MC1186368 - Microsoft SharePoint: Update to custom scripting governance in App Catalog site

To strengthen security and reduce the risk of ungoverned scripting, Microsoft is expanding the custom scripting governance in the App Catalog site. This change helps ensure a more secure and manageable environment in SharePoint Online.

What will happen:

Custom scripting will be disabled (setting DenyAddAndCustomizePages to 1 or $true) for the tenant-wide App Catalog site using the APPCATALOG#0 template.

When this will happen: Default custom scripting governance on the App Catalog site will take effect starting in mid-January 2026.

Who is affected: Admins managing the SharePoint tenant-wide App Catalog site and content inside.

How this affects your organization:

App operations remain unaffected: Uploading, updating, and deploying SharePoint and Office apps will continue to work.
Custom script-based changes will be blocked: New changes related to custom scripting in the App Catalog Site will be disabled by default; existing custom scripting related customizations will remain unaffected.

What you can do to prepare:

Inform App Catalog site owners and helpdesk staff in your organization of this upcoming change to reduce confusion and support calls.

To temporarily opt out of custom scripting governance for a specific site (effective for 24 hours with tenant admin approval), use the following PowerShell command:

Set-SPOSite <SiteURL> -DenyAddAndCustomizePages $false

To update the site property bag (by default disallowed when custom script governance is enabled), use the following PowerShell commands to enable it at tenant or site level:

Set-SPOTenant -AllowWebPropertyBagUpdateWhenDenyAddAndCustomizePagesIsEnabled $true

Set-SPOSite <SiteURL> -AllowWebPropertyBagUpdateWhenDenyAddAndCustomizePagesIsEnabled $true

Learn more:

Compliance considerations:

No compliance considerations identified, review as appropriate for your organization.