We are currently using Dynamics 365 CRM 9.2 (on-premises) with Single Sign-On (SSO) enabled. As part of our internal risk assessment, we have identified a concern regarding concurrent login behavior. The application currently allows multiple simultaneous logins for the same user across different browsers. This was observed during testing in our UAT environment and may pose a security risk.
Concurrent Login Security Concern in Dynamics 365 CRM 9.2
Unfortunately, there’s no native Dynamics 365 on-prem setting to “disallow concurrent logins.”
But here are supported and practical mitigation options, ranked from easiest to most restrictive:
Option 1: Enforce Session Control via ADFS or IdP
If you use ADFS, Azure AD, or another SAML/OIDC provider, session concurrency is typically managed there.
In ADFS:
You can configure token lifetime and session revocation policies.
Example:
- Set short token lifetimes (e.g., 10–15 minutes for ADFS SSO tokens).
- Require re-authentication after inactivity or logout.
Optionally use custom ADFS claims rules or custom authentication policies to:
- Restrict concurrent sessions.
- Invalidate previous tokens upon a new login (requires customization or external session management plugin).
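The token-lifetime settings mentioned in the reply above can be audited and tightened with the AD FS PowerShell module. This is an added example, not part of the original reply; the relying party trust name is a placeholder and the 15-minute value is taken from the 10–15 minute range suggested above. Shorter lifetimes limit how long a second session can persist without re-authentication; they do not by themselves block a second login.

```powershell
# Added example: run on the primary AD FS server in an elevated session.
# The relying party name below is a placeholder; list the real names with
#   Get-AdfsRelyingPartyTrust | Select-Object Name
param(
    [string[]]$RelyingPartyName = @('<CRM relying party trust name>'),
    [int]$LifetimeMinutes = 15,   # upper end of the 10-15 minute range
    [switch]$Apply                # without -Apply the script only reports
)

Import-Module ADFS

# Farm-wide SSO lifetime (minutes): how long the AD FS SSO cookie lets a
# browser obtain new tokens without the user re-authenticating.
$farm = Get-AdfsProperties
Write-Output ("Farm SsoLifetime: {0} min" -f $farm.SsoLifetime)

foreach ($name in $RelyingPartyName) {
    $rp = Get-AdfsRelyingPartyTrust -Name $name
    if (-not $rp) {
        Write-Warning "No relying party trust named '$name'"
        continue
    }

    # A TokenLifetime of 0 means the AD FS default of 60 minutes.
    $effective = if ($rp.TokenLifetime -eq 0) { 60 } else { $rp.TokenLifetime }
    Write-Output ("{0}: TokenLifetime {1} min" -f $rp.Name, $effective)

    if ($Apply -and $effective -gt $LifetimeMinutes) {
        Set-AdfsRelyingPartyTrust -TargetName $rp.Name -TokenLifetime $LifetimeMinutes
        Write-Output ("{0}: TokenLifetime set to {1} min" -f $rp.Name, $LifetimeMinutes)
    }
}

if ($Apply) {
    # Farm-wide change: affects every relying party on this AD FS farm.
    # Persistent SSO and "keep me signed in" are disabled so the SSO cookie
    # does not outlive the browser session.
    Set-AdfsProperties -SsoLifetime $LifetimeMinutes `
                       -EnablePersistentSso $false `
                       -EnableKmsi $false
    Write-Output ("Farm SsoLifetime set to {0} min" -f $LifetimeMinutes)
}
```

Run it once without `-Apply` in UAT to record the current values before changing anything.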