Export (0) Print
Expand All
This topic has not yet been rated - Rate this topic

Plug-in Isolation, Trusts, and Statistics

[Applies to: Microsoft Dynamics CRM 2011]

Microsoft Dynamics CRM 2011 support the execution of plug-ins and custom workflow activities in an isolated environment. In this isolated environment, also known as a sandbox, a plug-in or custom activity can make use of the full power of the Microsoft Dynamics CRM SDK to access the organization web service. Access to the file system, system event log, certain network protocols, registry, and more is prevented in the sandbox. However, sandbox plug-ins and custom activities do have access to external endpoints like the Windows Azure cloud.

Microsoft Dynamics CRM collects run-time statistics and monitors plug-ins and custom workflow activities that execute in the sandbox. If the sandbox worker process that hosts this custom code exceeds threshold CPU, memory, or handle limits or is otherwise unresponsive, that process will be killed by the platform. At that point any currently executing plug-in or custom workflow activity in that worker process will fail with exceptions. However, the next time that the plug-in or custom workflow activity is executed it will run normally. There is one worker process per organization so failures in one organization will not affect another organization.

In summary, the sandbox is the recommended execution environment for plug-ins as it is more secure, supports run-time monitoring and statistics reporting, and is supported on all Microsoft Dynamics CRM deployments. In addition, Microsoft Dynamics CRM Online only supports execution of custom workflow activities if they are registered in the sandbox. Support for custom workflow activity execution in the sandbox is new for Microsoft Dynamics CRM 2011 Update Rollup 12 and Microsoft Dynamics CRM December 2012 Service Update.

If your organization has been updated to Microsoft Dynamics CRM Online Fall ’13, please use the latest version of the SDK. Download the updated SDK package for Microsoft Dynamics CRM 2013 and CRM Online Fall ‘13.


Developers have the option of registering their plug-ins in the sandbox, known as partial trust, or outside the sandbox, known as full trust. Full trust is supported for on-premises and Internet-facing Microsoft Dynamics CRM deployments. For a Microsoft Dynamics CRM Online deployment, plug-ins or custom workflow activities must be registered in the sandbox (partial trust) where they are isolated as previously described.

Custom workflow activities and plug-ins that were developed using the Microsoft Dynamics CRM 4.0 SDK are not supported for execution in the sandbox or by Microsoft Dynamics CRM Online.

Run-time Statistics

The Microsoft Dynamics CRM platform collects run-time information about plug-ins and custom workflow activities that execute in the sandbox. This information is stored in the database using PluginTypeStatistic entity records. These records are populated within 30 minutes to one hour after the sandboxed custom code executes. See the PluginTypeStatistic attributes to find out what information is collected. You can retrieve this information by using the retrieve message or method.

Web Access

Sandboxed plug-ins and custom workflow activities can access the network through the HTTP and HTTPS protocols. This capability provides support for accessing popular web resources like social sites, news feeds, web services, and more. The following web access restrictions apply to this sandbox capability.

  • Only the HTTP and HTTPS protocols are allowed.

  • Access to localhost (loopback) is not permitted.

  • IP addresses cannot be used. You must use a named web address that requires DNS name resolution.

  • Anonymous authentication is supported and recommended. There is no provision for prompting the logged on user for credentials or saving those credentials.

These default web access restrictions are defined in a registry key on the server that is running the Microsoft.Crm.Sandbox.HostService.exe process. The value of the registry key can be changed by the System Administrator according to business and security needs. The registry key path on the server is:


The key value is a regular expression string that defines the web access restrictions. The default key value is:


By changing this registry key value, you can change the web access for sandboxed plug-ins.

securitySecurity Note
The sandbox processing service role defaults to outbound calls being enabled. If you do not want to permit outbound calls from custom code (plug-ins or custom workflow activities), you can disable outbound calls by setting the following registry key to 1 (DWORD) on the server that hosts the sandbox processing service role. Next, restart the Microsoft Dynamics CRM Sandbox Processing Service.


See Also

Microsoft Dynamics CRM 2011
Send comments about this topic to Microsoft.
© 2013 Microsoft Corporation. All rights reserved.

Community Additions

© 2014 Microsoft. All rights reserved.