Blog Author: Ankita Chavda

Ankita Chavda is a Solution Architect at Inferenz, specializing in designing scalable data and AI-driven solutions for complex business challenges. She focuses on architecting robust technology frameworks that enable digital transformation, streamline operations, and help organizations achieve measurable business outcomes through innovation.

Implementing Event-Driven CDC (Change Data Capture) in Azure with D365, Service Bus & Azure Functions

Posted on by inferenz.manage

Background Summary

Modern organisations today look beyond traditional batch-based systems. At Inferenz we build platforms that enable agentic AI and real-time data transformation, and this article shows a concrete architecture that makes that possible. 

Using Microsoft Dynamics 365, Azure Service Bus and Azure Functions we implement an event-driven Change Data Capture pipeline that powers up-to-the-second data delivery. Read on to understand how you can shift from static snapshots to continuous, intelligent data flows.-

Event-driven CDC pipeline: Dynamics 365 → Azure Service Bus → Azure Functions → target system

Introduction

Change Data Capture, or CDC, is a design pattern that captures inserts, updates and deletes in source systems so downstream workflows can react immediately. Traditional batch or polling-based mechanisms often lag and consume excessive resources. Thanks to event-driven architectures, CDC now supports near-real-time processing. That means faster insights, smoother data flow and tighter coupling between business events and system responses.

In this blog, we walk through how to build a real-time CDC pipeline using Microsoft Dynamics 365 (D365), Azure Service Bus, and Azure Functions. This architecture ensures that every data change in D365 is captured, transformed, and routed in near real-time to downstream systems like Redis Cache or Azure SQL.

The challenge: Timely data sync from D365 to target system

We worked with a client who needed updates from Dynamics 365 to show up in the target system and be query-able via APIs within just 3–5 seconds. Meeting this SLA meant designing a pipeline with minimal end-to-end latency and consistent performance across all layers.

Key challenges faced:

  • Single-entity query limitation
    D365 Web API allows querying only one entity at a time, which led to multiple sequential calls when fetching data from related entities — increasing end-to-end latency.
  • Lack of business rule enforcement
    Since data was extracted directly from plugin event context and pushed to the target system, D365 business logic or calculated fields were not applied. Any additional transformation had to be implemented after retrieval, adding to the overall response time.

Solution architecture overview

Architecture diagram:

Components:

  • Dynamics 365 (D365): Acts as the data source generating change events (create, update, delete).
  • Azure service bus: An enterprise-grade message broker that decouples the sender and consumer.
  • Azure functions: Serverless compute that consumes the event and applies business logic.
  • Target system: Any data sink or consumer (e.g., Redis, Azure SQL) that receives updates.

Azure Service Bus and Azure Service Functions in action

Azure-native advantage:

Because we built every component in Azure (Service Bus, Function Apps, Redis Cache, etc.), we could manage the full pipeline end-to-end. That offered us:

  • Better control over retries, scaling and performance tuning
  • Native observability using Application Insights and Log Analytics
  • Rapid troubleshooting with no reliance on third-party services

Publishing events to Azure Service Bus

    1. Create Service Bus namespace with Topic or Queue.
    2. Message structure:
      • The message sent to Service Bus via the Service Endpoint will follow the standard structure defined by Dynamics 365 for remote execution contexts. The format may evolve over time as Dynamics updates its schema, so consumers should be built to handle possible changes in structure.

Setting up change tracking in Dynamics 365

Steps:

    1. Enable change tracking:
      • Navigate to Power Apps > Tables > enable ‘Change Tracking’ for each entity required for CDC.
    2. Plugin registration:
      • Use Plugin Registration Tool (PRT) to:
        • Register external service endpoint for Service Bus endpoint.
        • Link this endpoint to a step so that the message is sent from D365 to the specified external service when a data event (Create, Update, etc.) occurs.
        • Register message steps like Create, Update, Delete, Associate, Disassociate on specific entities
        • Configure execution stage and filtering attributes
      • Associate/Disassociate events in Dynamics 365 represent changes in many-to-many relationships between entities. Capturing these events is essential if downstream systems rely on accurate relationship mappings.
      • Important: The PRT only registers and connects the plugin code to events in D365. The logic inside the plugin (such as sending a message to Azure Service Bus) must be written in the plugin code itself using supported libraries like Microsoft.Azure.ServiceBus.
    3. Authentication & Access:
      |The authentication setup provides the foundational credentials and access paths that allow Azure services to securely communicate with Dynamics 365 APIs and other Azure components.
    • Register an Azure AD App for D365 API access.
      • This provides the Application (Client) ID and Tenant ID, which will be used later in service connections or token generation to authorize calls to D365 APIs
      • The app also holds the client secret (or certificate), which acts like a password in service-to-service authentication flows.
    • Assign a user-assigned managed identity to secure resources.
      • This identity is linked to services like Azure Functions and used to securely access resources like D365 and Service Bus without storing credentials. It allows Azure Functions to authenticate when interacting with APIs or retrieving secrets.
    • Grant permissions in Azure AD and D365.
      • Granting API access in Azure AD allows the app to interact with D365, while assigning roles in D365 ensures the app or identity has the necessary data permissions. These access levels determine the ability to publish or process events.

Event handling with Azure Functions

  1. Create Azure Function with a Service Bus trigger.
  2. Process Message:
    • Deserialize JSON
    • Apply business logic (e.g., enrich, transform, validate)
    • Insert/Update target system
  3. Writing to Target System:
    • The processed message is then written to the configured target system.
    • For Redis Cache, Azure Functions typically store data as JSON objects keyed by entity ID, enabling fast lookups.
    • For Azure SQL, the function may use INSERT, UPDATE, or MERGE operations depending on the change type (e.g., create/update/delete).
    • Ensure that data mapping aligns with the entity schema from Dynamics 365.
    • For our use case, we had a time goal to apply CDC changes in the target system under 3–5 seconds along with the LOB apps that would query the data from the target system using APIs exposed via APIM. Redis proved to be both faster and more cost-effective compared to Azure SQL.
    • Additionally, our data size was relatively small and expected to remain limited in the future, making Redis a more suitable choice.
  4. Best Practices Implemented:
    • Used DLQ for unhandled failures
    • Ensured idempotency for retries
    • Added structured logging in Log Analytics Workspace

Monitoring and observability

  1. Enable Application Insights for Azure Functions.
  2. Use Azure Monitor to:
    • Track execution metrics (Success, Failures)
    • Setup alerts for Service Bus dead-letter queues
  3. Use Log Analytics queries for debugging and advanced insights
  4. Create dashboards in Azure portal for quick insights for business users and monitoring for developers

Testing & validation

  • Create a test record in D365.
  • Verify plugin execution and message delivery in Service Bus.
  • Check Azure Function logs for event processing.
  • Introduce controlled failures to test DLQ behavior.

Best practices & lessons learned

  • Use RBAC + MSI for secure access
  • Define message contracts (schema) early
  • Track event versions to handle schema evolution
  • Avoid sending sensitive PII data without encryption
  • Design for failure and retry from day one
  • Design the schema evolution for target system thoughtfully

From event-driven CDC to agentic AI

This architecture does more than move data quickly. It sets the foundation for agentic AI workflows that respond to change in real time. When events from Dynamics 365 flow through Azure Service Bus into function-based processing, that data can power:

  • Real-time scoring models that assess risk or customer intent as updates occur
  • Automated alerts and triggers for operational teams when certain thresholds are crossed
  • Predictive recommendations that learn from continuous data streams instead of daily batches

Such event-driven systems become the nervous system of AI-enabled enterprises—where every update feeds insight and every event leads to action.

 

Conclusion

Event-driven CDC unlocks real-time integration between D365 and downstream systems. By combining Service Bus, Azure Functions, and plugin-driven triggers, you can create a scalable and reactive architecture that meets modern enterprise needs.

Explore how this can be extended to support data lakes, event analytics, and multiple system syncs — all using Azure-native tools.

FAQs

1) What is event-driven CDC in Azure with Dynamics 365?
Event-driven CDC captures create, update, and delete events from Dynamics 365 and publishes them to Azure Service Bus. Azure Functions consume these messages and write to targets like Redis or Azure SQL for a real-time data pipeline.

2) How fast can a D365 to target sync run with this design?
With Service Bus and Functions on consumption plans, sub-5-second end-to-end times are common for moderate loads. Tune message size, prefetch, and Function concurrency to hit strict SLAs.

3) Should I choose Redis or Azure SQL as the target for CDC data?
Use Redis when you need very low latency lookups for APIs and short-lived data. Choose Azure SQL when you need relational joins, reporting, or long-term storage tied to CDC events.

4) How do we keep this CDC pipeline reliable and secure?
Use RBAC and Managed Identities for D365, Service Bus, and Functions. Add DLQ, idempotent handlers, replay controls, Application Insights, and Log Analytics for full traceability.

5) Can this CDC setup feed analytics or agentic AI use cases?
Yes. The same event-driven CDC stream can power real-time scoring, alerts, and agentic AI actions. You can also route change events to APIM and data stores that back dashboards.

6) What does implementation involve on the Dynamics 365 side?
Enable Change Tracking on required tables. Register a Service Bus endpoint and plugin steps for Create, Update, Delete, and relationship events, then publish structured messages for Azure Functions to process.

The Importance of PII/PHI Protection in Healthcare

Posted on by inferenz.manage

Background summary

This article explains how a healthcare data team secured PII/PHI in an Azure Databricks Lakehouse using Medallion Architecture. It covers encryption at rest and in transit, column-level encryption, data masking, Unity Catalog policies, 3NF normalization for RTBF, and compliance anchors for HIPAA and CCPA.-

Introduction

In healthcare, trust starts with how you protect patient data. Every lab result, claim, and encounter add to a record that links back to a person. If that link leaks, the cost is more than penalties. It affects patient confidence and care coordination.
In 2024, U.S. healthcare reported 725 large breaches, and PHI for more than 276 million people was exposed. That is an average of over 758,000 healthcare records breached per day, which shows how urgent this problem has become.
With cloud analytics and healthcare data lakes now standard, teams must protect Personally Identifiable Information (PII) and Protected Health Information (PHI) through the entire pipeline while meeting HIPAA, CCPA, and other rules.
This article shows how we secured PII/PHI on Azure Databricks using column-level encryption, data masking, Fernet with Azure Key Vault, and Medallion Architecture across Bronze, Silver, and Gold layers. The goal is simple. Keep data useful for analytics, but safe for patients and compliant for auditors. Microsoft and Databricks outline the technical controls for HIPAA workloads, including encryption at rest, in transit, and governance.

The challenge: securing PII/PHI in a cloud data lake

Healthcare data draws attackers because it contains identity and clinical context. The largest U.S. healthcare breach to date affected about 192.7 million people through a single vendor incident, and it disrupted claims at a national scale. The lesson for data leaders is clear. You must plan for data loss, lateral movement, and recovery, not only for perimeter events.

Our needs were twofold:

  • Data security
    Protect PII/PHI as it moves from ingestion to analytics and machine learning.
  • Compliance
    Meet HIPAA, CCPA, and internal standards without slowing down reporting.

We adopted end-to-end encryption and column-level security and enforced them per layer using Medallion Architecture:

Bronze

Raw, encrypted data with rich lineage and tags.

Silver

Cleaned, standardized, 3NF-normalized data with PII columns clearly marked.

Gold

Aggregated, masked datasets for BI and data science, with policy-driven access and role-based access control.

For scale, we added Unity Catalog controls and policy objects that apply at schema, table, column, and function levels. This helps enforce row filters and column masks without custom code in every job.

Protecting PII/PHI: encryption at every stage

We used three layers of protection so PII/PHI stays safe and still usable.

Encryption in transit

Data travels over TLS from sources to Azure Databricks. For cluster internode traffic, Databricks supports encryption using AES-256 over TLS 1.3 through init scripts when needed. This reduces exposure during shuffle or broadcast.

Encryption at rest

Raw data in Bronze and refined data in Silver/Gold stay encrypted at rest with AES-256 using Azure storage service encryption. Azure’s model follows envelope encryption and supports FIPS 140-2 validated algorithms. This satisfies common control requirements for HIPAA encryption standards and workloads.

Column-level encryption

This is the last mile. We encrypted specific fields that contain PII/PHI.

  • Identify sensitive columns. With data owners and compliance teams, we tagged names, contact details, SSNs, MRNs, and any content that can re-identify a person.
  • Fernet UDFs on Azure Databricks. We used Fernet in a User-Defined Function so encryption is non-deterministic. The same input encrypts to different outputs, which reduces linking risk across tables.
  • Azure Key Vault for key management. We stored encryption keys in Azure Key Vault and used Databricks secrets for retrieval. We set rotation, separation of duties, and least privilege to keep access tight. Microsoft documents customer-managed key options for the control plane and data plane.

Together, these patterns form our Azure Databricks PII encryption approach and support HIPAA control mapping.

Identifying PII in healthcare data: a collaborative and automated approach

PII storage

  • Collaboration with business teams
    Subject-matter experts show which fields matter most for care and billing. They confirm what counts as PII/PHI by dataset and by jurisdiction, since a payer file and an EHR table carry different fields and retention rules. We document these rules in a data catalog entry and bind them to  Unity Catalog policies.
  • Automated Python scripts for data profiling
    Our scripts look for regex patterns, outliers, and value density that point to contact info or identifiers. We score each column for PII likelihood and tag it at ingestion. We also write the score and the supporting evidence to the catalog. That way, audits can see when we marked a column and why.
  • Analyzing nested data for sensitive information
    Clinical feeds often arrive as JSON or XML with nested groups. We flatten with stable keys, then scan inner nodes. We also search free-text fields for names or IDs. The same rules apply: detect, tag, then protect.
  • What we do with tags
    Tags flow into policies for masking, access control, and key selection. This reduces manual steps and keeps rules consistent as teams add new feeds.

This practice underpins data governance in healthcare and makes PII/PHI classification repeatable.

SCD-2 and data masking for compliance

Healthcare keeps history for clinical and financial reasons. That means Slowly Changing Dimensions (SCD-2) and audit trails.

SCD-2 with MD5 hashing and fernet encryption

We create stable MD5 hashes for record identity and apply Fernet to the sensitive attributes. Hashing preserves version tracking. Encryption keeps versions private. When downstream jobs need to join on keys, they can rely on the hash while leaving names and contact details protected.

Data masking for specific user groups

In Gold, we apply policy-based masking. Analysts who need names for outreach can see decrypted values. Others see tokens. We keep the policy in Unity Catalog as a column mask and reference the same function from SQL. Databricks documents row filters and column masks for this purpose.

Masking function steps

  • Define roles and permissions
    Map roles to the minimum fields needed.
  • Apply masking functions
    Use a CASE expression or a catalog mask to return masked or decrypted values based on role.
  • Log access
    Write grants and exceptions to an audit table so you can answer who saw what and when.

Example of masking in SQL


This is the core of our data masking and compliance solutions.

Managing CCPA and GDPR requests: right to be forgotten (RTBF)

GDPR and CCPA give people the Right to be Forgotten. Azure and Databricks document how to prepare data, set deadlines, and confirm erasure. We designed for this from day one. Microsoft Learn+1

Data normalization and separation

We encrypt PII at ingestion into Bronze, then normalize to 3NF in Silver. This separates PII from facts so we can delete or anonymize a person’s data without breaking joins. When a request arrives, we touch fewer tables and keep referential integrity intact.

GDPR/CCPA control table

We keep a table for requests with user ID, request type, received date, deadline, and status. We attach actions to a runbook so ops can trace evidence in audits.

Challenges in managing delete requests

  • Data coupling
    PII often sits close to clinical history and billing lines. If you delete a name in one table, you may create orphans in another. The 3NF split keeps link keys active while PII columns are removed or anonymized.
  • Data redundancy
    The same PII appears in multiple layers and extracts. A single job must sweep Bronze, Silver, and Gold, plus exports.

Why 3NF?

  • Separation of PII. Deleting in the PII table does not break unrelated metrics.
  • Efficient deletion. Scoping the change to one place avoids full-dataset churn.
  • Auditable control. The request table and job logs prove action within the required time window. Databricks explains timelines for RTBF and patterns for Delta Lake deletes. Microsoft LearnDatabricks

Automated deletion process

  • Bronze layer. Delete or overwrite the raw files related to the user.
  • Silver layer. Remove records by user_id and anonymize linked attributes.
  • Gold layer. Delete or mask as needed, then re-build derived views.

This pipeline supports right to be forgotten workflows and keeps reporting stable.

Compliance considerations and final thoughts

We tied our controls to key standards.

  • HIPAA on Azure Databricks
    Databricks provides a compliance security profile for PHI workloads. It adds hardened images, monitoring agents, and limits preview features that do not meet the profile. You still own your compliance program, but the platform closes common gaps.
  • Encryption controls
    Azure documents AES-256 encryption at rest and supports customer-managed keys for the control plane and DBFS. This helps you prove key ownership and rotation.
  • Governance controls
    Unity Catalog centralizes access controls, masks, and row filters so policies live with the data. This reduces manual steps as teams add domains and products.
  • Risk context
    Large breaches continue across the sector, including the UnitedHealth incident that reached about 192.7 million people. Breach volumes remained high in 2024 and 2025, which is why encryption, masking, and RTBF must work together.

Our architecture keeps PII/PHI private at every stage and still lets analysts get their work done. It protects patient trust and gives auditors the evidence they expect.

Conclusion: a secure and compliant data lake for healthcare

Securing PII and PHI in a cloud-based data lake calls for clear rules and consistent automation. We used Medallion Architecture, column-level encryption with Fernet, Azure Key Vault for keys, policy-based masking in Gold, and RTBF workflows tied to 3NF design. The result is a system that resists breach impact, supports HIPAA and CCPA, and maintains data utility.

Frequently asked questions

  • Why use column-level encryption when storage is already encrypted?
    Storage encryption protects files and disks. Column-level encryption protects specific fields inside tables so only approved users or jobs can decrypt them. It lowers the blast radius if a table is exposed. Microsoft and Databricks document how to combine both layers.
  • What makes Fernet suitable for PII/PHI?
    Fernet provides authenticated, non-deterministic encryption. Identical inputs produce different outputs, which reduces linking and re-identification. It is simple to wrap in UDFs for Spark jobs.
  • How does Medallion Architecture help with compliance?
    It splits the pipeline into Bronze, Silver, and Gold so you can apply encryption, masking, and access at the right point. It also improves reproducibility, which audits require.
  • How do Unity Catalog masks and filters work in practice?
    You define a mask or filter once and attach it to a column or table. Every query sees the rule. This centralizes enforcement and keeps your SQL simple.
  • What is required for GDPR/CCPA RTBF in a lakehouse?
    You need a request log, deadlines, repeatable deletes, and a normalized design so you erase PII without breaking facts. Microsoft and Databricks outline timelines and patterns to execute RTBF.
  • Are these controls enough to stop breaches?
    Nothing stops every breach, but encryption, masking, governance, and RTBF reduce impact and speed recovery. The recent record breach shows why layered controls matter.