Dynamics 365 Security Model and Its Synchronization to SharePoint: 2026 Update

Microsoft Dynamics 365 offers a robust security model to control access to your data.

But once you integrate it with SharePoint, that control breaks down. The native integration does not synchronize or replicate the Dynamics 365 security model to SharePoint, which can leave documents accessible to users who should no longer see them.

This creates a real security risk, which is relevant in its own right and of particular concern in environments with strict compliance requirements.

In this article, we’ll show exactly how this issue arises and how to solve it by aligning your SharePoint permissions with the Dynamics 365 security model you already have.

Dynamics 365 and SharePoint are commonly used together and Microsoft itself provides the option for native integration of the two systems. With it, SharePoint handles document storage (at a lower cost) and enables better collaboration, even allowing non-CRM users to access Dynamics 365 documents.

This integration is easy to deploy (here is a step-by-step guide), and it works well from a functional perspective, allowing organizations to move the documents they have in their CRM records to SharePoint while keeping a link to the documents in the CRM. For example, a user working on an Account record in Dynamics 365 can open related documents directly from the record, even if they are not stored in Dataverse. When the user clicks a file, it is opened from SharePoint without requiring any additional steps.

However, even though both systems are part of the Microsoft ecosystem, their security models are not synchronized. Dynamics 365 record-level access rules are not applied to SharePoint documents.

In fact, SharePoint permissions are not aligned with the Dynamics 365 security roles and security model from the start. Without additional configuration, users can have broader access to documents through SharePoint than intended, which is not always immediately apparent. For organizations subject to GDPR, HIPAA, PCI DSS, or NIST, this is a compliance risk: how will you demonstrate that access to sensitive documents was restricted to authorized personnel only?

On top of that, attempting to correct this manually quickly becomes difficult to maintain and error-prone because of changes in Dynamics 365, such as role updates, ownership changes, or team membership.

To address this misalignment, the Dynamics 365 security model needs to be replicated in SharePoint so that document access follows CRM permissions.

This requires copying access rights between both systems, ensuring that SharePoint permissions reflect the current security configuration in Dynamics 365 in terms of users, roles, and which documents each has access to.

In practice, synchronizing Dynamics CRM security with SharePoint involves:

• Mapping Dynamics 365 users, teams, and business units to SharePoint identities
• Translating security roles and privileges into SharePoint permission levels
• Assigning permissions at the folder or document level
• Updating access dynamically when changes occur in Dynamics 365

This means a user accessing via SharePoint will be able to access exactly what the current Dynamics 365 security model allows, preventing unauthorized access to sensitive documents.

Replicating the Dynamics 365 security model in SharePoint needs to be automated and driven by triggers based on changes in Dynamics 365 to ensure consistency between systems at all times.

To achieve this, CB Dynamics 365 to SharePoint Permissions Replicator, a Microsoft Preferred Solution, enables continuous synchronization of Dynamics 365 security roles and SharePoint permissions based on changes in Dynamics 365, providing an install-and-forget approach to permission management.

This suite is specifically designed for businesses that rely on the synergies of the Dynamics 365 SharePoint integration to carry out their successful daily operations. Including four of our innovative products, users of Dynamics 365 utilizing SharePoint as their document repository can:

• Automatically organize their SharePoint libraries and lists, preventing the often-dreaded unique permissions limit.
• Verify the integrity of documents stored in SharePoint directly from the user interface by using Blockchain technology. A must-have capability for maintaining the security and accuracy of Dynamics 365 documents stored in SharePoint.
• Optimize Dynamics 365 storage space through the transfer of files to alternative file storage solutions. This is critical for businesses aiming to efficiently manage their Dynamics 365 storage.
• Drag and drop multiple files to upload them and enable users to enter metadata without having to go from Dynamics to SharePoint and back.

And of course, CB Dynamics 365 to SharePoint Permissions Replicator solves the challenge of not having Dynamics 365 privileges reflected on the SharePoint side as seen above.

Organizations across industries rely on this solution to protect sensitive data and streamline collaboration. Learn how a leading association prevented data exposure in Preventing Sensitive Data Exposure in SharePoint, how a global enterprise scaled secure document management in Secure Documents, Global Success: The Systemair Story, and how hidden permission issues were resolved through partnership in ORBIS and Connecting Software Partner to Solve a Hidden Dynamics 365 Problem. You can also explore how non-profits enhanced security in Improving Document Security at the Waalitj Foundation.

At some point, employees advance within the organization, and with that progression comes a change in their access to company information. These shifts must be accurately reflected across your systems. This is no different for Dynamics 365 or SharePoint.

CB Dynamics 365 to SharePoint Permissions Replicator ensures you do not have to worry about this, as it will automatically make the team-related documents accessible to the promoted employee, without requiring any additional work from your IT admin. Similarly, when your company grows and opens new divisions in other countries, in Dynamics 365 you can create individual business units or teams for the corresponding markets. And thanks to multi-tenancy capabilities, by deploying a single installation of our solution you can configure the permission replication process for multiple Dynamics CRM instances, as well as for multiple SharePoint sites for a single Dynamics CRM organization.

While the permissions not being aligned is a security risk in itself, it also creates compliance challenges under data protection regulations:

• SharePoint permissions operate independently from the Dynamics 365 security model, making it difficult to enforce consistent access control.
• Users may therefore access documents containing personal data outside their authorized scope, even if CRM permissions are correctly configured.
• As a result, organizations may be unable to demonstrate that access to sensitive data is properly restricted and auditable.

This is where CB Dynamics 365 to SharePoint Permissions Replicator helps your organization meet the requirements of data privacy regulations such as GDPR, PCI DSS, and HIPAA. These standards apply across industries and regions, regardless of where your organization operates.

By ensuring that access rights defined in Dynamics 365 are consistently replicated to SharePoint, your organization can maintain control over document access and support regulatory compliance.