provides hands-on guidance on using and contributing to the Microsoft365 community

CONCLUSION

The Enable Custom Scripts represent a BIG role on your effort estimation, usually if you have Systems with a Shutdown Date. Keep in mind this particular topic, it will define all your team projection and capacity.

Hope that help you in some constraints that you have.

That’s all for this week, see you next time

Joao Livio

Joao is a Consultant with more than 25 years of experience in various technologies, he has been working with SharePoint since version 2003, an area in which he decided to specialize. Today he works in the Modern Workplace area with focus in Migrations to Office/Microsoft 365 as well in the Ecosystem Development. 

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *