A case of inspiration: Locking down CRM for maintenance

Today we had a discussion at the office on an upcoming migration at a customer. Their Dynamics CRM environment is getting a complete overhaul and a large number of external systems need to be hooked up. A migration for which we are preparing multiple scenarios.

While the migration is going on, it would be really nice to lock out all users in a friendly way. Preferably with a nice message indication that the system is offline for maintenance.


Dynamics CRM offers some methods to restrict user access while updating.

  • CRM On premise/Online: Disable almost all users
    Out of the box, simple, however prone to errors. You could lock out your own account.
    Locking out users can be done under Settings > Security > Users.


  • CRM Online: Administration mode
    When you place a Sandbox instance in administration mode only users with CRM System Administrator or System Customizer security roles will be able to sign in to that instance. Administration mode is useful when you want to make operational changes and not have regular users affect your work, and not have your work affect regular users.

The second method is the most efficient one and less prone to errors. However this functionality is only available on CRM online. The regular users may get confused why they don’t have access anymore. * And this made me wonder *

Why does CRM not offer a mechanism in which an administrator can lock the system for maintenance that informs the users in a nice way that the system is down for maintenance?

While driving back home, some ideas popped up in my head. Ideas that I want to share with you.

Idea 1: Plugin protection

The “lock down for maintenance” mechanism could work like this.

Lockdown concept1

In case an App uses the CRM API to get data from CRM, an exception will be thrown indicating that CRM is in maintenance. The same applies for web and/or tablet use.
In the case of the tablet application or the browser experience a popup can be shown indicating that CRM is in maintenance (if you want to do it quick and dirty, you can throw a “Invalid Plugin Execution” exception. CRM will handle the popup).

However, in case the user accessing CRM is an administrator – regardless of access through an App, tablet or browser – CRM should operate as usual.

The way this can be implemented is via a plugin. The plugin can be registered on both the Retrieve and RetrieveMultiple messages with no primary entity. In that case the plugin will fire for any entity being accessed.

Lockdown concept2

The CRM administrator can enable and disable the plugin via the SDK messages.

The downside of this approach is that the impact on the system performance can be big, as the plugin will fire for any retrieve / retrieve multiple action.

Idea 2: Custom HTML Resource

The other idea that popped up in my head was the custom html resource. On the default dashboard was can add a custom HTML web resource. This web resource shows an overlay with a nice display message in case the system is in maintenance mode and the user is not an administrator.

The HTML overlay cannot be closed; which effectively disables CRM.
In case the system is not in maintenance the html webresource can be used to inform the users on upcoming maintenance.

However this mechanism is not super secure! In case CRM is accessed through the API, this mechanism will be ignored and the user will have access even if the system is in maintance mode. In other words the front door is locked down, while the back door is open to anyone.

The advantage of using this method is that we can register in a custom entity when CRM is in maintenance, what the message shown is supposed to be, when the user should be informed on upcoming maintenance etcetera.

What would be perfect…

For now I leave the idea as is. I don’t have time to implement it right now. In order to make a user friendly solution I think both ideas should be combined, which means:

  • a custom web resource that can be placed on the dashboard(s).
    This web resource informs the users on upcoming maintance, and locks down the dashboard. Rendering CRM useless
  • a custom entity containing the message, the maintenance start/end date and time, an indicator if the users should be warned, etcetera.
  • a custom plugin that throws exception when retrieving data (except for administrators).

If only I had a day to spend 😉