
Avoid security risks from customizing SharePoint Online


Customizing SharePoint Online is a valuable way of ensuring your employees can get the most out of the platform. Whether you’re replicating customizations you had in your old on-premises platform or are introducing brand new modifications, by customizing SharePoint in the cloud, you give your employees specific features and tools they need to get their jobs done.

However, as Waldek says, “SharePoint is a beast”, and just like customizing SharePoint on-premises, there is a range of risks involved in customizing the cloud version of the platform. Let’s look at the risks that can arise when you make changes to SharePoint Online, and then at how you can avoid them.

How can you customize in SharePoint Online?

Just like the on-premises version, Microsoft allows you to customize various features and functionality of SharePoint Online out of the box without the use of any code. These include various ‘cosmetic’ changes to the user interface, as well as the introduction of web parts and views, and the ability to add third-party apps from the approved app store. For more advanced customizations (such as triggering workflows or introducing ), you’ll need to write your own code. Today, Microsoft is encouraging developers to do this through the SharePoint Framework (which we’ve spoken a lot about previously), which runs your code in the user’s browser.

Risks from customizing SharePoint Online

A key thing to understand about customizing SharePoint Online is that Microsoft do not make it possible to edit the underlying code which SharePoint Online runs on. This is because the platform is cloud-based and managed centrally by Microsoft. If they allowed anyone to edit this code, everyone’s environments would be open to vulnerabilities, performance issues and general crashes. Instead, you can customize some of the user experience in SharePoint and also introduce browser-based add-ins which change how your users interact with and use the platform.

This is, by and large, a good thing. Microsoft make it impossible for external developers to introduce any kind of customizations which could ‘break’ SharePoint Online, and so your risk is somewhat lower than any full trust code you might deploy in SharePoint on-premises. That said, poor quality browser-based development can still damage the user experience with the platform, give individuals access to content that they don’t have permission to access, and can cause unnecessary confusion. Therefore, there’s no room for error.

For example, if you want to write code that displays external data on a page in SharePoint, you might choose to use a third-party JavaScript library to display the data in an animated way in the browser. The problem here is that if your code is poorly written, it can be hijacked in the browser and introduce security problems. It is likely that many organizations are prone to these types of security problems. I imagine even Microsoft occasionally find bugs in their code within SharePoint Online. So, if it happens to the best of us, you can see the potential problem when multiple developers each introduce their own poor-quality code to the online platform, compounding the risk.
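As an added illustration (not code from the article or from Rencore), here is the contrast the paragraph describes: a web part that drops external feed data straight into the page’s markup, beside one that escapes every field and validates links before rendering. The feed shape (`title`, `link`) and the sample items are assumptions constructed for the example.

```javascript
// Added example: rendering external data inside a SharePoint Online page.
// The feed format [{ title, link }] and the sample data below are constructed.

// Escape the five characters HTML treats specially so data stays data.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// Allow only http(s) links, so a feed item cannot smuggle in a "javascript:" URL.
function safeHref(url) {
  try {
    const u = new URL(url);
    return (u.protocol === "https:" || u.protocol === "http:") ? u.href : "#";
  } catch {
    return "#";
  }
}

// UNSAFE: feed fields are concatenated straight into markup. Any HTML in the
// feed (a compromised or spoofed external source) executes in the user's
// SharePoint session with that user's permissions.
function renderUnsafe(items) {
  return "<ul>" +
    items.map((i) => `<li><a href="${i.link}">${i.title}</a></li>`).join("") +
    "</ul>";
}

// SAFE: every field is escaped and the link is validated before insertion.
function renderSafe(items) {
  return "<ul>" +
    items.map((i) =>
      `<li><a href="${escapeHtml(safeHref(i.link))}">${escapeHtml(i.title)}</a></li>`
    ).join("") +
    "</ul>";
}

// Constructed sample: one normal item and one hostile item such as an
// untrusted external feed could return.
const sampleFeed = [
  { title: "Quarterly report", link: "https://example.com/q1" },
  { title: '<img src=x onerror="alert(1)">', link: "javascript:alert(1)" },
];

console.log(renderUnsafe(sampleFeed)); // hostile markup survives intact
console.log(renderSafe(sampleFeed));   // hostile markup is rendered as text
```

The same discipline applies whichever animation or charting library is used: the library receives already-escaped strings and validated URLs, never raw feed content.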

While there are risks with customizing SharePoint Online, this doesn’t mean that you should avoid making the changes your teams want. Instead, you can avoid the risks by introducing rigorous standards for design, deployment and governance.

Avoid the risks of customizing SharePoint Online

Like any kind of technology best practice, customization of SharePoint Online involves technical responsibilities as well as people and process management.

People and process

SharePoint Online’s user interface is easy to customize: if permissions allow them, end users can change the look and feel of sites and they can introduce third-party apps from the app store. Developers are also able to introduce apps which have not been tested or which may not be safe. It is therefore essential that you implement strict and rigorous governance procedures which ensure that apps are only deployed once they have been approved by qualified and responsible staff. This will limit the risks of dangerous and insecure customizations being implemented (read more in our guide here).

Technical responsibilities

For more complicated customization, it is highly advisable that you perform regular checks on the quality of any code, both before it is added to your environment and once it is online, to ensure it continues to run smoothly alongside any new updates from Microsoft. Your tests need to review upgradability, SPO feature deprecations, supportability, security and memory leaks.

Peace of mind when customizing SharePoint Online

Customizing SharePoint Online offers many benefits. However, if your customizations are not secure, you face a range of risks, from poor user experience to the potential of being hacked. The nature of cloud services, and of SharePoint in particular, is that every user can customize. This means that Citizen Developers may unknowingly introduce insecure customizations.

Enter Rencore’s new product

Keep an eye out for our new tool coming soon! It provides analysis of your live customizations within SharePoint Online, discovers any discrepancies in the code, and instantly informs you.


Tobias Zimmergren

Tobias is Head of Technical Operations, and is responsible for the cloud analysis architecture of the Rencore platform. He has the lead on building a cloud platform for Rencore, where our customers can securely and easily use our tools and offerings as services on demand. For his contributions to the technical Microsoft communities as a blogger, speaker, and developer, Tobias has been a recipient of the Microsoft MVP award since 2008.