SharePoint Customization versus Application

Since I started working with SharePoint, what seems like a lifetime ago now, people have wanted to extend or customize it in many ways, from writing full-trust C# code to hacking the user interface with JavaScript injection. The goal is either to add new functionality, to extend an existing feature or component, or to make SharePoint function differently.

As versions have changed and with the release of cloud services, the same need is there. At some point, the organization has an inherent need to modify the out-of-the-box capabilities to suit its needs. When an organization reaches that point, the question of how to make the modifications or how to extend an existing feature becomes a priority. Too often we all associate these changes with developers, simply because for the most part they have required code changes. As part of this, I have noticed that there seem to be three different types of modifications that are needed. The first is extending or adding functionality to existing features or components. The second is branding of the sites. The last is building what we term applications, which use SharePoint as a presentation layer and its core components to render data.

 

What does the word “Application” mean?
Now don’t get me wrong, I do like the word “Customization,” as I think it explains quite well what it is. However, I would argue the case that a “Customization” is, in fact, an “Application.” Now don’t argue with me yet, let’s look at the definition of the word “Application.”

“A program or piece of software designed to fulfill a particular purpose.” – https://en.oxforddictionaries.com/definition/application

Surely with this definition, items such as full-trust C# code solutions (WSP), JavaScript injection (Scripts, Script Editor Web Parts), Add-ins and SharePoint Framework (SPFx), as well as custom branding, can be defined as an “Application.”

If this is the case, then we no longer create customizations, but applications that may be small or large depending on the business need. When we think of customizations this way, we start to understand the importance of those small changes that have been made, which may seem insignificant to us but are mission-critical to the business users. It also means that a JavaScript customization can be just as significant as a fully developed InfoPath form (not that you are using them), a workflow, a Flow or even a PowerApp.

We need to shift our understanding of this and start to realize that Data Protection, Security and Access Control should become part of these enhancements.

 

We don’t have any customizations or applications in SharePoint
For too long, organizations have been in denial that end users have “Applications”, or to use the other word, “Customizations”, in their SharePoint sites. As a consultant, I have tried to explain time and time again that end users will modify the user experience as they see fit, based on their permissions. I have yet to find a SharePoint environment that does not have modifications made to it in one way or another. Whether these are paid applications, fully developed applications, modifications made directly to the site, or even JavaScript added directly into web parts or pages, they always exist somewhere.

So, if end users are making these changes, then IT and Security teams within an organization need to be aware of them, and to analyze and monitor them. Within SharePoint Online there is currently no mechanism for this. PowerShell can be run to iterate all sites and find specific web parts on a page, for example, but that would require PowerShell knowledge as well as the manual execution of any scripts. You could also manually review each page or utilize 3rd party components to execute frequent audits for applications.

In its most basic form, manual or automatic tools or management scripts should be used to control access and data, to monitor these applications, and to provide controlled testing and deployment. No longer can you as an organization expect that these applications or users are managing security correctly, or even controlling the flow of data or content.

An even better approach is to utilize tooling that can perform the discovery and analysis, provide review, and then monitor the applications easily. Tooling will allow an organization to spend time doing what it does best, without having to worry about the applications within the SharePoint Online sites. By using an automatic tool, IT, Security and end users have the assurance that applications are validated, constantly checked and protected from any potential risks.

Now is the time for organizations to provide mechanisms, whether through IT support, Security Teams or 3rd party tools, that will help control the applications that inevitably exist out of necessity.

Liam Cleary

Liam began his career as a Trainer of all things computer related. He quickly realized that programming, breaking, and hacking was a lot more fun. He spent the next few years working within core infrastructure and security services until he found SharePoint. He is the founder and owner of SharePlicity, a consulting company that focuses on all areas of Technology. His role within SharePlicity is to help organizations implement technology that will enhance internal and external collaboration, document and records management, automate business processes and of course security controls and protection. Liam also serves as the Product Owner for Security at Rencore, where he is helping to develop offerings that help organizations further understand and mitigate security and compliance risks within SharePoint and Office 365 customizations. His core focus is to identify, control and protect whether they are full-fledged customizations or out-of-the-box Office 365 functionality. He is also a twelve-time Microsoft MVP focusing on Architecture but also crosses the boundary into Development. His specialty over the past few years has been security in SharePoint and its surrounding platforms. He can often be found at user groups or conferences speaking, offering advice, spending time in the community, teaching his kids how to code, Raspberry Pi programming, hacking the planet or building Lego robots.
