When to Use the Secure vs Unsecure Configuration for Plugins

Dynamics CRM provides two different configuration fields for plugins: the unsecure configuration and the secure configuration. The biggest difference that you’ll see mentioned between these two settings is that the secure configuration is only viewable by CRM Administrators, while the unsecure configuration is viewable by any CRM user. However, there’s another important difference: the unsecure config will automatically move between environments with your CRM solutions.

This means that even a setting that you might consider fine to let any CRM user read, like the URL of a website or settings to enable more verbose trace logging in a development environment, might be more appropriate in the secure configuration if you want it to be different between environments. Otherwise, every time you import a solution containing the plugin step, you have to worry about overriding the unsecure config setting in production with the value you have in your development environment.

Example Uses

| Setting | Recommended configuration |
|---|---|
| Web service credentials | Secure Config |
| Website URL that differs between environments | Secure Config |
| Log settings that you don’t want to move with a CRM solution | Secure Config |
| Template string that you’d want to move with a CRM solution | Unsecure Config |
| Constants that you’d want to move with a solution like “MaxRetries” or “NumberOfDaysToFollowUp” | Unsecure Config |


Use the secure config when a setting is sensitive and shouldn’t be readable by any CRM user OR if you don’t want that setting to move between environments when importing/exporting solutions.

| | Unsecure Config | Secure Config |
|---|---|---|
| Readable by any CRM User | Yes | No |
| Moves Between Environments with Solutions | Yes | No |
| Available when Plugin is Registered for Outlook Offline Mode | Yes | No |
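
The sketch below is an added example, not code from the original article. It shows a plugin reading both fields through its constructor and failing closed when the secure config is absent. The class name, the `ServiceUrl` and `ApiKey` keys, and the `key=value;key=value` string format are assumptions made for illustration; it compiles against the `Microsoft.Xrm.Sdk` assembly.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Xrm.Sdk;

// Hypothetical plugin: class name, key names and the "key=value;key=value"
// configuration format are assumptions made for this example.
public class FollowUpPlugin : IPlugin
{
    private readonly int _maxRetries;     // unsecure: moves with the solution
    private readonly string _serviceUrl;  // secure: set separately per environment
    private readonly string _apiKey;      // secure: not readable by ordinary users

    // CRM passes the step's two configuration strings to this constructor.
    public FollowUpPlugin(string unsecureConfig, string secureConfig)
    {
        var unsecure = Parse(unsecureConfig);
        var secure = Parse(secureConfig);

        string retries;
        if (!unsecure.TryGetValue("MaxRetries", out retries) ||
            !int.TryParse(retries, out _maxRetries))
            _maxRetries = 3; // default when the step carries no usable value

        secure.TryGetValue("ServiceUrl", out _serviceUrl);
        secure.TryGetValue("ApiKey", out _apiKey);
    }

    public void Execute(IServiceProvider serviceProvider)
    {
        var trace = (ITracingService)serviceProvider.GetService(typeof(ITracingService));

        // The secure config does not move with solutions and is not available in
        // Outlook offline mode, so it can be empty here. Stop instead of calling
        // the service without an endpoint or credentials.
        if (string.IsNullOrEmpty(_serviceUrl) || string.IsNullOrEmpty(_apiKey))
            throw new InvalidPluginExecutionException(
                "Secure configuration is missing for this plugin step in this environment.");

        // Trace only the non-sensitive value; the API key is never written to the log.
        trace.Trace("FollowUpPlugin: MaxRetries={0}", _maxRetries);
        // The outbound call using _serviceUrl and _apiKey follows from here (not shown).
    }

    // Splits "a=1;b=2" into a case-insensitive dictionary; null or empty input yields none.
    private static Dictionary<string, string> Parse(string config)
    {
        var result = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (var pair in (config ?? "").Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries))
        {
            var idx = pair.IndexOf('=');
            if (idx > 0) result[pair.Substring(0, idx).Trim()] = pair.Substring(idx + 1).Trim();
        }
        return result;
    }
}
```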