Overview
Dataverse offers three primary approaches for implementing form logic and validation: no-code business rules, client-side JavaScript, and server-side C# plugins. Business rules handle simple field validation and visibility without code, JavaScript provides rich client-side interactivity and form manipulation, while plugins offer server-side enforcement and complex business logic. Understanding when to use each approach is essential for building maintainable, performant solutions.
Prerequisites
- Advanced Dataverse and model-driven app experience
- Understanding of form customisation and field properties
- Familiarity with validation requirements and business logic
- Basic knowledge of JavaScript and C# (for respective approaches)
Why Multiple Logic Approaches Exist
Dataverse provides three distinct mechanisms for implementing form logic, validation, and automation: business rules (no-code), JavaScript (client-side code), and C# plugins (server-side code). Each approach has specific strengths, limitations, and ideal use cases, with a critical distinction between client-side convenience and server-side security.
Common form logic scenarios:
- Field validation (required fields, format checking, range validation)
- Conditional visibility (show/hide fields based on other values)
- Default value setting based on user selections
- Cross-field validation (ensure date ranges are valid)
- Dynamic field locking based on status or role
- Calculations that update as users type
- Integration with external systems during form interaction
The three approaches compared:
| Approach | Execution Location | Can Be Bypassed | Typical Use |
|---|---|---|---|
| Business Rules | Client-side (browser) | Yes (API, imports) | UI guidance, form convenience |
| JavaScript | Client-side (browser) | Yes (API, imports) | Rich UI logic, user experience |
| C# Plugins | Server-side (Dataverse) | No - true enforcement | Security, data integrity, critical validation |
Why server-side enforcement matters:
- Security – Client-side logic can be bypassed by malicious users or API calls
- Data integrity – Only server-side logic guarantees rules are enforced
- Multiple entry points – Data enters via forms, API, Power Automate, imports, Excel
- User manipulation – Browser developer tools can disable JavaScript and business rules
- Compliance – Regulatory requirements often mandate server-side validation
🚨
Critical Security Principle
Never trust client-side validation for security or data integrity. Business rules and JavaScript execute in the user's browser and can be completely bypassed using API calls, browser developer tools, or data imports. If validation is critical for business rules, compliance, or data integrity, it MUST be enforced server-side with C# plugins. Client-side logic is for user experience only, never for security.
No-Code Form Logic
What business rules can do:
- Set field requirement levels (required, recommended, optional)
- Show or hide fields, sections, or tabs based on conditions
- Enable or disable fields (lock/unlock)
- Set default values for fields
- Show validation error messages
- Set field values based on simple conditions
Business rule structure:
IF [Condition]
THEN [Action]
Example:
IF Account Type = "Premium"
THEN
- Set Discount Rate = 15
- Show Premium Benefits section
- Set Priority = HighWhen to use business rules:
- Simple conditional visibility (show field if checkbox is ticked)
- Basic field validation (make field required if status changes)
- Setting default values based on other field selections
- Locking fields after certain workflow stages
- Showing recommendation messages to users
- No developer resources available
Business rule capabilities:
| Action Type | What It Does | Example |
|---|---|---|
| Set Field Value | Populate field with specific value or another field | Set Discount = 10 when Type = VIP |
| Set Business Required | Make field required or optional | Require Manager Approval when Amount > 10000 |
| Show Error Message | Display validation error preventing save | Error if End Date before Start Date |
| Show/Hide Field | Toggle field visibility | Show Reason when Status = Cancelled |
| Lock/Unlock Field | Enable or disable field editing | Lock Price when Status = Approved |
| Set Visibility | Show/hide sections or tabs | Show Shipping tab when Type = Physical Product |
Creating a business rule:
1
Navigate to table in make.powerapps.com
Select table, go to Business rules, click New business rule.
2
Define condition
Drag Condition component, set field, operator, and value.
3
Add actions
Drag action components to True or False branches.
4
Set scope
Choose Entity (all forms) or specific form.
5
Activate and publish
Save, activate, and publish customisations.
Business rule example scenarios:
Scenario 1: Conditional field requirement
IF Status = "Closed"
THEN Set Close Reason as Business Required
Scenario 2: Auto-populate related field
IF Account Type = "Premium"
THEN Set Discount Percentage = 15
Scenario 3: Show additional fields
IF Product Category = "Custom"
THEN Show Custom Specifications section
Scenario 4: Validation error
IF End Date < Start Date
THEN Show Error: End date cannot be before start date
Scenario 5: Lock approved records
IF Approval Status = "Approved"
THEN Lock Budget Amount fieldClient-Side Scripting for Complex Form Logic
What JavaScript can do:
- All business rule capabilities plus advanced logic
- Complex calculations with loops and conditionals
- Call external APIs and web services
- Manipulate form UI dynamically (add buttons, custom controls)
- Access and manipulate subgrids and related entities
- Execute custom validation with detailed error messages
- Respond to form events (load, save, field change)
- Integration with third-party JavaScript libraries
JavaScript form events:
| Event | When It Fires | Common Uses |
|---|---|---|
| OnLoad | Form opens | Set defaults, load external data, configure UI |
| OnSave | Before record saves | Validation, prevent save, last-minute calculations |
| OnChange | Field value changes | Update related fields, show/hide sections, validate |
| TabStateChange | Tab selected | Load tab-specific data on demand |
| ProcessStatusChange | Business process stage changes | Stage-specific validation or field updates |
When to use JavaScript:
- Complex conditional logic beyond business rule capabilities
- Real-time calculations as users type
- Integration with external APIs during form interaction
- Dynamic form UI changes based on user actions
- Advanced validation requiring loops or complex conditions
- Manipulating lookup filters based on other field values
- Custom ribbon buttons with form context
JavaScript example scenarios:
Scenario 1: Filter lookup based on another field
function filterAccountLookup(executionContext) {
var formContext = executionContext.getFormContext();
var accountType = formContext.getAttribute("accounttype").getValue();
// Build filtered view XML
var fetchXml = "<filter><condition attribute='type' operator='eq' value='" +
accountType + "'/></filter>";
// Apply filter to lookup
formContext.getControl("parentaccountid").addCustomFilter(fetchXml);
}
Scenario 2: Call external API for address validation
async function validateAddress(executionContext) {
var formContext = executionContext.getFormContext();
var address = formContext.getAttribute("address1_line1").getValue();
try {
var response = await fetch("https://api.addressvalidation.com/validate", {
method: "POST",
body: JSON.stringify({ address: address })
});
var result = await response.json();
if (!result.valid) {
formContext.ui.setFormNotification(
"Address validation failed", "ERROR", "addressError");
}
} catch (error) {
console.error("Address validation error:", error);
}
}
Scenario 3: Calculate total from subgrid items
function calculateSubgridTotal(executionContext) {
var formContext = executionContext.getFormContext();
var gridContext = formContext.getControl("orderlines");
if (gridContext.getGrid) {
var grid = gridContext.getGrid();
var rows = grid.getRows();
var total = 0;
rows.forEach(function(row) {
var entity = row.getData().getEntity();
var lineTotal = entity.attributes.getByName("amount").getValue();
total += lineTotal || 0;
});
formContext.getAttribute("totalamount").setValue(total);
}
}
Scenario 4: Prevent save with custom validation
function onSaveValidation(executionContext) {
var formContext = executionContext.getFormContext();
var startDate = formContext.getAttribute("startdate").getValue();
var endDate = formContext.getAttribute("enddate").getValue();
if (endDate < startDate) {
executionContext.getEventArgs().preventDefault();
formContext.ui.setFormNotification(
"End date must be after start date",
"ERROR",
"dateValidation"
);
}
}JavaScript deployment:
1
Create JavaScript file with functions
Write functions using Dataverse Client API.
2
Upload as web resource
Type: Script (JScript), upload .js file to solution.
3
Add to form events
Form properties → Events → Add library, register event handlers.
4
Publish and test
Publish customisations, test in form with browser console open.
Server-Side Business Logic Enforcement
Why plugins are the only true enforcement mechanism:
- Cannot be bypassed – Execute server-side regardless of entry method (forms, API, imports, flows)
- Security enforcement – Users cannot disable or manipulate server-side code
- Data integrity guarantee – Validation runs on every create, update, delete operation
- Transaction control – Rollback database changes if validation fails
- Audit and compliance – Server-side logging cannot be tampered with
- Cross-entity consistency – Enforce rules across related records atomically
What C# plugins can do:
- Enforce validation regardless of how data enters Dataverse
- Execute complex business logic with full .NET framework access
- Modify data before or after database operations
- Call external systems synchronously or asynchronously
- Query and update multiple related records in transactions
- Implement audit trails and logging
- Prevent operations based on complex business rules
- Integrate with legacy systems or external databases
- Recalculate multiple columns simultaneously (e.g., order totals, taxes, discounts)
- Prevent record progression when business conditions not met
Critical scenarios requiring plugins (not client-side):
- Prevent status regression – Stop users moving records backwards in workflow (Approved → Draft)
- Financial calculations – Recalculate order totals, tax, discounts atomically when line items change
- Prevent deletion with dependencies – Block deleting customers with active orders
- Enforce approval hierarchies – Validate approver authority based on amount thresholds
- Duplicate detection – Prevent duplicate records based on complex matching rules
- Data encryption – Encrypt sensitive fields before database storage
- External system synchronisation – Keep ERP, CRM, and Dataverse in sync
- Complex business rules – Multi-step validation requiring database queries
Plugin execution pipeline stages:
| Stage | Timing | Use Cases |
|---|---|---|
| PreValidation | Before database transaction | Lightweight validation, security checks, external API validation |
| PreOperation | Inside transaction, before database | Modify data, critical validation, calculate fields, set defaults |
| PostOperation | Inside transaction, after database | Update related records, create child records, maintain totals |
| PostOperation (Async) | After transaction completes | Logging, external notifications, non-critical updates |
When plugins are mandatory (not optional):
- Validation must be enforced regardless of entry method (API, import, flows, Excel)
- Security or compliance requires server-side enforcement
- Business rules would cause financial or legal risk if bypassed
- Data integrity is critical (financial records, medical data, legal documents)
- Multiple records must be updated atomically (order lines and order totals)
- Calculations must be guaranteed accurate (tax, discounts, commissions)
- External system integration must be transactional
Plugin example scenarios:
Scenario 1: Prevent status regression (SECURITY CRITICAL)
public void Execute(IServiceProvider serviceProvider)
{
var context = (IPluginExecutionContext)serviceProvider.GetService(
typeof(IPluginExecutionContext));
if (context.MessageName == "Update")
{
var target = (Entity)context.InputParameters["Target"];
// Get current status from database
var preImage = (Entity)context.PreEntityImages["PreImage"];
var currentStatus = preImage.GetAttributeValue<OptionSetValue>("statuscode").Value;
if (target.Contains("statuscode"))
{
var newStatus = target.GetAttributeValue<OptionSetValue>("statuscode").Value;
// Define allowed progressions
var allowedProgressions = new Dictionary<int, List<int>>
{
{ 1, new List<int> { 2, 3 } }, // Draft can go to Review or Cancelled
{ 2, new List<int> { 4, 3 } }, // Review can go to Approved or Cancelled
{ 4, new List<int> { } }, // Approved cannot change (locked)
{ 3, new List<int> { 1 } } // Cancelled can return to Draft
};
// Check if progression is allowed
if (!allowedProgressions[currentStatus].Contains(newStatus))
{
throw new InvalidPluginExecutionException(
string.Format("Cannot change status from {0} to {1}. This transition is not allowed.",
GetStatusName(currentStatus), GetStatusName(newStatus)));
}
}
}
}
Scenario 2: Recalculate order totals when line items change
public void Execute(IServiceProvider serviceProvider)
{
// When order line is created, updated, or deleted
if (context.PrimaryEntityName == "salesorderdetail")
{
var orderId = GetOrderId(context);
// Calculate totals from all line items
var query = new QueryExpression("salesorderdetail");
query.Criteria.AddCondition("salesorderid", ConditionOperator.Equal, orderId);
query.ColumnSet.AddColumns("quantity", "priceperunit", "tax", "discount");
var lineItems = service.RetrieveMultiple(query).Entities;
decimal subtotal = 0;
decimal totalTax = 0;
decimal totalDiscount = 0;
foreach (var line in lineItems)
{
var qty = line.GetAttributeValue<decimal>("quantity");
var price = line.GetAttributeValue<Money>("priceperunit").Value;
var tax = line.GetAttributeValue<Money>("tax").Value;
var discount = line.GetAttributeValue<Money>("discount").Value;
subtotal += qty * price;
totalTax += tax;
totalDiscount += discount;
}
// Update order header with calculated totals
var order = new Entity("salesorder");
order.Id = orderId;
order["subtotal"] = new Money(subtotal);
order["totaltax"] = new Money(totalTax);
order["totaldiscount"] = new Money(totalDiscount);
order["totalamount"] = new Money(subtotal + totalTax - totalDiscount);
service.Update(order);
}
}
Scenario 3: Prevent deletion of records with dependencies
public void Execute(IServiceProvider serviceProvider)
{
if (context.MessageName == "Delete" &&
context.PrimaryEntityName == "account")
{
var accountId = (Guid)context.PrimaryEntityId;
// Check for active orders
var orderQuery = new QueryExpression("salesorder");
orderQuery.Criteria.AddCondition("customerid", ConditionOperator.Equal, accountId);
orderQuery.Criteria.AddCondition("statecode", ConditionOperator.Equal, 0); // Active
var activeOrders = service.RetrieveMultiple(orderQuery);
if (activeOrders.Entities.Count > 0)
{
throw new InvalidPluginExecutionException(
string.Format("Cannot delete account with {0} active orders. " +
"Please close or cancel all orders before deleting the account.",
activeOrders.Entities.Count));
}
}
}
Scenario 4: Enforce approval hierarchy based on amount
public void Execute(IServiceProvider serviceProvider)
{
if (context.MessageName == "Update" &&
context.PrimaryEntityName == "quote")
{
var target = (Entity)context.InputParameters["Target"];
if (target.Contains("approverid") && target.Contains("totalamount"))
{
var approverId = target.GetAttributeValue<EntityReference>("approverid").Id;
var totalAmount = target.GetAttributeValue<Money>("totalamount").Value;
// Get approver's authority limit
var approver = service.Retrieve("systemuser", approverId,
new ColumnSet("approvallimit"));
var approvalLimit = approver.GetAttributeValue<Money>("approvallimit").Value;
if (totalAmount > approvalLimit)
{
throw new InvalidPluginExecutionException(
string.Format("This approver can only approve quotes up to ${0:N2}. " +
"This quote requires approval from a manager with higher authority.",
approvalLimit));
}
}
}
}🚨
Security Reality Check
A skilled user can bypass ANY client-side validation in minutes using browser developer tools, Postman, or the Dataverse Web API. Business rules can be disabled in the browser console. JavaScript can be deleted from web resources. If a malicious user, integration, or import can violate your business rules, your validation MUST be in a plugin. Client-side is convenience, server-side is security.
Choosing the Right Approach
The fundamental question: Can this be bypassed?
Before choosing an approach, ask: "What happens if a user bypasses this validation using the API or an import?" If the answer is data corruption, financial loss, compliance violation, or security breach—you MUST use a plugin.
Comprehensive comparison:
| Capability | Business Rules | JavaScript | C# Plugins |
|---|---|---|---|
| No code required | ✓ Yes | No | No |
| Provides security | No | No | ✓ Yes |
| Enforced via API | No | No | ✓ Yes |
| Enforced in imports | No | No | ✓ Yes |
| User can bypass | Yes | Yes | No |
| Complex logic | Limited | ✓ Yes | ✓ Yes |
| Multi-record updates | No | Limited | ✓ Yes (atomic) |
| Transaction control | No | No | ✓ Yes |
| User experience | ✓ Immediate | ✓ Rich | Slower (enforced) |
| Maintenance | ✓ Easiest | Medium | Complex |
Security and enforcement reality check:
| Entry Method | Business Rules | JavaScript | C# Plugins |
|---|---|---|---|
| Model-driven app forms | Executed | Executed | ✓ Enforced |
| Canvas apps | Bypassed | Bypassed | ✓ Enforced |
| Power Automate | Bypassed | Bypassed | ✓ Enforced |
| Web API (Postman, code) | Bypassed | Bypassed | ✓ Enforced |
| Data imports (Excel, CSV) | Bypassed | Bypassed | ✓ Enforced |
| Excel integration | Bypassed | Bypassed | ✓ Enforced |
| Browser dev tools disabled JS | Bypassed | Bypassed | ✓ Enforced |
Revised decision tree (security-first):
START: Need to implement validation or business logic
Question 1: Is this a CRITICAL business rule? (financial, compliance, security, data integrity)
→ YES: Use C# Plugin (MANDATORY - cannot be bypassed)
→ NO: Continue to Question 2
Question 2: Could bypassing this rule cause problems? (wrong data, business impact)
→ YES: Use C# Plugin (enforced) + Business Rule/JavaScript (UX)
→ NO: Continue to Question 3
Question 3: Does this prevent status regression or enforce workflow progression?
→ YES: Use C# Plugin (users can manipulate browser to bypass client-side)
→ NO: Continue to Question 4
Question 4: Does this calculate financial fields (totals, tax, discounts)?
→ YES: Use C# Plugin (calculations must be server-side and atomic)
→ NO: Continue to Question 5
Question 5: Is this just UI guidance to help users fill forms correctly?
→ YES: Business Rule (simplest, sufficient for UX-only)
→ NO: Continue to Question 6
Question 6: Does this require complex UI logic or external API calls?
→ YES: JavaScript (rich UX) + Plugin if enforcement needed
→ NO: Business Rule (keep it simple)Common scenario recommendations (security-aware):
| Scenario | Recommended Approach | Why |
|---|---|---|
| Show/hide field for user convenience | Business Rule only | Pure UX, no enforcement needed |
| Prevent approved records being edited | Plugin (mandatory) | Security - API can bypass client-side locks |
| Stop status moving backwards (Approved → Draft) | Plugin (mandatory) | Workflow integrity - must be server-enforced |
| Calculate order total from line items | Plugin (mandatory) | Financial accuracy - must be atomic and accurate |
| Filter lookup based on another field (UX) | JavaScript | UX improvement, not security-critical |
| Prevent duplicate email addresses | Plugin (mandatory) | Data integrity - imports can bypass client-side |
| Validate credit card format | JavaScript + Plugin | JS for UX, plugin for security (PCI compliance) |
| Prevent deletion if child records exist | Plugin (mandatory) | Referential integrity - API can bypass UI |
| Show friendly reminder message | Business Rule only | User guidance, no enforcement |
| Enforce approval amount limits | Plugin (mandatory) | Compliance - SOX requires server-side enforcement |
🚨
Common Dangerous Mistake
Using business rules or JavaScript for financial calculations, approval enforcement, or status progression control is a CRITICAL ERROR. These rules protect your business and MUST be server-side. A malicious user, rogue integration, or simple data import will bypass client-side validation completely. If the rule matters, it belongs in a plugin. Period.
Long-Term Impact of Each Approach
Performance comparison:
| Approach | Execution Speed | User Impact | Scalability |
|---|---|---|---|
| Business Rules | Instant (client-side) | None - immediate feedback | Excellent - no server load |
| JavaScript | Very fast (client-side) | Minimal if well-written | Good - runs in user browser |
| Sync C# Plugin | Adds 100-2000ms latency | Noticeable on save operations | Limited - server resources |
| Async C# Plugin | No immediate impact | None - runs after response | Better - queued execution |
Maintenance burden:
- Business Rules – Visual designer, non-developers can update, changes visible immediately
- JavaScript – Requires developer for changes, version control recommended, browser debugging
- C# Plugins – Full development lifecycle (code, compile, test, deploy), requires Visual Studio and SDK knowledge
Debugging complexity:
| Approach | Debugging Method | Skill Level |
|---|---|---|
| Business Rules | Visual designer shows logic flow | Non-technical |
| JavaScript | Browser console, breakpoints, logging | Intermediate |
| C# Plugins | Plugin Profiler, Visual Studio debugging, tracing logs | Advanced |
Common performance mistakes:
- Business Rules: Too many rules on one form creating evaluation overhead
- JavaScript: Synchronous API calls blocking UI, inefficient DOM manipulation
- Plugins: Complex queries in synchronous plugins, missing caching, excessive external calls
Performance optimization techniques:
Business Rules:
- Minimise number of active rules
- Use specific scopes (form vs entity)
- Combine related conditions into single rules
JavaScript:
- Use async/await for external calls
- Debounce OnChange events
- Cache lookup data in session storage
- Minimise DOM manipulations
C# Plugins:
- Move non-critical logic to async plugins
- Cache reference data in static variables
- Use early-bound classes for performance
- Batch operations where possible
- Set timeout limits for external callsALM and deployment considerations:
| Approach | Solution Export | Environment Promotion | Version Control |
|---|---|---|---|
| Business Rules | Automatic in solution | Simple (part of solution) | XML in solution file |
| JavaScript | Web resource in solution | Simple (web resource) | Source .js files in Git |
| C# Plugins | Assembly in solution | Medium (assembly + steps) | Full source code in Git |
Guidelines for Effective Logic Implementation
General best practices across all approaches:
- Document business logic clearly in solution documentation
- Test thoroughly in development before deploying to production
- Use meaningful names for rules, functions, and plugins
- Implement proper error handling and user-friendly messages
- Version control all code (JavaScript files, plugin source)
- Monitor performance impact after deployment
- Plan for maintenance—who updates logic when requirements change?
When to combine approaches:
- Business Rule + Plugin: Rule provides immediate UI feedback, plugin enforces server-side
- JavaScript + Plugin: JavaScript for rich UI experience, plugin for data integrity
- All three: Business rule for simple visibility, JavaScript for complex UI, plugin for enforcement
Example: Layered validation approach
Requirement: Validate email address format
Layer 1 - Business Rule (immediate feedback):
IF Email does not contain "@"
THEN Show error: "Email must be valid format"
Layer 2 - JavaScript (rich validation):
function validateEmail(executionContext) {
var formContext = executionContext.getFormContext();
var email = formContext.getAttribute("emailaddress1").getValue();
var regex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
if (email && !regex.test(email)) {
formContext.getControl("emailaddress1").setNotification(
"Please enter a valid email address", "emailValidation");
} else {
formContext.getControl("emailaddress1").clearNotification("emailValidation");
}
}
Layer 3 - C# Plugin (server-side enforcement):
public void Execute(IServiceProvider serviceProvider)
{
var entity = (Entity)context.InputParameters["Target"];
if (entity.Contains("emailaddress1"))
{
var email = entity.GetAttributeValue<string>("emailaddress1");
if (!IsValidEmail(email))
{
throw new InvalidPluginExecutionException(
"Invalid email format. Please provide a valid email address.");
}
}
}Migration path from simple to complex:
1
Start with Business Rule
Implement requirement using visual designer, no code needed.
2
Identify limitations
Monitor user feedback, note scenarios where business rule falls short.
3
Add JavaScript for complex UI needs
Supplement business rule with JavaScript for advanced scenarios only.
4
Implement plugin when enforcement required
Only add plugin if validation must apply via API, imports, flows.
Common anti-patterns to avoid:
- Building plugin for simple field visibility (business rule sufficient)
- Using JavaScript for validation that must be enforced server-side (plugin required)
- Creating dozens of business rules when one JavaScript function would be clearer
- Synchronous plugins for operations that could be asynchronous
- Duplicating logic across business rules, JavaScript, and plugins
- Not documenting why specific approach was chosen
Decision checklist before implementation:
- Can business rule meet 80% of requirement? → Start there
- Is validation only needed in forms? → Avoid plugins
- Must logic execute via API/imports? → Plugin required
- Do you have JavaScript developers? → Consider for complex UI
- Do you have C# developers? → Enables plugin option
- What is long-term maintenance plan? → Influences complexity choice
Testing requirements by approach:
- Business Rules: Test in all supported browsers, verify on mobile apps, check all conditional branches
- JavaScript: Browser compatibility testing, console error checking, performance profiling, offline mode testing
- C# Plugins: Unit tests, integration tests, performance testing, profiler debugging, error scenario testing
The Microsoft client scripting documentation and plugin development guide provide comprehensive information on implementing form logic, best practices, and advanced patterns for building robust Dataverse solutions.