I am often asked about the architecture and compliance for Business Central SaaS. There is a huge amount of info to be found on this topic across multiple Microsoft docs pages.
Below I have collected together a few handy links and images from these pages.
Architecture
Here is a simple diagram of the Business Central architecture (source: Component and System Topology - Business Central | Microsoft Learn).
Figure 1 - BC system architecture simplified overview
With BC SaaS, direct access to any of the elements shown in the grey box is not possible, as these are all managed by, and are the responsibility of, Microsoft:
- Web Servers
- Application Servers
- SQL Databases
Data Protection
On the SaaS platform, your data is treated in the following manner (see Security in Business Central - Business Central | Microsoft Learn).
Here is a simplified view of the authentication layers to access the application (see Layered security model in Business Central - Business Central | Microsoft Learn).
Figure 2 - BC uses a layered approach to application security
Authentication
Business Central uses Microsoft Entra ID (previously known as Azure Active Directory) as the authentication method, which is automatically set up and managed for you. You can apply further layers of control with Azure Conditional Access policies (see What is Conditional Access in Microsoft Entra ID? - Microsoft Entra ID | Microsoft Learn).
Data isolation and encryption
Data belonging to a single tenant is stored in an isolated database and is never mixed with data from other tenants. This ensures complete isolation of data in day-to-day use and in backup/restore scenarios. Furthermore, Business Central uses encryption to help protect tenant data in the following ways:
- Data at rest is encrypted by using Transparent Data Encryption (TDE) and backup encryption.
- Data backups are always encrypted.
- All network traffic inside the service is encrypted by using industry-standard encryption protocols.
Software as a Service - Shared Responsibility Model
Using Business Central as Software as a Service (SaaS) brings the following changes to the responsibilities for the elements shown in Figure 1, compared with a traditional on-prem deployment (see Shared responsibility in the cloud - Microsoft Azure | Microsoft Learn).
Figure 3 - The SaaS shared responsibility model
Compliance and Regulatory
Here are links to some other relevant information regarding BC SaaS application and service compliance:
- Security in Business Central https://aka.ms/BCSecurity
- Business Central - Application Compliance https://aka.ms/BCAppCompliance
- Service Compliance and SLA - Business Central | Microsoft Learn
- External Compliance Listing, refer to Dynamics 365 Business Central column https://aka.ms/d365-compliance-list
- Threat and vulnerability management - Microsoft Service Assurance | Microsoft Learn
What do you think?
Please let me know your thoughts in the comments.
Connect or follow me on LinkedIn to get all my updates: Andrew Wingate | LinkedIn