
D365 + Azure Security: What CEOs Must Know Before Migrating

At some point in every ERP conversation, the discussion stops being about features, timelines, or cost savings. It slows down. The room gets quieter. And someone, often a board member, asks the question that carries more weight than all the others combined:

“How do we know our data will be secure in the cloud?”

This question isn’t coming from a place of fear. It’s coming from responsibility.

When you move an ERP system to the cloud, you’re not just migrating software. You’re relocating financial records, customer data, employee information, operational intelligence, and in many cases, regulated data that carries legal consequences if mishandled. For a CEO, approving that move isn’t a technical decision. It’s a governance decision.

And the stakes are real.

According to IBM’s 2024 Cost of a Data Breach Report, the global average cost of a data breach is approximately $4.88 million, with breaches often taking several months, frequently over 270 days, to identify and contain.

That’s not just an IT problem. That’s a balance-sheet problem, a reputational problem, and often a board-level crisis.

So when organizations consider moving their ERP to Dynamics 365 on Azure, security can’t be treated as a checkbox or a vendor promise. It has to be understood, governed, and continuously managed.

Here’s where the conversation often goes sideways.

Many executives assume cloud security is binary: either the platform is secure, or it isn’t. In reality, cloud security, especially with Microsoft Azure, is shared. And misunderstanding that shared responsibility is where most organizations get exposed.

This guide exists to answer the questions your board will ask before approval is granted. It explains how Azure security actually works, where Microsoft’s responsibility ends, where yours begins, and how CEOs can evaluate whether their organization is truly ready for a secure Dynamics 365 migration.

Caliberfocus has guided healthcare providers under HIPAA, financial services firms operating under SOX, and manufacturers protecting intellectual property through secure Dynamics 365 migrations. Across industries, we’ve seen the same pattern: the platform is rarely the problem. Configuration, governance, and accountability usually are.

This is the briefing you want to read before you sign off on a cloud ERP investment.

The most important shift a leadership team must make when moving to the cloud is mental, not technical.

Security is no longer something you fully own or fully outsource.

It’s shared.

Moving to Azure doesn’t eliminate your responsibility for security. It redefines it. And clarity around that division is what separates confident migrations from risky ones.

What Microsoft Secures: The Infrastructure Layer

Microsoft is responsible for securing the foundational layers that Dynamics 365 runs on. These are areas where individual organizations simply cannot match the scale, investment, or expertise.

Physical Security

Azure data centers are designed with a level of physical security that goes far beyond traditional enterprise facilities.

Access is controlled through biometric authentication, multi-factor verification, and layered entry points. Facilities are monitored 24/7, and access is limited to a small group of vetted personnel. Every action is logged and audited.

Microsoft’s data centers undergo thousands of independent security audits annually and maintain global certifications including SOC 1, SOC 2, and SOC 3. For most organizations, achieving this level of physical security internally would be cost-prohibitive.

Network Security

Azure operates one of the largest private networks in the world.

Traffic between Dynamics 365 and Azure services stays on Microsoft’s private backbone, not the public internet. Distributed Denial of Service (DDoS) protection is built into the network edge, absorbing attacks before they ever reach applications.

Even when multiple customers share physical infrastructure, their environments remain logically isolated. One customer’s breach does not become another customer’s exposure.

Infrastructure Hardening

Microsoft continuously patches hypervisors, host operating systems, and firmware. Customers don’t schedule downtime or scramble to apply emergency fixes when vulnerabilities emerge.

Gartner research consistently shows that hyperscale cloud providers like Microsoft remediate critical vulnerabilities significantly faster than most organizations can patch comparable on-premises infrastructure. In a threat landscape where exploits can appear within hours, patch speed matters.

Platform Services Security

Dynamics 365 relies on Azure platform services such as Azure SQL Database and Microsoft Entra ID. These services include built-in security capabilities (encryption, automated backups, identity protection) that would cost millions to build and maintain independently.

Encryption at rest is enabled by default and cannot be accidentally turned off. Backups are automatic. Redundancy is built in.

This is the foundation Microsoft secures, and it’s exceptionally strong.

What You Control: The Application and Data Layer

Here’s where responsibility shifts.

While Microsoft secures the foundation, you control how Dynamics 365 is configured, accessed, and governed. And this is where most security failures occur.

Identity and Access Management

You decide who can access Dynamics 365, what they can see, and what they can do.

Microsoft provides tools like multi-factor authentication, conditional access, and privileged identity management, but they don’t enforce them by default. Enforcement is a governance decision.

A common failure we see is excessive administrative access. According to the Verizon 2024 Data Breach Investigations Report, 74% of breaches involved the human element, with stolen credentials as the leading cause.

Security tools only work when they’re applied intentionally.

Data Classification and Protection

You decide what data enters Dynamics 365 and how sensitive data is handled.

Should certain fields be masked? Should encryption keys be customer-managed? Should exports be restricted? These are not platform defaults. They are policy decisions.

Organizations that fail to classify data often fail to protect it appropriately.

Application Configuration

Session timeouts, audit logging, mobile access, export permissions: Dynamics 365 provides secure defaults, but those defaults may not meet your risk profile.

Highly regulated industries often require stricter controls than what’s enabled out of the box.

Compliance Enablement

Azure maintains certifications for GDPR, HIPAA, ISO, SOC, and more. But compliance is not automatic.

For example, HIPAA requires specific audit controls, access logging, and data handling procedures. Azure supports these requirements, but you must enable, monitor, and maintain them.

Compliance lives in configuration and operations, not in marketing claims.

If there’s one area where ERP security fails most often, it’s not inside Dynamics 365.

It’s at the edges.

Integrations (payment processors, legacy systems, e-commerce platforms, third-party APIs) create pathways that sit squarely in your responsibility domain.

Microsoft secures the Dynamics 365 endpoint. It does not secure how a third-party system authenticates to it.

Caliberfocus has investigated multiple incidents where Dynamics 365 remained secure, but attackers entered through poorly authenticated or poorly monitored integrations built outside Microsoft’s ecosystem.

ERP security rarely collapses at the core.
It fails at the connections.

Microsoft structures Azure security around four core pillars. Understanding these pillars gives CEOs a practical framework to evaluate whether the platform aligns with enterprise risk requirements.

Pillar 1: Identity and Access Management

Every security model starts with identity.

Dynamics 365 uses Microsoft Entra ID as its identity provider, meaning all access decisions flow through centralized identity policies.

Single Sign-On (SSO)

Users authenticate once and access Dynamics 365 alongside Microsoft 365 and integrated systems. This reduces password fatigue and lowers the risk of credential reuse.

Multi-Factor Authentication (MFA)

Independent academic research and Microsoft security telemetry consistently show that multi-factor authentication reduces account compromise risk by over 99% compared to password-only access.

Conditional Access

Access decisions can consider location, device compliance, risk signals, and role sensitivity. For example:

  • Blocking access from unapproved countries
  • Requiring compliant devices for financial data
  • Adding MFA for high-risk sessions

Privileged Identity Management (PIM)

Administrative privileges are granted only when needed, for a limited time, with approval and audit trails. This dramatically reduces the impact of compromised admin accounts.

Role-Based Access Control in Dynamics 365

Security roles control what users can see and do. Field-level security allows sensitive data, such as salaries or payment details, to be masked even when users can view the rest of a record.

Pillar 2: Data Protection and Encryption

Data must be protected in three states: at rest, in transit, and in use.

Encryption at Rest

Dynamics 365 data is encrypted using AES-256. Backups and logs are encrypted automatically. For regulated industries, Azure supports customer-managed encryption keys.

Encryption in Transit

All data uses TLS 1.2+ encryption. Traffic between data centers is encrypted at the physical network layer as well.

Data Residency

Organizations choose where data resides. Azure’s global footprint supports GDPR, healthcare regulations, and financial data residency requirements.

Data Loss Prevention (DLP)

DLP policies restrict unauthorized exports, flag abnormal access patterns, and prevent sensitive data from being shared improperly.

Pillar 3: Threat Detection and Response

Prevention is important. Detection speed is critical.

Microsoft Defender & Security Center

Continuous monitoring detects abnormal behavior across identity, data access, and configuration changes.

Microsoft processes over 65 trillion security signals daily, feeding threat intelligence that protects every Dynamics 365 tenant.

Microsoft Sentinel (SIEM)

For advanced environments, Sentinel correlates signals across cloud, identity, endpoints, and integrations, detecting complex attacks and automating responses.

Audit Logging & Forensics

Dynamics 365 logs user actions, data access, and configuration changes. Logs support compliance, investigations, and insider-threat detection.

Pillar 4: Compliance and Governance

Azure maintains certifications across 90+ regulatory frameworks, including HIPAA, SOC, ISO, PCI DSS, FINRA, and GDPR.

Azure Policy

Governance rules enforce compliance automatically: blocking non-approved regions, requiring encryption, and preventing configuration drift.

Microsoft Purview

Provides enterprise-wide data governance: discovery, classification, lineage, and visibility across Dynamics 365, cloud, and on-prem systems.

Before approving a Dynamics 365 migration, leadership should be able to answer these questions clearly:

  • Where will our data reside and why?
  • How are administrative privileges controlled and audited?
  • What is our ransomware and disaster recovery plan?
  • How are third-party integrations secured?
  • How are human risks reduced through training and controls?
  • What metrics prove security effectiveness to the board?

If the answers are vague, security isn’t ready.

Most breaches are not caused by weak platforms. They’re caused by weak configuration.

Common failures include:

  • Overly broad default roles
  • MFA not enforced for all users
  • Incomplete audit logging
  • No geographic or device restrictions
  • Outdated password policies

These issues are preventable and common.
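
An added example (not part of the original article or any Caliberfocus tooling) showing how two of the failures above, unenforced MFA and missing geographic or device restrictions, can be checked against exported Conditional Access policies. The field names follow the Microsoft Graph conditionalAccessPolicy resource; the policy names, the bracketed IDs, and the function names are constructed for illustration.

```python
# Constructed sample, shaped like Microsoft Graph conditionalAccessPolicy
# objects and trimmed to the fields this audit reads.
SAMPLE_POLICIES = [
    {   # MFA for everyone, but still in report-only mode: not enforced
        "displayName": "Require MFA - all users",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
        "grantControls": {"builtInControls": ["mfa"]},
    },
    {   # Enforced MFA, but scoped to a single group
        "displayName": "Require MFA - finance",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": [], "includeGroups": ["<finance-group-id>"]}},
        "grantControls": {"builtInControls": ["mfa"]},
    },
    {   # Enforced geographic block tied to a named location
        "displayName": "Block unapproved countries",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["<break-glass-id>"]},
                       "locations": {"includeLocations": ["<named-location-id>"]}},
        "grantControls": {"builtInControls": ["block"]},
    },
]

def _enforced(policies, control, predicate=lambda c: True):
    """Enabled (not report-only) policies that grant `control` and match predicate."""
    return [p for p in policies
            if p.get("state") == "enabled"
            and control in (p.get("grantControls") or {}).get("builtInControls", [])
            and predicate(p.get("conditions", {}))]

def audit(policies):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    all_users = lambda c: "All" in c.get("users", {}).get("includeUsers", [])
    has_location = lambda c: bool((c.get("locations") or {}).get("includeLocations"))
    if not _enforced(policies, "mfa", all_users):
        findings.append("MFA not enforced for all users")
    if not _enforced(policies, "block", has_location):
        findings.append("no geographic restriction")
    if not _enforced(policies, "compliantDevice"):
        findings.append("no device compliance requirement")
    findings += [f"report-only, not enforced: {p['displayName']}" for p in policies
                 if p.get("state") == "enabledForReportingButNotEnforced"]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICIES):
        print("GAP:", finding)
```

The sample tenant looks covered on paper, yet the only all-user MFA policy is in report-only mode, so the audit still reports the MFA gap.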

Security must be embedded across five phases:

  1. Pre-Migration Planning – Risk assessment and architecture
  2. Secure Configuration – Identity, roles, encryption, audit
  3. Integration Security – API authentication and monitoring
  4. Migration Execution – Secure data transfer and validation
  5. Ongoing Operations – Monitoring, training, audits

Security isn’t a milestone.
It’s an operating discipline.

Migrating Dynamics 365 to Azure is a strategic business decision. Security is what makes that decision sustainable.

Microsoft provides world-class infrastructure security. Governance, configuration, and accountability remain yours.

Organizations that succeed understand the shared responsibility model and operationalize it across people, process, and technology.

Caliberfocus helps organizations design and implement secure, compliant Dynamics 365 environments without slowing the business down. We combine deep technical expertise with regulatory understanding and executive-level risk alignment.

If your board needs confident answers before approving your Dynamics 365 migration, Caliberfocus can help.

Visit CaliberFocus or speak with our security and compliance team.
Let’s build a Dynamics 365 deployment your board can trust.

1. Is Dynamics 365 on Azure more secure than keeping ERP systems on-premises?

In most cases, yes, but only when configured correctly. Microsoft secures the physical data centers, network infrastructure, and platform services at a scale few organizations can replicate internally. Azure provides built-in encryption, continuous patching, DDoS protection, and global threat intelligence. However, cloud security is shared. If identity controls, access policies, and integrations are poorly governed, cloud environments can be just as exposed as on-prem systems. Security outcomes depend more on configuration and governance than on deployment model alone.

2. What security responsibilities remain with the organization after migrating to Dynamics 365?

Organizations retain full responsibility for identity and access management, data classification, application configuration, integration security, and compliance enforcement. Microsoft does not decide who gets administrative access, how long sessions last, which devices can connect, or how sensitive data is protected. CEOs should understand that Azure provides powerful security tools, but leadership must ensure those tools are actively enforced, monitored, and audited across users, roles, and third-party connections.

3. How does Dynamics 365 support regulatory compliance such as HIPAA, GDPR, or SOX?

Azure maintains certifications for major global regulations, but compliance is not automatic. Dynamics 365 supports encryption, audit logging, access controls, data residency, and monitoring capabilities required by HIPAA, GDPR, SOX, and ISO frameworks. However, compliance lives in operational controls: how logging is enabled, how access is reviewed, how data is handled, and how incidents are documented. Regulators assess how systems are used, not just where they are hosted.

4. What are the biggest security risks during a Dynamics 365 migration?

The highest risks typically come from identity mismanagement, overly broad user roles, unsecured integrations, and incomplete logging during transition. Migration projects often focus heavily on data movement and timelines, while access policies, API authentication, and monitoring are deferred. This creates temporary exposure windows. A secure migration requires enforcing identity controls before go-live, validating integrations, and ensuring security monitoring is active from day one, not after deployment.

5. How can CEOs and boards measure whether Dynamics 365 security is actually working?

Effective security is measurable. Boards should expect clear metrics such as MFA enforcement rates, privileged access reviews, audit log coverage, integration authentication status, incident detection time, and compliance control validation. Security maturity should be reviewed alongside financial and operational KPIs. If leadership cannot see objective evidence of controls functioning, security is assumed, not governed.
