We’ve been hosting Dynamics CRM/365 instances for our customers since CRM 4 days but lately they have been moving to Dynamics 365 Online in drones (awesome – now I can sleep at night!). Some have been hesitant because we were using geo-restrictions for their instances (implemented in a supported way). Digging into why it was done in a first place: majority of the customers just wanted to restrict access to their instances outside the workplace.
Good news is that this kind of restrictions can now be implemented for Dynamics 365 Online using trusted IP rules. It will cost you a bit extra, e.g. last time I checked, Azure AD Premium would set me back $7 per user per month in one of the top 2 countries in the world.
The most important caveat is that, unlike on-premises approach, IP restriction is only enforced during user authentication.
But for most of the customers, ease of configuration, ability to enforce MFA outside of work, federation with on-premises AD for even more control, and device-based conditional access policy easily outweigh the limitations.
For more security goodness, consider auditing user access that has been part of Dynamics 365 / CRM since version 2011.