The invisible guardian angel – Security in Business Central
Business Central security is not entirely handled in Business Central. BC benefits from its own guardian angel: Entra. Often referred to as Azure AD, Entra performs many tasks behind the scenes that are totally invisible to the user.
Let’s look into this in more detail.
Single Sign-On
A user accessing Business Central may think “I am logging into Business Central”, when in fact they are being let in by Entra. The authentication process is entirely delegated to Entra. After validating the user’s request, Entra returns an access token that authorizes BC to let the user in. That user should instead think: “I am connecting to Entra and obtaining a digital passport so I can access BC”.
This is how Single Sign-On (SSO) becomes possible across all solutions on the Microsoft cloud. How is that more secure?
First, BC does not store any passwords. Second, security policies are centralised, which reduces the risk of a breach.
MFA, Conditional Access, Zero Trust
Data is protected by permission sets in Business Central. Permission sets define how objects can be accessed, in other words what the user can see or modify. Who gets in, on the other hand, is again handled behind the scenes by Entra via:
- Multi-Factor Authentication
- Geographical restrictions
- Barred access from a non-compliant device
- Enforcing access for devices enrolled in Intune
- Automatic blocking in case of suspicious behavior
This is the Zero Trust policy defined in Entra ID.
Sessions and Tokens
At login, Business Central receives an access token, as mentioned earlier, valid for a few minutes.
Once the user is connected, they will then receive a refresh token, valid for a few hours. Entra ID automatically renews these tokens until a token expires and the session is closed.
This enables continued security, automatic disconnection if the account is compromised, and centralized session management.
Without this, someone could access Business Central just by sitting at a user’s desk when he or she is out for lunch.
Entra ID secures APIs
When Business Central is called by an external application such as Power Automate or a website, that application must first obtain a token carrying the appropriate permissions from Entra ID before the request is executed.
Once again, BC’s guardian angel at work.
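To make the two previous sections concrete (the token lifetimes under “Sessions and Tokens” and the token an external application must present under “Entra ID secures APIs”), here is an added example that is not part of the original post and not Microsoft’s or Business Central’s own code. It builds the client-credentials request an external application sends to the Entra ID v2.0 token endpoint (nothing is sent over the network), and then inspects a token’s claims the way a practitioner would when troubleshooting a rejected API call: audience, expiry and granted application roles. The tenant id, client id, secret and the sample token are constructed placeholders; the token endpoint URL and the `https://api.businesscentral.dynamics.com/.default` scope are the real Entra ID values, while the expected audience string and the `roles` claim layout are assumptions to adjust to your tenant. The helper only parses the JWT and does not verify its signature; Business Central does that against Entra ID’s published signing keys.

```python
import base64
import json
import time
from typing import List, Optional, Tuple
from urllib.parse import urlencode

# Entra ID v2.0 token endpoint and the Business Central API scope used for
# the client credentials grant. The tenant id is filled in by the caller.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
BC_SCOPE = "https://api.businesscentral.dynamics.com/.default"
# Assumed audience of a token minted for the BC API (check your own tokens).
BC_AUDIENCE = "https://api.businesscentral.dynamics.com"


def build_token_request(tenant_id: str, client_id: str, client_secret: str) -> Tuple[str, str]:
    """Return (url, form-encoded body) for the client credentials grant.
    Nothing is sent here; the caller POSTs the body with
    Content-Type: application/x-www-form-urlencoded and keeps the secret
    out of logs."""
    url = TOKEN_ENDPOINT.format(tenant_id=tenant_id)
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": BC_SCOPE,
    })
    return url, body


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature.
    Troubleshooting only: BC itself validates the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_token_for_bc(token: str, now: Optional[float] = None) -> List[str]:
    """Return the reasons a token would be rejected by the BC API; an empty
    list means it looks usable (subject to BC's signature check)."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    problems = []
    if claims.get("aud") != BC_AUDIENCE:
        problems.append(f"audience is {claims.get('aud')!r}, not the BC API")
    exp = claims.get("exp")
    if exp is None or now >= exp:
        problems.append("token is expired (exp claim in the past)")
    # App-only tokens carry the granted application permissions in 'roles'.
    if not claims.get("roles"):
        problems.append("no application roles granted (check API permissions)")
    return problems


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token for this demo. Real Entra ID
    tokens are RS256-signed; the third segment here is a placeholder."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "signature-placeholder"])


if __name__ == "__main__":
    url, body = build_token_request("tenant-id-placeholder", "app-id-placeholder", "secret-placeholder")
    print("POST", url)
    token = make_sample_token({"aud": BC_AUDIENCE, "exp": int(time.time()) + 3600,
                               "roles": ["API.ReadWrite.All"]})
    print("problems:", check_token_for_bc(token))
```

Run it as a script to see the request that would be posted and an empty problem list for a fresh, correctly scoped token; feed `check_token_for_bc` a token copied from a failing integration (never paste one into a ticket) to see whether the audience, the expiry or the missing application permission is the cause.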
Entra ID protects your ecosystem
To conclude, every sandbox and production environment inherits Entra ID policies pertaining to MFA, Conditional Access, Device Restrictions, Guest Accounts and certificate and key cycles.
Please don’t hesitate to write if you have questions or comments.
Cordially,
Sylvain.
Last updated: June, 2026