Since I started working with SharePoint, what seems like a lifetime ago now, people have wanted to extend or customize it in many ways, from writing full-trust C# code to hacking the user interface with JavaScript injection. The goal of this is either to add new functionality or to extend an existing feature or component, to make SharePoint function differently.
As versions have changed and cloud services have been released, the same need is there. At some point the organization has an inherent need to modify the out-of-the-box capabilities to suit its needs. When an organization reaches that point, the question of how to make the modifications or how to extend an existing feature becomes a priority. Too often we all associate these changes with developers, simply because for the most part they have required code changes. As part of this, I have noticed that there seem to be three different types of modifications that are needed. The first is extending or adding functionality to existing features or components. The second is branding of the sites, and the last is building what we term applications, which use SharePoint as a presentation layer and core components to render data.
Now don’t get me wrong, I do like the word “Customization,” as I think it explains quite well what it is. However, I would argue the case that a “Customization” is, in fact, an “Application.” Now don’t argue with me yet, let’s look at the definition of the word “Application.”
A program or piece of software designed to fulfill a particular purpose (English Oxford Dictionaries, 2018).
Surely with this definition, items such as full-trust C# code solutions (WSP), JavaScript injection (Scripts, Script Editor Web Parts), Add-ins and SharePoint Framework (SPFx) as well as custom branding can be defined as an “Application.”
If this is the case, then we no longer create customizations, but applications that may be small or large depending on the business need. When we think of customizations this way, we start to understand the importance of those small changes that have been made, which may seem insignificant to us but are mission critical to the business users. It also means that a JavaScript customization can be just as significant as a fully developed InfoPath form (not that you are using them), a workflow, a Flow or even a PowerApp.
We need to shift our understanding of this and start to realize that Data Protection, Security and Access Control should become part of these enhancements.
For too long, organizations have been in denial that end users have “Applications”, or to use the other word, “Customizations”, in their SharePoint sites. As a consultant, I have tried to explain time and time again that end users will modify the user experience as they see fit based on their permissions. I have yet to find a SharePoint environment that does not have modifications made to it in one way or another. Whether these are paid applications, fully developed applications, modifications made directly to the site, or even JavaScript added directly into web parts or pages, they always exist somewhere.
So, if end users are making these changes, then IT and Security teams within an organization need to be aware of them, and to analyze and monitor them. Within SharePoint Online there is currently no mechanism for this. PowerShell can be run to iterate all sites and find specific web parts on a page, for example, but that requires PowerShell knowledge as well as manual execution of the scripts. You could also manually review each page or use third-party components to run frequent audits for applications.
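The PowerShell approach mentioned above, as an added sketch that is not the author's script: it walks every site collection and records classic Script Editor and Content Editor web parts found on pages in the Site Pages library. It assumes the PnP.PowerShell module and an account with access to the sites; the tenant URL, client ID and output path are placeholders.

```powershell
# Added example: inventory classic Script Editor / Content Editor web parts.
# Assumes the PnP.PowerShell module; the three values below are placeholders.
$AdminUrl = 'https://contoso-admin.sharepoint.com'
$ClientId = '<entra-app-client-id>'
$OutFile  = '.\webpart-inventory.csv'
$Pattern  = 'ScriptEditorWebPart|ContentEditorWebPart'   # types that can carry script
$Findings = [System.Collections.Generic.List[object]]::new()

Connect-PnPOnline -Url $AdminUrl -Interactive -ClientId $ClientId
$Sites = Get-PnPTenantSite

foreach ($Site in $Sites) {
    try {
        Connect-PnPOnline -Url $Site.Url -Interactive -ClientId $ClientId
        # 'SitePages' is the library's site-relative URL (its title may be localized)
        $Pages = Get-PnPListItem -List 'SitePages' -PageSize 500 -ErrorAction Stop
    } catch {
        # No access or no Site Pages library: record the gap instead of hiding it
        $Findings.Add([pscustomobject]@{
            Site = $Site.Url; Page = ''; Title = ''; Type = ''
            Note = "skipped: $($_.Exception.Message)" })
        continue
    }
    foreach ($Page in $Pages) {
        $PageUrl = $Page['FileRef']
        if ($PageUrl -notlike '*.aspx') { continue }
        try {
            $Parts = Get-PnPWebPart -ServerRelativePageUrl $PageUrl -ErrorAction Stop
        } catch { continue }   # could not read web parts from this page; move on
        foreach ($Part in $Parts) {
            # Match on the exported type, not the title, because titles can be renamed.
            # Web parts that cannot be exported return nothing and are not matched.
            $Xml = Get-PnPWebPartXml -ServerRelativePageUrl $PageUrl `
                       -Identity $Part.Id -ErrorAction SilentlyContinue
            if ($Xml -match $Pattern) {
                $Findings.Add([pscustomobject]@{
                    Site = $Site.Url; Page = $PageUrl
                    Title = $Part.WebPart.Title; Type = $Matches[0]; Note = '' })
            }
        }
    }
}
$Findings | Export-Csv -Path $OutFile -NoTypeInformation
```

Rows marked "skipped" are sites the account could not read, so they still need a manual review or a rerun with access granted.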
In its most basic form, manual or automated processes, tools or management scripts should be used to control access and data, to monitor these applications, and to provide controlled testing and deployment. No longer can you as an organization expect that these applications or users are managing the security correctly, or even controlling the flow of data or content.
An even better approach is to use tooling that can perform the discovery and analysis, provide review and then monitor the applications easily. Tooling will allow an organization to spend time doing what it does best, without having to worry about the applications within the SharePoint Online sites. By using an automated tool, IT, Security and end users have the assurance that applications are validated, constantly checked and protected from any potential risks.
Now is the time for organizations to provide mechanisms, whether through IT support, Security teams or third-party tools, that will help control the applications that inevitably exist out of necessity.
I recommend taking a look at the free report “How SharePoint administrators manage their environments and solutions”, authored by Microsoft MVP Waldek Mastykarz. It raises awareness of current administrator practices and trends in relation to SharePoint and Office 365.
Reference: English Oxford Dictionaries, 2018, English Oxford Living Dictionaries [online] https://en.oxforddictionaries.com. Available at: https://en.oxforddictionaries.com/definition/application [Accessed 5 Sep. 2018].
This blog post was originally posted on Liam’s blog