ūüĒź Thank you GDPR! A new Dynamics 365 security feature is available: Audit User Read Access to CRM Records

With GDPR being effective since May 25 2018, Microsoft has released a large set of tools and security mechanisms, both on Office 365 and Dynamics 365, to ensure their customers can be compliant and offer the highest level of security.

I will focus in this article on the new option to audit read actions.

Dynamics 365 now allows to track these actions:

  • Display of a single CRM record.
  • Display of a list of records¬†in a view or¬†export of a set of records.

In the past, it was only possible to audit Create, Update, and Delete events, not the Read event, unless you implemented specific developments with plugins that would be triggered on Retrieve and RetrieveMultiple.

This Microsoft Docs article does a very good job at explaining how Activity Logging works, its requirements, and how to set it up: Enable and use Activity Logging

Let’s make one thing clear: if people can have a read access to data, they can manage to export the data one way or another. So security should come from your security model, and not based on whether or not you display or hide fields on a form, or if you disable the Export to Excel button for your users (remember the data is available through the APIs, so it’s quite easy to export, for example through a Power BI report).

How to set up Activity Logging?

  • Have a¬†Production¬†instance with¬†version or higher¬†and an Office 365 Enterprise¬†E3 or E5¬†subscription.
  • Go to your instance¬†System Settings, in the¬†Auditing¬†tab and make sure that¬†Start Auditing,¬†Audit user access¬†and¬†Start Read Auditing¬†are checked. You must also enable Auditing¬†in one of areas¬†of your sitemap:
  • In the customizations, activate¬†Auditing¬†at the desired entity level, and then¬†Single recording auditing¬†to track when a record is opened (Retrieve message) and¬†Multiple record auditing¬†to track when a list of records are retrieved, either in a view or through an Excel export (RetrieveMultiple message).

What does it look like in practice?

This is what the Audit History looks like on a contact record where we have enabled audit. If you look carefully, you will see no signs of a read action, but instead the classic Create and Update history of events:

You will also notice a new Delete Change History button that allows to wipe the audit history for a single record. This action will also be tracked in the Audit History:

Where to find the Dynamics 365 Read Audit Log?

As this kind data can rapidly accumulate in huge volumes, it is logged in a dedicated place, in the Office 365 Security & Compliance Portal.

  • Under¬†Search & investigation, go to¬†Audit log search
  • You will notice that events from many different Office 365 applications are logged here. You can¬†filter the list¬†of audited activities by application, by selecting¬†Dynamics 365 activities:
  • You will notice that¬†many Dynamics 365 events are tracked. So you can also filter down the list of results with¬†Users,¬†Dates¬†or¬†Custom filters¬†applied to your view:
  • When you open an audit record, you will get access to a bunch of additional information, that are not very user friendly, such as the record URL that was displayed. Here is an example for the¬†Retrieve contact¬†audit activity:
  • Here is a¬†RetrieveMultiple Contacts¬†log. Notice how the system records the¬†FetchXML¬†query associated with the displayed list of records, and not the collection of displayed records.

This means that you do not know precisely the records that were displayed without doing some more advanced analysis.

Initial thoughts

Well, as you can see, it’s not very simple to get to the “Read” event for a CRM record. But at least, these events are tracked somewhere. No doubt Microsoft will improve the experience in future versions.

While it’s still not possible to display that kind of information from the Dynamics 365 application (be it from the¬†Audit Summary View¬†or directly from the¬†Audit Summary¬†of a specific record), I get a feeling that Microsoft will be progressively moving most or all audit tracking features to the Security & Compliance portal, as a lot of Dynamics 365 events are already being tracked in it (the full list of admin and user events is available here):

Example of an Update contact activity that stores the updated values:

To programmatically download data from the Office 365 audit log, you can use the Office 365 Management Activity API (REST web service).

The future of xRM / CRM is here! ūüĒ• A first (impressed) look at the new PowerApps and Common Data Service for Apps

Note: this article was first published on LinkedIn.

Following my article¬†The new PowerApps and CDS for Apps run on xRM!, I’m happy to share with you my first steps in the CDS for Apps and PowerApps “Model-Driven App” world!

The Common Data Service (CDS) enables customers and partners to build and deliver rich LOB applications using data from the Dynamics 365 family of services and Office 365. CDS is ubiquitously available in Dynamics 365, Office 365 and as a standalone aPaaS platform through PowerApps.

Creating a new CDS for Apps environment

Creating a new CDS environment is quite easy, but you need an appropriate subscription! Check out the¬†PowerApps Plan 2 subscriptions¬†($40 / user / month). It’s available for a 30 day trial.

Now that you’re licensed, simply log into the¬†Microsoft Business Platform admin center¬†(or in the¬†PowerApps admin center, in fact it’s the same thing). Here, you will find all your existing¬†Dynamics 365 Customer Engagement¬†and¬†Common Data Service for Appsinstances / environments:

Click on “New environment”, fill-in a name, a region (the region must be the same as your Azure AD if you plan to create a database), and the type of environment (Production or Trial).

After you click create, you will be prompted to configure the base language and currency (yes, just like CRM!)

After creating the database, just wait a few minutes and your instance should show up (and it will display the Dynamics 365 Administration Center as well!).

As you can see in the screenshot below, it offers the same options as a “classic” Dynamics 365 Customer Engagement instance: you can edit the instance Name, URL, Type (Production / Sandbox), Security Group, and you can also copy it to a sandbox (even a Dynamics 365 Customer Engagement one).

If you navigate to the instance, you will be surprised (or not) to see that the sitemap only includes the Settings and Trainings areas. No more default areas for Sales, Service and Marketing as we used to know:

But wait, there is more!

Microsoft has accomplished quite a tour de force! They completely striped down the environment from what used to be core business entities¬†such as Lead, Opportunity, Case, Campaign… Those are now included in dedicated solutions and packaged as apps.

The Default Solution contains in fact very few functional objects: Account, Contact and Activity entities. The rest is just configuration related. Out-of-the-box, the system contains only 56 entities (these are the entities visible in the solution, if you browse the metadata, there are 312 entities, a lot of them technical, but still no opportunity, case, etc.). To give you a comparison, vanilla instances of Dynamics 365 Customer Engagement (with no applications such as Field Service, Sales, etc. installed) contain 130 entities in the Default Solution.

Now that’s pure xRM, isn’t it?

There are also only a few dashboards and reports:

4 security roles (on top of System Administrator, of course):

What solutions are installed by default?

  • Common Data Services Default Solution. This unmanaged contains all customizations you have done¬†from¬†PowerApps (https://web.powerapps.com/).
  • CDS Management.¬†A managed solution that only contains the “Environment Maker” security role.
  • Base Custom Controls Core. This managed solution contains 52 controls (based on the new¬†Custom Control Framework).

What about users?

You will find in the Security / Users part of the instance¬†the full list of users of your Office 365 tenant.¬†That’s right, even those who don’t have a single PowerApps or Dynamics 365 Customer Engagement license!

I’ve created a dummy user with a simple Office 365 E3 license to check if he could access the instance with a proper security role, and it works. I was even able to configure Server-Side Synchronization for his Exchange account. There was however no options to enable / configure the Dynamics 365 App for Outlook.

What about model-driven apps?

You can either create Apps from the CDS for Apps instance, in the classic Dynamics UI (either is Settings / My Apps, or within a Solution), or you can create an App from the PowerApps interface:

Whether you create the App from the CDS instance (the Dynamics 365 experience) or from PowerApps is quite similar. It will open the the app designer (https://xxxxx.crm.dynamics.com/designer/app/…) of your CDS instance. The only difference is that the App you create from PowerApps will have¬†CDS Default Publisherprefix.

Just like any app, your App can contain system or custom entities, and you will be able to customize the system the same way you did on a classic Dynamics 365 Customer Engagement instance.

Here, I have created a little Model-Driven App for my dummy user containing a “Show” custom entity. The user was able to access it from the Web:

And from the mobile Dynamics 365 for phones application:

What about customizations done from the PowerApps side?

You can easily create and modify Entities, Fields, Keys, Relationships, Views, Business rules, shared option sets, directly from within the PowerApps user interface. New fields and entities will be prefixed with the CDS Default Publisher prefix (just like new apps), and all new or modified customizations will be added to the Common Data Service solution.

What data integration options does PowerApps bring to the table?

PowerApps comes with some Power Query Data integration options. Here are the available sources as of today:

Final words

The new CDS for Apps is a fantastic opportunity for customers and ISVs to easily create new cost-effective business applications on top of the same robust foundation that powers Dynamics 365 Customer Engagement.

I was surprised my dummy user did not need a PowerApps Plan 2 license to access the CDS for Apps instance and app, but this could because this is all brand new.

I tried to trick the system and install the Dynamics 365 Sales Application, but it failed, maybe because of missing dependencies or by protection mechanism to prevent people to add Dynamics 365 Customer Engagement apps on basic PowerApps Common Data Service for Apps environments.

The new PowerApps and CDS for Apps run on xRM

How the Dynamics CRM technology foundations have come the beating heart of the Microsoft Business Application Platform.

NB: I’ve changed the initial title to avoid confusion: xRM is not dead, it just got reincarnated into a new product and has a new official name. The new PowerApps & CDS for Apps platform is now the platform that the Dynamics 365 for Sales, Service, Marketing, etc. applications are natively built on.

A little history…

A long time ago, there was Dynamics CRM. A solution that integrated sales, service and marketing automation features.

People quickly started talking about xRM because of the great extensibility of the platform. It became possible (and easy!) to manage new business processes and objects. Customizers could create new entities to meet business requirements that were not supported of the box, and customize them with their own fields, relationships, business rules, workflows forms, charts, dashboards…

Dynamics CRM then became Dynamics 365 Customer Engagement. A platform that was able to integrate various business application packages that could be activated (and licensed) independently: Sales, Customer Service, Field Service, Project Service Automation, Marketing… But Dynamics 365 Customer Engagement remained an “xRM” platform that allowed to create your own business applications or integrate prebuilt industry verticals or more advanced modules (such as ClickDimensions, for marketing automation).

In parallel, Microsoft developed PowerApps. A solution that allowed to easily create new business applications with a WYSIWYG approach, mainly to create mobile / tablet applications in a PowerPoint-like editor. One could mix various sources of data (Dynamics, SharePoint, Office, but also from non-Microsoft editors such as Salesforce.com). PowerApps leveraged the Common Data Service, a kind of transverse database for applications.

It might not be obvious to the eyes, but the July Update of Dynamics 365 (9.0) was a big architecture update of the Dynamics CRM / 365 platform (watch this video if you haven’t, to better understand what happened). Under the hood, Microsoft worked very hard to separate the “core” features and entities of the platform from the various business modules (sales, service, marketing) that were historically embedded in the core. One of the goals was to remove dependencies between the different business applications packages lifecycles:¬†for example you could update the Sales app without touching the Service app. To me, this big architecture makeover is one of the reasons that v9.0 is still not available On-Premise.

With the Spring 2018 Release, PowerApps and the Common Data Service for Apps become the beating heart of the Microsoft Business Application Platform.

With the migration of more an more Dynamics 365 Customer Engagement components to Azure (since v9.0, the database runs on Azure SQL), Microsoft transformed the old-fashioned xRM platform and made it the foundation to the various lines of business business applications running on PowerApps.

Dynamics 365 Customer Engagement was the ideal choice for this new foundation, as it already offered many out-of-the-box no-code extensibility features. Any customizer can quickly create new entities and fields (including roll-up and calculated fields), business process flows, workflows, business rules, forms, views, dashboards, etc. that would seat within dedicated application packages. These applications can be associated with target user groups and integrate a powerful and robust security model.

What was yesterday the Dynamics 365 Customer Engagement platform has become the Common Data Service for Apps. Applications created within the Common Data Service for Apps (so the Dynamics 365 Customer Engagement core, if you follow me) are now called PowerApps Model-Driven Apps. These apps leverage the new Unified Interface (UI). CRM instances have become CDS instances / environments.

Dynamics 365 Customer Engagement app modules (for Sales, for Customer Service, for Marketing, for Field Service, for Project Service Automation…) are based on the Common Data Service for Apps.

In front of the Common Data Service for Apps, the Common Data Service for Analytics. What ties them together: the Common Data Model.

Intimately related to Power BI, the Common Data Service for Analytics brings intelligence and insights to the business data coming from Common Data Service for Apps (or from external sources) and stored in the Common Data Model.

CDS Architecture



The evolution of PowerApps

Existing PowerApps applications (now called “Canvas Apps”) will continue to work, and the legacy CDS environments will be migrated to the new CDS for Apps architecture.

Canvas and Model-Driven types of apps will both appear on home.dynamics.com. On the mobile side, those types of apps will remain separated, but that should change later this year.

What subscription for some pure xRM application design?

For customers who need to create their own applications (if their functional requirements are not covered by existing Dynamics 365 modules) they can use this SKU: “Microsoft PowerApps P2” (catalog price: 33,70 ‚ā¨ / user / month). ISV will certainly also offer prebuilt applications to extend the existing Microsoft Business Application Platform offering.

Where to start to better understand all changes brought by the Spring 2018 Release?

For a global vision:

CDS Digital Feedback Loop

On PowerApps and the CDS for Apps:

On instance management:

On Flow:

On the Common Data Service for Analytics:

What role for ClickDimensions with the release of Dynamics 365 for Marketing?

Microsoft recently lifted the NDA on Dynamics 365 for Marketing and it is now in Public Preview: you can try it yourself here. Microsoft did a very good job at documenting the solution on Microsoft Docs.

You may get a little confused as to which marketing automation solution to choose for your Dynamics 365 Customer Engagement deployment between Adobe, Dynamics 365 for Marketing, and ISVs such as ClickDimensions.


Dynamics and Marketing… wait a minute!

Now this is not the first time Microsoft launches a Marketing product. Remember Microsoft Dynamics Marketing (MDM)? Microsoft had acquired MarketingPilot in 2012 and launched it as Dynamics Marketing. Unfortunately, it was a failure. It never really got much adoption due to its limited integration with Dynamics CRM and even though it covered a broad functional scope, it was quite complex for end-users. As a result, Microsoft decided to discontinue Dynamics Marketing as of May 15, 2018.

These last years, Microsoft has been hard at work to fill the gap with a Marketing offer for its different segments of customers: Adobe integration for large enterprise scenarios, and a new Marketing solution for more simple needs. At first, Dynamics 365 for Marketing was only meant to be available to small businesses with a limit on the number of users, but this seemed to have changed since last summer.

OK. So what has changed with Dynamics 365 for Marketing?

Well for once, it is built on the Dynamics 365 Customer Engagement (previously known as Dynamics CRM) platform, leveraging familiar UI and extensibility options.

Now this should ring a bell… Other ISVs have done the exact same thing. ClickDimensions is one of the most famous Dynamics 365 Customer Engagement add-on for marketing, and it is completely integrated with its own custom entities and logic, leveraging services sitting in Azure to manage want can’t be done in CRM (emailing delivery at scale, web forms, landing pages, web analytics tracking…).

But almost all ClickDimensions data sits in the CRM database. And that’s one of the issue with such solutions: it literally fills the database with behavioral data. And even though it is scalable (even more so now that it leverages Azure SQL since v9.0), the CRM database was never really meant to store large volumes of behavioral data. Instead, it was more meant to store a customer database with associated transactional data related to sales or service processes and customer interactions (appointments, phone calls…).

Storing behavioral data can rapidly grow your database to very large volumes, especially if you start tracking emailing deliveries, email opens, clicks, website browsing… And Dynamics 365 storage is not known to be cheap: extra storage is billed around 10 $/GB/month (the good news being you get 5 GB free storage for every 20 user licenses).

What does Dynamics 365 for Marketing do differently?


Microsoft has built Dynamics 365 for Marketing with the future in mind.

Instead of storing behavioral data within the Dynamics 365 Customer Engagement database, it leverages instead an embedded version of Dynamics 365 Customer Insights. While this product (still in preview) did not received a lot of coverage, it is meant to bring Big Data, Machine Learning and Intelligence to the hands of business users. It is built on the Microsoft Azure AI platform.

So in short, Dynamics 365 for Marketing uses the Dynamics 365 Customer Engagement as its foundation for integration, where you will find your contacts, customer journeys (for marketing automation), emailing templates, segments (marketing lists) etc. but the heavy works (advanced segmentation, smart matching, customer 360¬į view that leverages all kinds of data sources) is done in Customer Insights.

Dynamics 365 for Marketing also leverages other existing components to offer a very complete set of features: Voice of the Customer for surveys, Portals, LinkedIn Lead Gen Forms, etc.

How do they compare in features?

Feature ClickDimensions Dynamics 365 for Marketing
Campaign Automation Yes Yes
Email Marketing Yes Yes
Web Forms Yes Yes
(with Portals)
Event Management (Webinar) Yes
(GoToWebinar, WebEx,
Cvent, Eventbrite)
(natively with ON24 or
storing links for others)
Event Management (Conferences…) No Yes
Reporting Yes
(CRM Dashboards,
Power BI Content Packs)
(CRM Dashboards,
Power BI Content Packs)
Surveys Yes

(Voice of the Customer)

Web Intelligence / Analytics Yes Yes
Lead Scoring  Yes Yes
Landing Pages Yes Yes
SMS Messaging Yes
(with 3rd party)
(with 3rd party)
Social Marketing Yes  Yes
(with Social Engagement,


How to choose?

First, you should know that Dynamics 365 for Marketing is still in preview (some say it will hit GA in April 2018) while ClickDimensions has been around since 2010 and has a well established situation and a strong customer base. So you shouldn’t rush.

In terms of pricing, there is still no information on what Dynamics 365 for Marketing will cost, and this will certainly be a major criteria.

Technology-wise, Dynamics 365 for Marketing was built with the latest cloud technologies available when ClickDimensions inherited design choices that were driven by earlier versions of CRM and their limitations. Nonetheless, ClickDimensions offers very regular updates and has a rich roadmap for the future.

Even though both products tend to have a similar functional scope, I believe Dynamics 365 for Marketing has a more “future-proof” architecture and will be better scaled for large volumes of data and complex 360¬į customer view and dashboards.

Wait & see!

The right questions to ask when designing a security model in Dynamics 365

Where to start when it comes to security in Dynamics 365 Customer Engagement?
In this post I will help you ask and hopefully answer the key questions that arise when you design a security model.
I will also provide important warnings to consider and I will give you a simple method on how to lay down on paper the foundations of your security model and its business rules.

Dynamics 365 Security Design

What type of owner for your records?

It’s a crucial question. As I mentioned in my last article dedicated to the security context, the owner of a record defines the record’s position in the hierarchy of business units, and to which user or team it is linked to.

A user?

This means that the record belongs to the business unit of its owning user.

This is the default behavior in CRM, but is it always for the best?
Pay attention to scenarios where users are cross-departments and could work on records that can be functionally linked to different business units.
Example: I am part of the global management of a firm and as such, I sit on top of the hierarchy. At the same time, I work on an opportunity that is functionally related to the “Analytics – France” business unit. How to make sure that users belonging to that business unit also see my opportunity, if it is technically linked to a business unit above them (mine), and if they can only see opportunities that belong to their business unit? (You’are allowed to draw!)

A team?

Teams can become quite handy when it comes to dispatching data in the right place in the hierarchy of business units.
This also lets you manage independently how you dispatch users between business units (and this might not be even necessary!)

On the other hand, choosing to assign data to teams requires a bit of consideration on how to (possibly) automate these assignments, depending on business rules.
Example: when an opportunity is related to the “Business Apps – France” business unit (through a custom lookup), then assign the opportunity to the default owning team that is configured on this business unit.

A few good questions you should ask…

Beyond the classic “who should do what?”

  • Where to dispatch my users? Sometimes it is not even necessary to dispatch them in business units, especially if your security model is based on teams.
  • Where to dispatch my data? That’s the critical point

Don’t forget!

  • Who can see notes?
    Be careful with received ideas!
    Note security is not inherited from the entity it is attached to.
    They also have an owner and should not be forgotten in your security model. Otherwise you might have a surprise one day if a user makes an advanced find.
  • Who can see activity feeds publication?
    Just like for notes, visibility on publications does not depend on the visibility of records they are attached to.
    In fact, the Publication entity does not have an owner… everybody can see all of them, provided they have at least a read privilege on the entity.
  • Can we distinguish the rights on different types of activities?
    It is not possible to have different privileges on different types of activities.
    The security of an email, appointment or task should be handled in a single way.
  • What is the impact for the Outlook synchronization if my activities belong to teams?
    Be careful with Outlook default filters. They are often based on the owner.
    You should review each type of activity individually and update your organization’s default filters accordingly, for example with¬†this great tool by Tangy Touzard:¬†Sync Filter Manager.
  • How to manage security for a record that can be assigned to anybody in the organization?
    For example, a task can be assigned to different people, or a case can be handled by multiple users in their life-cycle.
    You should carefully review the path and life-cycle of your records, and make sure that they remain visible to the right users during their processing.

Warning: designing and implementing a security model can take time!

We rarely plan enough time to handle complex security models, thinking that it’s “just” configuration.

Security can require quite some work:

  • Automatic creation and configuration of owning teams
    Especially if your model is complex, with a large number of business units that evolve in time.
    Keep in mind that teams also need a security role in order to own records!
  • Automatic assignment of records based on business rules
  • Automatic configuration of users based on their profile

Document your model and create a data security inventory 

Create a spreadsheet with the entities that you use in your projet, their type of owner, and how the owner should be determined.

For example:

Entity Owner Business rule to identify the owner
Contact Team Depending on the contact’s country:

  • Contact > Country > Country’s owning team
Lead User The user who creates the lead (default behavior)
Account Not relevant, as in this model all users should see all accounts
Opportunity Team Depending on the managing department of the opportunity

  • Opportunity > Department > Department’s owning team
Note User / Team It depends:

  • If the note is attached to a contact or opportunity, then the note should be assigned to the same owner as the contact or opportunity
  • If the note is attached to another kind of entity, then the owner should be its creator.
Product Organization N/A
Price List Organization N/A

Dynamics 365 Security: context, context, context!

Have I mentioned how important the context is?

Whenever you address a security question in Dynamics 365 Customer Engagement, there are always two contexts that you must take into consideration: the data context and the user context.

LockThe data context:¬†it is provided by the record’s owner but also (and it’s very important), by the Business Unit of its owner (whether it is a user or a team).

The user context: his or her Business Unit as well as his or her different security roles. Whether those roles are assigned directly to the user, or to the teams he or she belongs to. The respective context (especially Business Unit) of these various roles is crucial.

How should you configure your user rights?

There are several ways, but you mainly have two options to configure the rights of users in Dynamics 365:

  • With security roles that are directly assigned to them.
    …and that apply in the context of the user’s Business Unit.
  • With security roles that are assigned to teams they belong to.
    …and that apply in the context of the team’s Business Unit.

It is of course possible (and sometimes necessary) to mix and match the two options, with both roles that are directly assigned to the user and others that are assigned to teams he or she belongs to:

Team or User security role

How to know the context of a security role?

Well, that’s an easy one: it’s written on it when you assign it!
A security role’s access level is only defined¬†by the context of the user or team to which it is assigned:
Security Role and Context

Why should you assign at least one security role directly to a user instead of relying solely on team-based security?

It is recommended that even with a security model based on roles that are assigned to teams, users should have at least one security role directly assigned to them. It is mandatory if you want your users to be able to access personal CRM options, formats, languages, or have default forms, personal views, personal charts and personal dashboards (because they would need to be the owner of them, as it can’t be a team).

Base security role

You should also know that if you want users to be owner of records that only them should see, a security role containing a “read” privilege with a “user” access level, assigned to a team the user belongs to would not work. That would mean that the team can be the owner of the record, not the user belonging to the team.

Yes, security roles are additive… but be careful, they are additive in their respective context!

Security roles apply exclusively in the context of the user or team they are assigned to (and so in the context of the Business Unit of the user or team)


 Security Roles Cumulation
It is a misconception to think that because a user is part of a team, they can benefit from the team’s security role in their own user context. In fact, they benefit from each security role, but in their respective contexts.
Security Roles Accumulation
Stay tuned for more hands-on examples!

CRM Trends for 2018

It’s now been years since CRM solutions don’t restrain themselves to traditional customer relationship management processes. This broadening of their functional scope has even led editors to¬†rename their solutions.¬†CRM solutions have become cloud-based powerful, scalable and extensible platforms that can welcome a great deal of new business objects and processes. While these processes are still customer-oriented (or partner, employee, citizen, patient, student… depending on what is tracked within them) they go well beyond basic follow-up of a sales or service process.

New customer expectations have encouraged CRM editors to deeply transform their solutions. Modern CRM solutions must  meet two crucial needs: to be customer-centric, and to offer an optimal and smart User Experience (UX).

Customer-centric so that customer experience and engagement are the beating heart of the application. Consumers expect more and more from organizations: they expect proactiveness, intelligence, and no more barriers between departments who must speak with a single voice. And this is the very least! Today, each detail and attention that is added at touch points between the customer and the organization contribute to making a unique customer experience. These details and attentions have become major competitive advantages. Emotion is now the currency of experience, but it is crucial to respect intimacy and not be intrusive when providing these emotions.

User Experience because to remain competitive, organizations must do more with less. Applications must effectively guide users by being more intelligent, intuitive and simple. Expectations in terms of productivity and operational efficiency are higher than ever. Users expect great tools to achieve their business goals, and the tasks they perform must be of high value.

So what are the trends for 2018?


Social Selling and LinkedIn integration

Social Selling

Salespeople already use LinkedIn to forge ties with existing relations and to find new potential customers. CRM solutions are now also connected with LinkedIn. On top of helping to target the right people and companies, they make intelligent leads suggestions depending on organisations’ needs.

To start the conversion and engage with new leads, LinkedIn also suggests icebreakers (relations in common, shared interests, societies…). To continue the work as a team, leads can be imported into CRM and go further within the sales funnel.

Targeted ad campaigns on LinkedIn can also push interested leads directly into CRM. They can be automatically qualified based on the rules that have been defined, and teams can pick up from there and collaborate on the opportunity.

IoT and connected field service

Dynamics 365 Field Service

The Internet of Things and connected objects are a huge opportunity for consumers and companies. Maintenance activities can be optimized, failures can be anticipated, and reactivity to incidents can be strongly increased. Management platforms for connected objects are now mature and are integrated with CRM solutions for customer service and field service.

When a failure is detected on a connected object, a case can be created in CRM. Next, the customer can receive a notification, and an available technician can automatically be assigned a work order on his or her mobile phone, in order to take action. All of this is done in a smart way: depending on the task required skills, the customer’s preferences, availability and distance.

With connected field service, companies can broaden their offering with new services. They also improve customer experience and satisfaction while optimizing resource use at the same time. And all of this within a single platform.

Big Data, Data Science and Machine Learning at the service of customer insights and a complete and smart 360¬į view

The volume and diversity of data related to customer is constantly increasing. Beyond a basic transaction history, organizations now track marketing interactions, clicks, web or mobile navigation, online but also offline behaviors, on their own platforms or on social networks… They also receive large amounts of data coming from connected objects. Traditional databases cannot handle such volume of information and variety of formats, but Big Data solutions are here to take over.

Of course, the idea is not to store all these information within the CRM database, but instead to have the possibility to cross-reference them, detect patterns and identify models. Setting up analysis models help organizations define relevant indicators for the business: consumption trends, anomalies (are you losing your customer?), potential additional business, forecasts, and in the end, smarter Next Best Actions to suggest to their teams. These KPIs and Next Best Actions can reside (or be displayed) in CRM, as they are useful to users.

Modern Big Data and analytics solutions have become more simple and they can be put in the hands of business users. These tools can enable them to define advanced marketing segmentation, cross multiple data source, and perform smart predictive matching between a social network username, a website visitor, and a customer record sitting in the CRM database. This profile matching is a big challenge today for organizations, even though they are crucial to define and follow an end-to-end customer journey and offer a complete 360¬į view.

IA, Chatbots and Intelligent Automation 

Customers can engage with organizations thanks to chatbots deployed on their websites, mobile applications, Facebook pages, or via SMS. Chatbots can leverage multiple data sources (including CRM of course), and the idea is to handle part of the customers’ requests with Artificial Intelligence: fixing an appointment, following up with a request, suggesting a solution to a problem from the Knowledge Base, opening and qualifying new cases…

Smart services can automate similar recurring tasks. For example, a robot can make a first analysis of the picture of a damage before creating a case. Text-recognition technologies (OCR) can also be used to scan sales orders and create associated guarantee contracts in CRM.

In addition, CRM users can be pushed smart action cards that help them go through their work day, directly from their dashboards or from their mobile application. Action cards can be pushed for diverse topics: an email in their inbox that has been identified as urgent based on keywords, an opportunity closing soon, or a customer with no activity for too long…

Portals to open CRM data to a broader audience and customers

Customer Portal

A large part of customer requests can be handled without any interaction with your teams. How? By providing customers with an access to their data (contact details, deliveries, orders, requests, invoices…)

When creating a new request, customers can be automatically suggested relevant Knowledge Base articles and avoid low added value interactions with customer service.


On May 25th 2018, the General Data Protection Regulation (GDPR) will be unilaterally enforced. Companies of 28 European Union countries will have to be compliant, as this will deeply change how personal data will have to handled. Will your CRM be ready?

Advanced integration of CRM with Digital Marketing solutions

It’s all about bridging the gap between marketing and sales teams. Digital Marketing and CRM solutions are often distinct, especially the ones that can handle large entreprise scenarios, but they are increasingly better connected and integrated. Marketing teams can identify and define lead scoring models within a marketing automation tool, and those leads can be sent to CRM to be qualified by a salesperson as soon as they reach a certain score.

Marketing automation workflows can be defined to leverage data coming from marketing campaigns, social networks, websites as well as CRM. Cross-referencing these data allow to refine customer segmentations and as a result to better personalize customer experience on websites, applications or even in stores.

Data driven organizations and empowered users
Empowered Users

Even after putting the best reports at the service of users, their needs will continue to change, and always have to be treated urgently.

With modern BI tools, users can create their own reports and dashboards with simple self-service data visualization tools. These tools not only let users access CRM data, but they can also connect to many other sources that can be mixed in order to create more relevant cross-applications KPIs.

Users can then share their reports and dashboards with other users and teams within the organization. Whether they are embedded within CRM solutions or whether they sit in dedicated applications, reporting and analytics options are now at the hand of users who can easily create their own dashboards, reports, document templates, and formatted spreadsheets.

An increasing variety of business processes handled in CRM tools

CRM solutions keep getting enhanced with new modules. These modules go beyond traditional sales and services, or industry verticals. In fact, the new business applications that get integrated in CRM cover processes that were often managed in separate software. The similarity between them and traditional CRM processes is that they revolve around the customer. The goal is to achieve better experience as well as a complete 360¬į view within a single platform.

With Field Service, organizations can increase customer satisfaction and optimize resources with intelligent scheduling, mobile support, and remote asset monitoring. Project service automation is dedicated to projects and resources management, in order to increase productivity and by bringing people, processes, and automation technology together through a unified experience.

Transforming and realizing results by empowering teams

By broadening their functional scope and by being increasingly integrated, modern CRM solutions question the current distribution of business processes across the Information System applications. CRM solutions are more than ever a crucial cornerstone of any transformation strategy.

This article was first published on my LinkedIn profile (in French).

Basic (but important) considerations about the Dynamics 365 security model

The Dynamics 365 security model

When it comes to data, security defines who has the right to do what on a record in the respective context of the user and the data.

Concerning the User Interface, security lets you adapt a number of items for users:
  • Forms
  • Dashboards
  • Command bar buttons
  • Business Process Flows
  • The sitemap (or sitemaps, since¬†8.2, thanks to¬†Business apps)
  • Views (since 8.2, thanks to¬†Business apps)
  • Charts (since 8.2, thanks to¬†Business apps)
On top of that, security also allows to define access to specific features, such as Excel Export, Printing, the use of the App for Outlook…

Standing at the crossroads

Data security must be conceived as a meeting point between data and the user’s rights. The security model’s¬†backbone, that enables those meetings, is the business units hierarchy.

I will elaborate more on importance of the context of the user and the data in an upcoming article.

CRM Crossing Paths Dynamics 365

 Customizing views and forms IS NOT securing data

Once configured, the security model applies regardless of the entry point of your users: through the Web interface, the Web Services, the SQL Filtered Views (On-Premise), the mobile application, the reports…

It is important to understand that forms that are associated with security roles do not restrict in any way access to CRM data. Contrary to field level security, forms are just an ergonomic presentation of your data (UI). The same goes for the columns you chose to display in a view, or the filter you decide to apply to it. Any user can bypass them by doing a simple Advanced Find.

Here’s an example of the impact of a JavaScript injected into a CRM form, that completely reveals and unlocks it:

CRM JavaScript Injection EN

On a similar note, resourceful users who have a read access to CRM data can access it through the Dynamics 365 Web Services, and thus be able to export them one way or another, even if the “Export to Excel” button is hidden to them.

Security can only be configured server-side, through the configuration of your users’ rights (business units hierarchy, users/teams configuration and their security role, entity relationships, field level security, positions…), and if necessary through custom logic that is executed with Plugins or Workflows.¬†

Example of hacks

By injecting this JavaScript code in a form, a user can display all hidden tabs, sections and fields, make editable all read-only fields, and remove any requirements for mandatory fields.

This injection can be done with the console of your browser, or by minifying this code and copying it as a bookmark URL (more examples here).

javascript: var form = $("iframe").filter(function () {
    return $(this).css("visibility") == "visible"
try {
    form.Mscrm.InlineEditDataService.get_dataService().validateAndFireSaveEvents = function () {
        return new Mscrm.SaveResponse(5, "")
} catch (e) { }
var attrs = form.Xrm.Page.data.entity.attributes.get();
for (var i in attrs) {
var contrs = form.Xrm.Page.ui.controls.get();
for (var i in contrs) {
    try {
    } catch (e) { }
var tabs = form.Xrm.Page.ui.tabs.get();
for (var i in tabs) {
    var sects = tabs[i].sections.get();
    for (var i in sects) {
Another option is to install and use¬†Sonoma Partners’ Dynamics CRM DevTools inthe¬†Google Chrome extensions store:
Sonoma Partners Dynamics CRM DevTools

Golden Rules to design a security model in Dynamics 365

I’m starting a new series of articles dedicated to security modeling in Dynamics 365 Customer Engagement.

The aim is to go beyond the basic principles that are already detailed in Customization and Configuration courses or on TechNet.
I will provide design tips, best practice and examples to simplify a CRM security model implementation and administration.

Dynamics 365 Security

Why is it crucial to address the security model early in a project?

  • The Dynamics 365 Customer Engagement security model is powerful and flexible: it offers many options that can be combined.
  • It must be addressed right from the start of your project, because chances are it will impact your data model and business rules.
  • You must always have in mind your security model, in particular when you design business processes or complex data models (e.g. business processes encompassing several entities, or entities with child records‚Ķ)

Security model design Golden Rules

  • Have the future in mind: think about the administration effort when you will have to configure hundreds of users.
  • Keep it simple:¬†at some point, new people will have to understand it and make it evolve.
  • Don’t sweep things under the carpet: it might be tempting to not address a potential security issue, but it’s best to spend time on it while you are designing your model rather than wait for users to notice it in production.
  • Negotiate: opinions can change on how strict or complex the security model should be!
  • Share: educate your customer on how the standard security model works and what different options it offers, it will then be easier to try to fit in.
  • Differentiate: are we talking about filtering what we see, or restricting access to data? Sometimes a filtered view is just what you need.
  • Scalability and performance: your model might work well for a few users, business units and records. How would it scale for hundreds of thousands / millions?

The different security model options and how you should address them

Dynamics 365 Security Options_EN

New certification: MB2-877 Microsoft Dynamics 365 for Field Service

5 new Business Applications exams were announced earlier this month. Among them, a Dynamics 365 Customer Engagement one: MB2-877: Microsoft Dynamics 365 for Field Service. It should count towards the MSCA and MCSE certification paths.

Dynamics 365 Field Service

Even though Field Service skills were already tested in the MB2-718: Dynamics 365 for Customer Service exam, it’s good to have a new, dedicated exam, as the MB2-718 exam was much too dense in terms of content in my opinion.

Skills measured:

  • Set up and configure Field Service (15 ‚Äď 20%)
  • Manage work orders (15 ‚Äď 20%)
  • Schedule and dispatch work orders (15-20%)
  • Manage Field Service mobility (10 ‚Äď 15%)
  • Manage inventory and purchasing (10 ‚Äď 15%)
  • Manage the Connected Field Service solution (5 ‚Äď 10%)
  • Manage Agreements (10 ‚Äď 15%)

More information here.

How to train for MB2-877: Microsoft Dynamics 365 for Field Service? Well, on top of hands-on experience, you should find everything you need on the Dynamics Learning Portal: there is an Exam Preparation Guide, a Self Assessment and 4 dedicated courses:

You should be able to pass this new exam on and after December, 11th 2017.

Let’s also expect a new exam for Project Service Automation for 2018!