We are in the process of rolling out security enhancements that provide you with better flexibility in managing your user timeout session. These security enhancements also allow you to comply with your security and data privacy policy.
User session
- To force users to re-authenticate after a set period, system admins can set a session timeout for their individual Dynamics 365 instances. Users can only remain signed in to the application for the duration of the set period. The application signs out the user when the period expires. Users need to sign in with their credentials to return to Dynamics 365.
- To support HIPAA requirements, system admins can set a timeout period which signs out users after a period of inactivity. This inactivity timeout period can be set for each of your Dynamics 365 instances. This helps prevent unauthorized access to your data by malicious users from an unattended device.
Access management
- To enforce users to re-authenticate, users are required to sign in with their credentials after they signed out from the application.
- To prevent users from sharing credentials to access Dynamics 365, the user access token is validated to ensure that the user who was given access by the identity provider is the same user who is accessing Dynamics 365.
Please see Security enhancements: User session and access management to enable and configure these security system settings for your Dynamics 365 instance. These enhancements will be available for Dynamics 365 (online), Dynamics 365 (on-premises), Dynamics CRM 2016 (online), Dynamics CRM 2016 (on-premises), and Dynamics CRM 2015 (on-premises). Please contact Microsoft Support for availability.
Watch this video to understand how you can force users to re-authenticate after a pre-determined period of time by setting a session timeout for their individual Dynamics 365 (online) instances.
– Paul Liew