Security enhancements: User session and access management
Updated: October 3, 2017
You can use new security enhancements to better secure the Dynamics 365 application.
This topic applies to customers with the following versions of Dynamics 365:
July 2017 update for Dynamics 365 (online)
Microsoft Dynamics CRM 2016 (on-premises, version 8.1 or later)
Microsoft Dynamics CRM 2015 (on-premises)
By default, Dynamics 365 sets a user session timeout of 24 hours. A user is not required to log in with their credentials for up to 24 hours regardless of whether the user was active or inactive.
By default, Microsoft Dynamics 365 Government sets a user session timeout of 8 hours. A user is not required to log in with their credentials for up to 8 hours regardless of whether the user was active or inactive.
You can change this behavior.
To force users to re-authenticate after a pre-determined period of time, admins can set a session timeout for each of their Dynamics 365 instances. Users can only remain signed in to the application for the duration of the session. The application signs out the user when the session expires, and users must sign in again with their credentials to return to Dynamics 365.
In Dynamics 365, choose Settings > Administration > System Settings > General tab.
Under Set session timeout, set the values to apply to all your users.
Note
Default values are:
By default, Dynamics 365 does not enforce an inactivity session timeout. A user can remain logged in to the application until the session timeout expires. You can change this behavior.
To force users to be signed out automatically after a pre-determined period of inactivity, admins can set an inactivity timeout period for each of their Dynamics 365 instances. The application signs out the user when the inactivity timeout expires.
Note
Inactivity session timeout is not enforced in the following:
To enforce the inactivity session timeout for Web Resources, Web Resources need to include the ClientGlobalContext.js.aspx file in their solution.
The Dynamics 365 portal has its own settings to manage its session timeout and inactivity session timeout independent of these system settings.
In Dynamics 365, choose Settings > Administration > System Settings > General tab.
Under Set inactivity timeout, set the values to apply to all your users.
Note
Default values are:
Dynamics 365 (online) uses Azure Active Directory as the identity provider. To secure the user’s access to Dynamics 365 (online), the following were implemented:
To force users to re-authenticate, users are required to sign in with their credentials after they have signed out of the application.
To prevent users from sharing credentials to access Dynamics 365 (online), the user access token is validated to ensure that the user who was given access by the identity provider is the same user who is accessing Dynamics 365 (online).
These security enhancements are shipped disabled by default. Administrators can enable these enhancements when installing the latest Dynamics 365 (on-premises) build.
Note
This applies to customers with the following version of Dynamics 365:
Requirement: These security enhancement features require claims-based authentication for user authentication. You can configure claims-based authentication in one of two ways:
Setup:
Access your Dynamics 365 server using your administrator account.
Open a browser session and download the Dynamics 365 Software Development Kit (SDK).
Select and run MicrosoftDynamics365SDK.exe. This will extract the download and create an SDK folder on your Dynamics 365 server.
Open a PowerShell command prompt.
Navigate to the downloaded SDK folder.
Open the SampleCode\PS folder.
System admins can now force users to re-authenticate after a set period. You can set an active session timeout for each of your Dynamics 365 instances. Users can only remain signed in to the application for the duration of the session. Once the session expires, they’ll need to sign in again with their credentials. System admins can also require users to sign in again after a period of inactivity. You can set an inactivity timeout for each of your instances. This helps prevent unauthorized access by a malicious user from an unattended device.
Enable user session timeout
Enable session timeout:
Run SetAdvancedSettings.ps1 -ConfigurationEntityName ServerSettings -SettingName AllowCustomSessionDuration -SettingValue true
Enable inactivity timeout:
Run SetAdvancedSettings.ps1 -ConfigurationEntityName ServerSettings -SettingName AllowCustomInactivityDuration -SettingValue true
See the sections above, Configure session timeout and Inactivity timeout, before proceeding to the next section.
To better protect user access and data privacy in Dynamics 365, when a user signs out in the web client and needs to return to the application, they will need to enter their credentials again in all open browser sessions. Dynamics 365 ensures that the sign-in token was originally generated for the current browser and computer.
Enable access token management
To enable for all organizations by default, copy and run this command in PowerShell: SetAdvancedSettings.ps1 -ConfigurationEntityName ServerSettings -SettingName WSFedNonceCookieEnabled -SettingValue true
--OR--
To enable for a single organization, copy and run this command in PowerShell: SetAdvancedSettings.ps1 -ConfigurationEntityName Organization -SettingName WSFedNonceCookieEnabled -SettingValue true -Id <Your organization ID GUID>
To get <Your organization ID GUID>, open PowerShell, and run the following:
Add-PSSnapin Microsoft.Crm.PowerShell
Get-CrmOrganization
For more information, see Get-CrmOrganization
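The following script is an added example, not part of the original page or the Dynamics 365 SDK. It chains the steps above: it enables the server-wide session and inactivity timeout settings, looks up the organization ID GUID with Get-CrmOrganization instead of pasting it by hand, and then enables access token management for that single organization. It assumes it is run from the SDK's SampleCode\PS folder on the Dynamics 365 server, that the Microsoft.Crm.PowerShell snap-in is registered, that Get-CrmOrganization returns objects with UniqueName and Id properties, and that the organization unique name is a placeholder you replace.

```powershell
# Added example (not from the page or the SDK). Assumes: run on the Dynamics 365 server
# from the SDK's SampleCode\PS folder; Microsoft.Crm.PowerShell snap-in registered;
# Get-CrmOrganization objects expose UniqueName and Id; $OrgUniqueName is a placeholder.
$ErrorActionPreference = 'Stop'
$OrgUniqueName = 'CONTOSO'   # placeholder: the unique name of your organization

# Load the Dynamics 365 deployment cmdlets only if they are not already loaded.
if (-not (Get-PSSnapin -Name Microsoft.Crm.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Crm.PowerShell
}

# Step 1 (server-wide): allow admins to set custom session and inactivity durations,
# which are then configured under Settings > Administration > System Settings.
$serverSettings = @('AllowCustomSessionDuration', 'AllowCustomInactivityDuration')
foreach ($name in $serverSettings) {
    .\SetAdvancedSettings.ps1 -ConfigurationEntityName ServerSettings -SettingName $name -SettingValue true
}

# Step 2: resolve the organization ID GUID from its unique name.
$org = Get-CrmOrganization | Where-Object { $_.UniqueName -eq $OrgUniqueName }
if (-not $org) {
    throw "Organization '$OrgUniqueName' not found; check the output of Get-CrmOrganization."
}

# Step 3 (per organization): require the sign-in token to match the browser and
# computer it was issued to, so a copied token cannot be reused elsewhere.
.\SetAdvancedSettings.ps1 -ConfigurationEntityName Organization -SettingName WSFedNonceCookieEnabled -SettingValue true -Id $org.Id

Write-Host "Enabled timeout settings server-wide and WSFedNonceCookieEnabled for $($org.UniqueName) ($($org.Id))."
```

After running it, set the actual session and inactivity timeout values in System Settings as described in the sections above; the script only turns on the ability to customize them.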