Enabling/disabling custom scripts on site collection using PowerShell
TL;DR: To create or update Teamsware Solutions, custom scripts must be enabled on the target SharePoint site collection. If your Microsoft 365 tenant has the Baseline Security Mode policy "Don't allow new custom scripts in SharePoint sites" turned on, you must first disable it in the Microsoft 365 admin center — otherwise per-site overrides are reset within 24 hours. Once the tenant-level policy is off, Solution Studio should be able to enable custom scripts on individual site collections or you can enable it manually using SharePoint Online Management Shell or PnP PowerShell.
This article describes how to enable custom scripts on a SharePoint site collection so that Teamsware Studio can create and update solutions on that site.
Scripting capability in Teamsware Studio is tied to the Custom Script option in the SharePoint admin settings. Without it, creating or updating Teamsware solutions is not possible. There are two layers of control you may need to address: a tenant-level policy (Microsoft 365 Baseline Security Mode) and a site-collection-level setting (per-site PowerShell command).
This article walks you through both layers — starting with the tenant-wide policy check, and then the per-site PowerShell commands.
Scenario
- You are a SharePoint or Microsoft 365 administrator on your tenant.
- You want to create or update a Teamsware solution on a SharePoint site collection.
- You now need to:
- Verify and, if necessary, disable the tenant-level Baseline Security Mode policy that blocks custom scripts globally.
- Enable custom scripts on the specific target site collection.
Step 1 — Check & Disable the Baseline Security Mode Policy
Microsoft 365 includes a Baseline Security Mode feature that provides tenant-wide security hardening policies. One of its settings — "Don't allow new custom scripts in SharePoint sites" — permanently blocks custom scripts across all SharePoint and OneDrive sites when turned on.
IMPORTANT: If this tenant-level policy is active, any per-site override you want to make via PowerShell will be blocked. You must disable this policy first before enabling custom scripts at the site level.
How to access Baseline Security Mode settings
- Sign in to the Microsoft 365 admin center (admin.microsoft.com).
- In the left navigation bar, select Show all, then expand Settings.
- Under Settings, select Org Settings.
- On the Org Settings page, select the Security and Privacy tab.
- Select Baseline Security Mode.
- Click on the "Open Baseline security mode" button at the buttom in the right panel.
- Scroll to the Authentication section and locate the setting "Don't allow new custom scripts in SharePoint sites".
- If this setting is On (enabled), toggle it Off to allow custom scripts at the site level.
- Save your changes.
Note: You need the SharePoint Administrator role (or higher) to manage this setting. Baseline Security Mode supports role-based access control, so confirm you have the appropriate role before proceeding.
Step 2 — Enable Custom Scripts via SharePoint Online Management Shell
Once the tenant-level Baseline Security Mode policy is off (or was never enabled), you can enable custom scripts on a specific site collection using the SharePoint Online Management Shell.
Step 2a: Connect to your SharePoint Online tenant
Open PowerShell and connect to your SharePoint Online admin endpoint:
- Replace <SPO tenant name> with your actual tenant name (e.g. contoso).
Connect-SPOService -Url "https://<SPO tenant name>-admin.sharepoint.com" -Interactive
Step 2b: Enable custom scripts on the target site
Run the following command to enable custom scripts on the site collection:
Set-SPOSite "https://<SPO tenant name>.sharepoint.com/sites/<Site name>" -DenyAddAndCustomizePages 0
- Replace <SPO tenant name> with your tenant name.
- Replace <Site name> with the site collection name (URL segment).
- The value 0 means custom scripts are allowed; 1 means they are blocked.
IMPORTANT: You must be a SharePoint Admin to run this command. Site Owner permissions are not sufficient.
Step 3 — Enable Custom Scripts via PnP PowerShell
Alternatively, you can use PnP PowerShell to enable custom scripts. This approach connects directly to the site URL and requires a registered Entra ID Application with appropriate permissions.
Step 3a: Connect to the target site via PnP PowerShell
Run the following command to connect to the site collection:
Connect-PnPOnline -Url "https://<SPO tenant name>.sharepoint.com/sites/<Site name>" -Interactive -ClientId <client id of your Entra ID Application Registration>
- Replace <SPO tenant name> with your tenant name.
- Replace <Site name> with the target site's URL segment.
- Replace <client id of your Entra ID Application Registration> with the Application (client) ID from your Microsoft Entra ID app registration.
Step 3b: Enable custom scripts on the tenant site
Run the following command to allow custom scripts:
Set-PnPTenantSite -Identity "https://<SPO tenant name>.sharepoint.com/sites/<Site name>" -DenyAddAndCustomizePages:$false
Note: Setting -DenyAddAndCustomizePages:$false enables custom scripts; use $true to block them again.
Result: Custom Scripts Enabled for Teamsware Studio
- The tenant-level Baseline Security Mode policy no longer blocks custom scripts across all SharePoint sites.
- The target site collection has custom scripts enabled (DenyAddAndCustomizePages = 0).
- Teamsware Studio can now create and update solutions on that site collection.
- The Solution Studio scripting capability dialog will no longer block solution creation on this site.
Additional Hints & Special Cases
24-Hour Reset Behavior
Per-site custom script changes are temporary by default. Any change that allows custom scripts on a specific site is automatically reset to Not allowed within 24 hours — unless the Baseline Security Mode policy is disabled at the tenant level first.
- Always verify the Baseline Security Mode setting is off before applying per-site overrides.
Permissions Required
- You must be a SharePoint Administrator (or Global Administrator) to run the PowerShell commands above.Site Owner permission alone is not sufficient.
- To manage Baseline Security Mode settings, you need the SharePoint Administrator role or another supported admin role (e.g., Security Administrator).
Dialog Prompt in Solution Studio
When creating a new Teamsware solution on a site collection where custom scripts are disabled, Solution Studio will display a dialog prompting you to enable scripting capabilities. You can simply click the "Enable" button. After disabling the Baseline Security Mode Policy Teamsware Studio should be able to enable scripts for a specific site.
Further Reading
Related Articles
Custom Action setup (create your own action type)
Note: This tutorial is for the classic UI only (Actions in Rich Forms and Actions Links) and will not (yet) work for Modern Forms and Modern List Actions. In the CustomActionShared.zip archive attached below there are two files: • ...How to fix broken lookup on the site
If your SharePoint list has a lookup column that was connected to a list which has been deleted, the field configuration will show an empty 'Get information from:' value. SharePoint does not allow you to select a new source list through the UI in ...Field Validation Examples using Regex
The SharePoint out-of-the-box field validation is very limited and you can't use regex to validate the value entered in the form. Using teamsware rich forms as add-in but as well in solution studio you can configure a validation on each form field ...Action: Add users to site
Add users to site action allows to grant an Active Directory (AD) user or group access to a SharePoint site without assigning any permissions. Example of Add users to site action configuration on the current site For more information about Action ...Action: Add site to favorite
Add site to favorite action allows you to follow SharePoint sites where you have access to. Example of configuration on the current site For more information about Action Builder read Action Builder introduction article. To configure the action Start ...