5 Best Practices to Reinforce Security in Dynamics 365 & Power Apps

As an administrator, you cannot overstate the importance of securing your data; it is non-negotiable. With growing threats and complex regulations, any breach could damage reputation and bottom-line performance.

That’s why creating a watertight security strategy is crucial to protecting your organisation against emerging threats, demonstrating compliance, and instilling confidence. With a strategic approach, you can better manage, secure, and maintain the integrity of your systems.

This post shares five best practices for reinforcing security in Dynamics 365 CRM and Power Apps.

1. Review Role-Based Security Permissions

We recommend following the principle of least privilege (PoLP) when it comes to user security. This states that users should only have access to the specific applications and data needed to do their job.

Role-based security is essential for applying PoLP across teams and simplifying user management.

Custom security roles are always recommended to ensure they reflect your organisation’s unique security policy. By using custom roles, you can avoid potential issues if subsequent Microsoft updates automatically apply any changes made to the standard security roles.

We recommend reviewing security roles regularly, at least annually, to ensure they are correctly aligned with current business requirements. For instance, are all custom roles still needed? Do these permissions align with the PoLP? Was a specific privilege increased temporarily to meet certain access requirements, and can it now be reverted to the original settings?

2. Check Export Options

An integral part of a security role review is examining the permissions to export data from Dynamics 365 or Power Apps.

While these permissions support data analysis and reporting, inadequate management could unintentionally turn them into conduits for data breaches.

Remember, granting export permissions allows users to export data from any table or entity they can access, such as contacts and leads.

Additionally, consider the export of data from apps through reports, especially those initiated by SQL Server Reporting Services (SSRS), as these may also contain detailed organisational information.

For a strong security posture, scrutinise these permissions closely. Restrict them based on necessity and unique role requirements, ensuring only those who genuinely need them are granted access.
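One way to run this review offline is sketched below as an added example (it is not ServerSys or Microsoft code). It works over a constructed export of role assignments; the role names, users and the use of Dataverse-style privilege names such as `prvExportToExcel` and `prvRead<Table>` are assumptions, and it ignores access depth (user, business unit, organisation).

```python
# Constructed sample data. Privilege names follow the Dataverse "prv<Action><Table>"
# naming style; the roles and users are made up for illustration.
ROLE_PRIVILEGES = {
    "Custom - Sales Rep": {"prvReadContact", "prvReadLead", "prvWriteLead"},
    "Custom - Sales Analyst": {"prvReadContact", "prvReadLead",
                               "prvReadOpportunity", "prvExportToExcel"},
    "Custom - Service Agent": {"prvReadContact", "prvReadIncident"},
    "Temp - Data Migration": {"prvReadAccount", "prvExportToExcel"},
}
USER_ROLES = {
    "alice": ["Custom - Sales Rep"],
    "bob": ["Custom - Sales Analyst"],
    "carol": ["Custom - Service Agent", "Temp - Data Migration"],
}
EXPORT_PRIVILEGE = "prvExportToExcel"
READ_PREFIX = "prvRead"


def export_exposure(user_roles, role_privileges):
    """Map each user who can export to the tables they can read and the roles
    that grant the export privilege. Privileges are cumulative across roles,
    so an export right from one role applies to tables readable via another."""
    report = {}
    for user, roles in user_roles.items():
        effective = set()
        for role in roles:
            effective |= role_privileges.get(role, set())
        if EXPORT_PRIVILEGE not in effective:
            continue  # user cannot export anything
        tables = sorted(p[len(READ_PREFIX):] for p in effective
                        if p.startswith(READ_PREFIX))
        granted_by = sorted(r for r in roles
                            if EXPORT_PRIVILEGE in role_privileges.get(r, set()))
        report[user] = {"tables": tables, "granted_by": granted_by}
    return report


if __name__ == "__main__":
    for user, info in export_exposure(USER_ROLES, ROLE_PRIVILEGES).items():
        print(user, info)
```

In the sample, carol's temporary migration role lets her export contact and case data that only her service role makes readable, which is the kind of leftover privilege an annual review should catch.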

3. Client Secrets Expiry Settings

In Microsoft Entra (previously Azure Active Directory), credentials are used by confidential client applications that access a web API. Credentials enable Dynamics 365 and other apps to identify themselves to the authentication service upon receiving tokens at a web location.

Certificates are the recommended credential type as they’re considered the most secure, but client secrets are popular due to ease of use.

What are client secrets?

These are essentially secret strings that serve as application passwords. Applications need a client secret to prove their identity when requesting a token. Client secrets play a vital role in authorising and authenticating applications and APIs in Azure.

Managing Client Secrets Expiry

If your organisation uses client secrets as its credential type for Dynamics 365 or other business applications, these expiry settings should be reviewed.

We recommend administrators set an expiration value of less than 12 months so that client secrets are changed regularly, and update the secrets whenever key IT staff leave the business.

Regular alteration mitigates the risk of outdated strings falling into the wrong hands.

Screenshot showing configuration of client secrets for CRM integration in Microsoft Entra admin centre
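The expiry review described above can be automated. The following added example (not code from ServerSys or Microsoft) checks a constructed list shaped like Microsoft Graph application objects, using their `passwordCredentials`, `startDateTime` and `endDateTime` fields; the app names, key ids, dates and the 30-day warning window are assumptions.

```python
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=365)  # assumption: "less than 12 months" read as < 365 days
WARN_WINDOW = timedelta(days=30)    # assumption: rotation reminder lead time

# Constructed sample in the shape of Microsoft Graph application objects
# (displayName plus passwordCredentials); every name, id and date is made up.
SAMPLE_APPS = [
    {"displayName": "crm-integration", "passwordCredentials": [
        {"keyId": "k1", "startDateTime": "2023-01-10T00:00:00Z",
         "endDateTime": "2025-01-10T00:00:00Z"},
        {"keyId": "k2", "startDateTime": "2024-02-01T09:30:00.1234567Z",
         "endDateTime": "2024-08-01T09:30:00.1234567Z"}]},
    {"displayName": "portal-sync", "passwordCredentials": [
        {"keyId": "k3", "startDateTime": "2023-06-01T00:00:00Z",
         "endDateTime": "2024-04-30T00:00:00Z"}]},
    {"displayName": "old-connector", "passwordCredentials": [
        {"keyId": "k4", "startDateTime": "2022-03-01T00:00:00Z",
         "endDateTime": "2024-03-01T00:00:00Z"}]},
    {"displayName": "cert-only-app", "passwordCredentials": []},
]


def parse_graph_time(ts):
    """Parse a UTC ISO 8601 timestamp, dropping any fractional seconds."""
    base = ts.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def audit_secrets(apps, now):
    """Return (app, keyId, issues) for every client secret that needs attention."""
    findings = []
    for app in apps:
        for cred in app.get("passwordCredentials") or []:
            start = parse_graph_time(cred["startDateTime"])
            end = parse_graph_time(cred["endDateTime"])
            issues = []
            if end - start >= MAX_LIFETIME:
                issues.append("lifetime>=12mo")
            if end <= now:
                issues.append("expired")
            elif end - now <= WARN_WINDOW:
                issues.append("expires-soon")
            if issues:
                findings.append((app["displayName"], cred["keyId"], issues))
    return findings


if __name__ == "__main__":
    for finding in audit_secrets(SAMPLE_APPS, datetime(2024, 4, 15, tzinfo=timezone.utc)):
        print(finding)
```

An expired secret that is still listed is worth flagging too, since it usually means the integration has moved to another credential and the old entry can be deleted.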

4. Multifactor Authentication (MFA)

Implementing MFA bolsters an organisation’s security by providing an extra protection layer beyond passwords.

The MFA feature in Microsoft Entra (previously Azure AD) requires people to verify their identities using a second verification method in conjunction with their usual login credentials. This significantly enhances the defence mechanism of your cloud infrastructure for Dynamics and other business apps.

Supplementary verification can include a uniquely generated code sent to an authenticator app on a person’s mobile device. This can curb unauthorised access because even if passwords are compromised, MFA will continue to act as a gatekeeper.

Database administrators are strongly recommended to implement MFA as part of their security strategy. MFA within Microsoft Entra offers a seamless and efficient solution to secure your CRM data, ensuring your organisation’s information is well-protected and your operations continue without disruption.

5. Audit Logging

Another tool is the auditing feature that tracks user activity, system changes, and data access.

By activating audit trails, you generate a detailed log, meticulously tracking user activity, system changes, and data access within your environment. Should an incident arise, these logs provide a reliable resource for investigation, allowing administrators to pinpoint issues and take corrective action swiftly.

Audit trails also offer invaluable support for compliance. They provide a chronological record of data access and alterations, demonstrating due diligence and adherence to regulatory requirements.

Final Thoughts

Prioritising data security in Dynamics 365 and Power Apps is fundamental for safeguarding your business data and meeting compliance requirements.

Align with ServerSys – your trusted partner to refine security protocols and uphold the highest data protection standards.

April 15, 2024

Warren Butler

Warren is the director of marketing at ServerSys. He brings over 20 years of experience covering business transformation, CRM and Microsoft Dynamics to help organisations grow by embracing technology.
