Applies to Dynamics 365 for Customer Engagement apps version 9.x
Applies to Common Data Service
The maximum user session timeout of 24 hours is being removed. This means that a user is no longer forced to sign in every 24 hours to keep using the Dynamics 365 for Customer Engagement apps and other Microsoft service apps, such as Outlook, that were opened in the same browser session.
By default, the Dynamics 365 for Customer Engagement apps use the Azure Active Directory (Azure AD) session policy to manage the user session timeout. The apps rely on the Azure AD ID token and its Policy Check Interval (PCI) claims. Every hour a new Azure AD ID token is fetched silently in the background, and at that point Azure AD enforces its instant policy. For example, if an administrator disables or deletes a user account or forces a password reset, Azure AD revokes the user's refresh token, the next silent token fetch fails, and the user is sent back to Azure AD to sign in. Because enforcement happens at the policy check, an account change takes effect in an already-open session at the next hourly check rather than immediately.
This ID token refresh cycle continues in the background according to the Azure AD token lifetime policy configuration. Users keep accessing Dynamics 365 for Customer Engagement/Common Data Service data without re-authenticating until the lifetime set by the Azure AD token lifetime policy expires.
In the event of an intermittent Azure AD outage, already-authenticated users can continue to access Dynamics 365 for Customer Engagement/Common Data Service data as long as the PCI claims in their current ID token have not expired, or they selected "Stay signed in" during authentication.
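The three behaviours described above (hourly silent refresh, revocation enforced at the next policy check, and tolerance of an identity-provider outage only while the current token is still valid) are easier to reason about in a small simulation. The following is an added example written for this page; it is not Dynamics 365 or Azure AD code. It builds unsigned, JWT-shaped tokens with only `sub`, `iat` and `exp` claims, uses a 90-minute token lifetime and a stand-in identity provider, all of which are assumptions for illustration. A real client must validate the token signature and issuer, which this simulation deliberately omits.

```python
import base64
import json

POLICY_CHECK_INTERVAL = 3600   # seconds; the page says a fresh ID token is fetched hourly
ID_TOKEN_LIFETIME = 90 * 60    # assumed token lifetime for the simulation (not a real default)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_id_token(sub: str, iat: int) -> str:
    """Build an unsigned, JWT-shaped ID token (simulation only: no signature)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(
        {"sub": sub, "iat": iat, "exp": iat + ID_TOKEN_LIFETIME}).encode())
    return f"{header}.{payload}."


def id_token_claims(token: str) -> dict:
    """Decode the payload segment; a real client would verify the signature first."""
    return json.loads(_b64url_decode(token.split(".")[1]))


class OutageError(Exception):
    """Identity provider unreachable (simulates an intermittent Azure AD outage)."""


class RevokedError(Exception):
    """Refresh rejected: account disabled/deleted or password reset forced by an admin."""


class FakeIdentityProvider:
    """Hypothetical stand-in for Azure AD: issues tokens, tracks revocations, can be down."""

    def __init__(self) -> None:
        self.revoked_subjects: set[str] = set()
        self.outage = False

    def revoke(self, sub: str) -> None:
        # Admin action on the account invalidates that user's refresh tokens.
        self.revoked_subjects.add(sub)

    def refresh(self, sub: str, now: int) -> str:
        if self.outage:
            raise OutageError()
        if sub in self.revoked_subjects:
            raise RevokedError()
        return make_id_token(sub, now)


class ClientSession:
    """Browser-side session: silent hourly refresh; fail closed only once the token is stale."""

    def __init__(self, idp: FakeIdentityProvider, sub: str, now: int) -> None:
        self.idp = idp
        self.sub = sub
        self.id_token = idp.refresh(sub, now)   # interactive sign-in assumed to have succeeded
        self.last_check = now
        self.reauth_required = False

    def state(self, now: int) -> str:
        """Return 'active' or 'reauth_required' for the session at time `now` (seconds)."""
        if self.reauth_required:
            return "reauth_required"
        if now - self.last_check >= POLICY_CHECK_INTERVAL:
            try:
                self.id_token = self.idp.refresh(self.sub, now)
                self.last_check = now
            except RevokedError:
                # Policy check caught the admin action: force a trip back to the IdP.
                self.reauth_required = True
                return "reauth_required"
            except OutageError:
                pass  # IdP down: keep using the current token while it is still valid
        if now >= id_token_claims(self.id_token)["exp"]:
            self.reauth_required = True   # token expired and could not be renewed
            return "reauth_required"
        return "active"
```

Run through the scenarios in order: a healthy provider keeps the session active indefinitely; a revocation at minute 30 is not noticed until the minute-60 check, which is the window the hourly interval leaves open; and during an outage the session survives only until the current token's `exp`, after which it fails closed rather than trusting a stale token.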
For environments that require different session timeout values, administrators can still set a session timeout and/or an inactivity timeout in System Settings. These settings override the default Azure AD session policy, and users are redirected to Azure AD to re-authenticate when either timeout expires.
For detailed information, see Security enhancements: User session and access management.
The post Release Notes for User Session Timeout Management appeared first on Microsoft Dynamics 365.