
Keep Legacy AX, GP, and NAV Running Safely in 2025: A Security-First Delivery Plan
AX 2012, Dynamics GP, and NAV won’t vanish overnight. This research-backed guide lays out a security-first delivery plan for 2025: identity-anchored access, contextual DLP, session recording, outbound-only connectivity, and lighter ops so users stay productive while you plan D365. We’ll also be at Community Summit 2025 (10% off with code Sonetio10).
Many finance and operations teams will keep legacy AX, GP, or NAV in place for at least another budget cycle. The question isn’t “why haven’t you migrated yet?” It’s “how do you keep people productive and data safe while you plan the future?”
This post lays out a practical, security-first approach to delivering legacy Dynamics apps in 2025, backed by current support timelines and real operational constraints.
Why this is urgent now
- AX 2012 is fully out of support. AX 2012 R3 exited extended support on January 10, 2023. No new security fixes means every new vulnerability persists.
- GP has a published end-of-life runway. No new features since 2022, mainstream support ends Dec 31, 2029, and security updates stop April 30, 2031. New perpetual licenses ended April 1, 2025. If you stay indefinitely, you’ll eventually operate without patches.
- NAV 2018’s timer is ticking. Extended support runs through January 2028; earlier versions are already out, and Microsoft’s investment is in Business Central.
- Shrinking expertise and vendor focus. Fewer consultants know AX/GP/NAV, rates are rising, and Microsoft’s “major attention has moved to Business Central.”
Translation: even if a full reimplementation is on the roadmap, you still need a safer, simpler way to deliver what you have today.
The real problem to solve
Most pain isn’t inside AX/GP/NAV. It’s around them: brittle endpoints, aging OS images, VPN/VDI sprawl, and gaps in auditability. Traditional stacks layer VPNs, agents, and proxies to reach the ERP client, which increases attack surface and ops burden.
Some teams push workloads to AVD, but securing it still means assembling Conditional Access, Purview DLP, and SIEM integration, then keeping the policy design tight and the patching current. That’s doable, just heavy.
A security-first delivery plan for legacy Dynamics
The goal: reduce endpoint and network risk while preserving user productivity. A practical approach:
- Move execution away from the endpoint. Deliver the ERP UI through the browser so devices don’t hold data, and your control plane can enforce policy centrally. This shrinks the threat surface and simplifies audits.
- Anchor access in identity. Require SSO and MFA through your IdP. Sessions should honor existing Conditional Access without extra agent sprawl.
- Apply contextual DLP. Enforce copy/paste, download, and print controls by app and content type. Support custom identifiers when “credit-card-like” strings collide with part numbers.
- Record what matters; prove control. Enable session recording and watermarking for regulated roles, push logs to your SIEM, and support universal logout to kill dangling sessions.
- Avoid inbound exposure. Use an outbound connector for on-prem ERP hosts so you don’t punch firewall holes or maintain site-to-site VPNs. Scope access to specific apps and machines.
- Keep ops light. Favor delivery that doesn’t require VDI buildouts, device agents, or hardware refreshes.
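The contextual DLP point above (custom identifiers so that “credit-card-like” part numbers don’t trip card-number rules) can be made concrete. The following is an added example, not code from the original post or from any product: it flags a digit run only when it passes the Luhn checksum, and exempts it when the surrounding text marks it as a part number. The field names (`Item=`, `PN-`) and the sample export lines are constructed assumptions.

```python
import re

# Added example: contextual DLP classifier for ERP export text. A digit run is
# treated as a payment card only if it passes the Luhn checksum; a custom
# identifier rule then exempts runs that sit in a part-number field.
# Field names and sample lines below are constructed for this example.

CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digits, spaces/dashes allowed
# Assumed custom identifier: part numbers carry a "PN-" prefix or sit in an Item=/PartNo= field.
PART_CONTEXT_RE = re.compile(r"(?:PN-|Item=|PartNo=)$")
CONTEXT_CHARS = 8                                    # how much preceding text to inspect

def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                               # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep only the last four digits so a finding can be logged to a SIEM safely."""
    return "*" * (len(digits) - 4) + digits[-4:]

def classify_line(line: str) -> list[tuple[str, str]]:
    """Return (verdict, masked_value) for each Luhn-valid card-like run in the line."""
    findings = []
    for m in CARD_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            continue                                 # checksum fails: invoice/PO number noise
        before = line[max(0, m.start() - CONTEXT_CHARS):m.start()]
        verdict = "exempt-part-number" if PART_CONTEXT_RE.search(before) else "block"
        findings.append((verdict, mask(digits)))
    return findings

def scan_lines(lines):
    return [f for line in lines for f in classify_line(line)]

# Constructed sample export: a Luhn-valid part number, a real-looking card
# number, and an invoice number that fails the checksum.
SAMPLE_EXPORT = [
    "2025-05-03 AP export Item=PN-4111111111111111 Qty=12",
    "2025-05-03 Vendor card on file: 5500 0000 0000 0004",
    "2025-05-03 Invoice number 1234567890123 total 99.00",
]

if __name__ == "__main__":
    for verdict, value in scan_lines(SAMPLE_EXPORT):
        print(verdict, value)
```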
Security checklist for Dynamics teams
- Identity-based access with MFA and session timeouts
- Per-app controls for clipboard, file I/O, printing, and USB
- DLP with custom classifiers for your data patterns
- Session recording and watermarking, role-based
- Centralized logging with SIEM export and real-time alerts
- No data persistence on endpoints
- Outbound-only connectors to on-prem ERP hosts
All of the above are feasible today with modern application delivery platforms that stream apps to the browser and enforce zero-trust policy at the delivery layer.
Productivity still matters
Security can’t come at the cost of a month-end close. Assess user experience in real workflows:
- Login-to-first-transaction time for AP/AR clerks
- Report runs and exports to Excel
- Peripheral needs such as print behavior and multi-monitor use
- Support flow when users need help mid-session (recordings and real-time visibility save hours)
Teams migrating from AX to D365 often see large productivity gains due to a modern UI and automation, but until you replatform, a browser-delivered client can stabilize today’s experience.
Budget: don’t trade one pile of cost for another
As you phase out VPN/VDI complexity and hardware refreshes, look at the total device and security stack you’re carrying, such as AV, DLP, CASB, EDR, and VPN clients, plus the hidden logistics of imaging and shipping devices. Centralizing control in the delivery layer can reduce that spend and its variability.
What success looks like in a 30-day pilot
- Risk reduced: no data at rest on endpoints; enforced MFA and DLP
- Ops simplified: no device shipping, no inbound firewall changes
- Users productive: finance closes on time, reports run at parity or better
- Evidence captured: SIEM integration, session evidence for audits
Planning your long game
You should still plan for D365. The industry consensus is clear: migration brings long-term benefits and avoids growing support and compliance risk. But you don’t need to rush a reimplementation to fix today’s security and delivery challenges.
Heading to Community Summit 2025?
We’ll be there in Orlando, October 19–23, to swap notes on safe delivery patterns for legacy AX, GP, and NAV while you plan Business Central or D365 F&O. If you want to see a security-first delivery model in action, stop by and say hi.
Show special: Save 10% on your pass with code Sonetio10 at registration.