Allowing custom script has its security implications. But what exactly does it mean? Is it dangerous? My colleauge Daniel and me have done a little experiment. There are two implications stated on MS Docs: Scripts have access to everything the user has access to. Scripts can access content across several Office 365 services and even beyond with Microsoft Graph integration. To summarize, we can look at that picture: So the risk that user 1 (the Blue User) intentionally or unintentionally places a script and lets user 2 (the Red User) run this script by linking to the page that has this script.