One of the common but often overlooked issues in Dataverse plug-ins is when a plug-in executes under a user context that has been disabled. This can result in errors that prevent the plug-in from completing its operation.
In this blog, we’ll explore why this error occurs, how to troubleshoot it, and best practices to ensure smooth execution of plug-ins without encountering disabled user issues.
🚨 Understanding the Error
Error Message:
System.ServiceModel.FaultException`1[Microsoft.Xrm.Sdk.OrganizationServiceFault]: The user with SystemUserId=<User-ID> in OrganizationContext=<Context> is disabled. Disabled users cannot access the system. Consider enabling this user. Also, users are disabled if they don't have a license assigned to them.This error occurs when a plug-in is set to execute under the security context of a user that has been disabled. Since disabled users lose access to Dataverse, any plug-ins that depend on their credentials will fail.
🧐 Why Does This Happen?
Several scenarios can trigger this error:
1️⃣ The plug-in was registered to run as a user who has been disabled – Often happens when an administrator disables a user account without checking dependent plug-ins.
2️⃣ The plug-in impersonates a user who has been disabled – The plug-in attempts to execute using an impersonation context, but the user lacks access.
3️⃣ The user no longer has a valid license assigned – A user might still be active but lacks the necessary license to access Dataverse.
🔍 How to Troubleshoot and Fix the Issue
1️⃣ Find the Plug-in Steps Running Under a Disabled User
To identify the plug-in steps that are executing under a disabled user, run the following query in Dataverse Web API:
GET https://<env-url>/api/data/v9.2/sdkmessageprocessingsteps
?$filter=_impersonatinguserid_value eq '<disabled-userId-from-error>'
&$expand=plugintypeid($select=name,friendlyname,assemblyname;$expand=pluginassemblyid($select=solutionid,name,isolationmode)),sdkmessageid($select=solutionid,name)
&$select=solutionid,name,stage,_impersonatinguserid_value,modeThis query will return the list of plug-in steps associated with the disabled user, along with their solution names, stages, and the plug-in assembly details.
2️⃣ Update the Plug-in to Use a Valid User
Once you’ve identified the affected plug-in steps, you need to update them to run under a valid user.
How to Check & Update the Plug-in’s User Context
1️⃣ Open Power Platform Admin Center and navigate to Environments > Your Environment > Settings.
2️⃣ Under Users + Permissions, select Users and locate the affected user.
3️⃣ If the user is disabled, assign a valid user instead.
If the plug-in impersonates a disabled user, update the Run in User’s Context setting in the Plug-in Registration Tool:
- Locate the step that is failing
- Change the Run in Context field to a different active user
- Save and update the registration
3️⃣ Ensure the User Has the Necessary License
Even if the user is active, they might still be missing the Dataverse license, which prevents them from accessing the system.
- Navigate to Microsoft 365 Admin Center
- Check if the user has a valid Power Apps, Dynamics 365, or Dataverse license
- If not, assign the correct license
📌 Best Practices to Avoid Disabled User Errors
✔ Use a System Account for Plug-ins – Instead of registering plug-ins under individual users, use a service account that is not subject to deactivation.
✔ Regularly Review Plug-in Configurations – Monitor which users are associated with plug-ins and verify they remain active.
✔ Enable Alerts for Disabled Users – Set up notifications in Microsoft Entra ID (Azure AD) to detect when a user with an assigned plug-in step is disabled.
📢 Coming Up Next…
In Blog 7, we will dive into Message size exceeded when sending context to Sandbox in Dataverse plug-ins and how to optimize queries for better performance.
Stay tuned for the next post in the series! 🚀
My Trial 