Classifying Data in Dynamics 365

Dynamics 365 includes development features for tagging business data with specific classifications. Specifically, this includes data that is stored in table fields of the database and telemetry data that is emitted from the application.

About Data Classification

Classifying data serves different purposes. It can make data easier and more efficient to locate and retrieve, and also help to add another layer of protection and security for handling private and sensitive data. It can supplement your process for making the application compliant with legislative and regulatory requirements for collecting, storing, and using personal information.

Important

You should consider the data classification features offered in Dynamics 365 as the first layer of classification - done by developers (Dynamics 365 and partners) on customizations, add-ons, and extensions. The second layer is to classify the sensitivity of the data itself. For more information, see Classifying Data Sensitivity. It is also important to consider end-users, and how they handle data they provide and that is made available to them.

What are the different data classifications?

The following describes each classification that you can apply to data, with examples:

CustomerContent
Description: Content directly provided or created by admins and users.
Examples:
  • Customer-generated BLOB or structured storage data
  • Customer-owned or customer-provided secrets (passwords, certificates, encryption keys, storage keys)

EndUserIdentifiableInformation (EUII)
Description: Data that identifies, or could be used to identify, the user of a Microsoft service. EUII does not contain Customer content.
Examples:
  • User name or display name (DOMAIN\UserName)
  • User principal name (name@company.com)
  • User-specific IP address

AccountData
Description: Customer billing information and payment instrument information, including administrator contact information, such as the tenant administrator's name, address, or phone number.
Examples:
  • Tenant administrator contact information (for example, the tenant administrator's name, address, e-mail address, phone number)
  • Customer's provisioning information

EndUserPseudonymousIdentifiers (EUPI)
Description: An identifier created by Microsoft that is tied to the user of a Microsoft service. When EUPI is combined with other information, such as a mapping table, it identifies the end user. EUPI does not contain information uploaded or created by the customer (Customer content or EUII).
Examples:
  • User GUIDs, PUIDs, or SIDs
  • Session IDs

OrganizationIdentifiableInformation (OII)
Description: Data that can be used to identify a tenant, generally configuration or usage data. This data is not linkable to a user and does not contain Customer content.
Examples:
  • Tenant ID (non-GUID)
  • Domain name in an e-mail address (xxx@contoso.com) or other tenant-specific domain information

SystemMetadata
Description: Data generated while running the service or program that is not linkable to a user or tenant.
Examples:
  • Database table names, database column names, entity names

Classifying data in tables and fields

Table objects and field controls include the DataClassification property that you can use to tag data with one of the classifications previously described.

Dynamics 365 operates with some standard rules for classification:

  • When you add a new field to a table, the field is assigned an initial value of ToBeClassified.
  • FlowField and FlowFilter fields are automatically set to the SystemMetadata data classification. This cannot be changed.
  • Existing tables and fields (except for FlowFields and FlowFilters) in an application that has been upgraded from a Dynamics 365 version without the DataClassification property are automatically assigned the CustomerContent classification.
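The following AL table object is an added example, not code from the original documentation, showing how the DataClassification property is set per field using the classifications described above. The object ID 50100, the table and field names, and the referenced Sales Header fields are assumptions for illustration. The FlowField sets no DataClassification, because FlowFields are always SystemMetadata and that cannot be changed.

```al
// Added example (not from the original page). Object ID 50100 and all names are assumed.
table 50100 "Contact Access Log"
{
    // Table-level value; fields below set their own classification explicitly.
    DataClassification = CustomerContent;

    fields
    {
        field(1; "Entry No."; Integer)
        {
            // System-generated surrogate key: not linkable to a user or tenant.
            DataClassification = SystemMetadata;
        }
        field(2; "Customer No."; Code[20])
        {
            // Refers to customer-created master data.
            TableRelation = Customer;
            DataClassification = CustomerContent;
        }
        field(3; "Note"; Text[250])
        {
            // Free text typed by the user is customer-created content.
            DataClassification = CustomerContent;
        }
        field(4; "User ID"; Code[50])
        {
            // DOMAIN\UserName directly identifies the end user (EUII).
            DataClassification = EndUserIdentifiableInformation;
        }
        field(5; "User Security ID"; Guid)
        {
            // A GUID identifies the user only together with a mapping table (EUPI).
            DataClassification = EndUserPseudonymousIdentifiers;
        }
        field(6; "Tenant Domain"; Text[250])
        {
            // Identifies the tenant, not a person (OII).
            DataClassification = OrganizationIdentifiableInformation;
        }
        field(7; "Open Sales Orders"; Integer)
        {
            // FlowFields are always SystemMetadata; the property cannot be set, so it is omitted.
            FieldClass = FlowField;
            CalcFormula = count("Sales Header" where("Document Type" = const(Order),
                                                    "Sell-to Customer No." = field("Customer No.")));
            Editable = false;
        }
    }

    keys
    {
        key(PK; "Entry No.")
        {
            Clustered = true;
        }
    }
}
```

A new field added without the property starts at ToBeClassified, so a compile-time review of any field still carrying that value is a cheap check before shipping an extension.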

Important

Microsoft is providing this DataClassification property as a matter of convenience only. It is your responsibility to classify the data appropriately and comply with any laws and regulations that are applicable to you. Microsoft disclaims all responsibility towards any claims related to your classification of the data.

For more information about this property, see DataClassification Property.

Data classification on upgrade

When you upgrade an application from a Dynamics 365 version that does not contain the DataClassification property, existing tables and fields (except for FlowFields and FlowFilters) will automatically be assigned the CustomerContent classification. You can then access the DataClassification property on these tables and fields, and change the classification as needed. FlowFields and FlowFilters will be assigned the SystemMetadata classification automatically.

Important

After an upgrade, or after importing objects from .fob files that introduce new tables or fields, synchronize the new tables and fields to enable Data Sensitivity Classification by running the SyncAllFields method in the Data Classification Mgt. codeunit (Codeunit 1750). No action is needed when extensions are installed, because installing an extension automatically triggers the SyncAllFields method. See the example below.

Run the script below from Developer Shell:

Invoke-NAVCodeunit -Tenant <TenantID> -CompanyName <CompanyName> -CodeunitId 1750 -MethodName 'SyncAllFields' -ServerInstance <ServerInstance>

Bulk-classifying data

The Field Data Classification report, which is described in the Viewing current field classifications section in this topic, provides an overview of the data classifications for fields. The report also lets you assign data classifications to more than one field at a time. This is useful, for example, when you are assigning classifications for the first time, or when you have changed several fields and want to update their classifications. You can bulk-edit classifications only for fields in the AL Language development environment. The script does not update fields in extensions.

To bulk-edit classifications, export the report to Excel, update the classifications, and then save your changes. Then, in Windows PowerShell, import the DataClassification module and run the command that sets the classifications on the fields, as follows.

To run the script from the default folder on the DVD, run:

Import-Module WindowsPowerShellScripts\DataClassification\DataClassification.psm1

To update the DataClassification property, run the following command. Replace <FilePath> with the full path to the client files. For example, C:\Program Files\Microsoft Dynamics 365 Business Central\160\RoleTailored Client.

Set-FieldDataClassificationFromExcelFile -ExcelFilePath "C:\BC\W1 Fields (Main).xlsx" -SheetName 'Field Data Classification' -RTCFolder "<FilePath>" -DBName BC2 -OutputFolder C:\BC2\Classifications

Viewing current field classifications

To view the data classification on all fields, you can do one of the following:

  • From the client, search for and open the Data Classification Worksheet page.
  • Create a page that has the virtual table Field (ID 2000000041) as its source, and open the page in the client.

Classifying data in custom telemetry trace events

Custom telemetry trace events are defined by calls to the SENDTRACETAG method in the application code. The SENDTRACETAG method includes an optional parameter called DataClassification that you can use to tag the telemetry trace event with a data classification.

For more information, see SendTraceTag and Instrumenting an Application for Telemetry.
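The following codeunit is an added example, not code from the original documentation, showing the DataClassification parameter of SendTraceTag in use. The object ID 50101, the tag values, the category name and the procedure are assumptions. It shows the common case, a message that contains no customer or user data and is tagged SystemMetadata, next to a message that includes a user name and therefore must be tagged EndUserIdentifiableInformation.

```al
// Added example (not from the original page). Object ID 50101, tags and category are assumed.
codeunit 50101 "Posting Telemetry"
{
    procedure LogPostingCompleted(UserName: Code[50])
    var
        CompletedMsg: Label 'Posting completed.', Locked = true;
        CompletedByMsg: Label 'Posting completed by %1.', Locked = true;
    begin
        // The message carries nothing linkable to a user or tenant, so SystemMetadata is correct.
        Session.SendTraceTag('0000EX1', 'Posting', Verbosity::Normal, CompletedMsg,
            DataClassification::SystemMetadata);

        // The message embeds DOMAIN\UserName, which identifies the end user, so it is EUII.
        // Leaving it at SystemMetadata would misrepresent identifying data as harmless.
        Session.SendTraceTag('0000EX2', 'Posting', Verbosity::Normal, StrSubstNo(CompletedByMsg, UserName),
            DataClassification::EndUserIdentifiableInformation);
    end;
}
```

The classification describes the message that is actually emitted, not the codeunit it lives in: the same procedure can emit SystemMetadata and EUII events, and the value must follow whatever data ends up in the message text.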

See Also

Data Classification
Classifying Data Sensitivity