Impersonation for on-premise deployed plug-ins

Impersonation is used to execute business logic (custom code) on behalf of a Dynamics 365 Customer Engagement (on-premises) system user to provide a desired feature or service for that user. Any business logic executed within a plug-in, including Web service method calls and data access, is governed by the security privileges of the impersonated user.

General information about using impersonation with plug-ins can be found in the Dataverse topic Impersonate a user. The information that follows is specific to on-premises plug-in development.

Plug-ins not executed by either the sandbox or asynchronous service execute under the security account that is specified on the Identity tab of the CRMAppPool Properties dialog box. The dialog box can be accessed by right-clicking the CRMAppPool application pool in Internet Information Services (IIS) Manager and then clicking Properties in the shortcut menu. By default, CRMAppPool uses the Network Service account identity, but this can be changed by a system administrator during installation. If the CRMAppPool identity is changed to a system account other than Network Service, the new identity account must be added to the PrivUserGroup group in Active Directory. More information: Change a Microsoft Dynamics 365 Customer Engagement (on-premises) service account or AppPool identity.
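The following PowerShell check is an added example, not code from this documentation or from Microsoft: it reads the identity that CRMAppPool runs as and reports whether that account is a member of PrivUserGroup, which is the condition described above. It assumes the WebAdministration and ActiveDirectory modules are installed on the server, that the group's Active Directory name begins with `PrivUserGroup`, and the helper name `Resolve-AppPoolSam` is hypothetical.

```powershell
# Added example. Run on the Dynamics 365 (on-premises) web server as an account
# that can read IIS configuration and query Active Directory.
Import-Module WebAdministration, ActiveDirectory

function Resolve-AppPoolSam {
    # Map an app pool processModel to the sAMAccountName that AD would list.
    param([string]$IdentityType, [string]$UserName, [string]$ComputerName)
    switch ($IdentityType) {
        # DOMAIN\svc -> svc. A UPN-style name is cut at '@', which assumes the
        # UPN prefix equals the sAMAccountName.
        'SpecificUser' { return (($UserName -split '\\')[-1] -replace '@.*$', '') }
        # Built-in identities authenticate on the network as the machine account.
        { $_ -in 'NetworkService', 'LocalSystem', 'ApplicationPoolIdentity' } {
            return "$ComputerName`$"
        }
        # LocalService has no domain identity, so it cannot be a group member.
        default { return $null }
    }
}

# Identity configured on the Identity tab of CRMAppPool.
$pm  = Get-ItemProperty -Path 'IIS:\AppPools\CRMAppPool' -Name processModel
$sam = Resolve-AppPoolSam $pm.identityType $pm.userName $env:COMPUTERNAME

# Assumption: the group name starts with "PrivUserGroup"; adjust the filter
# if your deployment names it differently.
$groups = @(Get-ADGroup -Filter "Name -like 'PrivUserGroup*'")
if ($groups.Count -eq 0) { Write-Warning 'No group matching PrivUserGroup* found.' }

foreach ($g in $groups) {
    # -Recursive expands nested groups so indirect membership is counted too.
    $members = @(Get-ADGroupMember -Identity $g -Recursive |
                 Select-Object -ExpandProperty SamAccountName)
    [pscustomobject]@{
        Group        = $g.Name
        IdentityType = $pm.identityType
        Account      = $sam
        IsMember     = [bool]($sam -and ($members -contains $sam))
        AllMembers   = $members -join ', '   # review for unexpected accounts
    }
}
```

An `IsMember` value of `False` after the CRMAppPool identity has been changed indicates that the step of adding the new account to PrivUserGroup was missed.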

See also

Plug-in Development
Register and Deploy Plug-ins
Understand the execution context
Impersonate Another User
Support offline execution