Today, CloudScope reluctantly removed all of our custom visuals from Microsoft AppSource and withdrew from further supporting Microsoft Power BI. Why did we feel it necessary to take this drastic step? As this post may be long, read the next paragraph which sums up where we are as of June 2, 2020.
Microsoft now prohibits certified custom visuals from displaying images hosted on external urls, making CloudScope's controls unusable. Plus the review process for certified custom visuals now stretches beyond 90 days, making it impossible to deliver timely features, fixes and updates to customers. Without contributions from third-party developers, the Microsoft Power BI platform will be less compelling.
First, a little background. CloudScope was an early supporter of Power BI. We immediately loved the analytic capabilities that it delivered to business users. With a basic understanding, anyone could create compelling dashboards and charts. As developers, we love to learn new products through development, so we released our first Power BI custom visualization, Image, on Sept 2, 2017.
Image was a simple visual control, but filled a need. It displayed an image bound to a user's dataset on a report page. Customers liked it, and responded by downloading it over 100,000 times. Up until today, it was the most popular image display control on Microsoft AppSource, and the only image display control that was ever Power BI certified. By being certified, the control could be used in exported PDF reports and PowerPoint files.
Over time, we released additional visuals, nearly all of which were Power BI certified. There was Overview, Collage, Timeline and UserList, among others. They were used by companies large and small in a variety of ways far beyond the social media display concepts that we originally anticipated.
Looking at the screen shots below from several of the custom visuals, a common theme appears. The visuals all feature extensive displays of images, which is exactly what customers liked about them. They could display relevant, engaging images within their Power BI reports.
The first problem we encountered was unexpected. Although we had been releasing certified custom visuals for nearly three years, Microsoft had now came up with a new interpreration of a requirement that cut deeply into the functionality of all of our visuals.
The requirements for certified visuals had long listed a requirement preventing "[A]ccessing external services or resources".
Most people would assume this is something like an external API (application programming interface) or something like a vendor's analytic tracking service. Which certainly seems reasonable.
However, as of March, 2020, Microsoft now interprets this to include links to images which are stored on external services (i.e. outside of a customer's dataset). So a link to an image on Azure, as shown above, is now prohibited for certified visuals. So, basically all of the CloudScope custom visuals are no longer certifiable by Microsoft.
The head-scratcher part about this requirement is that it does not apply to non-certified custom visuals. Remember, to become certified, visuals have to undergo a source-code review by a Microsoft developer, who checks for poor or insecure programming practices. The CloudScope visuals passed these reviews. But if our visual had not had a source code review and had simply been listed on AppSource, there would be no issue.
This position is just crazy. Certified visual developers are specifically penalized for becoming certified, while non-certified controls can link to whatever image location they choose. If Microsoft feels that it is a security risk to display external images, then it could prevent that by implementing restrictions in its Power BI display sandbox to block all controls, both certified and uncertified. It could start by blocking access for it's own visual control called Table, which displays images from external urls without warning.
But instead Microsoft chose to impact only certified controls, the controls that they have the most knowledge of, and the most control over through the source control review process. Fundamentally, Microsoft only wants developers to display images through binary display. Which is fine, but doesn't solve the security problem, and doesn't in any way match with what customers actually want to do. Customers will ultimately lose here, because they will be forced to lose functionality or use only non-certified controls.
Visuals distributed through Microsoft AppSource have long had a reputation for slow rollout timeframes. The delay is because once a visual has been staged for release, it takes an additional two weeks for Microsoft to roll it out through through their deployment pipeline. They say this delay is so that they can check that the custom control works as expected and doesn't break previous versions of the control, but we've never seen any testing activity during this stage.
Because certified visuals have to be source code reviewed, this process has always taken longer. But as of the beginning of 2020, this review process now stretches to over 90 days. Before we removed our custom visuals this morning, there was a visual that had been in the review cycle since March 16, 2020. That's 78 days, and the control hadn't even been looked at yet. If it had been magically approved tomorrow, it would have take an additional 14 days to deploy, making a total timeline of at least 92 days.
What's worse is that if the control fails review for any reason, you have to go back into the queue and start all over again. An additional 92 days anyone? Sure, sign me up. We've had controls fail for all sorts of non-source code related issues, such as not not having our source code repository in the exact format required by Microsoft.
But the long review cycle is not triggered just by source code changes. What about if you want to make a text edit to your AppSource listing or post a new picture to support your control? No changes to your visual control package, but you still have to go through a full source code review. For what reason? The insanity boggles the mind. We could literally change a comma to a semi-colon on my control's AppSource listing at this would require a review taking over 90 days that involves an additional source review. You would think Microsoft would be smart about this and segregate out different types of changes. You would be wrong.
So, let's recap the items that require a full source code review to a certified visual:
So, how do customers feel about this? They are confused and entirely unaware of the problem. When a developer seemingly waits forever to deliver a feature or bug fix they requested, who do they blame? The developer. The developer seems unresponsive and uncaring, when the reality is exactly the opposite. We can turn around a bug fix within a day or less, but it may continue impacting the customer for months because it can't get approved and deployed. I won't go into the details, but there is no way to skirt the process. If we manually deliver an updated version to a customer, it's immediately removed and reverted to the current "shipping" version by Power BI. Devlopers can only deliver new visuals that don't share the ID of a visual on AppSource.
As a developer who has spent hundreds of hours developing and supporting custom visuals for free, with no payment, the last thing I want is to look bad by my customers. And Microsoft makes us look terrible.
I haven't even started on the impact to our own business, CloudScope Social Analytics. We rely on the same visuals that are available on AppSource to power our Social Analytic reports and dashboards. We have fixes that need to be addressed, and new features that we want to deliver to customers, but we can't because of the review process. This has impacted our business and our ability to retain customers, without a doubt.
According to a Feb 11th, 2020 Axios article, Microsoft is the most valuable US company by market capitilization. So, the resources should be there to perform timely custom control reviews.
Apple has a similar model, where they must approve every application which will be distributed through the App Store. But Apple reviews 50% of the apps within 24 hours and 90% within 48 hours. There are over 1.8 million apps on the Apple App Store, but they still find a way to review each and every one of them. If only Microsoft could review apps in one week, it would make a world of difference. But it's so far from the current reality.
And are these apps allowed to display images from external URLs? Of course they can, and safely. Otherwise if Apple prevented this, entire classes of applications would be banned, and Apple would no longer be the premier handset vendor.
If Power BI wants to create a more useful application for its customers, it will have to allow third-party development of custom visuals and data connectors, as it does now. But creating the program is only part of the responsibility. Having created the program, they must ensure that certified apps can function according to customer needs and expectations, and that developers can receive a timely review.
Neither of these requirements are currently being fulfilled, so Microsoft needs to step up their developer program if they wish to maintain a market-leading position.