Removing Code Based Sandbox Solutions in SharePoint Online

Frequent Contributor

The below was just published in our message center.  How did we go from a vaguely worded blog post from two years ago ("We realize that our customers have made investments in coded sandboxed solutions and we will phase them out responsibly.") to ("In approximately 30 days, currently running, code-based sandbox solutions in the SharePoint Online environment will be disabled.").  That's a responsible way to phase out sandbox solutions?  What happened to the one year notice for disruptive change? Did I miss something?


Here's the full notice in the message center:


We’ve detected that you are using a code-based sandbox solution with your tenant account. Please be advised that we’ve moved forward on our plans to remove code-based sandbox solutions as previously announced in 2014, which can be seen here: http://aka.ms/sandboxcode Please note that declarative (no-code) sandbox solutions are still fully supported.
How does this affect me?
As part of the removal process, activation of new code-based sandboxed solutions, as well as updates of existing solutions are no longer available. In approximately 30 days, currently running, code-based sandbox solutions in the SharePoint Online environment will be disabled. If you have an extenuating circumstance, please contact us as our Product and Customer Support teams are ready to support you during this transition.
What action do I need to take?
We continue to recommend that customers transition their solution(s) to the add-in model or pure client-side development, which provide high-performance, cloud-first approaches to extending SharePoint. More information on SharePoint add-ins can be seen here: http://aka.ms/add-ins Our Product and Customer Support teams are ready to support you with guidance and additional assistance as needed. Below is a list of guidance and resources for solution development for SharePoint Online: - SharePoint Add-in Documentation: http://aka.ms/add-ins - Patterns and Practices for SharePoint Add-ins: http://aka.ms/patternspractices - Plan customizations, solutions, and apps for SharePoint Online: http://aka.ms/plancustom - General SharePoint Development Documentation: http://aka.ms/SharePointDevelopment - Office Developer Center Home: http://aka.ms/OfficeDevCenterHome
41 Replies

I think the timing should at a minimum wait until the SharePoint Framework is fully rolled out and available, and enough people have been given the opportunity to transition their stuff into THAT framework.

If they could have said in January of 2016 that Sandbox Solutions with Managed Code will be disabled come December 31, then I would have no issue.  However, getting this message now means I have to scramble to identify and remediate these solutions in 30 days.

One of our admins removed a solution over the weekend trying to troubleshoot it. To his shock he can no longer add it again. So basically we just lose that app now and all its functionality. Not good.

We've had this issue for over a week. It was reported in the Message Center as an outage until Friday, then it was changed.  It looks like they removed the ability to activate code based sandbox solutions on 7/22/2016.  Whoever flipped that switch didn't tell anyone (apparently) because the issue showed up in the message center.


They updated it on Friday as "service restored" which is laughable since they literally didn't restore anything.


Here's the notice:


Service restored - Jul 29, 2016 5:54 PM

Final Status: After further review, this incident has been correlated to deprecated code-based Sandbox solutions. Detailed guidance on available options can be found in Message Center post MC73347.


User Impact: Users may be unable to activate or use SharePoint Online Sandbox Solutions. This may include event receivers, workflows, web parts, feature receivers, and InfoPath forms.

Scope of Impact: Your organization is affected by this event.

This is the final update for the event.

This is totally irresponsible on the part of the product team.  This will impact 1000s of SharePoint Online customers.  We at SP Marketplace have moved away from code based sandbox solutions over the last 18 months, but many of our over 700+ Office 365 SharePoint Online business application customers still run older versions of our products or have added the many available third party web parts in their overall business solutions.


I have no issue with the change given sufficient notice, but it is apparent the product team is really out of touch  with how customers are using SharePoint Online.  WE NEED AT LEAST SIX MONTHS FOLKS!

"If you have an extenuating circumstance, please contact us as our Product and Customer Support teams are ready to support you during this transition."


Don't bother, I already did!

After having first level support simply feed me the same reply 10x like a broken record, I finally got to speak to a manager who (par for the course) had nothing useful to say.

The "extenuating circumstance" that they are referring to apparently is only for users who have a managed code sandbox solution that is already disabled - which should just be an issue considering they're supposed to have until Aug 28. Customers with this issue will have to fill out a questionnaire on why they need this restored before Microsoft chooses whether or not to do so. IS THIS NOT MORE WORK FOR MICROSOFT THAN JUST EXTENDING THE AVAILABILITY WITH FORMAL NOTICE?!


Ironic that the linked article starts out with, "Our bad"! Yeah Microsoft, your bad - *you're* bad!

You're bad at planning!

You're bad at communicating!

You're bad at understanding your customers!


It is insulting to customers that Microsoft would stop functionality on 30 days notice, and it is extremely insulting to partners that Microsoft would not communicate a time frame for when they are going to chop an entire development platform. 


The fact that they use that linked article would be laughable except it isn't funny - it literally hurts their partners business! That article: 

a. Starts with, "Our bad." <- ??? Seriously?! Don't try to be hip Microsoft! We deserve a real apology, not some teeny-bopper text quip!

b. Gives NO TIMELINE! Congratulations Microsoft - you told people that one day you're going to do something that is going to make people really mad (in fact it already had), but you achieved EPIC FAIL status when you never gave people a date until you accidentally did it two years later. 


Glad to know that partners get no better support than an 11 year old calling for Xbox support!

Again, to me we are under a situation not well communicated...we all knew that Sanbox coded solutions were deprecated 2 years ago and also that this moment would come...but I also would expect a reasonable time window so customers and partners can be ready for this change.

I think it is a to quick move i only have a few customers who still have Sandboxes and 3 are busy with upgrading the box to PNP or other solutions. But timeing is a bit strange.

Yeap...and this could also affect to the ones migrating from OnPremises to SPO using Sharegate since in some scenarios it's required to use a Sandbox solution provided by Sharegate

This change probably was a very rude awakening for most of the organizations, and I find 30-day eviction notice very short. Now we can't even activate new solutions, so it has been practically half turned off already.


I'd have expected at least a T-90 day annoucement to communicate turn off plans detailing timeline. T-60 to stop activating new solutions, T-30 day reminder that it will be all gone.

Unfortunately, some of us weren't using SharePoint 2 years ago and even contracted a 3rd party vendor for a solution in our SP that just released in a few site collections and is now disabled for us to continue releasing to the other site collections AND figure out how we're supposed to fix this.
I've stood by Microsoft on many occasions and even applauded their recent fast paced rolloutso often, but this one is very rough and hard to swallow. Sandbox solutions were the lifeblood for many workarounds to functionality that made sharepoint be able to do anything. Months of testing, development and more were put into filling in the cracks and now it's a madifferent rush to redo it and hope the functionality that was stripped away is still achievable in a very short time frame. Better communication Microsoft..... come on now.
My memory is not what it once was, well, really it was never very good, however two months ago Microsoft did a big presentation on the future of SharePoint and they announced many things giving them a Q2 or 2H2016 timeframe. I do not recall final deprecation of Sandbox coded solutions on there. That would have been appropriate timing and gotten to the audience that needed to know.

Or maybe I just forgot they said it...

I also think that ISV's should get the chance to migrate the sandboxed solutions to the forthcoming SharePoint Framework (keeping the Sandbox alive until then) instead of having to create Add-in's in a hurry and then a few weeks later migrate the Add-in's to the new Framework.

I too am impacted, having many Sandbox Solutions with Code sold to clients over the years and recently that are heavily used. This isn't just going to affect my profits from selling existing products (web parts) but what do the SharePoint users do when the product they purchased and loaded all throughout their farms, site collections, sites, etc suddenly stop working. They are using these types of web parts for navigation and other critical purposes in their sites. Its crazy that 30 days or less is viewed as a "responsible" amount of time for clients to develop an alternative solution! Add-Ins, client side only components, etc are not practical to be built and tested in less than 30 days and distributed to all impacted users, in August of all times, with no advanced warning of the shutdown! We know they are "deprecated", but that's not the point. SOAP Web Services are deprecated for even longer and they are still critical to SharePoint, SP Designer, etc. Shutting down Sandbox Code solutions in such a short time span is a huge error and shows poor planning and judgement. And its another reason to suspect any solution strategy can go the way of the Dodo, thus negating years of investment and impacting live MS users. This decision would only drive users away from Microsoft and SharePoint.
This really has me worried for those other deprecated technologies: InfoPath, SharePoint Designer (workflows!), SOAP web services, etc.

Will the ability to create new InfoPath forms suddenly disappear and then a message be published a weekly stating that InfoPath is dead in 30 days?

Well no, they'd never do anything like that.... wait, Infopath is gone now too?  Uh oh.............


In Microsoft's defense (only sort of), they did push everyone towards the app model and have said that sandbox solutions have been deprecated for a while now.  That said, to pull the plug this suddenly is just craziness.  Sandbox solutions were the gateway to filling quite a few gaps in Sharepoint.

Thats the real crux of the matter.  I share the same concern regarding UserCustomActons/ScriptLinks now (didnt before).  I know they are going away in modern SharePoint, but are they just all gonna up and stop working one day?  


Epic change management fail: CC @Brian Levenson

Brian does seem very quite on this new Change Management strategy they are going with...

It's affecting us now, we've put a holt on any new sites to be migrated as the sandbox solution relied upon to ensure all metadata is migrated can't be activated.


Really hoping Microsoft allow a whitelisting to allow us to continue.

Thanks for looping me in!  I have been following this discussion and topic but haven't chimed in because I don't have much to contribute yet.  I am seeking a formal response to share, and I'd encourage everyone to submit feedback within the Message Center.  Using the like - or in this case, dislike - button and including comments routes your feedback directly to the product team and communication submitter.  This is the best way to communicate to the owner.

I've been working extensively with my local Microsoft team and the further we get into this, it is shocking how absolutely unprepared Microsoft was for this.  Not only did the team implementing this change not communicate with customers, but they apparently didn't communicate with anyone inside Microsoft either.


The longer this goes without a public acknowledgement that this was horribly executed and will be post poned until a future date, the more concerned I'll be about relying on Office 365 for critical busines applications.  The 30 day time bomb is ticking.

The Office Dev PnP group has just posted a PS script to identify sandbox solutions...


Generate list of sandbox solutions from SPO tenant


Thanks @VesaJuvonen and the rest of the PnP group!


(I'm still not happy with the abrupt change byt Microsoft, but at least the PnP group is responsive to helping us deal with it)

I do wonder if the abrupt change has anything to do with the recent sandbox vulnerability. I can't reason this type of change in any other way that makes sense.

Yes, having a script to inventory the sandbox solutions is helpful.  We were already closely monitoring that, but this will let us confirm that we didn't miss any.  We'll still need to analyse each one to determine if it includes managed code or not.

Brian Levenson, at the risk of sounding uninformed, what is this message center of which you speak?

The Message Center is a component of the O365 Admin portal where messages are sent to your O365 tenant about upcoming changes, alerts, or items such as this one where you have an issue that needs to be fixed by a certain date.

Just adding my voice to this thread and the ridiculous situation Microsoft has put us all in, their loyal customers and partners! I have a commercial sandbox solution that contains remote event handlers, I dont think the in-app model will work for this, and I'm thinking of porting my code to work with Azure for hosting. But I can't get any help from anyone at Microsoft on this. I've contacted support repeatedly just to get the 'Standard list' of documents and how-to's, none of which actually provides any relevant insight. And to top this off - I have less than 30 days to architect, code, test and deploy this fairly-major redesign!


Microsoft, how can you pass this off as an enterprise solution? Is this how you hope to get developers engaged in your ecosystem, building and offering solutions?

Copying @Brian Levenson, since he's the only one who seems to be responding and/or caring about customers... 

This is Adam from the SharePoint engineering team.  Thank you all for sharing your stories and comments; it has a real impact as we work with customers to move to a model we can carry forward.  We do hear loud and clear the feedback about the short notice.  As an engineering team, we know technology deprecations are some of the toughest challenges to navigate, with customers being impacted in many different ways. Hearing from you is critical – the content developed by PNP referenced above in the thread came about from early customer feedback.  So did this article that talks about how to remove assemblies from no-code solutions created in Visual Studio. We’re rapidly developing more guidance for you and want to partner with you to make sure those who are impacted get the help they need. (And yes, I agree, Vesa and the PNP team are awesome!)


So, we’ve put a process in place to work with customers and partners – especially those of you who may need more time for the transition. Through our support channels, we’ll work with you to understand your existing solutions, so we can help ensure they will function, uninterrupted, during the transition. This support-led process can extend the time your solutions can run from August 31, 2016 to November 30, 2016.  I see some people on this thread who didn’t receive the level of support they expected from us. And, we took that feedback and are making sure all parts of the team are well aware of the process and the impact to you.  


Please do contact support if you need help through the transition.



Adam Harmetz

Group Program Manager, SharePoint Experiences and Developer Platform

@Adam Harmetz - Thanks for the additional info and it's great to see Microsoft responding, but I really want to know: 


1) Why was this disabled with no notice? (7/22/2016)


2) Why wasn't this considered a "disruptive change" and given a firm one year deadline? (Like the dropping of support for IE8, IE10, etc.)


3) Will dropping support for InfoPath and SharePoint Designer be considered a disruptive change?


4) What exactly will happen to deployed sandbox solutions with managed code "in approximately 30 days"? Will they be deactivated/uninstalled? Or will their managed code simply cease to execute?


@Adam Harmetz Any chance that the November 30 2016 deadline can be the default deadline for all?  Instead of only for customers that push through the support process to have it manually extended?  This would atleast be seen as a big step in resolving the timing issue, giving us 3 months plus instead of 30 days (which is not practical at all).  Surely at this point in the aftermath it should be clear that many users/partners/customers are negatively impacted by this disruptive change.  Deprecated solution debates aside, this should be the defacto way any technology is completely shut down.  If you allow people to use the technology (even if they are encouraged not to) you have a responsibility to those users.  Don't even get me started if this were to happen for SharePoint Designer, InfoPath, SOAP Web Services, etc.  Change is great, but change must be managed.  Many companies (myself included) invested heavily in Microsoft SharePoint (and other Microsoft Technologies).  Please don't make us regret our investment and add fear and uncertaintly to our future investments.  We are all in the same boat, lets not forget that.

+ 1 to this request, the November 30 deadline should apply for all SPO customers WW

That would be ideal, maybe by then some more definitive details will be out for the SharePoint Framework.


I'm going to have to bump a few things from Sandbox Solutions over to UserCustomActions and then will subsequently have to bump those over to the new SharePoint Framework (I hope).  Not thrilled about rearchitecting stuff twice.

I appreciate the link to the powershell script. I ran it and had a couple of hits.  @Kelly Jones when you mentioned analysing the results to see which actually include managed code, could you help me understand that  a little? Our SPO site is pretty new and was handed over to us by a consultant and I'm still learning how all the pieces work together.


If I have a webpart in the script that is marked Activated and HasAssemblies, is this is a definite that it is a sandboxed solution that needs to be dealt with? Or how do I know for sure?


Also, we had a couple hits on InfoPath forms that others in the company have created. Do those forms fall under sandboxed solutions?


I appreciate the help as I untangle this web.

What you need to learn is what elements can be provisioned in the Sandbox and requieres an assembly behind the scenes and which ones no. In the Sandbox you can provision the following elements that usally contains an assembly: Web Parts, Visual Web Parts, Event Receivers, Workflows (SP 2010 ones), InfoPath Forms with code behind. So in your case your two hits imply that you have to look for an alternative for both the WebPart and the InfoPath Forms.
Thank you very much.

The folks at Rencore have released a free tool "Sandbox Solutions Inspector" that identifies sandbox use with SharePoint Online tenants and also the use of active code, showing which site elements are involved.




hope this helps.

Thanks @Chirag Patel !  That tool sounds great.


Quick update for those following this story: Working through Premier Support, we were able to get an extended deadline for our WSP.  We had to send them the WSP and they "whitelisted" it within our tenant.  We can now activate it.


Also, we had another WSP that we didn't submit and I tried activating it, and while the activate button is enabled for this second WSP (non whitelisted), I get an error when I click the activate button.

Through our MS Support ticket, we learned some more details about what will happen when the deadline (approximately 30 days from July 29) hits:


For remaining Sandbox solutions, any server side code will stop working at the end of the month. For example, if you have a sandbox solution that uses event receivers to perform an action upon site creation, the new site will still be provisioned but the actions that would have been triggered by the event receiver will not occur. If any of the other WSPs are declarative – meaning they are wsp file but they do not use server side code – the wsp file can be recompiled without the assembly references and it will continue to work: https://support.microsoft.com/en-us/kb/3183084

Thank you Kelly Jones for pushing for an answer  and posting your findings.  This is exteremely disruptive change and MS should realise how much time and efforts it takes to undestand what happening and what to do.  


6 months should be minimum ( as promised in the past).  



Hope people are given more time, certain migartion tools also make use of sandbox to move content to O365 and they must be whitelisted