Why Field Masking Is a Good Idea for Sensitive Data
When building solutions in Business Central, securing sensitive data by design should be a standard practice.
Business Central offers two ways to mask sensitive data on the UI level:
ExtendedDatatype = MaskedpropertyMaskType = Concealedproperty
Both types cannot be used at the same time.
ExtendedDataType
This property allows to display field value as dots instead of showing the actual content.
Dynamics 365 Business Central: ExtendedDataType
ExtendedDatatype = EMail;Propety MaskType
A new field property was introduced in Dynamics 365 Business Central 2025 Release Wave 2.
Dynamics 365 Business Central: MaskType
MaskType = Concealed;Property works similar to ExtendedDataType = Masked but it has couple differences:
-
Property is limited only to few types: Code, Text, Decimal, Integer, and BigInteger.
-
The UI field can be switched to “Show Value” mode by the user.
-
The field is not masked at the table level — masking applies only at the page (UI) level.
table 50401 "Masked Secret"{ Caption = 'Masked Secret';
fields { field(1; "Code"; Code[20]) { Caption = 'Code'; } field(2; "Table ExtendedDatatype Secret"; Text[250]) { Caption = 'Table ExtendedDatatype Secret'; ExtendedDatatype = Masked; } field(3; "Page ExtendedDatatype Secret"; Text[250]) { Caption = 'Page ExtendedDatatype Secret'; } field(4; "Table MaskType Secret"; Text[250]) { Caption = 'Table MaskType Secret'; MaskType = Concealed; } field(5; "Page MaskType Secret"; Text[250]) { Caption = 'Page MaskType Secret'; } } keys { key(PK; Code) { Clustered = true; } }}
page 50403 "Masked Secret"{ ApplicationArea = All; Caption = 'Masked Secrets'; UsageCategory = Administration; SourceTable = "Masked Secret";
layout { area(Content) { group("ExtendedDatatype Secrets") { field("Table ExtendedDatatype Secret"; Rec."Table ExtendedDatatype Secret") { ToolTip = 'Specifies the value of the Table ExtendedDatatype Secret field.'; } field("Page ExtendedDatatype Secret"; Rec."Page ExtendedDatatype Secret") { ExtendedDatatype = Masked; ToolTip = 'Specifies the value of the Page ExtendedDatatype Secret field.'; } } group("MaskType Secrets") { field("Table MaskType Secret"; Rec."Table MaskType Secret") { ToolTip = 'Specifies the value of the Table MaskType Secret field.'; } field("Page MaskType Secret"; Rec."Page MaskType Secret") { MaskType = Concealed; ToolTip = 'Specifies the value of the Page MaskType Secret field.'; } } } }
trigger OnOpenPage() begin if not Rec.Get() then begin Rec.Init(); Rec.Insert(); end; end;
}Is the Data Really Secured?
It is important to understand that field masking protects data only at the UI level. It does not encrypt the data and does not prevent access through other mechanisms.
Configuration packages
A user can easily expose sensitive data by exporting it to Excel using the Configuration Packages module.
AL Debugging
A developer debugging the application can also see the full field value.
SQL
And finally — good old SQL Server.
If someone has direct database access (in On-Prem scenarios), the data is stored in plain form unless additional protection mechanisms are used.
Conclusion
Field masking is a recommended design pattern for hiding sensitive user data in the UI. However, it should never be considered a security mechanism for protecting secrets such as:
- API tokens
- authentication keys
- passwords
- and other secrets
Field masking improves user experience and reduces exposure — but it does not provide real data security.