Is the cloud safe? A guide to security in Microsoft Dynamics 365


Lock icon representing Dynamics 365 security

Cloud computing has facilitated a shift in the way we work and collaborate.

However, for many would-be cloud users, including those organizations considering implementing Dynamics 365, security is still an issue that invokes dubiety.

“The cloud” has opened doors to massive opportunities, helping businesses of all sizes access technologies and services that would have been out of reach in the era of traditional computing. Through the cloud, we’re able to reach customers and clients in unprecedented ways, use advancing intelligence to inform our decisions, and automate tasks to help us focus on the bigger picture.

We use the cloud to communicate with our friends and family, watch television, do our shopping, manage our money, and even rent bicycles. But for all this potential, the idea of utilizing cloud technology for business purposes is still viewed with suspicion by many organizations.

Spending on cloud technology is set to soar in the next few years, and leading cloud providers are working hard to establish the trust of potential customers in order to sell their services to potential cloud customers.

But, by Microsoft CEO Satya Nadella’s own admission, cloud service providers need to earn the confidence of potential cloud users if “as a service” computing is to continue to grow. “Businesses and users,” Nadella sermonized some years ago, “are going to embrace technology only if they can trust it.”

According to Rémy Vandepoel, Technical Cloud Evangelist at cloud service provider OVH, concerns around SaaS security are often ill-placed.

“There’s a misconception around cloud that it is less secure than any on-premise server. It’s actually quite the opposite; data centers have to comply to certain standards to be authorized to host any information, and therefore are one of the safest places there is to store data.”Remy Vandepoel

“Data in the cloud is always co-located,” says Vandepoel, “which means that it’s copied somewhere else, and won’t disappear if something happens to the data center. For this reason, we would always advise keeping data in the cloud.”

Nevertheless, security remains a sticking point for many businesses planning their road to digital transformation. If security concerns are preventing your company from taking advantage of everything cloud computing has to offer, join us as we take a look at security in Dynamics 365, and how Microsoft is working to keep their users’ data safe in the cloud.

Image of Satya Nadella and a quote on Microsoft security

Is the Azure Microsoft cloud secure?

All of Microsoft’s cloud products, including cloud-based deployments of Dynamics 365, are hosted on the company’s own cloud platform, Azure.

Azure is operated from Microsoft data centers located all over the world; which data center an organization’s data is physically housed in will depend on where the organization is based, and the product it is using.

The company also operates the Microsoft Cyber Defense Operations Center: a cybersecurity and defense facility manned by security experts and data scientists that work to protect Microsoft’s cloud infrastructure, detecting and responding to threats around the clock.

Microsoft invests over $1B a year in ensuring the security of their users and their digital property. When it comes to Azure, there are many critical layers to its security model:


Azure utilizes industry-standard transport protocols to encrypt data in transit between users and datacenters, as well as within the datacenters themselves. Data at rest is encrypted by a wide range of capabilities up to AES-256, with users able to select the encryption solution that best fits their requirements.

Secure networks

Azure’s Virtual Network Gateway allows users to create encrypted IPSec tunnels, and segment instances within multiple deployments in one customer subscription by using private IPs and subnets that act as virtual firewalls.

Key logs

Azure keys are secured with 256-bit AES encryption, and Microsoft’s Security Vault uses FIPS 140-2 Level 2 validated HSMs that help simplify and automate tasks for SSL/TLS certificates.

Malware protection

Integrated protection can be enabled through the Azure management portal to help protect your Dynamics 365 instance from malware, ransomware, and other online threats.

Access management

Azure is protected by Microsoft’s Multi-Factor Authentication service, a two-step verification method of authentication that adds a second layer of security to user sign-ins and transactions. MFA requires two, or more, of the following verification methods to grant access to users:

  • A password
  • A trusted device
  • Biometric verification such as a fingerprint or a facial scan

Azure Security Center

Azure Security Center is a user’s one-stop-shop for everything they need to keep their Azure-hosted cloud solutions safe. The Security Center offers security management and advanced threat protection features, and from it, you can set security policies, manage your threats, and detect and respond to attacks. The Security Center also provides actionable recommendations for improving your defenses.

Want the inside scoop on the Dynamics industry?

Nigel Frank International’s annual Microsoft Dynamics salary survey report examines salaries, benefits, skills, motivations, sentiments, and movements across the global Microsoft Dynamics partner, ISV, and Microsoft Dynamics customer communities.

How does Dynamics 365 security work?

Microsoft Dynamics 365 and Microsoft Dynamics 365 (online) provide a security model that protects data integrity and privacy, and supports efficient data access and collaboration.

The goals of the model are these:

  • Provide users with access only to the appropriate levels of information that is required to do their jobs.
  • Categorize users by role and restrict access based on those roles.
  • Support data sharing so that users and teams can be granted access to records that they do not own for a specified collaborative effort.
  • Prevent a user’s access to records the user does not own or share.

There are many layers to Dynamics 365’s security model, helping users restrict access to their data in a structured, logical way, and help prevent data breaches.

Security settings can be tailored to various arms of an organization by creating business units, allowing organizations to segregate data between divisions or subsidiaries of the business. This could mean creating individual units for sales, distribution, marketing, and finance departments, for example, to ensure access to specific information is restricted to only those who need it.

Within these business units, organizations can then create individual user accounts. Users can be grouped into teams with those who require similar security privileges, making it much simpler to apply security settings to large groups of users:

Infographic showing structure of Dynamics 365 security

Here are a few key terms to get to grips with when dealing with Dynamics 365 security settings:

  • Role — a user’s position within the business. Often something like a sales manager, customer service coordinator, IT administrator, etc. The security privileges assigned to each role will be dictated by the functions and data required to perform this role.
  • Entity — an entity is an aspect of your Dynamics 365 database. This might be a customer record, an account, or a marketing campaign.
  • Access rights — used in role-based security, a user’s access rights dictate to which they have access. A user may only have access rights to entities that they own, or they may have access rights to entities contained only within their business unit.
  • User privileges — used in record-based security, user privileges dictate what the user can do with a record, for example, whether they can edit, delete, or share it with other users.

Role-based security

Within Dynamics 365 itself, security is managed by administrators, who can dictate exactly what data and functions each user has access to, based on their positions. This role-based security model means that users are only party to the information and processes that are necessary for them to do their jobs, keeping access to your data on a need-to-know basis.

Within each security role, varying levels of access rights can be assigned to individual record types, giving administrators strict control over precisely what the user can do with each specific entities, and within which departments.

Access rights are split into five levels:

  1. None — no access permitted.
  2. Basic (referred to as User) — gives a user access to records and entities that they own, have been shared with them, or their team. This access level would generally apply to sales and service representatives.
  3. Local (referred to as Business Unit) — Local is the next level up from Basic, and adds to the privileges of Basic access. Local gives the user access to all entities within their business unit. This access level is typically reserved for managers with authority over their business unit.
  4. Deep (referred to as Parent: Child Business Unit) — Deep is the next level up from Local, and adds to the privileges of Local and Basic access. Deep gives users access to all entities within their business unit, and all subordinate business units. This access level is typically assigned to managers with authority over all business units.
  5. Global (referred to as Organization ) — Global is the most extensive access level available, and includes all the privileges of Deep, Local and Basic access to entities across the entire organization, regardless of ownership. This access level is typically assigned to managers with authority over all aspects of the business.

There are some predefined security roles in Dynamics 365, such as system administrator, system customizer, marketing manager, and salesperson, that can be applied to users. However, if an organization finds that none of these roles suit its needs, it can modify or create new security roles from scratch.

Administrators can also assign task-based privileges which control each user’s ability to perform tasks, such as publishing articles or sending a mail merge.

Record-based security

Record-based security in Microsoft Dynamics 365 focuses on access rights to specific records.
The access level of each role is configured by dictating what a user can do to or with a particular entity.

User privileges are categorized into seven types:

  • Create — user is able to add a new record
  • Read — user is able to view a record
  • Write — user is able to edit a record
  • Delete — user is able to delete a record
  • Append — user is able to connect or associate other entities with a parent record
  • Append to — user is able to connect or associate other entities with a record
  • Assign — user is able to give ownership of a record to another user
  • Share — user is able to give access to a record to another user

Each of these privileges can be assigned different levels of access, restricting which entities they apply to depending on ownership, and location within the business.

For example, a sales manager may be granted the right to edit contacts across the entire organization, but have their ability to delete records restricted to records they have created themselves, and not records created by others.

The assignment of access levels and user privileges to each individual type of entity is what makes up each role’s security profile in Dynamics 365. Entities are grouped by function — marketing, business management, customization, etc. — so that administrators can find the entities they’re looking for quickly. An overview of a particular role’s security profile will be structured like this:

Infographic showing Dynamics 365 security roles

Field-based security

If you have fields within an entity that are particularly sensitive or valuable, you can assign specific, field-level security parameters to these individual fields.

Fields would usually inherit the settings of the record they sit within, but with field-level security, you can set special restrictions to make sure the data within these fields is only accessible by certain users or teams.

Dynamics 365 security tips

We’ve rounded up some essential tips and best practices to help you get the most out of Dynamics 365’s security model, and keep your critical business data on lockdown.

Amending security roles

When it comes to changing or updating security roles, it’s always advisable to create copies of existing roles and amending those, rather than altering the originals. Out-of-the-box roles should always be kept as a reference, and something you can roll back to if necessary.

Team ownership

Teams can be assigned as owners of records and entities, rather than individual users. Setting a team as the owner of an entity ensures that all members of that team have the same access and privilege levels across the board.

Administrator roles

Along with the other security roles that come out of the box with Dynamics 365, the omniscient, illimitable role of system administrator also comes pre-established with access and rights to every part of the system.

Similarly to any other predetermined security role, it’s a good idea to copy the system administrator role and amend it to your needs, ensuring any unnecessary privileges such as deletion rights or publishing rights are removed.

Deletion privileges

No one wants to see useful data deleted by mistake, but accidents do happen, especially when you have a lot of users. Unintentional deletion of data can be protected against by granting to deletion rights only to a limited number of senior users.

Data auditing

When records contain valuable data, it’s crucial that organizations can track any changes or alterations that are made to their records.

In Dynamics 365, administrators can track and audit changes made to business information, so that all user activity can be monitored to maintain data security and compliance.

With auditing configured in Dynamics 365, administrators can track:

  • The creation and deletion of operations
  • Updates
  • Changes to the share privileges
  • Changes to security roles
  • Audit changes at all system levels
  • Deletion of audit logs
  • When data is accessed, for how long, and from what source

User session management

User sessions automatically time-out after 24 hours in Dynamics 365, but you can further protect against any unauthorized access to your system by reducing this default timescale, and forcing users to re-authenticate their session after a set period.

This video from the Dynamics 365 team explains how to set session timeouts for users:

Who owns my Dynamics 365 cloud data?

Although Microsoft acts essentially as custodians of your cloud data, you will still be the sole owner and administrator of that data.

Microsoft was the first cloud provider to adhere to ISO 27018, a code of practice that ensures:

  • Customers know where their data is stored
  • Customer data won’t be used for marketing or advertising without explicit consent
  • Customers can demand the return, transfer, and secure disposal of personal information within a reasonable period
  • Microsoft will only disclose customer data when legally obliged to do so

Microsoft’s cloud services are also subject to scrutiny under ISO 27001, which contains hundreds of guidelines on how a CSP should manage its infrastructure to keep its customer data secure. Microsoft is regularly audited by the ISO to confirm its continued compliance with its rules and regulations.

As Microsoft states on its Trust Center webpage: “You are the owner of your data. We do not mine your data for advertising. If you ever choose to terminate the service, you can take your data with you.”

Who can access my Dynamics 365 data?

The short answer is you, and when necessary, Microsoft personnel or its subcontractors.

Under the terms and conditions of your subscription to Microsoft’s business services, users can access and extract their data at any time, for any reason, without the need to notify or involve Microsoft.

If you ever cancel your subscription, your data will be kept for 90 days to allow you to export and take it with you. After that period expires, Microsoft will delete your data, including any cached or backup copies.

Microsoft’s data centers are what is known as multi-tenant services, which means that your Dynamics 365 solution, and the data contained within it, may be housed on the same server as that of other users. Your data will not be combined with the data of other customers, however, nor will other users be able to access your data. Microsoft uses a technique called logical isolation to silo your data and protect it from unauthorized access. Logical isolation prohibits devices that share a physical infrastructure from being able to communicate with each other.

Unauthorized access to your data is further restricted both physically and virtually. Access to data center facilities is, according to Microsoft, “guarded by outer and inner perimeters with increasing security at each level, including perimeter fencing, security officers, locked server racks, multi-factor access control, integrated alarm systems, and around-the-clock video surveillance by the operations center.”

All virtual access to customer data is logged, recorded, and regularly audited to detect and identify and inappropriate access. A variety of native encryption capabilities also protects information.

Of course, there will inevitably be times that either Microsoft or the third-party organizations they employ will need to access your data to offer support.
However, engineers do not have access to customer cloud data by default, and must be granted access under managerial supervision, and only when strictly necessary to uphold services.

At times, Microsoft may utilize subcontractors to carry out support and maintenance work, but like internal personnel, subcontractors are granted access only to the data necessary to deliver the services they’ve been contracted to provide.

All subcontractors who come into contact with customer data must enroll in the Microsoft Supplier Security and Privacy Assurance Program, an initiative created to help standardize data handling processes, and ensure compliance among third-party vendors. They must also be compliant with any regional data protection regulations, as well as Microsoft’s own stringent data handling terms.

Microsoft also strictly regulates any governmental access to your data, and takes steps to eliminate any indirect or backchannel contact with your personal information. Data hosted by Microsoft is never disclosed to government and law enforcement agencies unless required by law, and in such cases will promptly notify customers of the disclosure, unless legally prevented from doing so.

Will my data be compliant with the appropriate regulations?

Dynamics 365 helps users stay compliant with the following major data regulatory standards and guidelines:

  • Argentina Personal Data Protection Act (PDPA)
  • Australian Certified Cloud Services List (CCSL)
  • Cloud Security Alliance (CSA) STAR Self-Assessment
  • EU accessibility requirement EN 301 549 for public procurement of ICT products and services
  • EU Standard Contractual Model Clauses guarantees for transfers of personal data
  • EU-U.S. Privacy Shield for protecting personal data transferred from the EU to the US
  • US Food and Drug Administration (FDA) CFR Title 21 Part 11
  • US Family Educational Rights and Privacy Act (FERPA)
  • Federal Info Processing Standard FIPS 140-2
  • Health Insurance Portability & Accountability Act (HIPAA/HITECH) Business Associate Agreements (BAAs)
  • ISO 27001 information security management standards
  • ISO 27018 code of practice for cloud privacy
  • Singapore Multi-Tier Cloud Security Standard (MTCS)
  • New Zealand CC Framework
  • Section 508 Voluntary Product Accessibility Templates
  • Service Organization Controls (SOC 1) standards for operational security
  • Service Organization Controls (SOC 2) standards for operational security
  • UK Crown Commercial Service G-Cloud v6
  • Web Content Accessibility Guidelines (WCAG) 2.0

Will Dynamics 365 be compliant with incoming GDPR regulations?

A new privacy law will come into effect in May 2018. Issued by the European Parliament, General Data Protection Regulation (GDPR) is intended to “harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”

GDPR is the most significant overhaul in EU privacy law in 20 years, and aims to bring data regulation in line with the technological developments that have rendered existing legislation inadequate.

A significant legal obligation, GDPR will apply worldwide, to any and all organizations that handle the data of EU citizens, and consequences for those found to be breaching its directives are severe.

Microsoft has committed to ensuring all of its products will be compliant with GDPR by the time it comes into play in May. New contractual agreements have reiterated Microsoft’s focus on privacy and transparency, and promise to allow Dynamics 365 users to handle requests to update or delete personal data, spot and report data breaches, and demonstrate GDPR compliance.

That said, just being a user of Dynamics 365 does not guarantee compliance. Though Microsoft provides many tools to help companies discover and log issues, it’s up to businesses themselves to ensure any problems are addressed, and data is accessed and handled correctly.

So, is the cloud safe?

Cyber threats and the people who perpetrate them are evolving, and so are the security models that protect users against them. Security isn’t a destination, it’s a continually changing journey; both users and cloud service providers must work to stay one step ahead of those who would attempt to access your data illicitly.

Human error is the primary cause of so many privacy and data breaches, so responsibility for keeping your solution and your data safe, must be taken seriously at both the provider and the user end.

Cybersecurity is an arms race, and when you’re fighting a war, it’s undoubtedly better to be on the side of an expert tech company with a billion-dollar security budget.

The best Dynamics security talent, all in one place

Thanks to our decade-long presence in the Dynamics community, we have access to more Dynamics 365 talent than any other consultancy. Why don’t you take a look for yourself? Browse our bank of pre-screened, qualified professionals, for free, and find your perfect Microsoft pro today.