The current session logoff functionality introduced via the Work User Access Policy in D365 SCM does not fully support the "User and password" authentication method on mobile devices. This creates a security loophole and usability challenge, especially for industries like Pharma where strict access control is mandated by regulations such as 21 CFR Part 11.

There are two authentication methods for mobile devices:

1. Device Code Authentication – One-time login with a device account, followed by warehouse worker login.
2. User and Password Authentication – Requires login with a Dynamics user account, followed by a second login with a warehouse worker account (often automated via Default User).

The session logoff currently only affects the second login (warehouse worker), not the primary user login. This leads to:

• Security Risk: After session timeout, users can cancel the warehouse login and reconnect, automatically regaining access via the still-active primary login.
• Compliance Gap: This violates regulatory requirements for access control and auditability for companies like Pharma Companies
• Usability Issue: Users are forced to re-enter warehouse credentials they may not know, while the actual user session remains active.

Proposal:

• Extend session logoff to also terminate the main user session when using User & Password authentication.
• Ensure that after timeout, users must re-authenticate with their Dynamics credentials.
• Prevent automatic re-login if the session has expired.

This change would close a security loophole, support compliance, and make the preferred authentication method more practical for real-world use.