Level Up for Dynamics 365/Power Apps has made lives easier for countless Dynamics admins, developers, and end users. Some IT departments don’t like users having that power and block the extensions. Here’s how you can still get the same results.

This post is the first of a series. In future posts I will explore more features of these extensions and how to replicate their functionality in restricted environments.

I’m a big fan of the browser extensions Level up for Dynamics 365 and Dynamics 365 Power Pane when I’m working with Dynamics 365 / PowerApps / Dataverse. If you aren’t familiar with the tools, I’ll start by saying they’re both amazing and make my job easier almost every single day. More specifically, they’re browser extensions that make working with Model Driven Apps easier by providing shortcuts to perform common tasks that are supported, but not necessarily easy to do through the UI. A couple of examples are:

• Make hidden fields visible
• Highlighting which fields changed since a form loaded
• Getting a list of labels and values for an option set
• Seeing the schema name for the fields on a form.

There are lots of ways to get that information but what’s great about the extensions is that they give a simple interface to pull it all together and quickly get the information you need.

The single biggest shortcut that Level Up is known for is God Mode. This is a button that will:

• Show all hidden fields, tabs, and sections on a form
• Enable any disabled fields
• Make all fields not required

Power Pane has a similar feature, with each action is a separate button.

What’s the problem?

There are lots of CRM Administrators and IT shops that hate these extensions. I’ve been at countless conferences and had these discussions, and they generally fall in two categories:

1. It’s a security risk because it’s an open-source tool
2. It lets users bypass security I have set up on my form.

I would love to discuss these here and might do it in a future post (especially #2: Security through Obscurity). For now, I’m taking aim at a common mitigation technique: ban extensions! Yes, depending on your work situation you might be using a work computer where the IT policy prevents you from installing dastardly extensions that make you job easier.

What’s the solution?

These tools don’t do anything you can’t already do in the browser, they just make it easier. So what’s the harder way? Open DevTools and input the commands directly in the console.

In Edge (Ctrl-Shift-I or):

1. Click on Settings and More (Alt-F)
2. Click on More Tools -> Developer Tools

With the DevTools open, click on the Console tab

Place your cursor in the white space and paste the following code:

this.Xrm.Page.data.entity.attributes.forEach(a => a.setRequiredLevel('none'));

this.Xrm.Page.ui.controls.forEach(c => {
c.setVisible(true);
if(c.setDisabled){
c.setDisabled(false);
}
c.clearNotification();
});

this.Xrm.Page.ui.tabs.forEach(t => {
t.setVisible(true);
t.setDisplayState('expanded');
t.sections.forEach(s => s.setVisible(true));
});

After running the script you’ll immediately see all the hidden components and required fields will be made optional.

After using the script once, you’ll be able to press the Up arrow to find recently used commands, so you won’t have to continually copy-paste it.

How does it work?

This script modifies the page in a supported way through the Xrm.Page object. Xrm.Page itself is deprecated but it was the predominant way developers interacted with forms for 10+ years and it’s still supported (if not updated). Through this hook it iterates the tabs, sections, and fields to make the desired updates.

Will it cause issues?

From a technical sense, no. Everything is 100% supported and won’t break Dynamics functionality.

From a business perspective, possibly. This command won’t let you do anything the platform doesn’t already allow. For example, my Super Secure Required Fields is required on the form but there are no other enforcement mechanisms. I could create the contact through the SDK and not set the field, this script allows me to do the same thing on the form.

What can an admin do to prevent the issues?

One of the objections to the extensions / scripts is that it lets users update fields they “shouldn’t be able to”. This is only a superficial blocker though, because these same fields could all be updated through API calls.

If it’s a security reason, the fields should be configured to use a column security profile. This a special field-level security where only specified users or teams can edit the value. If it’s a business reason (they can’t update X after Y is set) then it might need to be handled in a Pre-Update plugin, which performs the necessary checks and can throw an exception to terminate the transaction if there’s an issue with the data.

On the other hand, if the concern is that they can skip required fields, that’s easily addressed through a Business Rules configured to run on the Entity.

Summary

Level Up and Power Pane are great tools and provide shortcuts to do common, supported steps in Dynamics 365. Some IT shops prevent these extensions to make it harder to get around how they want people to use the tool. These blocks don’t prevent users from performing the same action, they just need to take a few extra steps. If the actions users can take are harmful to security or the business, there are additional steps that the administrators can take to build a more robust security model.

Keep your eyes out for future posts to show additional features from Level Up and Power Pane.

• Uncategorized