Is Your Dynamics 365 Audit Policy Aligned with Your Business?

Outdated audit settings can create critical gaps in compliance and data security, exposing your organisation to unnecessary risks.

The consequences of inadequate auditing can be severe, potentially leading not only to legal repercussions but also to reputational damage. Regulatory pressures vary across industries, but Microsoft Dynamics 365/Dataverse provides administrators with the flexibility to tailor audit configurations to meet specific requirements.

In this post, we’ll break down the available options and provide key considerations to ensure your audit trail aligns with your business needs. We suggest configuring your audit policy at the implementation stage of your Dynamics/Dataverse solution. But If you haven’t done so yet, we strongly encourage you to start this process soon.

Who Should Decide the Audit Policy?

Defining the audit policy for Dynamics 365 requires input from multiple stakeholders to ensure that both compliance and operational needs are met. Here’s a non-exhaustive list of business roles that typically should be involved:

IT Department/System Administrators: They are responsible for implementing the audit policy, understanding its impact on system performance, and managing storage. IT can assess the technical feasibility of audit configurations and their effect on system resources.
Business Unit Leaders: Leaders from various business units, such as sales, marketing, finance, and HR, provide input on which activities need to be audited. They understand which data is critical for business operations and can help identify key processes that require oversight.
Data Protection Officers (DPOs): The DPO ensures that audit policies adhere to data privacy laws and best practices. They play a crucial role in defining how personal data should be handled and monitored, ensuring that auditing does not infringe on data privacy rights.
Security Teams: Security teams determine the scope of audit logs needed to track suspicious activity, monitor access to sensitive information, and identify potential breaches. They also ensure that the audit logs themselves are secure and cannot be tampered with.
Finance and Accounting Teams: In industries such as banking or healthcare, the finance team must ensure that audit policies align with financial regulations. They also have insights into which financial records require long-term retention for adherence to regulations.
C-Suite/Executive Management: While executives do not handle day-to-day auditing, they play a key role in setting the overall risk management strategy and ensuring that the audit policy aligns with broader business objectives and regulatory obligations.

Global Auditing

To enable auditing and record changes to your data, you can control this in the Power Platform Admin Center by navigating to Environments > Your Environment > Settings > Audit Settings. Here, you can choose to start logging and determine how long to retain the logs.

Who Should Turn Global Auditing On?

In most scenarios, we recommend enabling auditing for production environments in most businesses. If you are configuring auditing for a development or staging environment, it is advisable to turn this off in many cases. Data in these environments is often synthetic is unnecessary for auditing; disabling this can improve performance and reduce storage requirements.

How Long Should Logs Be Retained?

Microsoft offers various options for how long you can keep your auditing information.

For IT Service Providers: We recommend retaining logs for 90 days to troubleshoot issues, track customer interactions, and review tickets. This retention period ensures that there is enough history to resolve recurring issues while limiting data storage overhead.
For Banks and Financial Firms: These organisations often need to keep logs for seven years to comply with regulations, such as the UK’s Financial Conduct Authority (FCA). These logs serve as proof for audits, legal cases, or regulatory inquiries.
For E-commerce Companies: Shorter retention periods of 30 days may be appropriate, as they often process high volumes of transactions. In such cases, long-term data can be backed up off-site to maintain performance and stay within data capacity limits.

App-Based Auditing

If your environment has global auditing enabled, the next step in implementing your auditing policy is to control which Dynamics 365 apps have auditing turned on. Currently, this can only be configured in the legacy interface under Administration > System Settings. We anticipate that Microsoft will enable administrators to manage this in the Power Platform Admin Center in the short to medium term.

You can control app-level auditing for:

Common Entities: This enables your organisation to start auditing typical entities/tables such as Accounts, Leads, and Change Requests.
Sales Entities: Selecting this option controls tables such as Invoices, Opportunities, and Competitors.
Marketing Entities: This option allows you to log entities such as Segments, Marketing Forms, and Customer Journeys.
Customer Service Entities: This turns on auditing for entities such as Cases, Articles, and Contracts.

Dynamics 365 administrators need to determine whether to enable auditing for each of these categories. In a production environment, we generally recommend enabling Common Entities and any apps that you use. Further optimisation can be achieved by analysing your tables individually and identifying which data requires an audit trail.

Table Managed Auditing

The best way to manage auditing for tables is through Power Apps. Navigate to the Power Apps website, select your environment, and choose a table. Click on Edit from the command bar, then Edit Table Properties. This will open a panel on the right-hand side where you can choose to enable audit logging. Turning this on will log any data creation, changes or deletions in this table for all columns by default. When choosing which tables to audit, remember that tables can be used across multiple applications, which affects various business functions.

Log any data creation, changes, or deletion in this table. When turned on, all columns are audited by default.

Just a heads-up: You’ll need to turn on global auditing for this to track changes.

You can also audit at a more granular level and identify individual columns within the table to log. For example, in the Account table, you may choose to audit only specific columns, such as the telephone number. This allows you to optimise your configuration for maximum performance and storage efficiency.

View an Auditing Log of an Individual Record

In your model-driven app, navigate to a table such as Contacts and select a record. Then select the Related drop-down menu and choose Audit History. This will display a list of changes made to that record over time. By default, it will show all fields, but you can have controls to filter this above the table.

There are many scenarios where you may need to view the audit log of a specific record. For example, for GDPR purposes, a Data Protection Officer or Marketing Manager may need to review the consent options of a specific contact to understand when and what options were changed.

Another scenario could involve an internal investigation of a financial discrepancy. For instance, a Finance Manager might need to track changes made to an invoice record. By reviewing the audit log, they can identify who modified the invoice, what changes were made (such as payment terms or amounts), and when the adjustments occurred. This level of detail helps ensure accountability and can be crucial in resolving disputes or ensuring financial regulatory adherance.

Is Your Audit Capturing What You Need?

Keeping your Dynamics 365 audit configurations up to date is essential for regulatory obligations, security, and efficiency. With flexible auditing options across environments, apps, and tables, businesses can control what data is monitored and for how long. By addressing regulatory and performance needs, organisations can prevent data gaps and future-proof their systems.

Is your audit trail optimised for your business needs? Don’t leave it to chance. Contact us at ServerSys to review your current Dynamics 365 auditing setup and ensure your configurations align with industry best practices.

Related Insights:

Dynamics Auditing: Frequently Asked Questions

Why is auditing important in Dynamics 365?

Auditing in Dynamics 365 is essential for maintaining compliance with regulatory requirements, ensuring data security, and providing accountability for data changes. It helps organisations track user activity, monitor access to sensitive information, and respond effectively to data breaches or compliance enquiries.

How often should I review my audit policy?

It’s advisable to review your audit policy at least annually or whenever significant changes occur in your organisation, such as new regulations, changes in business processes, or updates to Dynamics 365 features. Regular reviews ensure that your audit configurations remain relevant and effective.

What types of data should be audited?

The types of data to audit depend on your organisation’s specific needs and regulatory requirements. Generally, critical business processes, sensitive customer information, and financial transactions should be prioritised for auditing. Involve key stakeholders to identify which data is most important to monitor.

Can I turn off auditing once it's enabled?

Yes, you can turn off auditing at any time; however, it’s important to understand the implications of doing so. Disabling auditing can lead to gaps in compliance and may hinder your ability to investigate issues or respond to audits effectively.

Is Your Dynamics 365 Audit Policy Aligned with Your Business Needs?

Who Should Decide the Audit Policy?