SharePoint Extensibility: What's New and What's Coming
SharePoint API surface
The selected permissions in Microsoft Graph are now complete:
- Sites.Selected: GA status
- Sites.Create.All: GA status
- Lists.SelectedOperations.Selected: GA status
- ListItems.SelectedOperations.Selected: GA status
- Files.SelectedOperations.Selected: GA status
Sites.Selected and Sites.Create.All have to be granted together (alongside each other).
Make sure to define the template attribute (for now, only sync templates are implemented) – see … for reference.
Note
The app that created the site collection will automatically have full control access to the site.
Recommended site provisioning flow
- Provisioning app has the Sites.Create.All and Sites.Selected permissions
- Create the site collection and configure the site; the provisioning app has full control via Sites.Selected
- Use the /permissions endpoint to grant another app access via Sites.Selected
- Remove the provisioning app's permissions using the /permissions endpoint again
Note
Site templates / site scripts are not yet supported.
SharePoint Framework
SPFx as an extensibility framework will continue to be based on SSO and automatic code hosting. It's still super-widely used and continues to be 100% supported as a code-first framework.
New features & roadmap
- ACEs can now be used in every site via the Manage dashboard capability
- v1.22 is planned to reach GA in December 2025 (check out the documentation online for details)
  - Addressing all npm audit issues
  - Transition from Gulp to an open webpack-based toolchain orchestrated by Heft
  - Scaffolded projects use TypeScript 5.8 by default
- v1.23 is planned to reach GA in February / March 2026
  - SPFx solution templates open-sourced on GitHub
  - New open-sourced SPFx CLI replacing the existing Yeoman generator
  - Command set improvements for lists and libraries
  - New and Edit panel override support for lists and libraries
  - New debugging toolbar improving the in-page development experience
- v1.24 is planned to reach GA in May / June 2026
  - Navigation customizers to override navigation nodes and / or experiences with SPFx components
  - Other features will be shared in future roadmap updates
Things evolving
The new developer toolbar (server-side update) is coming initially in December. It will be visible when you are doing live debugging from localhost; it enables easier debugging and exposes capabilities to log a bug or get help.
Command set grouping will offer a new capability to group (and order – will be supported by List formatting) command set options into groups.
Form customizers in the Edit / New panels will offer capabilities to override the rendering of custom forms; this will also affect the details pane – and will override the grid form / grid view if we build custom forms by code.
Content Security Policy (CSP)
Note
See Blog post (https://techcommunity.microsoft.com/blog/spblog/sharepoint-online-content-security-policy-csp-enforcement-dates-and-guidance/4472662) for details and timeline
CSP improves security by governing custom SPFx-based script loading on “modern” pages: you decide which scripts are loaded and which are not:
- Using default SPFx configuration to load from SharePoint Online CDN —> always allowed
- Deploy script to an external CDN; the location is configured via the cdnBasePath property in the ./config/write-manifests.json file
- Deploy script to an external CDN; the location is configured via the externals map in config.json
We have to define the scripts in the Trusted script sources location in the SPO Admin Center.
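To find out which locations a project would need under Trusted script sources, you can scan the two settings named above for external script origins. The following is an added example, not code from the original post or from Microsoft; the function names and sample hosts are assumptions, and the inputs are the parsed JSON of ./config/write-manifests.json and ./config/config.json.

```javascript
// Constructed sample inputs: parsed ./config/write-manifests.json and
// ./config/config.json of a hypothetical SPFx project (hosts are made up).
const sampleWriteManifests = { cdnBasePath: "https://cdn.example.com/spfx/hello-world/" };
const sampleConfig = {
  externals: {
    jquery: "https://code.example.org/jquery.min.js",
    charts: { path: "https://static.example.net/libs/charts.js", globalName: "Charts" },
    "local-lib": "./src/libs/local-lib.js", // not an absolute URL, so no external origin
  },
};

// Origin of an absolute http(s) URL, or null for anything else (relative
// paths, empty values, the scaffolded "<!-- PATH TO CDN -->" placeholder).
function externalOrigin(value) {
  if (typeof value !== "string") return null;
  try {
    const url = new URL(value);
    return url.protocol === "https:" || url.protocol === "http:" ? url.origin : null;
  } catch {
    return null; // not parseable as an absolute URL
  }
}

// Collect every external script origin the project points at, together with
// the settings that reference it, sorted by origin for a stable review list.
function findExternalScriptSources(writeManifests, config) {
  const found = new Map(); // origin -> settings that reference it
  const record = (value, setting) => {
    const origin = externalOrigin(value);
    if (origin) found.set(origin, [...(found.get(origin) || []), setting]);
  };
  record(writeManifests && writeManifests.cdnBasePath, "write-manifests.json: cdnBasePath");
  const externals = (config && config.externals) || {};
  for (const [name, entry] of Object.entries(externals)) {
    // An external is either a plain string or an object carrying a "path".
    const path = typeof entry === "string" ? entry : entry && entry.path;
    record(path, `config.json: externals.${name}`);
  }
  return [...found.entries()]
    .map(([origin, settings]) => ({ origin, settings }))
    .sort((a, b) => a.origin.localeCompare(b.origin));
}

console.log(findExternalScriptSources(sampleWriteManifests, sampleConfig));
```

Each origin in the result is a candidate to review for the Trusted script sources list; a project that only uses the default SharePoint Online CDN hosting produces an empty list.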

Note
CSP can be enforced by adding the ?csp=enforced param to the URL (for the sake of demo).
CSP affects development work – eval() and setTimeout() will keep working, while other injections will automatically be blocked (unless allowed).
From March 2026, CSP will be enforced for all customers, unless there was a temporary opt-out, which delays enforcement until June 1, 2026, by using this PowerShell cmdlet:
Set-SPOTenant -DelayContentSecurityPolicyEnforcement $true
After June 1, CSP will be enforced (and can no longer be postponed) on all tenants.
Feature retirements
Warning
April 2, 2026: Add-Ins stop working, domain isolated web parts stop working DEFINITELY (as already announced a long time ago)