Dorian Sakowski
Jul 17, 2025 3:31:58 PM

Regulatory compliance in Microsoft Dynamics Finance & Supply Chain Management cannot be taken lightly. In 2024, global regulatory fines reached a record $19.3 billion. Although these numbers are not specifically tied to users of Dynamics 365, companies using the platform may incur penalties for non-compliance.  

Compliance is directly connected to the way critical financial data is accessed, reported, and audited. And an organization’s critical financial data resides in the ERP. Therefore, it is important to plan your data security strategy keeping in mind regulatory compliance in Dynamics 365.  

Although Microsoft offers strong security, a module to manage security roles, and processes to ease auditing, the complexity of the platform brings its own set of challenges. In this blog we will help you navigate regulatory compliance, understand the challenges that come with it, and share best practices for building your security and compliance framework. 

If you are looking for a solution to improve your role management and auditing processes in Microsoft Dynamics 365, check out STAEDEAN’s no-code embedded Data Security & Compliance solution.

Understanding regulatory compliance for Dynamics 365 

Regulations are mandated by the government, industry body, and supplier/business partner agreements. To ensure compliance, your financial reports from Dynamics 365 submitted to regulatory bodies and audits have to be carried out in accordance with mandated regulations. Inaccuracies or delays in reporting can result in hefty fines and penalties.  

Adhering to compliance is more than just avoiding penalties. Ensuring regulatory compliance for Dynamics 365 ensures transparency, reduces risks, and builds trust with your stakeholders and team members.  

Regulations and standards affecting Dynamics 365 compliance implementations 

While assigning security roles or setting up auditing processes in Dynamics 365, organizations need to keep in mind regulations and standards relevant to their industry and region. Below, we share some key regulations and standards that we commonly come across. 

GDPR (General Data Protection Regulation) 

This European regulation protects the privacy of personal data. It impacts how data is collected, processed, and stored within Dynamics 365.  

Sarbanes-Oxley (SOX) Act  

This US law was implemented to prevent corporate fraud. Organizations need to implement security controls, file regular reports with the regulatory body, and conduct an annual audit for SOX compliance.  

California Consumer Privacy Act of 2018 (CCPA) 

Similar to GDPR, the California Consumer Privacy Act of 2018 (CCPA) safeguards personal data and how businesses collect, use, and process that information.  

ISO/IEC 27001  

ISO/IEC 27001 is a globally recognized standard that gives organizations guidance for running a robust information security management system (ISMS). To meet it, you must define security policies and implement secure access controls in Dynamics 365.  

Industry-specific compliance for Dynamics 365 

Highly regulated industries have to adhere to specific regulatory requirements. Below are some examples:  

  1. Financial Services

  • SOX is a law enacted to improve the accuracy of financial reporting.  

  • Payment Card Industry Data Security Standard (PCI DSS) is a global standard for credit cards. It secures cardholder data and reduces credit card fraud. 

  • GLBA (Gramm-Leach-Bliley Act) is a US law that protects consumer financial information held by financial institutions and insurance organizations.

  2. Healthcare

  • Health Insurance Portability and Accountability Act (HIPAA) issued by the US federal government protects the privacy and security of patients' health information and sets standards for how the data is handled, stored, and transmitted.   

  • The Health Information Technology for Economic and Clinical Health (HITECH) Act is a US law that complements HIPAA. The law promotes the adoption and meaningful use of health information technology, particularly electronic health records (EHRs). 

  3. Public Sector (FedRAMP, CJIS)

  • FedRAMP (Federal Risk and Authorization Management Program) is a U.S. federal compliance program for the standardization of authorization and continuous monitoring for cloud products and services.  

  • CJIS (Criminal Justice Information Services Security Policy) is a security standard issued by FBI's Criminal Justice Information Services (CJIS) division to safeguard criminal justice data handled by law enforcement and affiliated entities. 

Microsoft's shared responsibility model for compliance 

While Microsoft Dynamics 365 provides native tools and features such as security role assignment, Azure Active Directory, encryption, and more, customers are responsible for managing access controls, setting up data governance processes, and establishing a compliance framework. Although Microsoft invests heavily in cloud infrastructure security (about $1 billion annually), it is the customer’s responsibility to configure and implement data security in their cloud applications in accordance with industry and government laws and standards. 

[Image: Microsoft shared responsibility model] (Source: Microsoft) 

Key compliance features in Dynamics 365 

Although Microsoft Dynamics 365 offers many functionalities that support regulatory compliance, each comes with its own set of challenges. Below, we share the Dynamics 365 security and compliance features that you need to configure to safeguard your data, along with the features the platform provides for data security. While Microsoft Dynamics 365 offers a host of features that can be configured for data security, risk management, and auditing, some controls need to be set up using enterprise-ready solutions. 

Security Controls and Access Management 

[Image: Dynamics 365 security architecture] (Source: Microsoft Docs) 

Role-based security model 

Microsoft offers role-based security, where each role is assigned specific duties and privileges. By default, 100+ roles are provided within the solution. The administrator can modify these or create new security roles based on business requirements. The security roles follow a hierarchy of Duties, Privileges, and Permissions, described below: 

  • Privileges: access granted for individual tasks. 
  • Permissions: access to individual securable objects. 
  • Duties: a group of privileges that together cover a job function. 
  • Data security: a configurable security framework that lets you control access to tables, fields, and rows in the database. 

However, security role management in Dynamics 365 is complex. If not properly configured, users can be granted excessive permissions and standard roles may not fully eliminate segregation of duties (SoD) conflicts.  

Microsoft offers the functionality to create, modify, and delete roles, duties, and privileges using a role creation wizard. However, if you need to merge existing roles, or lock or disable roles, you will have to use customizations or consider an Independent Software Vendor (ISV) solution such as STAEDEAN’s Data Security solution.  

Record and field-level security 

While this is not a feature available in Microsoft Dynamics 365 Finance and Supply Chain Management, STAEDEAN’s Master Data Management Solution offers field-level security to limit and protect sensitive data access to key team members. 

Authentication options  

Dynamics 365 integrates with Azure Active Directory (Azure AD), now known as Microsoft Entra, for authentication, including Multi-Factor Authentication (MFA). Authentication can be configured using passwords, tenant-wide security defaults, or per-user MFA settings.  

Database logging 

Database logging lets you track insert, update, delete, and rename changes to the tables and fields you configure in Dynamics 365. This feature can be used to create an audit log for sensitive fields or to monitor electronic signatures. While D365 F&SCM offers database logging, it can occupy a lot of storage space. STAEDEAN’s Data Security solution offers a feature for sensitive data logging. 

Security reports 

Dynamics 365 also provides several security reports, which can be tailored using customizations. These include the user role assignments, role to user assignments, security role access, and security duty assignments reports.  

Data protection and privacy features 

Data encryption  

Microsoft Dynamics 365 offers data encryption for data at rest in Microsoft data centers and in transit between user devices and Microsoft’s cloud infrastructure. Once encryption is active on your system, it cannot be turned off. This helps companies using Dynamics 365 ensure compliance with frameworks such as FIPS 140-2 and ISO 27001. 

Data loss prevention (DLP) 

The platform allows you to configure DLP policies that protect critical Dynamics 365 data and prevent it from leaving the environment. 

Data retention policies 

Similar to DLP, organizations can set up data retention policies to manage the storage, archival, and deletion of data based on regulatory requirements. 

Audit and monitoring capabilities 

Audit logs and trails 

While Microsoft provides some functionality to set up an audit log, it does not provide a detailed audit trail that tracks all activity for security setup changes. STAEDEAN’s Data Security solution provides more comprehensive logging functionality: sensitive data logging, continuous user action logs, a 360-degree security overview, and a securable objects overview. 

Snapshots 

Microsoft provides security snapshots to some extent. However, STAEDEAN’s no-code embedded Data Security solution provides the ability to compare snapshots at the security object level. Our solution can also provide dynamic snapshots, which are real-time security snapshots. 

Sensitive data management 

STAEDEAN offers data logs for sensitive data and a feature to configure sensitive data definitions. Our Data Security solution also tracks all security setup history and allows you to export that data. 

Segregation of duties 

Microsoft allows you to manage segregation of duties (SoD) at the role and duty level. However, if you want to manage SoD conflicts at the privilege and entry point level, you need to either use customizations or opt for STAEDEAN’s Data Security solution. Additionally, Microsoft does not provide automatic alerts on SoD conflicts, which is a risk for compliance. 

STAEDEAN’s Data Security solution also offers an overview of roles violating SoD, a preset of standard SoD rules, and a hierarchical Business Risks register aligned with the SoD rules for better insight into risk mitigation. 
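As an added example (not code from this post or from STAEDEAN’s product), the block below evaluates SoD rules over constructed user, role and duty data, the level at which the section above says D365 manages SoD. It shows the three views a reviewer wants: users whose combined roles conflict (the create-and-approve-payments case used in Step 3 of the implementation guide below), roles that violate a rule on their own, and role pairs that must never be assigned together. All role, duty and user names are constructed and are not D365’s own identifiers.

```python
from itertools import combinations

# Constructed sample data; names are illustrative, not D365's real duty/role identifiers.
ROLE_DUTIES = {
    "AccountsPayableClerk": {"MaintainVendorInvoices", "MaintainVendorMaster"},
    "AccountsPayableManager": {"ApproveVendorPayments", "ReviewVendorInvoices"},
    "PaymentProcessor": {"GenerateVendorPayments"},
    "SecurityAdministrator": {"MaintainSecurityRoles"},
    # Deliberately violates a rule on its own (see roles_violating_sod).
    "VendorFullAccess": {"MaintainVendorMaster", "GenerateVendorPayments"},
}
# SoD rules as (duty A, duty B, rule name): holding both duties is a conflict.
SOD_RULES = [
    ("MaintainVendorInvoices", "ApproveVendorPayments", "Create and approve payments"),
    ("MaintainVendorMaster", "GenerateVendorPayments", "Maintain vendors and pay them"),
    ("MaintainSecurityRoles", "ApproveVendorPayments", "Security admin who can approve payments"),
]
USER_ROLES = {
    "alice": ["AccountsPayableClerk", "AccountsPayableManager"],
    "bob": ["PaymentProcessor"],
    "carol": ["SecurityAdministrator", "AccountsPayableManager"],
}

def effective_duties(roles, role_duties=ROLE_DUTIES):
    """Union of duties granted by a set of roles (unknown roles grant nothing)."""
    duties = set()
    for role in roles:
        duties |= role_duties.get(role, set())
    return duties

def violated_rules(duties, rules=SOD_RULES):
    """Names of the SoD rules a duty set violates."""
    return [name for a, b, name in rules if a in duties and b in duties]

def user_conflicts(user_roles=USER_ROLES, rules=SOD_RULES, role_duties=ROLE_DUTIES):
    """{user: [rule names]} for users whose combined roles violate a rule."""
    result = {}
    for user, roles in user_roles.items():
        hits = violated_rules(effective_duties(roles, role_duties), rules)
        if hits:
            result[user] = hits
    return result

def roles_violating_sod(rules=SOD_RULES, role_duties=ROLE_DUTIES):
    """Roles that violate a rule by themselves; assigning them is always a conflict."""
    return {r: v for r, d in role_duties.items() if (v := violated_rules(d, rules))}

def conflicting_role_pairs(rules=SOD_RULES, role_duties=ROLE_DUTIES):
    """Role pairs that are clean alone but conflict together (check before assigning)."""
    pairs = {}
    for r1, r2 in combinations(sorted(role_duties), 2):
        if violated_rules(role_duties[r1], rules) or violated_rules(role_duties[r2], rules):
            continue  # already reported by roles_violating_sod
        hits = violated_rules(role_duties[r1] | role_duties[r2], rules)
        if hits:
            pairs[(r1, r2)] = hits
    return pairs
```

Running `user_conflicts()` on the sample data flags alice (create and approve payments) and carol (security admin with approval rights) while bob is clean; `conflicting_role_pairs()` is the check to run before a new role assignment is saved.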

Implementing a compliance framework for Dynamics 365 

[Image: Step-by-step Dynamics 365 compliance implementation guide] 

Implementing a compliance framework for Microsoft Dynamics 365 Finance (ERP) involves several structured steps, each requiring careful planning and execution. Below is a step-by-step breakdown: 

  Step 1: Conduct a compliance risk assessment

  • Based on the regulatory standards and laws you need to comply with, identify potential compliance risks within the Dynamics 365 environment.  

  • Involve your legal, finance, and IT teams for the evaluation. Conduct workshops to identify sensitive data stored or processed in Dynamics 365. 

  • Use a risk matrix to categorize risks, focusing on data privacy, financial integrity, and access control. 

  • Review Dynamics 365 compliance controls (modules in use, security roles, user access, and SoD rules). 

  • Identify gaps in compliance, such as sensitive data management or insufficient audit trails. 

  Step 2: Map regulatory requirements to Dynamics 365 features

  • Break down specific requirements for each regulation. For example, segregation of duties for SOX. 

  • Review Dynamics 365’s compliance, security, and auditing features and evaluate whether they cover all your business requirements. 

  • Map each regulatory requirement to specific Dynamics 365 capabilities for your security and compliance needs. 

  • If you need to use customizations or look at ISV solutions, it is time to identify the right fit for your business case. 

  Step 3: Design security architecture

  • Work on a security architecture design document detailing roles, permissions, access control measures, and data protection protocols. 

  • Based on your compliance risk assessment in Step 1, create security roles in Dynamics 365 to define user access levels. 

  • Implement segregation of duties (SoD) to prevent conflicts of interest. For example, the same user can’t create and approve payments. 

  • For highly sensitive data, mask or anonymize information when displayed to users. 

  • Add Multi-factor Authentication (MFA) for high-risk areas such as financial transactions. 

  • Use Azure Security Center and Azure Sentinel for centralized security management and real-time threat detection. 

  Step 4: Configure compliance controls

  • Enable audit logging in Dynamics 365 to track changes to data, transactions, and configurations. If you need more detailed audit logs, configure them using an ISV solution or customizations. 

  • Define compliance policies within Dynamics 365 (e.g., data retention, backup schedules, user access policies). 

  • Use Data Loss Prevention (DLP) policies and data residency to prevent unauthorized sharing of sensitive information. 

  • Maintain documentation with detailed descriptions of each compliance setting. 

  Step 5: Implement monitoring and reporting

  • Establish continuous monitoring and reporting mechanisms to track compliance status and potential violations. Use Power BI to create dashboards displaying key metrics. 

  • These reports can be configured to be generated periodically (e.g., monthly or quarterly). 

  • You can include metrics such as user access reviews, audit logs, and policy compliance status in the reports. 

  Step 6: Test and validate compliance measures

  • Conduct user acceptance tests (UAT) for security roles to check for gaps in security role assignment. 

  • Evaluate audit logs and ensure all the information you need is being tracked by Dynamics 365. 

  • Simulate various compliance scenarios (e.g., GDPR requests, data breaches, fraud detection) and test how the system responds. 

  • Use third-party tools or consultants to validate that the system meets regulatory standards. 

  Step 7: Document compliance policies and procedures

  • Update documentation for compliance policies and procedures based on periodic evaluations. 

  • Share communications for security incident response, user training, and internal audits in advance. 

  • Ensure users are equipped with guidelines on Dynamics 365 compliance best practices, including how to handle sensitive data and perform secure transactions. 

By following this step-by-step implementation approach, you can establish a compliance framework for Microsoft Dynamics 365 that aligns with regulatory requirements, reduces risks, and ensures security.  

Although not covered in the framework above, implementing Dynamics 365 data governance is a must for compliance. Below are some data management compliance best practices to consider: 

  • Establish clear data ownership and stewardship with responsibilities outlined for each role.  
  • Implement data classification and handling policies and document those. 
  • Create a comprehensive data lifecycle management strategy with policies for each stage. 
  • Configure data quality rules and policies that are regularly reviewed. 
  • Set up regular compliance reviews and audits, and plan for changes based on feedback and results. 

For more best practices, read our blog: Top 9 Data Governance Best Practices for Dynamics 365 F&SCM 

Measuring and maintaining compliance 

Establishing and maintaining robust compliance processes within Microsoft Dynamics 365 Finance & Supply Chain Management requires periodic reporting, analysis of the assessments, and adapting based on changing business requirements and industry mandates.  

  1. Establish compliance metrics and KPIs

You can set up dashboards to track metrics in Power BI. Below are some recommended metrics that organizations can track. 

  • User access review completion rate (% of roles reviewed monthly/quarterly) 

  • Audit Log Coverage (% of critical entities being logged) 

  • Compliance Incident Response Time 

  • SoD conflicts 

  • Number of Policy Violations Detected 

  • Compliance Training Completion Rate 

  2. Create a compliance monitoring program

  • Continuously track activities that could pose compliance risks. 

  • Leverage Dynamics 365 compliance reporting and audit logs for monitoring. Configure detailed audit logs if required using STAEDEAN’s Data Security solution. 

  • Set up and monitor processes to detect abnormal behavior, such as large data exports or access anomalies. 

  3. Perform regular compliance assessments

  • Perform internal audits on a quarterly basis of user access, system configurations, and SoD. 

  • Re-run your risk analysis after each Microsoft release to assess new features for data security threats. For example, the new AI agents launched in April 2025 for supply chain management. 

  • Schedule third-party audits from external compliance specialists periodically. 

  4. Respond to compliance issues

  • Define a clear Compliance Incident Response Plan for handling compliance violations, breaches, or control failures. 

  • Automate notifications and workflow escalations for critical events (e.g., unauthorized access). 

  • Maintain a record of compliance issues for documentation, investigation, and resolution. This documentation can be used to troubleshoot in the future. 

  5. Stay current with regulatory changes

  • Evaluate and maintain compliance controls aligned with evolving legal and regulatory requirements. 

  • Subscribe to updates from regulatory bodies (e.g., SEC, GDPR authorities, HIPAA). 

  • Monitor Microsoft compliance blogs and roadmap updates for Dynamics 365. 

  • Assign a compliance officer or team to track changes and evaluate impacts. 

  6. Update compliance controls as needed

  • Adjust compliance controls in Dynamics 365 based on new risks or regulations. 

  • Update security roles, auditing processes, and approval hierarchies. 

  • Refresh data retention policies, DSR configurations, or audit settings. 

  • Test new configurations before going live. Lastly, create a documented change control process that includes compliance review steps before implementing changes. 

Establishing a continuous improvement loop ensures that compliance evolves with your organization and the regulatory landscape. Key steps in the continuous improvement cycle are to monitor, measure, assess, improve, document, and train/communicate improvements with your organization. 

Below is a sample Compliance Dashboard template built in Power BI. You can adapt it to your organization’s regulatory and compliance requirements. 

[Image: Compliance dashboard example] 

Conclusion: Are you ready to strengthen your compliance processes in Dynamics 365?  

Maintaining regulatory compliance within Microsoft Dynamics 365 Finance and Supply Chain Management demands systematic planning and documentation. Adopting a proactive approach to compliance reduces the risk of legal penalties, ensures data integrity, and enhances customer and stakeholder trust.  

From mapping requirements to implementing controls, monitoring systems, and responding to changes, each step will bring you closer to your compliance goals. 

Compliance is not a one-time project and requires a continuous improvement approach. This is possible only if you have clear KPIs defined to measure compliance performance. Besides using Dynamics 365’s compliance reporting and compliance controls, consider ISV solutions that can help you ensure robust security and compliance of sensitive financial data. 

If you are in a highly regulated industry and are looking for a solution to help you streamline your security and compliance processes in Dynamics 365 F&SCM, download our Data Security factsheet from the link below.  

Dorian Sakowski, Senior Pre-Sales Consultant
