Threat Risk Assessment for Microsoft Dynamics 365
Objective
Engage a seasoned Subject Matter Expert (SME) to perform a comprehensive Threat Risk Assessment (TRA) of our Microsoft Dynamics 365 implementation. The assessment will identify security gaps, evaluate risks, and recommend remediation aligned with leading practices and compliance requirements.
Scope of Work
Pre-Assessment Planning
Review existing architecture, deployment model (SaaS), shared responsibility matrix
Define assessment boundaries, stakeholders, rules of engagement
Build TRA template
Functional Security Assessment (sample list - TBD)
Identity & Access Management
Conditional Access & MFA - Enforce adaptive policies including device state, location, untrusted network, legacy auth, and require MFA for high-risk situations
Privileged Identity Protection and PIM - Require dedicated admin workstations, JIT (Just-In-Time) access, and session timeouts
Least-Privilege Role Reviews - Annual audits of custom roles and RBAC; immediate revocation upon employee departure
Credential Hygiene - Monitor client secret/certificate expiration (
Authentication & Authorization
Strong Auth Protocols - Prefer OAuth and certificate-based authentication; enforce strong password policies
Shadow Admin Detection - Regularly identify undocumented or implicit administrative privileges in Azure AD
Monitoring, Logging & Auditing
Unified Audit Log Enablement - Ensure all audit logs (Dynamics, SharePoint, Exchange, Azure AD) are enabled and retained per NIST and CMMC
Real-Time Threat Monitoring - Use Defender for Cloud Apps, Azure Sentinel, Security Center to detect anomalies, high-risk sign-ins, API misuse
Data Protection & Governance
Encryption in Transit & at Rest - Validate TLS enforcement, Transparent Data Encryption, IRM, BitLocker, and MDM policies
DLP & Data Classification - Ensure classification covers PII/CUI, with policies for alerting and blocking, and roll out new DLP policies in monitoring (test-before-enforce) mode
Configuration & Hardening
Feature Hardening - Disable unused modules, APIs, integrated tools, and third-party features
Secure Configuration Review - Use Microsoft Secure Score and SDL guidance to benchmark settings
Integration & Third-Party Risk
API & OAuth Clients - Review third-party app consents, limit guest access, enforce scope restrictions and client secret expiration
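Added example, not part of this document or any Microsoft tool: a check for the credential-hygiene and client-secret-expiration items above (application secrets and certificates that are expired, close to expiry, or issued with an overly long lifetime). It runs offline over a constructed sample in the JSON shape Microsoft Graph returns for GET /applications?$select=displayName,appId,passwordCredentials,keyCredentials; the 30-day warning window and 365-day maximum lifetime are assumed policy values.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape Microsoft Graph returns for
# GET /applications?$select=displayName,appId,passwordCredentials,keyCredentials
SAMPLE_GRAPH_RESPONSE = json.dumps({"value": [
    {"displayName": "D365 Integration App", "appId": "00000000-0000-0000-0000-000000000001",
     "passwordCredentials": [
         {"keyId": "aaaa", "displayName": "legacy-secret", "endDateTime": "2024-01-15T00:00:00Z"},
         {"keyId": "bbbb", "displayName": "rotated-2025", "endDateTime": "2025-07-01T00:00:00Z"}],
     "keyCredentials": [
         {"keyId": "cccc", "displayName": "CN=d365-cert", "endDateTime": "2026-05-01T00:00:00Z"}]},
    {"displayName": "Reporting Connector", "appId": "00000000-0000-0000-0000-000000000002",
     "passwordCredentials": [
         {"keyId": "dddd", "displayName": None, "endDateTime": "2030-06-01T00:00:00Z"}],
     "keyCredentials": []},
]})

# Constructed assessment date used for the sample run
ASSESSMENT_DATE = datetime(2025, 6, 15, tzinfo=timezone.utc)


def _parse_graph_time(value):
    # Graph emits ISO 8601 with a trailing Z; fromisoformat needs an explicit +00:00 offset
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_app_credentials(graph_json, now, warn_days=30, max_lifetime_days=365):
    """Return one finding per credential that is expired, expiring within warn_days,
    or (assumed policy) still valid for more than max_lifetime_days from now."""
    findings = []
    for app in json.loads(graph_json)["value"]:
        creds = [("secret", c) for c in app.get("passwordCredentials", [])]
        creds += [("certificate", c) for c in app.get("keyCredentials", [])]
        for kind, cred in creds:
            remaining = (_parse_graph_time(cred["endDateTime"]) - now).days
            if remaining < 0:
                status = "expired"
            elif remaining <= warn_days:
                status = "expiring"
            elif remaining > max_lifetime_days:
                status = "lifetime-too-long"
            else:
                continue  # within policy: no finding
            findings.append({"app": app["displayName"], "appId": app["appId"], "kind": kind,
                             "keyId": cred["keyId"], "status": status,
                             "days_remaining": remaining})
    return findings


if __name__ == "__main__":
    for finding in review_app_credentials(SAMPLE_GRAPH_RESPONSE, ASSESSMENT_DATE):
        print(finding)
```

Against a live tenant the same function can be fed the paged output of the Graph query above, collected with any Graph client the assessor already uses.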
Incident Response & Recovery
IR Planning & Playbooks - Align incident response with NIST RMF (, ), covering detection, containment, and recovery
Backup & Ransomware Protection - Evaluate third-party backups, ransomware detection, isolation mechanisms
Compliance & Framework Alignment
Findings are to be scored using NIST risk impact/likelihood scales and mapped to mitigation roadmaps
Findings mapped to the MITRE ATT&CK framework
Training & Security Culture
Phishing Simulations & User Education - Routine phishing drills, ATP Safe Links and Safe Attachments, and awareness training for staff and admins
Awareness Programs - Foster continuous learning on data handling, reporting suspicious activity, updates on threats