Want to have SharePoint code approved by Microsoft?

If you ever wanted to know if your SharePoint code is good enough, then look no further than MSOCAF which stands for Microsoft Online Code Analysis Framework. This tool was primarily build to validate custom SharePoint code that will run in BPOS-D farms (SharePoint online dedicated) however nothing is stopping you from downloading the tool and validate your own WSP to see what Microsoft thinks of it! 😉

Code analysis within MSOCAF focuses on areas like memory management, security vulnerabilities, exception management, object model usage, quality gates for unsupported features and reporting. The framework leverages existing tools like FxCop, CAT.Net, and SPDisposeCheck to analyze custom solutions.

So how does it work? Well, first you need to download the tool from https://caf.sharepoint.microsoftonline.com/Default.aspx, then start it up, you will get this screen (looks nice and shiny eh?):


Next, click on Analyze. It will tell you how the folder structure of your deployment must look like:


Click on Next to move on, there you will be told which rules will be used to check the code:


Now, probably a lot of ‘standard’ rules will not really apply to your code. I mean, personally, I’ve never used any P/Invokes (at least, not that I’m aware off 😉 so the chances are unlikely that the “Move P/Invokes to NativeMethods class” rule in the Design section will be fired. So instead, focus on the rules that are defined in the custom rule set and the Memory Management one.

After reviewing the rules, click on Next to get the screen where you can locate the folder structure that holds your solution


Now, let me share that will be reviewed.. and be aware this is bad code!


Curious what the tool will be say of this? So am I!


And here we are, as a surprise, my code did not succeed in passing the rules. And the cool thing is that you can also where exactly (line number) the code was bad, and also in most cases there is a resolution you can click on.
In this case, it’s giving me the solution to fix this and also a helpful link to a blogpost every SharePoint developer should know better than the date he/she got married..


There you have it.. you might wonder what the audience is for this tool. I believe that it’s good for both developer and IT Pro.. it gives the developers a nice little framework on which they can validate their code own. On the other hand, it gives the IT Pro a better understanding if the customization that has been given to them is really that good as the developers say it is. And if something is wrong with it, they can go back to the developers and demand an explanation why they should put into production.


Let me know what you think about it!

Comments (6)
  1. Phillip says:

    I believe the link to MSOCAF has to be HTTPS to work. The HTTP link doesn't seem to resolve.

  2. Thanks Philip, I've updated the link 🙂

  3. joapen says:

    Many thanks for this explanation post

  4. Olaf says:

    Maybe a stupid question but what is a deployment manifest and how can it be made? I cannot find any explanation about it anywhere when googling.

  5. HOlietenk says:

    Robin — MSOCAF is great!!! Especially for customers.

    Do you know how long Microsoft will support MSOCAF and whether it is supported to use for on-premise environments? Is it valid to add a rule to our development guidelines which tells the developer to use MSOCAF as code analysis framework?



  6. Tom says:

    You might also want to check out the commercial competitor SPCAF which does many more things. The have a comparison chart between MSOCAF and SPCAF here http://www.spcaf.com/…/msocaf-vs-spcaf

Comments are closed.

Skip to main content