Microsoft SharePoint Online for Enterprises

Custom Solution Policies and Process

Dedicated Plans Service Description

Published: October2012

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

©2012 Microsoft Corporation. All rights reserved.

Microsoft, SharePoint, Visual Studio, Windows PowerShell, and Windows are trademarks of the Microsoft group of companies.

All other trademarks are property of their respective owners.

Contents

Introduction

Policy and Process Updates in This Release

Benefits of Following This Process

What Customers Should Know

Reviews of Custom Solutions

Custom Solution Parameters

About MSOCAF

Analysis with MSOCAF

Test Deployment with MSOCAF

Submission with MSOCAF

Potential Hardware and Service Impact of Deploying Custom Solutions

Monitoring of Deployed Custom Solutions

Use of Third-Party Components and Products

Third-Party Solution Licensing

Open Source Project Support

Custom Solution Process

Overview of the Custom Solution Process

Timeline of the Custom Solution Process

Step 1 – Gather Requirements

Step 2 – Create and Submit High Level Design Document

Submit the HLD Document

Step 3 – Microsoft Review of High Level Design Document

Hardware Evaluation

Step 4 – Develop Custom Solution

Step 5 – Test, Package, and Validate with MSOCAF

Limitations

Package the Custom Solution

Scheduling the Deployment

Submitting the Deployment Package

MSOCAF Submission Troubleshooting

Deployment Guide

Deployment Manifest

Step 6 – Microsoft Review, Validation, and Deployment

Timeline for Review and Deployment by Microsoft

Engineering Review by Microsoft

Pre-Production Environment Validation

Production Review

Production Environment Deployment

Custom Solution Policies

Custom Solution Deployment Maximum

SLA Exemption Waivers

Custom Databases

MSOCAF Compliance Policy

MSOCAF Release Cycle

Custom Solution Scoping Policy

Policy for Updating Custom Solutions

Resubmission Policy for Custom Solution Deployment Packages

Break-Fix Policy

Emergency Change Remediation

Platform Upgrades or Updating Impacts

System Monitoring Policy

Log Request Policy

Event Logging

Appendix A: SharePoint Online Policies for Sandboxed Solutions

Appendix B: Code Development and Deployment Responsibilities

Appendix C: Escalating Custom Solution Post-Deployment Issues

Introduction

This document describes the policies and process that govern howMicrosoft and its subscribers to Microsoft® SharePoint® Onlinefor enterprises dedicated plansvalidate and deploycustom solutions to the SharePoint Online environment. These custom solutions include solutions and products that are developed by third parties and code developed in-house by customers. Custom solutions can be deployed to any web application in the SharePoint Online dedicated environment (Portal, Team, Partner, or Personal Sites).

This document and the process it describes apply only to fully trusted code that requires deployment or executionby Microsoft on thehosted servers based on Microsoft SharePoint 2010 or Microsoft Office SharePoint Server 2007. This is typically Microsoft .NET–based code and dependent files, but can also include Windows PowerShell® scripts or batch files.

This document and process do not apply to these other methods of customizing a SharePoint Online environment:

  • End-user solution. A customization that is performed through a web-based mechanism (for example, applying style sheets and out-of-the-box Web Parts and page templates).
  • Authored site customization. A customization that is performed by web designers using HTML editors (for example, customization of master pages or page layouts). This also includes declarative solutions using Microsoft SharePoint Designer and SharePoint site administrative pages in the browser (for example, data access with Business Connectivity Services, or connecting list and data view Web Parts).
  • Sandboxed solution (partially trusted code). A customization that is created by developers, and that typically contains .NET–based code and dependent files that can be deployed to SharePoint site collections by the customer’s site collection administrators.However, we recommend analyzing the code of a sandboxed solution using the Microsoft SharePoint Online Code Analysis Framework tool (MSOCAF). For an introduction to the MSOCAF tool, see About MSOCAFlater in this document.For policies about using sandboxed solutions, see Appendix A: SharePoint Online Policies for Sandboxed Solutions.

Important

The policies and process described in this document do not apply to standard configurations. They apply only to custom solutions. Do not include standard configurations in your deployment guide when submitting a custom solution. For standard configurations, contact the Microsoft service delivery manager (SDM) to submit a configuration request (CR) for the standard configuration change. Use the CR templates available on the Service Administration portal.

The goal of the policies and process in this document is to ensure that custom solutions deployed to theSharePoint Onlineenvironmentcan be operated, managed, secured, and scaled following established best practices. To that end, Microsoft performs these reviews of custom solutions:

  • Reviews proposed custom solutions and determines whether an existing custom solution, or an “out-of-the-box” solution, can accomplish the same goals.
  • Reviews the high-level design of custom solutions and provides feedback to make sure they can be hosted by SharePoint Online.
  • Reviews the custom solution deployment package and final code of custom solutions to make sure they can be deployed and hosted onSharePoint Online. Reviews incorporate manual test cases and follow best practices established by Microsoft.
  • Deploys custom solutions in Microsoft test environments for complete deployment review and release verification.

Policy and Process Updates in This Release

There are no new policy changes for the current release. The following change wasincluded in the previous release:

  • Shorter timeline for custom solution deployment. Deployment automation must be used to deploy custom solutions. This includes using MSOCAF for custom solution validation and submission and the inclusion of a deployment manifest for automated deployment and rollback. The use of deployment automation results in a shorter timeline for custom solution deployment:
  • Five-day advance notice is no longer required for High Level Design documents or code drops.
  • The code review period is shortened from five business days to four.
  • Deployment to the PPE following code approval is reduced from five business days to three.
  • Deployment to the production environment happens three business days after PPE approval is received from the customer.

For more information see Deployment Manifest and Timeline of the Custom Solution Process later in this document.

Benefits of Following This Process

Customers thatwant to develop custom solutions, or purchase them from third parties, receive these benefits:

  • Structured process. Microsoft uses a structured review process to help mitigate the risk of falling outside the established goals for custom solutionperformance, scalability, availability, and upgrade.
  • Experience in deploying custom solutions. Microsoft has extensive experience deploying custom solutions, including custom-written, off-the-shelf, and hybrid solutions that rely on custom code and third-party products.
  • Capacity planning experience. Microsoft has experience in evaluating howa custom solutionis managed, monitored, and instrumented, and whether it has the ability to scale, and can suggest an infrastructure design to meet customer needs.

What Customers Should Know

Readers of this document should be familiar withdeveloping on the SharePoint platform, Internet Information Services (IIS), and life-cycle-based development and testing of .NET-based code. For more developer resources regarding the development process and best practices, seethe SharePoint Online Custom Solution Developer’s Guide in the Microsoft Download Center.

Reviews of Custom Solutions

Microsoft reviews the proposed design of custom solutions at an early stage and also reviews the packaged solution after it has been developed.Microsoft waits until after the customer validation of the service before reviewing any customsolutions for a customer. Acustomer that chooses to develop and submit farm-level custom solutions for deployment by Microsoft may do so after purchasing custom solution credits.

Customersmust allow the necessary time for these reviews when scheduling custom solution development and deployment (as described in Table 2later in this document). Customers receive a change window schedule from theSDM to calculate the work-back dates for developing the custom solution, submitting a deployment package, and moving through the test and review process.

Custom Solution Parameters

Microsoft chargesone or more custom solution credits when Microsoft acknowledges receipt of a custom solution that a customer has submitted for deployment.The number of custom solution credits charged isbased on the amount of code and number of solution packages, as detailed in Custom Solution Scoping Policy later in this document. (Credits are purchased as a Deployment and Upgrade Pack; contact the relevant sales team for full details.)

However, Microsoft does not charge acustom solution credit when anupdate to a custom solution falls within the scope of the original High Level Design (HLD) document. For example, no custom solution credit is debited when the customer updates a custom solution to work with a newer version of SharePoint, or if a bug is discovered that requires a code change but not an HLD change. Microsoft also does not charge a customization credit for reviewing third-partysolutions for use in the SharePoint Online environment, or for deploying those third-party solutions.

About MSOCAF

Microsoft provides a framework called the Microsoft SharePoint Online Code Analysis Framework (MSOCAF) to customers for use in analyzing custom solutions, testing the deployment of custom solutions in the farm environment, and submitting them for review and deploymentin the SharePoint Online environment.

Important

Use of MSOCAF and submission of a deployment manifest are mandatory parts of the custom solution deployment process.

By using MSOCAF, the customer can conduct most of the required code validation early and automatically. Analysis with MSOCAF ensures that custom solution code is built following established best practices for software development.MSOCAF checks for security flaws and memory leaks, and also checks that the custom solution does not use the SharePoint APIs in ways that are known to cause performance or stability issues. Deployment testing with MSOCAF enables a customer to validate that the custom solution deploys correctly to the customer’s test environment.After successful validation of the custom solution and testing of its deployment,the customer also uses MSOCAFto submitthe custom solution to Microsoft.

Important

MSOCAF performs only code validation and deployment testing.Functional testing and stress, or load, testing must be done separately by the customer's development team. Because the SharePoint Online service does not include a hosted development or testing environment, all development and testing must take place in environments that are hosted by the customer. Testing should specifically take place in a farm environment rather than a standalone environment. For information on building these environments, refer to the customer-facing build guides and the Performance Test Policy available only to current customers, on the Customer Extranet site.

The SharePoint Online service does include a pre-production environment (PPE) that customers can use for validating the custom solution before deploying to the production environment. However, the PPE is not a substitute for a customer-hosted or partner-hosted test environment. For details about the PPE, see Pre-Production Environment Validation later in this document.

The SharePoint Online engineering team may continue to add rules and plug-ins according to the MSOCAF compliance policy, which is described inMSOCAF Compliance Policy later in this guide.MSOCAF includes a user's guide in a compiled Help file, and uses the ClickOnce technology that enables Microsoftto automatically perform updates or add new rules and test cases according to the compliance policy without the need for customers to re-install the framework.

MSOCAF must be used to validate all custom solutions developed for SharePoint Online byboth customers and independent software vendors (ISVs). Custom solutions developed by customers for SharePoint Onlinemust use solution package (.wsp) files. To use MSOCAF with a custom solution, the deployment package alsomust be organized into a specific directory structure as described inthe SharePoint Online Custom Solution Developer’s Guidein the Microsoft Download Center.

Analysis with MSOCAF

MSOCAF expedites the engineering review by Microsoft,because customers are able to detect and fix defects prior to submitting their custom solutions to Microsoft. The frameworkhelps to check for memory management, security vulnerabilities, exception management, object model usage, and presence of unsupported features, and verifies that proper instrumentation is implemented by the solution.

MSOCAF performs a rules-based code analysis of the solution to ensure that it is built using established best practices.To perform the code analysis, MSOCAF incorporates existing Microsoft Visual Studio® components such as FxCop, CAT.NET, and SPDisposeCheck.The report generated by MSOCAF instructs developers about the parts of the solution that must be changed to meet the validation criteria.

In addition to analysis with MSOCAF, the customer is required to conductadditional manual test cases, which are collected in the Custom Solution Test Cases document(available to current customers only, on the Customer Extranet site). Customers must run their custom solutions through these manual tests in their test environment prior to submission.

Test Deployment with MSOCAF

A custom solution that has been packaged for deployment and analyzed successfully can be deployed to the customer’s on-premises test environment using MSOCAF. Similarly, MSOCAF can test the rollback or removal of a deployed custom solution from the customer’s test environment. Testing the deployment and rollback of custom solutions is required, to ensure the accuracy of the deployment instructions that the customer is providing and identify any issues that might arise.

Submission with MSOCAF

After the customer successfully validates a custom solution with MSOCAF, the customer can submitit to Microsoft. Submissionrequires the following information, as shown below in Figure 1:

  • Configurationrequest number (CR-XXXX)
  • Submitter email ID
  • Customer agreement

Figure 1. Submission form in MSOCAF

When the customer submits the deployment package, MSOCAF validates that the directory structure is correct and that all required components are included, and then packages all of thefiles into a single CAB file. MSOCAF calls a hosted web service to validate the username and the CR number. If both elements are validated, MSOCAF uploads the CAB file. After the upload completes, the customer receives a confirmation message by email.

Note

The automated submission has an upper size limit for the CAB files of 250 megabytes (MB); if the CAB file size exceeds this amount, then the customer must submit the package manually to the SDM.

For more information about MSOCAF, see the SharePoint Online Custom Solution Developer’s Guidein the Microsoft Download Center.

Potential Hardware and Service Impact of Deploying Custom Solutions

Custom solutions have the potential to significantly impact the SharePoint Online environment—especially when the code generates a high load, requires significant resources, or doesn't scale to the current environment. To address these issues, it may be necessary to purchase additional hardware, upgrade existing hardware components, scale back custom solution deployment by deploying to fewer sites or pages, or remove the custom solution entirely.

During the review steps of the custom solution process, the SharePoint Online engineering team determines whether there may be a need for additional hardware or upgraded components. In cases where hosting a custom solution would require the purchase of additional hardware, Microsoft reserves the right to charge for the requiredhardware and delay deployment until the hardware has been procured and configured, orreject the custom solution.

Monitoring of Deployed Custom Solutions

Microsoft monitors deployed custom solutions based on the defined monitoring rules that the customer provides, as described in System MonitoringPolicylater in this document. Monitoring of custom solutionsby Microsoft is effective only if customers provide complete and usable troubleshooting guides, and ifcustom solutions implement the proper instrumentation to support monitoring.