When making a request using the Dataverse Web API (OData), you simply add the MSCRM.BypassCustomBusinessLogic header with the value true .
By default, this privilege is typically granted to the role. If you are writing a script or integration service, the Application User or Service Account running the script must have a security role that includes this privilege. If the user lacks the privilege, the API call will ignore the header (and run the plugins) or fail, depending on the context. prvbypasscustombusinesslogic
The privilege is a specialized security permission in Microsoft Dataverse that allows users to execute data operations while skipping custom-registered plug-ins and workflows. This is primarily used by developers and administrators to improve the performance of bulk data operations, such as migrations or large integrations. Core Functionality When making a request using the Dataverse Web
It essentially tells the platform: "I know what I am doing. Just write the data to the database and skip the custom code side-effects." If the user lacks the privilege, the API
In the world of Microsoft Dynamics 365 development, performance is king. We spend hours optimizing plugins, refining workflows, and ensuring that our customizations run smoothly. But sometimes, the very customizations we build become bottlenecks—especially during data migration or bulk integration jobs.
| Scenario | Flaw | Bypass Method | |----------|------|----------------| | E‑commerce refund | Only support agents can approve refunds | Change a hidden user_role=user to user_role=support in a POST request | | Document approval | Only the creator can edit a draft | Modify doc.owner_id to match your own ID | | Multi‑step transfer | Step 3 should verify step 2 was completed | Directly call step 3’s endpoint (lack of state validation) | | Subscription plan | Free users can’t access premium reports | Change plan=free to plan=premium in a cookie or JWT claim | | Bulk operations | Admin-only export endpoint | Add ?admin=true or reuse a lower privilege session ID |
However, treat it like a surgical scalpel, not a sledgehammer. Use it to trim away unnecessary processing during migration, but never use it to bypass logic that protects the validity of your business data.