Removing Code Based Sandbox Solutions in SharePoint Online

Not applicable

The below was just published in our message center.  How did we go from a vaguely worded blog post from two years ago ("We realize that our customers have made investments in coded sandboxed solutions and we will phase them out responsibly.") to ("In approximately 30 days, currently running, code-based sandbox solutions in the SharePoint Online environment will be disabled.").  That's a responsible way to phase out sandbox solutions?  What happened to the one year notice for disruptive change? Did I miss something?


Here's the full notice in the message center:


We’ve detected that you are using a code-based sandbox solution with your tenant account. Please be advised that we’ve moved forward on our plans to remove code-based sandbox solutions as previously announced in 2014, which can be seen here: Please note that declarative (no-code) sandbox solutions are still fully supported.
How does this affect me?
As part of the removal process, activation of new code-based sandboxed solutions, as well as updates of existing solutions are no longer available. In approximately 30 days, currently running, code-based sandbox solutions in the SharePoint Online environment will be disabled. If you have an extenuating circumstance, please contact us as our Product and Customer Support teams are ready to support you during this transition.
What action do I need to take?
We continue to recommend that customers transition their solution(s) to the add-in model or pure client-side development, which provide high-performance, cloud-first approaches to extending SharePoint. More information on SharePoint add-ins can be seen here: Our Product and Customer Support teams are ready to support you with guidance and additional assistance as needed. Below is a list of guidance and resources for solution development for SharePoint Online: - SharePoint Add-in Documentation: - Patterns and Practices for SharePoint Add-ins: - Plan customizations, solutions, and apps for SharePoint Online: - General SharePoint Development Documentation: - Office Developer Center Home:
41 Replies

It's affecting us now, we've put a holt on any new sites to be migrated as the sandbox solution relied upon to ensure all metadata is migrated can't be activated.


Really hoping Microsoft allow a whitelisting to allow us to continue.

Thanks for looping me in!  I have been following this discussion and topic but haven't chimed in because I don't have much to contribute yet.  I am seeking a formal response to share, and I'd encourage everyone to submit feedback within the Message Center.  Using the like - or in this case, dislike - button and including comments routes your feedback directly to the product team and communication submitter.  This is the best way to communicate to the owner.

I've been working extensively with my local Microsoft team and the further we get into this, it is shocking how absolutely unprepared Microsoft was for this.  Not only did the team implementing this change not communicate with customers, but they apparently didn't communicate with anyone inside Microsoft either.


The longer this goes without a public acknowledgement that this was horribly executed and will be post poned until a future date, the more concerned I'll be about relying on Office 365 for critical busines applications.  The 30 day time bomb is ticking.

The Office Dev PnP group has just posted a PS script to identify sandbox solutions...


Generate list of sandbox solutions from SPO tenant


Thanks @VesaJuvonen and the rest of the PnP group!


(I'm still not happy with the abrupt change byt Microsoft, but at least the PnP group is responsive to helping us deal with it)

I do wonder if the abrupt change has anything to do with the recent sandbox vulnerability. I can't reason this type of change in any other way that makes sense.

Yes, having a script to inventory the sandbox solutions is helpful.  We were already closely monitoring that, but this will let us confirm that we didn't miss any.  We'll still need to analyse each one to determine if it includes managed code or not.

Brian Levenson, at the risk of sounding uninformed, what is this message center of which you speak?

The Message Center is a component of the O365 Admin portal where messages are sent to your O365 tenant about upcoming changes, alerts, or items such as this one where you have an issue that needs to be fixed by a certain date.

Just adding my voice to this thread and the ridiculous situation Microsoft has put us all in, their loyal customers and partners! I have a commercial sandbox solution that contains remote event handlers, I dont think the in-app model will work for this, and I'm thinking of porting my code to work with Azure for hosting. But I can't get any help from anyone at Microsoft on this. I've contacted support repeatedly just to get the 'Standard list' of documents and how-to's, none of which actually provides any relevant insight. And to top this off - I have less than 30 days to architect, code, test and deploy this fairly-major redesign!


Microsoft, how can you pass this off as an enterprise solution? Is this how you hope to get developers engaged in your ecosystem, building and offering solutions?

Copying @Brian Levenson, since he's the only one who seems to be responding and/or caring about customers... 

This is Adam from the SharePoint engineering team.  Thank you all for sharing your stories and comments; it has a real impact as we work with customers to move to a model we can carry forward.  We do hear loud and clear the feedback about the short notice.  As an engineering team, we know technology deprecations are some of the toughest challenges to navigate, with customers being impacted in many different ways. Hearing from you is critical – the content developed by PNP referenced above in the thread came about from early customer feedback.  So did this article that talks about how to remove assemblies from no-code solutions created in Visual Studio. We’re rapidly developing more guidance for you and want to partner with you to make sure those who are impacted get the help they need. (And yes, I agree, Vesa and the PNP team are awesome!)


So, we’ve put a process in place to work with customers and partners – especially those of you who may need more time for the transition. Through our support channels, we’ll work with you to understand your existing solutions, so we can help ensure they will function, uninterrupted, during the transition. This support-led process can extend the time your solutions can run from August 31, 2016 to November 30, 2016.  I see some people on this thread who didn’t receive the level of support they expected from us. And, we took that feedback and are making sure all parts of the team are well aware of the process and the impact to you.  


Please do contact support if you need help through the transition.



Adam Harmetz

Group Program Manager, SharePoint Experiences and Developer Platform

@Adam Harmetz - Thanks for the additional info and it's great to see Microsoft responding, but I really want to know: 


1) Why was this disabled with no notice? (7/22/2016)


2) Why wasn't this considered a "disruptive change" and given a firm one year deadline? (Like the dropping of support for IE8, IE10, etc.)


3) Will dropping support for InfoPath and SharePoint Designer be considered a disruptive change?


4) What exactly will happen to deployed sandbox solutions with managed code "in approximately 30 days"? Will they be deactivated/uninstalled? Or will their managed code simply cease to execute?

@Adam Harmetz Any chance that the November 30 2016 deadline can be the default deadline for all?  Instead of only for customers that push through the support process to have it manually extended?  This would atleast be seen as a big step in resolving the timing issue, giving us 3 months plus instead of 30 days (which is not practical at all).  Surely at this point in the aftermath it should be clear that many users/partners/customers are negatively impacted by this disruptive change.  Deprecated solution debates aside, this should be the defacto way any technology is completely shut down.  If you allow people to use the technology (even if they are encouraged not to) you have a responsibility to those users.  Don't even get me started if this were to happen for SharePoint Designer, InfoPath, SOAP Web Services, etc.  Change is great, but change must be managed.  Many companies (myself included) invested heavily in Microsoft SharePoint (and other Microsoft Technologies).  Please don't make us regret our investment and add fear and uncertaintly to our future investments.  We are all in the same boat, lets not forget that.

+ 1 to this request, the November 30 deadline should apply for all SPO customers WW

That would be ideal, maybe by then some more definitive details will be out for the SharePoint Framework.


I'm going to have to bump a few things from Sandbox Solutions over to UserCustomActions and then will subsequently have to bump those over to the new SharePoint Framework (I hope).  Not thrilled about rearchitecting stuff twice.

I appreciate the link to the powershell script. I ran it and had a couple of hits.  @Deleted when you mentioned analysing the results to see which actually include managed code, could you help me understand that  a little? Our SPO site is pretty new and was handed over to us by a consultant and I'm still learning how all the pieces work together.


If I have a webpart in the script that is marked Activated and HasAssemblies, is this is a definite that it is a sandboxed solution that needs to be dealt with? Or how do I know for sure?


Also, we had a couple hits on InfoPath forms that others in the company have created. Do those forms fall under sandboxed solutions?


I appreciate the help as I untangle this web.

What you need to learn is what elements can be provisioned in the Sandbox and requieres an assembly behind the scenes and which ones no. In the Sandbox you can provision the following elements that usally contains an assembly: Web Parts, Visual Web Parts, Event Receivers, Workflows (SP 2010 ones), InfoPath Forms with code behind. So in your case your two hits imply that you have to look for an alternative for both the WebPart and the InfoPath Forms.
Thank you very much.

The folks at Rencore have released a free tool "Sandbox Solutions Inspector" that identifies sandbox use with SharePoint Online tenants and also the use of active code, showing which site elements are involved.


hope this helps.

Thanks @Chirag Patel !  That tool sounds great.


Quick update for those following this story: Working through Premier Support, we were able to get an extended deadline for our WSP.  We had to send them the WSP and they "whitelisted" it within our tenant.  We can now activate it.


Also, we had another WSP that we didn't submit and I tried activating it, and while the activate button is enabled for this second WSP (non whitelisted), I get an error when I click the activate button.

Through our MS Support ticket, we learned some more details about what will happen when the deadline (approximately 30 days from July 29) hits:


For remaining Sandbox solutions, any server side code will stop working at the end of the month. For example, if you have a sandbox solution that uses event receivers to perform an action upon site creation, the new site will still be provisioned but the actions that would have been triggered by the event receiver will not occur. If any of the other WSPs are declarative – meaning they are wsp file but they do not use server side code – the wsp file can be recompiled without the assembly references and it will continue to work: