Expand Up @@ -12,115 +12,56 @@ ms.localizationpriority: medium

# Restrict UDF code access security permissions

If you do not want a particular user-defined function (UDF) assembly to run with full trust, you must explicitly restrict code access security permissions for it. You can configure code groups and restrict permissions by using the .NET Framework 2.0 Configuration tool.



> **Legacy guidance notice**
>
> This article applies only to legacy environments using **SharePoint Server 2010/2013 Excel Services** and **.NET Framework 2.0–3.5 Code Access Security (CAS)**.
> CAS, code groups, and the .NET Framework Configuration tool are **deprecated and not supported in .NET Framework 4+ or modern SharePoint/Excel platforms**.
>
> For modern solutions, use service-level security, APIs, and OS/network isolation instead of assembly-level permission configuration.

If you do not want a particular user-defined function (UDF) assembly to run with full trust, you must explicitly restrict code access security permissions for it. You can configure code groups and restrict permissions by using the .NET Framework 2.0 Configuration tool.

For example, imagine a scenario where you have a UDF assembly that contains multiple methods. One of the UDF methods performs a custom calculation, and another UDF method in the same assembly calls a Web service to obtain stock quotes. Because your users only use Excel workbooks that call the first (calculation) method, you might want to disable the assembly from having Web access, for increased security.
You have the UDF assembly installed in a folder on the server at C:\\UdfAssemblies\\CalcAndWebAccessUdf.dll. Because the assembly is on the same computer as Microsoft SharePoint Server 2010, when Excel Calculation Services loads the UDF assembly, it is loaded in the MyComputer zone. By default, the MyComputer zone is fully trusted. This means that the UDF assembly is granted full trust permission.



You have the UDF assembly installed in a folder on the server at C:\\UdfAssemblies\\CalcAndWebAccessUdf.dll. Because the assembly is on the same computer as Microsoft SharePoint Server 2010, when Excel Calculation Services loads the UDF assembly, it is loaded in the MyComputer zone. By default, the MyComputer zone is fully trusted. This means that the UDF assembly is granted full trust permission.

To lock down the UDF assembly so that it cannot have Web access, you must explicitly restrict the permission set that it is granted by following these steps:
1. Create a new URL-based code group under My_Computer_Zone at the Machine level. Scope the code group to that specific assembly and create a custom permission set.


2. Configure the custom code group properties so that your policy level has only the permissions from the permission set that is associated with the custom code group. When Excel Calculation Services loads a UDF assembly that resides on the same computer, the assembly is loaded in the MyComputer zone. This means that by default, the UDF assembly is granted full trust. When the custom permission set intersects with the full trust permission set, the result is full trust. To make it so that the a policy has only the permission from the permission set that is associated with your custom code group, you must enable the **This policy level will only have the permissions from the permission set associated with this code group** property.


For more information about configuring code groups, see the following articles on MSDN:
- [Configuring Code Groups Using the .NET Framework Configuration Tool](https://msdn.microsoft.com/library/default.asp?url=/library/cpguide/html/cpconUsingNETConfigurationToolToWorkWithCodeGroups.asp?frame=true) (https://msdn.microsoft.com/library/default.asp?url=/library/cpguide/html/cpconUsingNETConfigurationToolToWorkWithCodeGroups.asp?frame=true)


- [Code Access Security in Practice](https://msdn.microsoft.com/library/default.asp?url=/library/dnnetsec/html/thcmch08.asp) (https://msdn.microsoft.com/library/default.asp?url=/library/dnnetsec/html/thcmch08.asp)



### To create a new code group


1. Click **Start**, point to **All Programs**, point to **Administrative Tools**, and then click **Microsoft .NET Framework 2.0 Configuration**.

1. Click **Start**, point to **All Programs**, point to **Administrative Tools**, and then click **Microsoft .NET Framework 2.0 Configuration**.
This starts the **.NET 2.0 Framework Configuration** tool.


2. In the left pane, expand the **My Computer** node, and then expand the **Runtime Security Policy** node.


2. In the left pane, expand the **My Computer** node, and then expand the **Runtime Security Policy** node.
3. Expand the **Machine** node.


4. Expand the **Code Groups** node.


5. Expand the **All_Code** node.


6. Expand the **My_Computer_Zone** node.Right-click **My_Computer_Zone** and then select **New** to display the **Identify the new Code Group** dialog box.


7. Select **Create a new code group**.


8. In the **Name** field, type a name for the new code group, for example,RestrictWebAccessUdf.


9. Click **Next**.


10. To scope the code group to your specific UDF assembly, select **URL** from the **Choose the condition type for this code group**.

This displays the **URL** field.


11. In the **URL** field, type the path to the UDF assembly for which you want to restrict access to the Web, for example,C:\\UdfAssemblies\\CalcAndWebAccessUdf.dll.


12. Click **Next**.


13. Select **Create a new permission set**, and then click **Next**.


14. In the **Name** field, type a name for your permission set, for example,AssemblyExecutionCustomPermissionSet.


15. Click **Next**.


16. To give your UDF assembly "assembly execution" permission, select **Security** from the **Assembly Permissions** list, and then click **Add**.

16. To give your UDF assembly "assembly execution" permission, select **Security** from the **Assembly Permissions** list, and then click **Add**.
This displays the **Permission Settings** dialog box.


17. Select **assemblies the following security permissions**.


18. Select **Enable assembly execution**.


19. Click **OK**, and then click **Next**.


20. Click **Finish**.

You should see your new custom code group under the **My_Computer_Zone** node (in this example, **RestrictWebAccessUdf**).



### To make sure that the permission sets are executed


1. Under the **My_Computer_Zone** node, right-click the new custom code group (in this example, **RestrictWebAccessUdf**), and then select **Properties**.


2. On the **General** tab, select the **This policy level will only have the permissions from the permission set associated with this code group** check box.


2. On the **General** tab, select the **This policy level will only have the permissions from the permission set associated with this code group** check box.
3. Click **Apply**, and then click **OK**.

> [!NOTE]
> If the UDF method throws an exception because it cannot make the Web service call, you should receive a **#VALUE!** error in the Excel formula that called the UDF.

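Review bot: the new legacy notice at the top of this article is a bold pseudo-heading inside a plain blockquote, while the same file already uses the docs alert syntax (`> [!NOTE]` before the #VALUE! remark at the end); use `> [!IMPORTANT]` or `> [!WARNING]` with the same body so it renders as a proper callout. Since this hunk already rewrites most of the article for spacing, also fix the pre-existing typos that survive in the context lines: "the a policy has only the permission" in step 2 of the overview, the missing space in "**My_Computer_Zone** node.Right-click", the missing space after "for example," in steps 8, 11 and 14 of the first procedure, and step 17 "Select **assemblies the following security permissions**", which reads as though a word was dropped before "assemblies".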
19 changes: 12 additions & 7 deletions docs/general-development/how-tos-for-sharepoint.md
Expand Up @@ -11,6 +11,12 @@ ms.localizationpriority: high

Find how-to articles and related code examples that show how to perform basic development tasks in SharePoint, including how to set up your development environment and start building sites, SharePoint Framework and SharePoint Add-ins.

> **Important notice: SharePoint Add-ins are deprecated**
>
> SharePoint Add-ins (including provider-hosted and SharePoint-hosted add-ins) are a legacy development model. They are no longer recommended for new development and have been largely superseded by SharePoint Framework (SPFx), Microsoft Graph, and Microsoft 365 development patterns.
>
> This page includes both modern SharePoint Framework (SPFx) guidance and legacy SharePoint Add-in content for reference purposes only. For new solutions, use SPFx and Microsoft 365 developer services instead.

## Getting started how-tos for SharePoint Framework

|Title|Summary|
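
Review bot: the deprecation notice is written as a bold title inside a plain blockquote; the alert syntax used elsewhere in this PR (`> [!NOTE]` in the UDF article) renders as a callout, so prefer `> [!IMPORTANT]` here. The notice also names SPFx, Microsoft Graph and Microsoft 365 as the replacements without linking to any of them; a link to the SPFx getting-started section immediately below would give readers the next step instead of leaving them on a deprecated-content page.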
Expand Down Expand Up @@ -65,7 +71,6 @@ Find how-to articles and related code examples that show how to perform basic de

|Title|Summary|
|:-----|:-----|
| [Add license checks to your apps for Office](https://msdn.microsoft.com/library/fp161347.aspx) |Learn how to add code to your Office Add-in that checks the validity of a user's app license, and takes action based on the app license properties. Load test app license tokens to test your license checking code. |
| [Add license checks to Office and SharePoint Add-ins](/office/dev/store/add-license-checks-to-office-and-sharepoint-add-ins) |Learn how to add code to your SharePoint Add-in that checks the validity of a user's app license, and takes action based on the app license properties. Load test app license tokens to test your license checking code. |

## Setting up your dev environment how-tos for developing sites and solutions in SharePoint
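
Review bot: removing the "Add license checks to your apps for Office" row is the right call: its target `fp161347.aspx` is the same MSDN ID that the two image-rendition rows further down also pointed at, so it was never a valid per-article link, and the remaining row already covers both Office and SharePoint Add-ins. The deletion leaves this table with a single row, though; if the Add-ins notice above means this content is kept for reference only, say so in the text above the table rather than leaving a one-row table with no explanation.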
Expand Down Expand Up @@ -106,7 +111,7 @@ Find how-to articles and related code examples that show how to perform basic de
|Title|Summary|
|:-----|:-----|
| [Use code to pin terms to navigation term sets in SharePoint](how-to-use-code-to-pin-terms-to-navigation-term-sets-in-sharepoint.md) |Learn how to use code to pin terms to navigation term sets. |
| [Create device channels in SharePoint](https://msdn.microsoft.com/library/339c7dba-95ee-46e0-8c76-0fe1adb6f366.aspx) |Learn how to create a device channel, change a device channel, delete a device channel, and reorder device channels in SharePoint. |
| [Create device channels in SharePoint](/sharepoint/dev/general-development/sharepoint-design-manager-device-channels#create) |Learn how to create a device channel, change a device channel, delete a device channel, and reorder device channels in SharePoint. |
| [Map a network drive to the SharePoint Master Page Gallery](how-to-map-a-network-drive-to-the-sharepoint-master-page-gallery.md) |Learn how to map a network drive to the Master Page Gallery so that you can use Design Manager to upload design files in SharePoint. |
| [Convert an HTML file into a master page in SharePoint](how-to-convert-an-html-file-into-a-master-page-in-sharepoint.md) |With Design Manager, you can convert an .html file into a SharePoint master page, a .master file. After the conversion, the HTML file and master page are associated, so that when you edit and save the HTML file, the changes are synced to the associated master page. |
| [Apply a master page to a site in SharePoint](how-to-apply-a-master-page-to-a-site-in-sharepoint.md) |Learn how to map a master page to a SharePoint site. |
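
Review bot: the replacement link for "Create device channels in SharePoint" is a site-absolute path (`/sharepoint/dev/general-development/sharepoint-design-manager-device-channels#create`), whereas every other in-repo article in this table is linked by its relative file name, for example `how-to-map-a-network-drive-to-the-sharepoint-master-page-gallery.md`. If `sharepoint-design-manager-device-channels.md` lives in the same folder, link it as `sharepoint-design-manager-device-channels.md#create` so the repo's link validation can check both the file and the fragment. Also confirm that the target heading really produces the `create` anchor; a wrong fragment fails silently and just lands at the top of the page.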
Expand All @@ -118,8 +123,8 @@ Find how-to articles and related code examples that show how to perform basic de
| [Add a web part zone snippet in SharePoint](how-to-add-a-web-part-zone-snippet-in-sharepoint.md) |A web part zone is a snippet that you can add to a page layout so that content authors can add, edit, or delete web parts in that zone. |
| [Add a Security Trim snippet in SharePoint](how-to-add-a-security-trim-snippet-in-sharepoint.md) |You can use a Security Trim snippet to display content only to specific users, based on a specific permission that those users must have and whether the users are authenticated or anonymous. |
| [SharePoint Design Manager image renditions](sharepoint-design-manager-image-renditions.md) |Learn how to create, edit, or delete image renditions. An image rendition defines the dimensions that are used to display images in SharePoint publishing sites. |
| [Add an image rendition to a page in SharePoint](https://msdn.microsoft.com/library/fp161347.aspx) |Learn how to use image renditions in a SharePoint publishing site. |
| [Crop an image rendition in SharePoint](https://msdn.microsoft.com/library/fp161347.aspx) |Learn how to specify the portion of the image to use in an image rendition. |
| [Add an image rendition to a page in SharePoint](/sharepoint/dev/general-development/sharepoint-design-manager-image-renditions#add-an-image-rendition) |Learn how to use image renditions in a SharePoint publishing site. |
| [Crop an image rendition in SharePoint](/sharepoint/dev/general-development/sharepoint-design-manager-image-renditions#crop-an-image-rendition) |Learn how to specify the portion of the image to use in an image rendition. |

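Review bot: the same consistency point applies to the two image-rendition rows: the row directly above them already links `sharepoint-design-manager-image-renditions.md` relatively, so `sharepoint-design-manager-image-renditions.md#add-an-image-rendition` and `sharepoint-design-manager-image-renditions.md#crop-an-image-rendition` keep the table uniform and let the link checker validate the fragments. Worth recording in the PR description that both old targets were `fp161347.aspx`, the MSDN license-check article, so these rows pointed at the wrong page entirely, not merely at a retired host.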
## Workflow how-tos for SharePoint

Expand All @@ -135,8 +140,8 @@ Find how-to articles and related code examples that show how to perform basic de
| [Read and write to the social feed by using the REST service in SharePoint](how-to-learn-to-read-and-write-to-the-social-feed-by-using-the-rest-service-in-s.md) |Create a SharePoint-hosted app that uses the REST service to publish a post and get the personal feed for the current user. |
| [Create and delete posts and retrieve the social feed by using the .NET client object model in SharePoint](how-to-create-and-delete-posts-and-retrieve-the-social-feed-by-using-the-net-cli.md) |Learn how to create and delete microblog posts and retrieve social feeds by using the SharePoint .NET client object model. |
| [Create and delete posts and retrieve the social feed by using the JavaScript object model in SharePoint](how-to-create-and-delete-posts-and-retrieve-the-social-feed-by-using-the-javascr.md) |Learn how to create and delete microblog posts and retrieve social feeds by using the SharePoint JavaScript object model. |
| [Include mentions, tags, and links to sites and documents in posts in SharePoint](how-to-include-mentions-tags-and-links-to-sites-and-documents-in-posts-in-sharep.md) |Learn how to add [SocialDataItem](https://msdn.microsoft.com/library/Microsoft.SharePoint.Client.Social.SocialDataItem.aspx) objects to microblog posts, which render as mentions, tags, or links in SharePoint social feeds. |
| [Embed images, videos, and documents in posts in SharePoint](how-to-embed-images-videos-and-documents-in-posts-in-sharepoint-server.md) |Learn how to add [SocialAttachment](https://msdn.microsoft.com/library/Microsoft.SharePoint.Client.Social.SocialAttachment.aspx) objects to microblog posts, which render as embedded pictures, videos, and documents in SharePoint social feeds. |
| [Include mentions, tags, and links to sites and documents in posts in SharePoint](how-to-include-mentions-tags-and-links-to-sites-and-documents-in-posts-in-sharep.md) |Learn how to add [SocialDataItem](/previous-versions/office/sharepoint-csom/jj164135(v=office.15)) objects to microblog posts, which render as mentions, tags, or links in SharePoint social feeds. |
| [Embed images, videos, and documents in posts in SharePoint](how-to-embed-images-videos-and-documents-in-posts-in-sharepoint-server.md) |Learn how to add [SocialAttachment](/previous-versions/office/sharepoint-csom/jj163900(v=office.15)) objects to microblog posts, which render as embedded pictures, videos, and documents in SharePoint social feeds. |
| [Follow people by using the .NET client object model in SharePoint](how-to-follow-people-by-using-the-net-client-object-model-in-sharepoint.md) |Learn how to work with Following People features by using the SharePoint .NET client object model. |
| [Follow people by using the JavaScript object model in SharePoint](how-to-follow-people-by-using-the-javascript-object-model-in-sharepoint.md) |Learn how to work with Following People features by using the SharePoint JavaScript object model. |
| [Follow documents and sites by using the .NET client object model in SharePoint](how-to-follow-documents-and-sites-by-using-the-net-client-object-model-in-sharep.md) |Learn how to work with Following Content features by using the SharePoint .NET client object model. |
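
Review bot: the new `SocialDataItem` and `SocialAttachment` links embed previous-versions IDs (`jj164135` and `jj163900`) that cannot be checked from the diff, and the old MSDN URLs encoded the full class names while the new ones do not; please confirm in a browser that each ID resolves to the named class and not to a neighbouring page. A site-absolute `/previous-versions/...` path is appropriate for these rows because the API reference pages are not part of this repo.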
Expand Down Expand Up @@ -192,7 +197,7 @@ Find how-to articles and related code examples that show how to perform basic de
|Title|Summary|
|:-----|:-----|
| [Create a claims provider in SharePoint](how-to-create-a-claims-provider-in-sharepoint.md) |Learn how to create and implement a SharePoint claims provider that fulfills the requirements for claims augmentation and claims picking. |
| [Deploy a claims provider in SharePoint](how-to-deploy-a-claims-provider-in-sharepoint.md) |Learn how to deploy a SharePoint claims provider by using the features infrastructure and creating a class that inherits from [SPClaimProviderFeatureReceiver](https://msdn.microsoft.com/library/Microsoft.SharePoint.Administration.Claims.SPClaimProviderFeatureReceiver.aspx). |
| [Deploy a claims provider in SharePoint](how-to-deploy-a-claims-provider-in-sharepoint.md) |Learn how to deploy a SharePoint claims provider by using the features infrastructure and creating a class that inherits from [SPClaimProviderFeatureReceiver](/previous-versions/office/sharepoint-server/ee559827(v=office.15)). |

## See also

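Review bot: the same verification is needed for `SPClaimProviderFeatureReceiver` (`ee559827(v=office.15)`): the ID is not checkable from the hunk, and the previous URL carried the full namespace `Microsoft.SharePoint.Administration.Claims.SPClaimProviderFeatureReceiver`, which the new one drops, so confirm the target resolves to that class before merging.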