Dynamics 365 BC - Architecture and Compliance

I am often asked to about the architecture and compliance for Business Central SaaS. There is a huge amount of info to be found on this topic across multiple Microsoft docs pages.

Below I have collected together a few handy links and images from these pages.


Here is a simple diagram of the Business Central Architecture Component and System Topology - Business Central | Microsoft Learn 

Figure 1 - BC system architecture simplified overview

With BC SaaS direct access is not possible to any of the elements shown in the grey box as these are all managed by, and are the responsibility of, Microsoft.
  • Web Servers
  • Application Servers 
  • SQL Databases

Data Protection

On the SaaS platform your data is treated in the following manner Security in Business Central - Business Central | Microsoft Learn

Here is a simplified view of the authentication layers to access the application Layered security model in Business Central - Business Central | Microsoft Learn

Figure 2 - BC uses a layered approach to application security


Business Central uses Microsoft Entra ID (previously known as Azure Active Directory) as the authentication method, which is automatically set up and managed for you. You can apply further layers of control with Azure Conditional Access policies. What is Conditional Access in Microsoft Entra ID? - Microsoft Entra ID | Microsoft Learn

Data isolation and encryption

Data belonging to a single tenant is stored in an isolated database and is never mixed with data from other tenants. This ensures complete isolation of data in day-to-day use and in backup/restore scenarios. Furthermore, Business Central uses encryption to help protect tenant data in the following ways:
  • Data at rest is encrypted by using Transparent Data Encryption (TDE) and backup encryption.
  • Data backups are always encrypted.
  • All network traffic inside the service is encrypted by using industry-standard encryption protocols.

Software as a Service - Shared Responsibility Model

Using business central as a Software as a Service (SaaS), brings the following changes to the responsibilities for these elements shown in Figure 1 vs a traditional on-prem deployment Shared responsibility in the cloud - Microsoft Azure | Microsoft Learn

Figure 3 - The SaaS shared responsibility model

Compliance and Regulatory 

Here is a link to some other relevant information regarding the BC SaaS application & service compliance :