Security Best Practices in Dataverse


  1. Create separate environments for dev, UAT, and production

  2. Creating separate environments for dev, UAT, and production enables you to resolve bugs and test new features before deploying to end users. In addition, resource administration is easier as all the resources are bound to the location of the Dataverse environment. You can also create environments based on geographical locations, although you must consider GDPR, as the database will be provisioned in the region you specify during creation.

  3. Restrict access to environments through security groups

  4. By default, security group is not selected, which means any user in the tenant can access the environment. To restrict access to environments and strengthen security, select a security group.

  5. Manage permissions through Azure Active Directory groups

  6. Security roles can also be associated with an Azure Active Directory group. To simplify permissions and data access, create Azure Active Directory groups and associate roles.

  7. Extend existing security roles

  8. Instead of creating a new security role from scratch, you can copy an existing role and update the privileges and access levels per the new role requirements.

  9. Use the rule of Least Privilege when creating security roles

  10. When creating security roles, use the rule of least privilege, i.e., grant only minimum level of privileges required to any security role. Provide access to the minimum amount of business data required for the task. Assign users the appropriate role for their job with minimum required access. Create a basic user role with the least permissions that all users must have.

  11. Limit the number of System Administrators

  12. Strictly limit the number of people assigned the System Administrator role. Don’t grant system admin or any other similar role with high level of privileges to too many users or service accounts especially on production environment.

  13. Use Teams to assign same roles to group of users

  14. If many users require the same access, it’s a good idea to create a team of users and assign the required security role to the team only instead of assigning it to all team members. Use teams to create cross-functional groups so that specific objects can be shared with the team.