5 Essentials for Keeping Your Business Central Apps Secured

Whether you’re developing Business Central apps internally or managing a partner team, security must be a top priority. It’s not just a development issue—security affects compliance, data privacy, user trust, and operational stability.

Here are five essential practices for keeping your Business Central apps secure, explained in simple terms that align with both technical and managerial priorities.

1. Adopt the Security Development Lifecycle (SDL)

Security starts at the design phase—not after the app is already built. Microsoft’s Security Development Lifecycle (SDL) is a set of best practices that helps teams:

• Identify and mitigate security risks early.
• Reduce vulnerabilities in production.
• Stay aligned with regulatory and compliance standards.

SDL is not exclusive to Business Central—it’s used across Microsoft products and works for on-prem, cloud, and hybrid applications. By embedding SDL into your DevOps pipeline, you ensure that security becomes a standard part of your software development process.

For more information, see: Microsoft Security Development Lifecycle

2. Use a Layered Security Approach

Business Central uses a multi-layered security model, covering everything from user authentication to data-level access control. As a manager, it’s critical to understand that:

• Authentication confirms a user is who they say they are.
• Authorization controls what that user can actually do within the system.
• Auditing tracks what actions were taken, by whom, and when.

This layered model provides defense-in-depth—ensuring that even if one layer is bypassed, others are still in place.

3. Get Authentication & Authorization Right

For Business Central online, authentication is handled via Microsoft Entra ID (formerly Azure AD), while on-prem setups may also support Windows authentication.

Once users are authenticated, authorization defines their access. This is managed through:

• Permission sets that dictate which objects, pages, and data a user can access.
• Entitlements that relate to licensing, especially important for AppSource apps.

Proper configuration ensures that users only access what they need, reducing the risk of accidental or malicious actions.

4. Monitor Activity with Built-In Auditing Tools

Business Central includes auditing and telemetry features that let you:

• See who’s accessing what.
• Monitor permission changes.
• Identify potential misconfigurations or security gaps.

For example, developers can use telemetry data to assess whether their app maintains stable and expected permission behavior across customer environments.

5. Encrypt Everything and Protect Secrets

Security doesn’t stop with access control—you also need to protect data and application secrets at every stage:

• At rest: Business Central encrypts stored data (especially in the cloud).
• In transit: All connections use HTTPS to secure data between systems.
• In memory: Developers can use secure data types to prevent exposure during debugging or memory dumps.

For managing secrets (like API keys), Business Central integrates with Azure Key Vault, allowing for secure storage and retrieval directly from AL code.
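As an added illustration (not code from the original article), the AL sketch below reads an API key from the app's key vault into a `SecretText` variable and passes it to an outgoing HTTP call without ever converting it to plain `Text`. The object ID, object and procedure names, secret name, and URL are hypothetical. It assumes the app's `app.json` lists the vault under `keyVaultUrls` and that the runtime and System Application version provide `SecretText` and its overloads.

```al
codeunit 50100 "Example Api Client"
{
    // Hypothetical object ID and names, constructed for illustration.
    // Weak pattern this replaces: holding the key in a Text variable,
    // where it is visible in the debugger and easy to log by mistake.

    procedure CallService(): Boolean
    var
        Client: HttpClient;
        Response: HttpResponseMessage;
        ApiKey: SecretText;
    begin
        if not TryGetApiKey(ApiKey) then
            exit(false);

        // SecretStrSubstNo builds the header value as SecretText, and
        // HttpHeaders.Add accepts SecretText, so the key never becomes Text.
        Client.DefaultRequestHeaders().Add(
            'Authorization', SecretStrSubstNo('Bearer %1', ApiKey));

        // Placeholder endpoint (assumption); replace with the real service URL.
        if not Client.Get('https://api.example.invalid/v1/status', Response) then
            exit(false);

        exit(Response.IsSuccessStatusCode());
    end;

    local procedure TryGetApiKey(var ApiKey: SecretText): Boolean
    var
        Provider: Codeunit "App Key Vault Secret Provider";
    begin
        // Binds the provider to the key vault declared in this app's app.json.
        if not Provider.TryInitializeFromCurrentApp() then
            exit(false);

        // 'ExampleApiKey' is a hypothetical secret name in that vault.
        exit(Provider.GetSecret('ExampleApiKey', ApiKey));
    end;
}
```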

As security threats evolve, so must our approach. These five tips offer a clear framework for securing your Business Central apps—whether you’re developing in-house solutions or publishing to AppSource.

By aligning development with SDL, enforcing layered security, managing access properly, auditing regularly, and protecting sensitive data, you’re not just building apps—you’re building trust.
