Dynamics 365 security

Microsoft Dynamics 365 and Microsoft Power Platform are subscription-based, software as a service (SaaS) services hosted within Microsoft Azure datacenters. These online services are designed to provide performance, scalability, security, management capabilities, and service levels required for mission-critical applications and systems used by business organizations.

At Microsoft, trust is a focal point for service delivery, contractual commitments, and industry accreditation, which is why we've embraced the Trusted Cloud Initiative. The Trusted Cloud Initiative is a program of the Cloud Security Alliance (CSA) industry group created to help cloud service providers develop industry-recommended, secure, and interoperable identity, and access and compliance management configurations and practices. This set of requirements, guidelines, and controlled processes ensures that we deliver our cloud services with the highest standards regarding engineering, legal, and compliance support. Our focus is on maintaining data integrity in the cloud, which is governed by the following three key principles:

Security: Protecting you from cyberthreats. Privacy: Giving you control over access to your data. Compliance: Unparalleled investment in meeting global standards.

At Microsoft, our approach to securing our customers' information involves a security control framework of technologies, operational procedures, and policies that meet the latest global standards and can quickly adapt to security trends and industry-specific needs. Additionally, we provide a set of customer-managed tools that adapt to the organization and its security needs. Use the Microsoft 365 Security and Compliance Center to track user and administrator activities, malware threats, data loss incidents, and more. The Reports dashboard is used for up-to-date reports related to the security and compliance features in your organization. You can use Microsoft Entra reports to stay informed of unusual or suspicious sign-in activities.

Note

Azure Active Directory is now Microsoft Entra ID. Learn more

Our security policy defines the information security rules and requirements for the service environment. Microsoft performs periodic information security management system (ISMS) reviews, and results are reviewed with IT managers. This process involves monitoring ongoing effectiveness and improvement of the ISMS control environment by reviewing security issues, auditing results, and monitoring status, and by planning and tracking necessary corrective actions.

These controls include:

• Physical and logical network boundaries with strictly enforced change control policies.
• Segregation of duties that require a business need to access an environment.
• Highly restricted physical and logical access to the cloud environment.
• Strict controls based on the Microsoft Security Development Lifecycle and Operational Security Assurance practices that define coding practices, quality testing, and code promotion.
• Ongoing security, privacy, and secure coding practices awareness and training.
• Continuous logging and audit of system access.
• Regular compliance audits to ensure control effectiveness.

To help combat emerging and evolving threats, Microsoft employs an innovative "assume breach" strategy and uses highly specialized groups of security experts—known as the Red Team—to strengthen threat detection, response, and defense for its enterprise cloud services. Microsoft uses the Red Team and live site testing against Microsoft-managed cloud infrastructure to simulate real-world breaches, conduct continuous security monitoring, and practice security incident response to validate and improve the security of online services.

The Microsoft Cloud security team carries out frequent internal and external scans to identify vulnerabilities and assess the effectiveness of the patch management process. Services are scanned for known vulnerabilities; new services are added to the next timed quarterly scan, based on their date of inclusion, and follow a quarterly scanning schedule thereafter. These scans are used to ensure compliance with baseline configuration templates, validate the installation of relevant patches, and identify vulnerabilities. The scanning reports are reviewed by appropriate personnel, and remediation efforts are promptly conducted.

All unused I/O ports on edge production servers are disabled by operating system–level configurations that are defined in the baseline security configuration. Continuous configuration verification checks are enabled to detect drift in the operating system–level configurations. In addition, intrusion detection switches are enabled to detect when a server is physically accessed.

We've established procedures to investigate and respond to malicious events detected by the Microsoft monitoring system in a timely manner.

Microsoft employs the principles of separation of duties and least privilege throughout Microsoft operations. To provide customer support for selected services, Microsoft support personnel can only access customer data with the customer's explicit permission. The permission is granted on a "just-in-time" basis that's logged and audited, then revoked after the engagement is completed. Within Microsoft, operations engineers and support personnel who access its production systems use hardened workstation PCs with virtual machines provisioned on them for internal corporate network access and applications (such as email and intranet). All management workstation computers have Trusted Platform Modules (TPMs), their host boot drives are encrypted with BitLocker, and they're joined to a special organizational unit in the primary Microsoft corporate domain.

System hardening is enforced through use of group policy, with centralized software updating. For auditing and analysis, event logs (such as security and AppLocker) are collected from management workstations and saved to a secure central location. In addition, dedicated jump-boxes on the Microsoft network that require two-factor authentication are used to connect to a production network.

Next steps

Security strategy in Dynamics 365 implementations
Microsoft Trust Center Microsoft Power Platform security documentation
Security model in Dynamics 365 Customer Engagement (on-premises)
Audit data and user activity for security and compliance