Set Resource Exposure Policy settings


When you start a new project, an app.json file is generated automatically, which contains the information about the extension that you're building.

In the app.json file, you can specify a setting called resourceExposurePolicy that defines the accessibility of the resources and source code during different operations.

The resourceExposurePolicy specifies the following list of options:

  • applyToDevExtension

  • allowDebugging

  • allowDownloadingSource

  • includeSourceInSymbolFile

Each of these properties defines the specific areas in which the source code of an extension can be accessed. All the options are by default set to false, which means that by default, no dependent extension can debug or download the source code of your extension.

The syntax of the resourceExposurePolicy setting is as follows:

`"resourceExposurePolicy": {"applyToDevExtension": <boolean>, "allowDebugging": <boolean>, "allowDownloadingSource": <boolean>, "includeSourceInSymbolFile": <boolean>}`

The AL:Go! project template now has allowDebugging, allowDownloadingSource, and includeSourceInSymbolFile switched on by default. This is visible in the app.json file where the project resourceExposurePolicy property is set.

You can always override this for your AppSource or per-tenant extension by changing the setting.

The AL: Go! template sets the allowDebugging, allowDownloadingSource, and includeSourceInSymbolFile options in the resourceExposurePolicy setting to true.


With the applyToDevExtension flag, you can specify if all resource exposure policies specified for the extension also apply to developer extensions, by setting the value to true.


To allow debugging into your extension, you must set the allowDebugging flag when the extension is taken as a dependency, otherwise debugging isn't allowed. The default value of allowDebugging is false.

If you want to allow debugging into your extension to view the source code, the allowDebugging property in the app.json file must be set to true. For example, if someone develops an extension A and another person develops an extension B, where B depends on A, then debugging B will only step into the code for A, if a method from A is called and if the allowDebugging flag is set to true in the app.json file for extension A as shown in the example below. By adding this setting, you enable debugging into an extension to view the source code and variables when that extension is set as a dependency.

"resourceExposurePolicy": {"allowDebugging": true}

allowDebugging doesn't apply to Profiles, Page Customizations, and Views, because these objects can't define any custom logic in procedures or triggers. The code for Profiles, Page Customizations, and Views defined in an extension with allowDebugging set to false can still be accessed and copied using Designer.

The [NonDebuggable] attribute

Unless you've specified the [NonDebuggable] attribute on methods and variables, setting the allowDebugging to true will allow stepping into this code. If you, however, have marked the methods and variables with the [NonDebuggable] attribute, these methods and variables will remain non-debuggable.

The default value of the allowDebugging flag is false. If allowDebugging is set to true, anyone who extends your code can debug it.

However, it isn't possible to allow both, debugging and Go to Definition, and still protect source from being extracted through the debug experience, for example, by using third party Visual Studio Code tools. For AppSource apps, if you want to protect your IP, it's recommended to limit access to the source by setting the resourceExposurePolicy flags to false. Then rely on the ability to grant yourself and optionally trusted reseller partners time-limited individual access through the dynamic override of the resource policy.

For per-tenant extensions, if the customer owns the IP and approves of exposing it, it's recommended to at least allow debugging and include source in symbols to make troubleshooting, extracting IP from the service, and working across resellers easier.

Someone will still be able to view your code if an extension is deployed through Visual Studio Code as a DEV extension, as opposed to deployed using a cmdlet, by using the Extension Management page in Business Central or using AppSource. Use the applyToDevExtension setting to specify if all resource exposure policies should also apply to your DEV extension.


When this flag is set to true in the app.json file of extension A, the source code and any media files of extension A can be downloaded, for example, from the Download Source option in the Extension Management page in Business Central. Extension A can be a PTE or a DEV extension. The default value of allowDownloadingSource is false.


When this flag is set to true in the app.json file of extension A, the downloaded symbol file in Visual Studio Code, which is accessed by using the Downloading Symbols functionality, contains symbols, source code, and all other resources of extension A. When includeSourceInSymbolFile is set to false, the source isn't available in the symbol files, and you can't use Go to Definition to view source. You can, however, still extend, get IntelliSense for, and call functionality in extension A by relying on its exposed symbols and signatures. The default value of includesourceInSymbolFile is false.

Override the resource policy

The resource exposure override can be used to dynamically grant access to the users. Overriding the policy is useful, if you've, for example, set the allowDebugging flag to false in your app.json file, but you want to allow specific Microsoft Entra ID tenants access temporarily. If you don't specify anything in the BC-ResourceExposurePolicy-Overrides secret described below, then no one can debug your code if allowDebugging is set to false. On the contrary, if you've set allowDebugging to true in your app.json file, then it doesn't matter what you specify in the BC-ResourceExposurePolicy-Overrides secret. Anyone will be able to debug into that code.

It's a requirement to enable overriding the resource policy, that you have a key vault set up. Setting up a key vault is an onboarding process that is described in the links below. Follow the guidelines for keeping your key vault safe. If the key vault is used for multiple purposes, you can create different policies for access to override the secret in the key vault.

Resource exposure policy overrides can be used to dynamically grant users of a given Microsoft Entra ID tenant ID access. The users performing the action, such as debugging, can be delegated admins or a guest user on the target environment. In addition, you must specify the tenant property in the launch.json file. The tenant property must be set to the target tenant ID.

The BC-ResourceExposurePolicy-Overrides secret

Once the key vault is set up, the policy of an extension can be overridden by using settings in your extension's key vault. A secret named BC-ResourceExposurePolicy-Overrides must be added to the key vault. The value of the secret is a .json file with the structure as shown in the example below.

$json = '{ 
    "allowDebugging": [ 
    "allowDownloadingSource": [ 
    "includeSourceInSymbolFile": [ 
$Secret = ConvertTo-SecureString -String $json -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName "YourKeyVaultName" -Name "BC-ResourceExposurePolicy-Overrides" -SecretValue $Secret

Because the json secret value in this case spans multiple lines, you must use Azure PowerShell instead of the Azure portal to define the json secret value. To enable one or more of the properties for use by a Microsoft Entra ID tenant, you must add the tenant ID to enable that property for the users of the tenant. Doing so enables a temporary access to the source code, for example, for debugging purposes.