Self-service deployment FAQ


Functionality noted in this article will be made available to users based on the geographic location recognized by Microsoft Azure.

This article provides answers to some frequently asked questions about self-service deployment. Refer to the known issues list if your scenario is not listed here.

Why do I see only application version 8.1.1 and Platform update 21 and above when I try to deploy my sandbox environment using self-service deployment?

Currently, self-service deployment supports only application version 8.1.1 with Platform update 21 and above.

My development environment is on application version 8.1. Am I still able to move my customization to the sandbox environment?

Yes. Application version 8.1.1 is fully backward compatible with application 8.1.

What is the minimum supported application and platform version when trying to use the self-service deployment?

Application version 8.1 with Platform update 20 is the minimum supported version.

What do I do if deployment fails?

  1. Delete the deployment.
  2. If you want to reuse the same environment name, wait 5 minutes and try again. Otherwise, retry deploying with a new name.
  3. If deployment fails again, log a Support ticket.


Microsoft will add automatic retry logic in an upcoming release and make logs available.

What if my deployment fails with an “environment already exists” error?

You may be trying to reuse the environment name of a deployment that you just deleted. Wait 5–10 minutes before retrying the deployment.

I don't have Remote Desktop access to my sandbox environment. How do I perform critical actions that require Remote Desktop access today?

Although you will no longer have Microsoft Remote Desktop access, you can continue to operate your Tier 2+ sandbox environments, because Microsoft is providing self-service capabilities and tools that you can use to perform the common critical actions that are described here.

Access the Azure SQL database

You can access the Microsoft Azure SQL database by following these steps.

  1. From LCS, add a safe list of the IP address of the machine that you will use to connect to the Azure SQL database using SQL Management Studio.
  2. Use LCS to request access to see the database credentials. You must provide a reason for requesting access.

As soon as you submit the request, it's automatically approved. Within a minute or two, you will be able to see the database access credentials on the LCS environment details page. You can use the credentials to connect to the SQL database.


The credentials are valid for eight hours, and then they will expire. After the credentials expire, you will have to request access again.

Access log files

You can view and download all log files from the Activity tab on the LCS environment monitoring page.

Use perfmon tools

Although you can no longer use Remote Desktop and then use perfmon.exe to diagnose performance issues, you can monitor critical health metrics for CPU and memory consumption through LCS. In addition, you can run predefined queries on demand, and you can run predefined actions to mitigate performance issues on your Tier 2+ environments.

Access self-service logs

All logs that are related to self-service operations that are performed on the environment through LCS are available for download from LCS. These self-service operations include deployment, servicing, and database movement. You can download the log folders from the LCS environment history page.

Turn Maintenance mode on/off

Starting in the January 2019 release, you will be able to turn Maintenance mode in your environment on and off through a self-service action in LCS.

Restart services

Starting in the January 2019 release, you will able to restart services through a self-service action in LCS.

Configure the Regression suite automation tool

Microsoft is working on tooling that will let you update certificate thumbprints in the wif.config file without having to use Remote Desktop. This tooling is scheduled for release in February 2019. If you must use the Regression suite automation tool before then, log a support request.

I must perform one of the critical actions that are listed earlier in this article, but the self-service feature isn't yet available. How do I get help?

Log a support ticket, and Microsoft will help you perform the action on your environment.

I don't have Remote Desktop access to my sandbox environment, and the critical action that I must perform isn't listed in this article. How do I get help?

If your critical action isn't listed earlier in this article, add a comment to this article or log a documentation bug, and Microsoft will address your requirement.

What regions are supported on self-service in North America?

We currently only support the following regions in North America.

  • East US
  • West US
  • Central US


    Central US is no longer being provided as an option for self-service migrations beginning April 1, 2021.

For more information about region availability, see International availability of Dynamics 365.

My environments are currently in the regions that are no longer supported. How will this change affect me?

Projects that have been onboarded on or after August 1, 2020 are no longer supported in the following regions:

  • East US2
  • West US2
  • West Central US
  • North Central US
  • South Central US


This will not affect any environments that have their data stored in the deprecated regions before August 2020. There is a transition plan to move customers in the deprecated regions into other regions. For a list of the latest supported regions, see International availability of Dynamics 365.

  • With all self-service migrations, we are changing the outbound IP addresses in regions where your environments are hosted. New outbound IP addresses are available, so you must add them before your upcoming self-service migrations. For more information about IP addresses, see For my Microsoft-managed environments, I have external components that have dependencies on an explicit outbound IP safe list. How can I ensure my service is not impacted after the move to self-service deployment?.
  • If you have any integrations or other dependencies that are latency-driven and have questions regarding how the change in regions will impact that, please contact Microsoft Support.
  • Central US is no longer an option for self-service migrations. If a customer plans to leverage dual-write functionality, virtual entities, or any finance and operations apps add-ins that have dependencies on Dataverse, keep in mind that Dataverse is not supported in Central US. There are currently no plans to support Dataverse in Central US in the foreseeable future. For continued functionality of features in a supported region, we will plan to move your environment to East US or West US instead of Central US.
  • If you have a project which has a few environments using self-service capabilities in Central US and others in North Central, South Central or West Central, the rest of the IaaS environments can still be moved to East or West US as part of migrations. For the environments already on Service Fabric and in Central US, please contact Microsoft Support to get them moved to East/West US based on your preference.
  • Please review all the Azure resources in your current region and assess if they need to be co-located to the new region in preparation for the upcoming changes as part of migrations.
  • If you have questions about data movement related to cross-region migrations, see The source and target are on different infrastructure (Microsoft-managed vs. self-Service).

For my Microsoft-managed environments, I have external components that have dependencies on an explicit outbound IP safe list. How can I ensure my service is not impacted after the move to self-service deployment?

With self-service migrations, we are changing the outbound IP addresses in regions where your environments are hosted. New outbound IP addresses are available so you can add them in preparation for the upcoming self-service migrations or post migrations.

  • If none of your external components have dependencies on an explicit inclusion list of IPs or special handling of outbound IP addresses for routing or firewall, no action is required.
  • If any of your external components have special handling for the outbound IP addresses to communicate to the AOS, add the new outbound IP addresses where the existing ones appear. Don’t replace the existing IP addresses. You can find the new outbound IP addresses in the following list. For example, an outbound IP address may be explicitly included in a firewall outside your AOS, or an external service may have an allowed list that contains the outbound IP address for your AOS.

The inbound IP address to the AOS is dynamic. This can, and will, change over time as infrastructure changes occur.


The outbound IP address from the AOS will be an IP address from the listed ranges based on the Azure region of your deployment. The specific outbound IP address may vary across outbound requests, even from within the same session.

Geography Azure region IP prefixes1
Asia Pacific East Asia
Asia Pacific Southeast Asia
Australia Australia East
Australia Australia Southeast
Azure Government US Gov Texas2
Azure Government US Gov Virginia
Brazil Brazil South
Canada Canada Central
Canada Canada East
China China East 2
China China North 2
Europe North Europe
Europe West Europe
France France Central
France France South2
India India Cental
India India South
Japan Japan East
Japan Japan West
South Africa South Africa North
South Africa South Africa West2
Switzerland Switzerland North
Switzerland Switzerland West2
United Arab Emirates UAE North
United Kingdom UK South
United Kingdom UK West
United States Central US
United States East US
United States West US

1 For Azure regions with multiple IP prefixes, such as West Europe, outbound requests will utilize IP addresses from any of the listed IP prefixes.

2 Denotes a BCDR-only Azure region. Outbound requests will only originate from this region in disaster recovery scenarios that require regional failover within the geography.

What does the downtime look like for self-service migrations?

Self-service migration for any environment takes three hours of 100% downtime, with a six-hour pre-migration window leading up to the actual migration downtime of 3 hours. The environment will be available with limited servicing capabilities during the six-hour pre-migration window, but will be completely unavailable in the three-hour migration window. We recommend that customers do not schedule any servicing activity, like package deployment, during the pre-migration window because it will interfere with migrations and will trigger a migration cancellation.

Is there a potential impact on the environment's certificates?

Yes, if you are migrating from the previous non self-service deployment, your environment’s certificate may be renewed due to infrastructure differences. Determine if there is any dependence on the certificates in your solution/integration and perform the needed actions after the migration.