Share via

Plug-in isolation, trusts, and statistics


Applies To: Dynamics 365 (online), Dynamics 365 (on-premises), Dynamics CRM 2016, Dynamics CRM Online

Microsoft Dynamics 365 (online & on-premises) support the execution of plug-ins and custom workflow activities in an isolated environment. In this isolated environment, also known as a sandbox, a plug-in or custom activity can make use of the full power of the Microsoft Dynamics 365 SDK to access the organization web service. Access to the file system, system event log, certain network protocols, registry, and more is prevented in the sandbox. However, sandbox plug-ins and custom activities do have access to external endpoints like Azure Cloud Services.

Microsoft Dynamics 365 collects run-time statistics and monitors plug-ins and custom workflow activities that execute in the sandbox. If the sandbox worker process that hosts this custom code exceeds threshold CPU, memory, or handle limits or is otherwise unresponsive, that process will be killed by the platform. At that point any currently executing plug-in or custom workflow activity in that worker process will fail with exceptions. However, the next time that the plug-in or custom workflow activity is executed it will run normally. There is one worker process per organization so failures in one organization will not affect another organization.

In summary, the sandbox is the recommended execution environment for plug-ins as it is more secure, supports run-time monitoring and statistics reporting, and is supported on all Microsoft Dynamics 365 deployments. In addition, Microsoft Dynamics 365 (online) only supports execution of custom workflow activities if they are registered in the sandbox.


Developers have the option of registering their plug-ins in the sandbox, known as partial trust, or outside the sandbox, known as full trust. Full trust is supported for on-premises and Internet-facing Microsoft Dynamics 365 deployments. For a Microsoft Dynamics 365 (online) deployment, plug-ins or custom workflow activities must be registered in the sandbox (partial trust) where they are isolated as previously described.


Custom workflow activities and plug-ins that were developed using the Microsoft Dynamics CRM 4.0 SDK are not supported for execution in the sandbox or by Microsoft Dynamics 365 (online).

Run-time statistics

The Microsoft Dynamics 365 platform collects run-time information about plug-ins and custom workflow activities that execute in the sandbox. This information is stored in the database using PluginTypeStatistic entity records. These records are populated within 30 minutes to one hour after the sandboxed custom code executes. See the PluginTypeStatistic attributes to find out what information is collected. You can retrieve this information by using the retrieve message or method.

Web access

Sandboxed plug-ins and custom workflow activities can access the network through the HTTP and HTTPS protocols. This capability provides support for accessing popular web resources like social sites, news feeds, web services, and more. The following web access restrictions apply to this sandbox capability.

  • Only the HTTP and HTTPS protocols are allowed.

  • Access to localhost (loopback) is not permitted.

  • IP addresses cannot be used. You must use a named web address that requires DNS name resolution.

  • Anonymous authentication is supported and recommended. There is no provision for prompting the logged on user for credentials or saving those credentials.

These default web access restrictions are defined in a registry key on the server that is running the Microsoft.Crm.Sandbox.HostService.exe process. The value of the registry key can be changed by the System Administrator according to business and security needs. The registry key path on the server is:


The key value is a regular expression string that defines the web access restrictions. The default key value is:


By changing this registry key value, you can change the web access for sandboxed plug-ins.

System_CAPS_security Security Note

The sandbox processing service role defaults to outbound calls being enabled. If you do not want to permit outbound calls from custom code (plug-ins or custom workflow activities), you can disable outbound calls by setting the following registry key to 1 (DWORD) on the server that hosts the sandbox processing service role. Next, restart the Microsoft Dynamics 365 Sandbox Processing Service.


See Also

Introduction to the event framework
Write a plug-in
Create a custom workflow activity
Azure extensions for Microsoft Dynamics 365
PluginTypeStatistic entity messages and methods
Sample: Web access from a sandboxed plug-in

Microsoft Dynamics 365

© 2016 Microsoft. All rights reserved. Copyright