Security enhancements: User session and access management

Applies to Dynamics 365 (online), version 9.x

Customer Engagement in Dynamics 365 (online), version 9.0, introduces new security enhancements that you can use to better secure the Dynamics 365 (online) application.

Important

These security enhancements are also available for:

  • Microsoft Dynamics CRM 2016 (on-premises, version 8.2)
    The feature is available by contacting support.
  • Microsoft Dynamics CRM 2016 (on-premises, version 8.1)
    The feature is available by contacting support.
  • Microsoft Dynamics CRM 2015 (on-premises)
    The feature is available by contacting support.

For more information on these versions, see Security enhancements: User session and access management.

Tip

Check out the following video: Security Enhancements: User session management.

User session timeout

By default, Dynamics 365 (online) sets a user session timeout of 24 hours. A user is not required to sign in again with their credentials for up to 24 hours, regardless of whether the user was active or inactive during that time.

You can change this behavior.

  • To force users to re-authenticate after a predetermined period of time, admins can set a session timeout for each of their Dynamics 365 (online) instances. Users can only remain signed in to the application for the duration of the session. The application signs out the user when the session expires, and users must sign in with their credentials again to return to Dynamics 365 (online).

Configure session timeout

  1. In Dynamics 365 (online), choose Settings > Administration > System Settings > General tab.
  2. Under Set session timeout, set the values to apply to all your users.

Note

Default values are:

  • Maximum Session Length: 1440 minutes
  • Minimum Session Length: 60 minutes
  • How long before the session expires to show the timeout warning: 20 minutes

Inactivity timeout

By default, Dynamics 365 (online) does not enforce an inactivity timeout. A user can remain logged in to the application until the session timeout expires. You can change this behavior.

  • To automatically sign out users after a predetermined period of inactivity, admins can set an inactivity timeout period for each of their Dynamics 365 (online) instances. The application signs out the user when the inactivity timeout expires.

Note

Inactivity session timeout is not enforced in the following:

  1. Dynamics 365 for Outlook
  2. Dynamics 365 for phones and Dynamics 365 for tablets
  3. Unified Service Desk client using WPF browser (Internet Explorer is supported)
  4. Live Assist (Chat)

To have the inactivity timeout enforced in Web Resources as well, each Web Resource needs to include the ClientGlobalContext.js.aspx file in its solution.
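As an added illustration (not code from the original article), a minimal HTML web resource that includes the file. The web resource name new_/inactivity_demo.html is assumed; the relative path in the script tag has to match the number of simulated folders in that name, so a name with more folders needs more "../" segments.

```html
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>Inactivity timeout demo web resource</title>
  <!-- Include ClientGlobalContext.js.aspx so the organization's inactivity
       timeout is enforced while this web resource is open in the browser.
       ClientGlobalContext.js.aspx sits at the root of the WebResources
       folder, and src is resolved relative to this page's own location.
       Assumed web resource name: "new_/inactivity_demo.html", so a single
       "../" reaches the root; a name such as "new_/pages/demo.html" would
       need "../../ClientGlobalContext.js.aspx", and a name with no
       simulated folder ("new_demo.html") would use the bare file name. -->
  <script src="../ClientGlobalContext.js.aspx" type="text/javascript"></script>
</head>
<body>
  <p>This page is covered by the instance's inactivity timeout.</p>
</body>
</html>
```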

The Dynamics 365 (online) portal has its own settings to manage its session timeout and inactivity session timeout independent of these system settings.

Configure inactivity timeout

  1. In Dynamics 365 (online), choose Settings > Administration > System Settings > General tab.
  2. Under Set inactivity timeout, set the values to apply to all your users.

Note

Default values are:

  • Minimum Duration of Inactivity: 5 minutes
  • Maximum Duration of Inactivity: less than the Maximum Session Length, or 1440 minutes

Access management

Dynamics 365 (online) uses Azure Active Directory as its identity provider. To secure the user's access to Dynamics 365 (online), the following controls were implemented:

  • To force users to re-authenticate, users are required to sign in with their credentials again after they have signed out of the application.
  • To prevent users from sharing credentials to access Dynamics 365 (online), the user access token is validated to ensure that the user who was granted access by the identity provider is the same user who is accessing Dynamics 365 (online).