Dear Microsoft Support,
We would like to raise a concern regarding the current limitations of AL extensions in Business Central, specifically during the app installation process.
As of version 24.0 / AL language 4.0, it is not possible to initiate an outbound HTTP request (via HttpClient) during the OnInstallAppPerCompany or OnInstallAppPerDatabase triggers. We understand this restriction exists to ensure runtime safety and installation robustness. However, it creates a critical gap in intellectual property (IP) protection and licensing validation.
Problem Description
When an extension is installed—especially via AppSource or through a partner's deployment process—its AL objects and full source logic are already imported into the customer's database (SaaS or OnPrem), even before any licensing logic can be triggered. Since outbound communication is blocked during installation, there is:
- No way to validate or enforce licensing before execution
- No opportunity to register or authenticate the tenant prior to code exposure
- No mechanism to prevent unauthorized IP inspection or reverse engineering
This means that a customer—intentionally or unintentionally—can access, analyze, or potentially misuse the extension's business logic before any licensing terms are enforced or even communicated.
Security and IP Protection Risks
- The full extension object set is stored unprotected in the database (in SaaS or OnPrem)
- Licensing logic embedded in AL cannot execute during install
- Outbound HTTP calls (e.g., to validate a tenant or activation key) are blocked
- Obfuscation of AL code is not supported or possible
- There is no AppSource deployment setting to defer object import until the license is validated
Request for Microsoft’s Review
We kindly request that Microsoft consider one or more of the following improvements:
- Allow HTTP calls during installation (optionally or securely, e.g. using a special flag or system setting)
- Support a pre-install validation hook, where a licensing endpoint can be queried before objects are imported
- Provide secure deferred deployment options, where app logic is only delivered after validation
- Introduce encryption or server-side protection mechanisms for AL source code in AppSource packages
These measures would allow partners and ISVs to better protect their intellectual property and enforce licensing compliance in a standardized, secure way, without compromising on Business Central's installation integrity.
We understand the technical complexity and appreciate your efforts in making the AL ecosystem robust and extensible. However, we believe this issue requires urgent attention for all partners distributing commercial extensions.
Best regards,
Marco / neoponder GmbH