Use Azure security service tags to restrict network access from/to Business Central
Note
Azure Active Directory is now Microsoft Entra ID. Learn more
An Azure service tag represents a group of IP addresses from/to which traffic from a specific service may come, which allows you to set up firewalls for a specific service to allow only traffic from certain services. The Dynamics365BusinessCentral service tag enables administrators to restrict access from/to Business Central using firewall and network security group rules. The Dynamics365BusinessCentral service tag is automatically updated as this group of IP addresses changes over time, so administrators can avoid frequent updates to network security rules to keep up with those changes.
Important
The scenario of customers explicitly allowlisting IP addresses on the network that their employees use to interact with Business Central isn't yet fully supported:
- Teams and Excel clients will be using IP addresses not included in service tags for the foreseeable future
- If you write data from your environment directly to a storage account in the same or a paired Azure region, requests on the storage account will originate from an internal IP address and not be affected by service tags applied to the storage account. Learn more here.
Note
It isn't possible to control traffic on more granular levels, for example per Microsoft Entra tenant of a Business Central environment.
The group of IP addresses making up the service tag are available through the Azure Management API and as downloadable JSON files to use for any systems that don't support service tags.
Traffic to Business Central requirements
- A Network Security Group that allows 443 to the
AzureFrontDoor.Frontendservice tag - A Network Security Group that allows 443 (and all other ports such as ODATA etc.) to the
Dynamics365BusinessCentralservice tag
Traffic from Business Central requirements
- A Network Security Group that allows traffic from the
Dynamics365BusinessCentralservice tag
Learn more about service tags Virtual network service tags.