Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Dynamics 365 Business Central runs on Azure as a multitenant service. Multiple customers' deployments, virtual machines, and data are stored on the same physical hardware. Azure uses logical controls to provide the scale and economic benefits of multitenant services and prevents customers from accessing each other's data. Data Handling and Encryption controls make sure customer data in Business Central environments stays in its original source.
Dynamics 365 Business Central uses Azure SQL Database for data persistence. Azure SQL Database encrypts customer data using Transparent Data Encryption (TDE) technology. All persisted data is encrypted by default with Microsoft-managed keys, but Dynamics 365 Business Central customers can encrypt their environment database with customer-managed encryption keys (CMK).
For an overview of security controls that help you protect your data and prevent unauthorized access to Dynamics 365 Business Central, see aka.ms/bcsecurity.
Tenant data isolation
Each Dynamics 365 Business Central environment data is in a dedicated, isolated database. Customer data stays separate and isn't combined with data from other tenants. This isolation is a key security and sovereignty feature that keeps an organization's data separate and protected from others.
Encryption and key management
Dynamics 365 Business Central encrypts data at rest in real time with SQL Server Transparent Data Encryption (TDE) using strong keys that Microsoft manages. Power Platform managed environment customers with the right licenses and subscriptions can use customer-managed Keys to encrypt data in their Dynamics 365 Business Central environment database with their own key. They can:
- Rotate encryption keys on demand for compliance or security policy reasons.
- If needed, revoke Microsoft’s access to the key to instantly make the Dynamics 365 Business Central database undecipherable by Microsoft’s service. This option gives them more control—if they revoke their key, Microsoft (the operator) can't access their data. To revoke Microsoft's access to encryption keys, use Azure Managed HSM (mHSM).
All network communication involving Dynamics 365 Business Central uses industry-standard encryption in transit. The encryption ensures that data sent between the client, the service, and any integrated services can't be intercepted or read by unauthorized parties.
Service integration security
Dynamics 365 Business Central can integrate with other services, such as Microsoft 365, Power Platform, and various third-party applications. When integrating with Dynamics 365 Business Central, you can set up a firewall or network security group to limit traffic to/from Business Central using the Dynamics365BusinessCentral service tag. The service tag defines the IP address range used by Dynamics 365 Business Central services, and is updated automatically when those IP addresses change.
Operational security, monitoring, and auditing
The cloud infrastructure that supports Dynamics 365 Business Central adheres to rigorous security practices, including just-in-time access for engineers, extensive monitoring, and audits. All access by Microsoft personnel to customer data is logged and monitored. For instance, anytime a Microsoft engineer elevates access to the production environment, the action is tracked in a tamper-evident system. This option gives assurance that any operator access is tightly controlled.
Datacenter security describes how your data is physically protected from external and internal threats in the Azure regional data centers.