Wednesday, 04 May 2022 11:41

Dynamics 365 Security Best Practices

When it comes to the topic of “Security” in Microsoft Dynamics 365 platform, we thought we would share a few simple best practices and maintenance considerations that have been beneficial to some of our clients over the years.

By following best practices and keeping in view the most common security mistakes made by other businesses, you can develop the right security approach that will minimise security risk and lower the licensing cost.

Microsoft Dynamics 365 Security

It’s common for businesses to overlook the security aspect among various other aspects of the Dynamics 365 implementations. It’s understandable since the complexities and intricacies involved with Dynamics 365 implementation often overwhelmed business leaders; thereby, it’s easiest for them to overlook the security aspect of the system.

In general, the Dynamics 365 security model follows the same architecture of the Azure security platform, which consists of various layers such as:

  • Encryption
  • Secure Virtual Network Gateway
  • Key Logs
  • Malware Protection and threat detection
  • Access management via authentication and authorisation mechanism
  • Multi - factor authentication service that includes two verification steps to validate user

On top of these security layers, the Dynamics 365 security model also uses the Azure security center to perform advanced threat detection and network monitoring.

Dynamics 365 Cloud Security Concerns & Risks

Our CEO, Graham Hill, says that it’s usually the CFO or private owners that raise concerns about the cloud. The concern revolves around the security of protecting their data. In those circumstances, we explain how Microsoft maintains their data center and what level of physical as well as virtual security is provided.

While concerns about moving to cloud are normal, it’s important to understand the threats you’re up against. Here’s a look at some of the big ones:

  • Cybercrime. It also applies to internal threats - manipulating financial reports, IP theft and insider fraud 
  • Compliance. Non compliance risks such as HIPAA, SOX, CCPA, GDPR, etc. Could lead to devastating consequences
  • Big Data. It's a big risk as hackers see it as chance to cash in by selling them and IP or demanding a ransom
  • Remote Work. Video conferencing, DDoS, and phishing attacks are on the rise for most remote workers because they are usually harder to secure
  • Shadow IT. It refers to IT solutions that bypass the official approval process. Example is personal accounts, workflows, SaaS tools employees use to make job easier

Dynamics 365 Security Best Practices

Role - Based Security

As mentioned earlier, this type of security framework allows you to create user roles, assign the corresponding data security privileges. You can mandate the exact data access rights and make sure users can access data only on a need basis. Access rights can be assigned depending on the user’s role and their corresponding business unit and team affiliation. The various access levels are:

  • None - No data access granted
  • Basic - Access to data entities that are owned by the user and can be shared within their team
  • Local - Access to data available within the business unit and typically granted to managers of the business unit
  • Deep - Access to data within the business unit and the related subordinate business units
  • Global - Organisational level data access that includes privileges of deep, basic, and local access rights. Assigned to admin – level users only

Record - Based Security

Record – based security defines the particular security privilege associated with each data record within the organisation. Users can be granted the privileges that allow them to create, read, write, delete, append, append to, assign and share.

Field - Based Security

Field – based security defines the security permissions granted to each specific data field within a record. For instance, for a customer data record, the sales representatives may be allowed to have write access only to the last interaction field while read – only access to the rest of the fields.

Dynamics 365 Security is not One - Time Task

When it comes to security, it’s not a one – time task. Rather, it is a periodic exercise. That’s because your organisation security isn’t static. Therefore, you will continuously be adding / removing users and role access. Here’s why you need to perform periodic reviews:

  • Check and validate that no user is over - provisioned with access
  • Ensure access removal for employees who are no longer part of the team 
  • Remove any temporarily assigned access
  • Validate the overall security level of the system

Leave the OOB Security Roles Alone !

The most important thing your IT person team can do to add more role to define various security roles to different resources is to find the out – of – the – box (OOB) role that most closely represents what you need and do a ‘Save – as’.

Add Only Privileges That Required By Specific Role

Another recommendation that we could think of is that avoiding adding unrelated privilege to a role for one or two users, because it will start to break down the control you are establishing by way of that security role. ONLY add privileges that are required by that specific role.

If you need to provide additional access as an exception to a few, then consider creating a special, separate security role for that specific function.

Consider Using "Teams" To Manage Large Numbers of Users More Easily

By assigning Security Roles to a Team instead of directly to a User, your ongoing administration of the end users can be made slightly more manageable. BUT, you do then have to commit to managing, members of Teams as part of your admin processes.

We recommend that when you are managing a large user counts and tend to assign multiple security roles per user.


The efficiency of a security model depends largely on the correct implementation. The Dynamics 365 security models allow for various features that can help you build a strong and secure CRM platform when adequately utilised. Ask your team and organisation which roles that suits their privilege the best, what are their needs in the system and how to tailor the implementation towards your organisation needs.