Control 2.22: Inactivity Timeout Enforcement

Control ID: 2.22
Pillar: Management
Regulatory Reference: GLBA 501(b), SOX 302, FINRA 4511, NIST 800-53 AC-11/AC-12
Governance Levels: Baseline / Recommended / Regulated
Last UI Verified: February 2026
Last Verified: 2026-02-03


Objective

Enforce policy-driven inactivity timeout settings across Power Platform environments to support session security requirements for financial services organizations. This control automates the validation of user inactivity timeout configurations against zone-based maximum duration policies, with detection, compliance tracking, and remediation capabilities.


Why This Matters for FSI

  • GLBA 501(b): Information security safeguards — automatic session termination after inactivity supports protection of customer financial data by reducing exposure from unattended sessions
  • SOX 302: Management responsibility — inactivity timeout enforcement aids in maintaining internal controls over systems used for financial reporting
  • FINRA 4511: Record-keeping and supervision — session timeout configuration contributes to supervisory controls that help protect record integrity in broker-dealer communication systems
  • NIST 800-53 AC-11 (Session Lock): Supports automatic session lock after a defined period of inactivity, reducing the risk of unauthorized access to unattended workstations
  • NIST 800-53 AC-12 (Session Termination): Supports automatic termination of user sessions after inactivity, limiting the window for session hijacking or unauthorized use

Control Description

This control governs Power Platform environment-level inactivity timeout settings through a policy-driven approach. Each environment's timeout configuration is validated against zone-specific maximum duration requirements stored in a Dataverse policy table, with automated detection, compliance record persistence, and PowerShell-based remediation.

System Configuration Control

This control governs an actual Power Platform environment setting (Privacy + Security → Inactivity Timeout). Unlike process-based controls, this setting is configurable through the BAP Admin API and the Power Platform Admin Center, enabling automated validation and remediation.

Agent-Level Session Timeout Configuration

In addition to environment-level timeout settings, Copilot Studio agents have agent-specific conversation session timeout configurations that control when individual agent conversations expire. These agent-level settings complement environment-level controls and support session security requirements at the conversation layer.

Configuration Layer | Scope | Timeout Behavior | Configuration Location
Environment-Level | All apps and agents in the environment | User session termination after inactivity | PPAC → Environment → Privacy + Security
Agent-Level | Individual agent conversation sessions | Conversation context expiration | Copilot Studio → Agent Settings → Advanced

Agent Conversation Session Timeout: Copilot Studio agents maintain conversation context (variables, user inputs, topic state) for a configurable duration. When the session expires, users must restart the conversation, and any in-progress conversation state is cleared. This timeout setting helps protect conversation data from extended exposure in abandoned sessions.

Key Differences:

  • Environment-level timeout terminates the user's entire Power Platform session
  • Agent-level timeout expires only the specific agent conversation session
  • Both timeout mechanisms operate independently and should be configured together for defense-in-depth session security
  • Agent-level timeout settings are per-agent and can vary based on agent risk classification

Organizations implementing Control 2.22 should establish agent-specific session timeout policies aligned with zone requirements and agent data sensitivity classifications. Agent-level timeout settings should be tracked in the organization's agent inventory (Control 3.1) and reviewed alongside per-agent governance controls (Controls 1.26 and 1.27) during periodic configuration reviews.

Capability | Description | Implementation
Policy Management | Zone-based maximum timeout duration requirements | Dataverse fsi_environmentpolicy table with per-environment zone classification and required maximum duration
Compliance Detection | Automated per-environment timeout evaluation against policy | Cloud Flow with BAP Admin API privacy settings retrieval and policy comparison
Remediation | PowerShell script for BAP Admin API PATCH | Set-InactivityTimeout.ps1 with -EnvironmentName, -TimeoutDuration, and -WhatIf support
Audit Trail | Immutable compliance records per scan | Dataverse fsi_inactivitytimeoutcompliance table: one record per environment per scan, never updated in place
Error Logging | API and policy errors tracked per environment | Dataverse fsi_inactivitytimeouterrorlog table with error type classification

The control uses the BAP Admin API privacy settings endpoint to retrieve each environment's current inactivity timeout configuration:

GET https://api.bap.microsoft.com/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments/{EnvironmentName}/settings/privacy?api-version=2021-04-01

Policy-Driven Compliance Evaluation

Each environment is evaluated against its assigned zone policy from the fsi_environmentpolicy table. The compliance determination follows this logic:

  1. No policy record exists → Compliance status: Unknown; error log entry: MissingPolicy
  2. BAP Admin API call fails → Compliance status: Unknown; error log entry with HTTP status code
  3. Inactivity timeout is disabled → Compliance status: Non-Compliant
  4. Timeout duration exceeds zone maximum → Compliance status: Non-Compliant
  5. All checks pass → Compliance status: Compliant
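The decision logic above, as an added PowerShell example that is not part of the ITE solution's flow: a pure function that takes an environment's policy row and its privacy-settings result and returns one compliance record per environment per scan, in the spirit of the immutable fsi_inactivitytimeoutcompliance pattern (a new record every scan, never an update). The field names on the API result and policy row (enableInactivityTimeout, inactivityTimeoutDuration, fsi_acv_zone) and the ApiError:<status> error-type string are assumptions for illustration, and the sample environments and values are constructed so the block runs offline.

```powershell
# Added example (not the ITE solution's own code). Property names on the API
# result and the policy row are ASSUMED for illustration.
function Test-InactivityTimeoutCompliance {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $EnvironmentName,
        # Row from fsi_environmentpolicy, or $null when no record exists
        [AllowNull()] [hashtable] $Policy,
        # Parsed body of the BAP privacy-settings GET, or @{ HttpStatus = <int> }
        # when the call failed (assumed shape)
        [AllowNull()] [hashtable] $PrivacySettings
    )

    # One record per environment per scan; never mutated after return.
    $record = [ordered]@{
        EnvironmentName    = $EnvironmentName
        Zone               = $null
        RequiredMaxMinutes = $null
        TimeoutEnabled     = $null
        ActualMinutes      = $null
        ComplianceStatus   = 'Unknown'
        ErrorType          = $null
        ScanTimestampUtc   = (Get-Date).ToUniversalTime().ToString('o')
    }

    # 1. No policy record -> Unknown, error log entry MissingPolicy (no silent default)
    if ($null -eq $Policy) {
        $record.ErrorType = 'MissingPolicy'
        return [pscustomobject]$record
    }
    $record.Zone               = $Policy.fsi_acv_zone
    $record.RequiredMaxMinutes = [int]$Policy.fsi_requiredmaxduration

    # 2. API call failed -> Unknown, error log entry carries the HTTP status code
    if ($null -eq $PrivacySettings -or $PrivacySettings.ContainsKey('HttpStatus')) {
        $status = if ($PrivacySettings) { $PrivacySettings.HttpStatus } else { 'NoResponse' }
        $record.ErrorType = "ApiError:$status"
        return [pscustomobject]$record
    }

    $record.TimeoutEnabled = [bool]$PrivacySettings.enableInactivityTimeout
    $record.ActualMinutes  = [int]$PrivacySettings.inactivityTimeoutDuration

    # 3. Timeout disabled -> Non-Compliant (a disabled timeout never satisfies a zone maximum)
    if (-not $record.TimeoutEnabled) {
        $record.ComplianceStatus = 'Non-Compliant'
        return [pscustomobject]$record
    }
    # 4. Duration exceeds the zone maximum -> Non-Compliant
    if ($record.ActualMinutes -gt $record.RequiredMaxMinutes) {
        $record.ComplianceStatus = 'Non-Compliant'
        return [pscustomobject]$record
    }
    # 5. All checks passed
    $record.ComplianceStatus = 'Compliant'
    return [pscustomobject]$record
}

# Constructed sample data covering every branch (not real environments or policy rows)
$policies = @{
    'env-zone3-a' = @{ fsi_acv_zone = 'Zone3'; fsi_requiredmaxduration = 60 }
    'env-zone2-b' = @{ fsi_acv_zone = 'Zone2'; fsi_requiredmaxduration = 120 }
    'env-zone3-c' = @{ fsi_acv_zone = 'Zone3'; fsi_requiredmaxduration = 60 }
    'env-zone2-d' = @{ fsi_acv_zone = 'Zone2'; fsi_requiredmaxduration = 120 }
}
$apiResults = @{
    'env-zone3-a'  = @{ enableInactivityTimeout = $true;  inactivityTimeoutDuration = 30 }   # Compliant
    'env-zone2-b'  = @{ enableInactivityTimeout = $true;  inactivityTimeoutDuration = 240 }  # exceeds 120
    'env-zone3-c'  = @{ enableInactivityTimeout = $false; inactivityTimeoutDuration = 30 }   # disabled
    'env-zone2-d'  = @{ HttpStatus = 403 }                                                   # API failure
    'env-nopolicy' = @{ enableInactivityTimeout = $true;  inactivityTimeoutDuration = 30 }   # no policy row
}

$scan = foreach ($name in $apiResults.Keys) {
    # Missing hashtable key yields $null, which exercises the MissingPolicy branch
    Test-InactivityTimeoutCompliance -EnvironmentName $name -Policy $policies[$name] -PrivacySettings $apiResults[$name]
}
$scan | Format-Table EnvironmentName, Zone, RequiredMaxMinutes, TimeoutEnabled, ActualMinutes, ComplianceStatus, ErrorType
```

Running the block prints five rows: env-zone3-a Compliant, env-zone2-b and env-zone3-c Non-Compliant, env-zone2-d Unknown with ApiError:403, and env-nopolicy Unknown with MissingPolicy. Keeping the function free of I/O is deliberate: the flow's HTTP action and Dataverse writes sit around it, and the decision table can be unit-tested against constructed responses before any environment is scanned.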

Relationship to Session Security Configurator (Control 1.23)

Control 1.23 governs Conditional Access policies and session authentication controls (sign-in frequency, persistent browser sessions) managed through Entra ID and the Graph API. Control 2.22 governs Power Platform environment-level inactivity timeout duration — a separate setting managed through the BAP Admin API privacy endpoint. These controls are complementary: 1.23 addresses authentication session lifecycle, while 2.22 addresses application-level idle timeout.


Key Configuration Points

PPAC Environment Settings

  • Enable inactivity timeout for each environment in Power Platform Admin Center → Environment → Settings → Privacy + Security
  • Set timeout duration value (minutes) per environment according to zone requirements
  • Configure warning duration before session timeout (user receives a prompt before timeout)

Agent-Level Session Timeout Settings

  • Configure conversation session timeout in Copilot Studio → Select Agent → Settings → Advanced → Session timeout
  • Set timeout duration (minutes) aligned with zone requirements and agent data sensitivity classification
  • Document agent-level timeout settings in the organization's agent inventory (Control 3.1) for audit trail purposes
  • Zone 3 agents: recommended maximum 60 minutes for high-sensitivity agents (customer data, PII, PHI)
  • Zone 2 agents: recommended maximum 120 minutes for team collaboration agents
  • Zone 1 agents: agent-level timeout optional; recommended if agent processes any sensitive organizational data
  • Verify agent-level timeout settings during quarterly agent configuration reviews (coordinated with Control 1.27 review cadence)

Policy Configuration (Dataverse)

  • Define per-environment zone classification in the fsi_environmentpolicy table using the canonical EnvironmentName (the Power Platform environment name that appears as the {EnvironmentName} segment in the BAP Admin API path, not the display name; display names are not unique and can be changed by administrators)
  • Set fsi_requiredmaxduration (in minutes) for each environment per zone requirements
  • Zone 2 environments: maximum 120 minutes
  • Zone 3 environments: maximum 60 minutes
  • Environments without a policy record receive Unknown compliance status — no silent defaults

Automated Compliance Scanning

  • Deploy the Detect-InactivityTimeout-NonCompliance flow for daily scheduled scanning (06:00 UTC)
  • Configure concurrency limit for parallel environment evaluation (default 5)
  • Set notification recipients for non-compliant environment alerts
  • Authenticate the flow's HTTP action as a service principal (client credentials) requesting the scope https://api.bap.microsoft.com/.default; the app registration must be registered as a Power Platform management application (New-PowerAppManagementApp) before it can call admin endpoints

Zone-Specific Requirements

Zone | Requirement | Rationale
Zone 1 (Personal) | Inactivity timeout optional; recommended ≤120 minutes if enabled | Personal productivity agents have lower risk exposure; timeout enhances baseline security posture when enabled
Zone 2 (Team) | Inactivity timeout required; maximum 120 minutes | Team collaboration environments process shared organizational data requiring session timeout controls to limit unattended access
Zone 3 (Enterprise) | Inactivity timeout required; maximum 60 minutes | Customer-facing and enterprise agents process sensitive financial data requiring stricter session controls per NIST AC-11/AC-12

Roles & Responsibilities

Role | Responsibility
Power Platform Admin | Configure inactivity timeout settings in PPAC; execute remediation scripts; manage service principal permissions
Environment Admin | Manage environment-level timeout configuration; review environment-specific compliance results
AI Governance Lead | Define zone policy requirements in fsi_environmentpolicy table; review compliance scan results; approve policy changes; establish agent-level session timeout policies aligned with agent data sensitivity classifications
Compliance Officer | Review compliance reports; provide audit attestation; validate zone assignments align with risk classification; verify agent-level timeout settings during audit reviews
Agent Owner | Configure agent-level session timeout settings per governance policy; document timeout configuration in agent inventory; review agent timeout settings during quarterly agent configuration reviews

Control | Relationship
1.23 - Step-Up Authentication | Governs session authentication (CA policies via Graph API); 2.22 governs inactivity timeout duration (BAP Admin API); complementary session controls
1.26 - Agent File Upload Restrictions | Per-agent governance controls complement timeout settings as part of agent-level configuration governance
1.27 - Content Moderation Enforcement | Agent-level moderation settings should be reviewed alongside timeout configuration during quarterly reviews
2.1 - Managed Environments | Environment governance scope; timeout policy applies within the managed environment framework
3.1 - Agent Inventory | Agent-level timeout settings should be documented in the organization's agent inventory for audit trail purposes
3.7 - PPAC Security Posture | 3.7 includes inactivity timeout verification in the PPAC configuration drift monitoring checks; 2.22 provides dedicated governance, automation, and remediation
3.8 - Copilot Hub and Governance Dashboard | Compliance scan results can feed into the governance dashboard for consolidated visibility

Implementation Playbooks

Step-by-Step Implementation

This control has detailed playbooks for implementation, automation, testing, and troubleshooting.

Recommended implementation order:

  1. Prerequisites: Deploy the CAA Dataverse schema first if the fsi_acv_zone global option set does not yet exist in your environment (it is created by create_dataverse_schema.py from the Conditional Access Automation solution and is required by the ITE policy table).
  2. Import: Import the ITE solution from FSI-AgentGov-Solutions.
  3. Schema: Run the 4 Python schema scripts in order; see Portal Walkthrough § Schema Deployment for the sequence and Python environment prerequisites.
  4. Post-Import Configuration: Authenticate connection references and set environment variable current values in Power Apps → Solutions → ITE solution.
  5. Policy Data: Populate the fsi_environmentpolicy table with zone assignments and required maximum durations for all governed environments.
  6. Portal Walkthrough: Configure PPAC Privacy + Security settings per environment.
  7. Enable Flow: Enable and schedule the Detect-InactivityTimeout-NonCompliance flow.
  8. PowerShell Setup: Configure Set-InactivityTimeout.ps1 for remediation.
  9. Verification & Testing: Validate compliance scan results and collect evidence.
  10. Troubleshooting (as needed).

Playbooks:

  • Portal Walkthrough: Step-by-step PPAC Privacy + Security configuration
  • PowerShell Setup: Set-InactivityTimeout.ps1 usage and remediation
  • Verification & Testing: Compliance scan validation and evidence collection
  • Troubleshooting: MissingPolicy, API errors, and connectivity issues

Automated Validation

The Detect-InactivityTimeout-NonCompliance flow and Set-InactivityTimeout.ps1 remediation script enable automated compliance enforcement. The flow runs daily to detect non-compliant environments, and the script supports targeted remediation with -WhatIf preview capability.
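A remediation script in the shape the page describes, as an added example and not the ITE solution's own Set-InactivityTimeout.ps1: it reads the environment's current privacy settings, leaves environments already within policy untouched, and otherwise PATCHes the new duration behind ShouldProcess so that -WhatIf previews the change and the returned object carries the before/after values the verification criteria ask for. Assumptions: the bearer token comes from the MSAL.PS module's Get-MsalToken using client credentials (any token source that yields a token for https://api.bap.microsoft.com/.default will do), and the request and response property names enableInactivityTimeout and inactivityTimeoutDuration under properties are illustrative rather than confirmed against the BAP Admin API reference.

```powershell
# Added example, not the ITE solution's Set-InactivityTimeout.ps1.
# ASSUMED: Get-MsalToken (MSAL.PS) for auth; the properties.enableInactivityTimeout
# and properties.inactivityTimeoutDuration names in the GET/PATCH bodies.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)] [string] $EnvironmentName,                        # canonical environment name, not display name
    [Parameter(Mandatory)] [ValidateRange(1, 1440)] [int] $TimeoutDuration,  # minutes; zone maximum from fsi_environmentpolicy
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $ClientId,
    [Parameter(Mandatory)] [securestring] $ClientSecret
)

$ErrorActionPreference = 'Stop'
$apiVersion = '2021-04-01'
$uri = "https://api.bap.microsoft.com/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments/$EnvironmentName/settings/privacy?api-version=$apiVersion"

# Service principal token for the BAP Admin API. The app registration must already be
# registered as a Power Platform management app (New-PowerAppManagementApp).
$token   = Get-MsalToken -TenantId $TenantId -ClientId $ClientId -ClientSecret $ClientSecret -Scopes 'https://api.bap.microsoft.com/.default'
$headers = @{ Authorization = "Bearer $($token.AccessToken)"; 'Content-Type' = 'application/json' }

# Read the current value first so the compliance record can carry before/after values.
$before        = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
$beforeEnabled = [bool]$before.properties.enableInactivityTimeout
$beforeMinutes = [int]$before.properties.inactivityTimeoutDuration
Write-Verbose "Before: enabled=$beforeEnabled minutes=$beforeMinutes"

# Already enabled and at or under the zone maximum: nothing to remediate.
if ($beforeEnabled -and $beforeMinutes -le $TimeoutDuration) {
    Write-Host "$EnvironmentName already within policy ($beforeMinutes <= $TimeoutDuration minutes); no change made."
    return
}

$body = @{
    properties = @{ enableInactivityTimeout = $true; inactivityTimeoutDuration = $TimeoutDuration }
} | ConvertTo-Json -Depth 5

# ShouldProcess is what gives the script -WhatIf: with it, the intended change is printed
# and the PATCH is skipped; without it, the PATCH runs and the result is re-read.
$action = "Enable inactivity timeout and set it to $TimeoutDuration minutes (was enabled=$beforeEnabled, $beforeMinutes minutes)"
if ($PSCmdlet.ShouldProcess($EnvironmentName, $action)) {
    Invoke-RestMethod -Method Patch -Uri $uri -Headers $headers -Body $body | Out-Null
    $after = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    [pscustomobject]@{
        EnvironmentName = $EnvironmentName
        BeforeEnabled   = $beforeEnabled
        BeforeMinutes   = $beforeMinutes
        AfterEnabled    = [bool]$after.properties.enableInactivityTimeout
        AfterMinutes    = [int]$after.properties.inactivityTimeoutDuration
        RemediatedUtc   = (Get-Date).ToUniversalTime().ToString('o')
    }
}
```

Preview a Zone 3 change with `.\Set-InactivityTimeout.ps1 -EnvironmentName <name> -TimeoutDuration 60 -TenantId <tenant> -ClientId <app> -ClientSecret (Read-Host -AsSecureString) -WhatIf`; drop -WhatIf to apply it. Re-reading the setting after the PATCH, rather than trusting the PATCH response, is what makes the after value suitable as audit evidence.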


Verification Criteria

Confirm control effectiveness by verifying:

  1. Inactivity timeout is enabled for all Zone 2 and Zone 3 environments
  2. Timeout duration does not exceed zone-specific maximum (≤120 minutes for Zone 2, ≤60 minutes for Zone 3)
  3. fsi_environmentpolicy table contains policy records for all governed environments with correct zone assignments
  4. Detect-InactivityTimeout-NonCompliance flow runs daily and produces immutable compliance records in Dataverse
  5. No environments show Unknown compliance status for extended periods (all governed environments have assigned zone policies)
  6. Remediation actions are documented with before/after values in compliance records
  7. Agent-level session timeout settings are documented in the organization's agent inventory (Control 3.1) for all Zone 2 and Zone 3 agents
  8. Agent-level timeout configuration evidence is collected and reviewed during quarterly agent configuration reviews (coordinated with Control 1.27 review cadence)
  9. High-sensitivity Zone 3 agents (processing customer data, PII, PHI) have conversation session timeout ≤60 minutes
  10. Agent owners can produce configuration screenshots or API responses showing agent-level session timeout settings when requested during audit reviews

Additional Resources


Updated: February 2026 | Version: v1.3 | UI Verification Status: Current