Zero Trust by Design in Microsoft 365 & Dynamics 365: How to Close the Security Gaps Between Your Connected Microsoft Cloud

Season 1 Published 8 months, 1 week ago
Description
Zero Trust by Design in Microsoft 365 & Dynamics 365

If your Microsoft 365 tenant talks to Dynamics 365, Azure and other SaaS tools, your attack surface is bigger than any single product team can see. In this episode, I show why “Zero Trust = MFA in M365” is a dangerous illusion—and how Zero Trust by design treats M365 and D365 as one interdependent system, so attackers can’t simply bypass your hard work in one platform by walking through a weaker door in another.

We start with the classic mistake: rolling out strong Conditional Access and MFA for Microsoft 365 while Dynamics 365 quietly runs on looser or mismatched rules. You’ll hear how this creates real incidents in the gaps between systems: stolen credentials blocked at SharePoint but still accepted in Dynamics, finance data exposed via bookmarks and tokens, and users who never see a single warning prompt while attackers generate exports and invoices in the background.

Then we look at what changes when your policies share live risk signals across workloads. Azure AD Conditional Access evaluates every sign‑in for risk, while Dynamics 365 role‑based security decides what a user can actually do—but they only become truly effective when they respond to the same risk state in real time. We walk through how to let identity risk, device health and session context flow into D365 decisions, so a risky sign‑in in M365 can automatically restrict sensitive exports or finance actions in Dynamics without you duplicating rules manually.

Finally, we zoom out to identity segmentation that doesn’t break everyday work. Zero Trust by design means segmenting users and access based on real risk and business roles across M365 and D365, not handing everyone a “master key” because it’s convenient. By the end, you’ll have a clear mental model and practical starting points for aligning Conditional Access, D365 roles and cross‑system risk signals—so every login, every transaction and every API call across Microsoft 365 and Dynamics 365 goes through the same level of scrutiny.

WHAT YOU’LL LEARN
  • Why focusing Zero Trust on just Microsoft 365 leaves exploitable gaps in Dynamics 365.
  • How attackers abuse inconsistent Conditional Access and MFA policies across connected systems.
  • How Azure AD Conditional Access and D365 role-based security can share live risk signals.
  • How to think about identity segmentation across M365 and D365 without breaking real workflows.

THE CORE INSIGHT

The core insight of this episode is that Zero Trust only works when every connected service enforces it the same way. Once Microsoft 365, Dynamics 36