Portal Walkthrough: Control 2.22 - Inactivity Timeout Enforcement
Parent Control: 2.22 - Inactivity Timeout Enforcement
Last Updated: February 2026 | Portal: Power Platform Admin Center (PPAC) | Estimated Time: 30-45 minutes per environment
Prerequisites
- CAA Dataverse schema deployed (provides the fsi_acv_zone global option set required by the ITE policy table). If not already deployed, run python scripts/create_dataverse_schema.py from the Conditional Access Automation solution first.
- ITE solution imported into the target Dataverse environment (see Solutions Index for components and deployment scripts)
- ITE Dataverse schema deployed via Python scripts (see Schema Deployment below)
- Connection references authenticated and environment variable current values set (see Post-Import Configuration below)
- Power Platform Admin or Environment Admin role assigned
- Access to Power Platform Admin Center (admin.powerplatform.microsoft.com)
- Environment governance zone assignments documented (Zone 1/2/3) — see Zones and Tiers for classification guidance
- Approved timeout duration values per zone policy
- fsi_environmentpolicy table populated with zone assignments and required maximum durations for all governed environments
Schema Deployment
Before configuring environment settings, deploy the ITE Dataverse schema. This creates the tables, option sets, environment variables, and connection references the compliance flow and remediation script require.
Python Environment Setup
The schema scripts require Python 3.8+ and the caa_client module (shared with other FSI-AgentGov-Solutions schema scripts).
```bash
# Install Python dependencies
pip install msal requests

# The caa_client module must be on the Python path.
# It is located in scripts/caa_client.py in the FSI-AgentGov repository.
# Run scripts from the repository root, or add the scripts directory to PYTHONPATH.
```
Set the authentication environment variables below (or pass the same values via CLI arguments). Prefer environment variables or --interactive for the client secret: a secret passed on the command line is recorded in shell history and is visible to other local users in process listings.
| Variable | Description |
|---|---|
| CAA_TENANT_ID | Entra ID tenant GUID |
| CAA_ENVIRONMENT_URL | Dataverse environment URL (e.g., https://org12345.crm.dynamics.com) |
| CAA_CLIENT_ID | App registration client ID with Dataverse permissions |
| CAA_CLIENT_SECRET | App registration client secret |
Script Execution Order
Run the scripts in this order from the repository root:
```bash
# 1. Create policy and compliance tables (+ 2 solution option sets)
python scripts/create_timeout_dataverse_schema.py

# 2. Create error log table
python scripts/create_timeout_errorlog_schema.py

# 3. Create 3 environment variables (concurrency, notifications, scan frequency)
python scripts/create_timeout_environment_variables.py

# 4. Create 2 connection references (Dataverse + Power Platform Admin)
python scripts/create_timeout_connection_references.py
```
All scripts are idempotent — safe to re-run if needed. Use --dry-run to preview changes without making API calls. Alternatively, use --interactive to authenticate via browser sign-in (delegated auth) instead of the service principal credentials above.
Schema Deployment Validation
After running all 4 scripts, verify the schema was deployed successfully:
- Navigate to Power Apps → select the governance environment → Tables
- Confirm these tables exist: fsi_environmentpolicy, fsi_inactivitytimeoutcompliance, fsi_inactivitytimeouterrorlog
- Open Solutions → ITE solution → verify Environment Variables and Connection References are present
CAA Schema Prerequisite
The first script (create_timeout_dataverse_schema.py) requires the fsi_acv_zone global option set, which is created by the CAA (Conditional Access Automation) schema script. If you see an error referencing fsi_acv_zone, deploy the CAA schema first: python scripts/create_dataverse_schema.py.
Post-Import Configuration
After importing the ITE solution and deploying the schema, complete these configuration steps before running the compliance flow.
Authenticate Connection References
- Navigate to Power Apps → select the governance environment
- Open Solutions → select the ITE solution
- Open Connection References
- For each connection reference (fsi_cr_dataverse_inactivitytimeout and fsi_cr_powerplatformforadmins_inactivitytimeout):
  - Click the connection reference → select or create an active connection
  - Authenticate with a service account that has the required permissions:
    - Dataverse connector (fsi_cr_dataverse_inactivitytimeout): requires a Dataverse security role with Create/Read permissions on the fsi_environmentpolicy, fsi_inactivitytimeoutcompliance, and fsi_inactivitytimeouterrorlog tables. Grant that role to a dedicated service account rather than signing in with a personal admin account; the flow needs nothing beyond these three tables.
    - Power Platform for Admins connector (fsi_cr_powerplatformforadmins_inactivitytimeout): requires the Power Platform Admin role or an Entra app registration with the https://api.bap.microsoft.com/.default API permission and admin consent
Set Environment Variable Current Values
- In the same ITE solution, open Environment Variables
- Set the Current Value for each variable (Current Value overrides the Default Value for your tenant):
| Variable | Default | Action Required |
|---|---|---|
| fsi_ITE_ConcurrencyLimit | 5 | Adjust if your tenant has many environments (reduce to avoid API rate limits) |
| fsi_ITE_NotificationRecipients | (empty) | Must set: enter semicolon-separated email addresses (e.g., admin@contoso.com;compliance@contoso.com) |
| fsi_ITE_ScanFrequencyHours | 24 | Adjust scan interval if needed |
Notification Recipients Required
The fsi_ITE_NotificationRecipients variable has no default value. Notifications will not be sent until you set a current value with valid email addresses. Use semicolons to separate multiple addresses.
Populate Policy Table
- Navigate to Power Apps → select the governance environment
- Open Tables → search for fsi_environmentpolicy
- Create a record for each governed environment:
| Column | Description | Example |
|---|---|---|
| fsi_name | Descriptive name (required primary name) | "Production" |
| fsi_environmentid | Canonical EnvironmentName GUID from PPAC | "d1234567-abcd-ef01-2345-6789abcdef01" |
| fsi_environmentdisplayname | Human-readable name (optional) | "Production" |
| fsi_zone | Zone classification | Zone 2 or Zone 3 |
| fsi_requiredmaxduration | Maximum allowed timeout in minutes | 120 (Zone 2) or 60 (Zone 3) |
Finding the EnvironmentName GUID
Open PPAC → Environments → select the environment → the EnvironmentName GUID is visible in the browser URL bar. Do NOT use the display name.
Step 1: Navigate to Environment Settings
- Sign in to Power Platform Admin Center
- Select Environments from the left navigation
- Select the target environment from the list
- Click Settings in the command bar
Step 2: Open Privacy + Security Settings
- Under Product, expand the settings categories
- Select Privacy + Security
- The Privacy + Security settings page opens with session timeout options
Environment Admin Access
Environment Admins can access these settings for their assigned environments. Power Platform Admins have access across all environments.
Step 3: Enable Inactivity Timeout
- Locate the Session Expiration section
- Turn the "Set inactivity timeout" toggle to On
- This enables the timeout duration and warning duration fields
Step 4: Configure Timeout Duration
- Set the Duration of inactivity before timeout value according to the environment's zone policy:
| Zone | Maximum Duration | Recommended Setting |
|---|---|---|
| Zone 1 (Personal) | Optional; ≤120 min if enabled | 120 minutes |
| Zone 2 (Team) | ≤120 minutes (required) | 90 minutes |
| Zone 3 (Enterprise) | ≤60 minutes (required) | 30 minutes |
- Set the Warning duration before timeout to provide users advance notice (typically 5-10 minutes before timeout)
Zone Maximum Enforcement
The timeout duration value must not exceed the zone-specific maximum recorded for the environment in your organization's fsi_environmentpolicy table. A configured duration above that maximum, or a timeout left off in a Zone 2 or Zone 3 environment where it is required, results in a Non-Compliant status during automated scanning.
Step 5: Save Configuration
- Click Save to apply the settings
- Verify the confirmation message appears
- The setting takes effect for new sessions; existing sessions are governed by their original timeout at creation
Step 5a: Configure Session Expiration (Maximum Session Lifetime)
In addition to inactivity timeout, configure session expiration to enforce an absolute maximum session duration regardless of user activity. This setting is in the same Privacy + Security page.
- In the Session Expiration section, turn the "Set custom session timeout" toggle to On
- Set the Maximum Session Length value according to the environment's zone policy:
| Zone | Maximum Session Lifetime | Recommended Setting |
|---|---|---|
| Zone 1 (Personal) | Optional; ≤1440 min if enabled | 1440 minutes (24 hours) |
| Zone 2 (Team) | ≤1440 minutes (required) | 1440 minutes (24 hours) |
| Zone 3 (Enterprise) | ≤720 minutes (required) | 720 minutes (12 hours) |
- Click Save to apply the session expiration setting
Relationship to Control 3.7
Control 3.7 (PPAC Security Posture Assessment) documents session expiration as part of the PPAC security hardening baseline. The recommended values above align with the Control 3.7 baseline. Refer to the Control 3.7 hardening checklist for the complete set of PPAC security settings.
Step 6: Verify Configuration Applied
- Return to Settings → Privacy + Security
- Confirm the inactivity timeout toggle shows On
- Confirm the duration value matches the intended setting
- Document the environment name, timeout duration, and timestamp for audit evidence
Step 7: Repeat for All Governed Environments
- Return to the Environments list
- Select the next environment requiring timeout configuration
- Repeat Steps 2-6 for each environment
- Use the governance settings tracker below to record progress
Governance Settings Tracker
| Environment Name | Zone | Required Max (min) | Configured Duration (min) | Warning (min) | Date Configured | Configured By |
|---|---|---|---|---|---|---|
| env-prod-01 | Zone 3 | 60 | 30 | 5 | YYYY-MM-DD | Admin Name |
| env-team-collab | Zone 2 | 120 | 90 | 10 | YYYY-MM-DD | Admin Name |
| env-personal-dev | Zone 1 | ≤120 (if enabled) | 120 | 10 | YYYY-MM-DD | Admin Name |
Step 8: Configure Agent-Level Session Timeout
In addition to environment-level timeout settings, individual Copilot Studio agents have conversation session timeout configurations that control when agent conversation context expires. Configuring agent-level timeouts supports defense-in-depth session security across both platform and agent layers.
- Navigate to Copilot Studio and sign in with your Power Platform Admin or Copilot Studio maker credentials
- Select the target agent from the agent list
- Go to Settings → Advanced → Session timeout
Copilot Studio UI Changes
The navigation path to session timeout settings may vary depending on your Copilot Studio version. If you cannot locate it at Settings → Advanced → Session timeout, search for "session timeout" in the agent settings or check under Settings → Generative AI → Session management.
- Set the conversation session timeout duration aligned with the agent's zone classification:
| Zone | Agent-Level Maximum | Recommended Setting | Rationale |
|---|---|---|---|
| Zone 3 (Enterprise) | ≤60 minutes (required) | 30 minutes | Helps protect high-sensitivity conversation data (customer data, PII, PHI) from extended exposure in abandoned sessions |
| Zone 2 (Team) | ≤120 minutes (required) | 90 minutes | Supports session security for team collaboration agents processing organizational data |
| Zone 1 (Personal) | Optional; ≤120 min if enabled | 120 minutes | Recommended if the agent processes any sensitive organizational data |
- Click Save to apply the agent-level timeout setting
- Document the agent name, configured timeout duration, and zone classification in your organization's agent inventory (Control 3.1) for audit trail purposes. If you have not yet implemented Control 3.1, record this information in a spreadsheet for later migration to the inventory system.
- Repeat for each governed agent in the environment
Quarterly Review Coordination
Agent-level timeout settings should be reviewed during quarterly agent configuration reviews, coordinated with the Control 1.27 review cadence. This periodic review aids in maintaining alignment between agent timeout policies and evolving zone requirements.
Post-Configuration Validation
After configuring all environments:
- Verify the fsi_environmentpolicy Dataverse table reflects current zone assignments and required maximum durations for all configured environments
Required Before Running Compliance Flow
The fsi_environmentpolicy table must be populated before running the compliance flow. Environments without policy records will receive MissingPolicy errors (see Troubleshooting Issue 1).
- Run the Detect-InactivityTimeout-NonCompliance flow manually to validate initial compliance state:
- Navigate to Power Automate → select the governance environment
- Open Solutions → ITE solution → Cloud flows
- Select Detect-InactivityTimeout-NonCompliance → click Run
- Review compliance records in the fsi_inactivitytimeoutcompliance table (Power Apps → Tables → search for fsi_inactivitytimeoutcompliance → open the table data view) to confirm all environments show Compliant status
- Address any Non-Compliant or Unknown results before enabling the daily schedule
- Enable the daily schedule trigger on the compliance flow (default: 06:00 UTC)
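The zone rule from Step 4 and the statuses reviewed in the validation steps above (Compliant, Non-Compliant, Unknown, MissingPolicy) can be expressed as a small evaluator, which is useful for checking the policy table and reasoning about results before the first manual flow run. The Python below is an added example written for this page; it is not the Detect-InactivityTimeout-NonCompliance flow or any script from the ITE solution. The fsi_environmentpolicy column names are the ones listed under Populate Policy Table; the EnvironmentSettings field names, the sample GUIDs, and the choice to report Unknown for a policy row that fails validation are assumptions made for the example. It also covers a case the walkthrough only implies: an environment whose timeout is switched off in a zone where it is required.

```python
"""Added example: evaluate inactivity-timeout compliance against fsi_environmentpolicy.
Not part of the ITE solution; field names on EnvironmentSettings, the sample GUIDs and
the 'Unknown' result for an invalid policy row are assumptions for this example."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Zone maxima in minutes, from the Step 4 table. Zone 1 may leave the timeout
# off, but if it is on it is still capped at 120 minutes.
ZONE_MAX_MINUTES = {"Zone 1": 120, "Zone 2": 120, "Zone 3": 60}
ZONE_TIMEOUT_REQUIRED = {"Zone 1": False, "Zone 2": True, "Zone 3": True}

# EnvironmentName GUIDs as shown in the PPAC URL; display names must not be used.
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)


@dataclass(frozen=True)
class PolicyRecord:
    """One fsi_environmentpolicy row, using the column names from this page."""
    fsi_name: str
    fsi_environmentid: str
    fsi_zone: str
    fsi_requiredmaxduration: int


@dataclass(frozen=True)
class EnvironmentSettings:
    """Inactivity-timeout state read from PPAC for one environment (field names are
    an assumption). timeout_enabled=None means the setting could not be read."""
    environment_id: str
    timeout_enabled: Optional[bool]
    timeout_minutes: Optional[int] = None


def validate_policy(policy: PolicyRecord) -> List[str]:
    """Pre-flight checks for a policy row; an empty list means it is usable."""
    errors = []
    if not GUID_RE.match(policy.fsi_environmentid):
        errors.append("fsi_environmentid is not an EnvironmentName GUID")
    if policy.fsi_zone not in ZONE_MAX_MINUTES:
        errors.append(f"unknown zone {policy.fsi_zone!r}")
    elif policy.fsi_requiredmaxduration > ZONE_MAX_MINUTES[policy.fsi_zone]:
        errors.append(f"fsi_requiredmaxduration {policy.fsi_requiredmaxduration} exceeds the "
                      f"{policy.fsi_zone} maximum of {ZONE_MAX_MINUTES[policy.fsi_zone]} minutes")
    if policy.fsi_requiredmaxduration <= 0:
        errors.append("fsi_requiredmaxduration must be a positive number of minutes")
    return errors


def evaluate(settings: EnvironmentSettings, policy: Optional[PolicyRecord]) -> Tuple[str, str]:
    """Map one environment to a compliance status and a human-readable reason."""
    if policy is None:
        return "MissingPolicy", "no fsi_environmentpolicy record for this environment"
    problems = validate_policy(policy)
    if problems:
        return "Unknown", "policy record is unusable: " + "; ".join(problems)
    if settings.timeout_enabled is None or (settings.timeout_enabled and settings.timeout_minutes is None):
        return "Unknown", "inactivity timeout setting could not be read"
    required_max = policy.fsi_requiredmaxduration
    if not settings.timeout_enabled:
        if ZONE_TIMEOUT_REQUIRED[policy.fsi_zone]:
            return "Non-Compliant", f"inactivity timeout is off but {policy.fsi_zone} requires it"
        return "Compliant", f"inactivity timeout is optional for {policy.fsi_zone} and is off"
    if settings.timeout_minutes > required_max:
        return "Non-Compliant", f"{settings.timeout_minutes} min exceeds the required maximum of {required_max} min"
    return "Compliant", f"{settings.timeout_minutes} min is within the required maximum of {required_max} min"


def scan(policies: List[PolicyRecord], observed: List[EnvironmentSettings]) -> Dict[str, Tuple[str, str]]:
    """Evaluate every observed environment. GUID matching is case-insensitive, so a
    policy row typed in upper case still matches the value PPAC reports."""
    by_id = {p.fsi_environmentid.lower(): p for p in policies}
    return {s.environment_id: evaluate(s, by_id.get(s.environment_id.lower())) for s in observed}


# Constructed sample data for this example; the GUIDs are placeholders, not real environments.
PROD_ID = "aaaaaaaa-0000-4000-8000-000000000001"
TEAM_ID = "bbbbbbbb-0000-4000-8000-000000000002"
DEV_ID = "cccccccc-0000-4000-8000-000000000003"
ORPHAN_ID = "dddddddd-0000-4000-8000-000000000004"
UNREAD_ID = "eeeeeeee-0000-4000-8000-000000000005"

SAMPLE_POLICIES = [
    PolicyRecord("Production", PROD_ID, "Zone 3", 60),
    PolicyRecord("Team Collab", TEAM_ID, "Zone 2", 120),
    PolicyRecord("Personal Dev", DEV_ID, "Zone 1", 120),
    PolicyRecord("Unreadable", UNREAD_ID, "Zone 3", 60),
]
SAMPLE_OBSERVED = [
    EnvironmentSettings(PROD_ID, True, 30),            # Zone 3 at 30 min: Compliant
    EnvironmentSettings(TEAM_ID.upper(), True, 150),   # Zone 2 at 150 min: Non-Compliant
    EnvironmentSettings(DEV_ID, False),                # Zone 1 with timeout off: Compliant
    EnvironmentSettings(ORPHAN_ID, True, 30),          # no policy row: MissingPolicy
    EnvironmentSettings(UNREAD_ID, None),              # setting unreadable: Unknown
]

if __name__ == "__main__":
    for env_id, (status, reason) in scan(SAMPLE_POLICIES, SAMPLE_OBSERVED).items():
        print(f"{env_id}  {status:<13}  {reason}")
```

Running the file prints one line per sample environment. The validate_policy check is worth running over the real policy table before the first manual flow run: a display name in fsi_environmentid or a required maximum above the zone cap would otherwise surface only as MissingPolicy or Unknown results during the scan.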
Next Steps
- PowerShell Setup — Automated remediation with Set-InactivityTimeout.ps1
- Verification & Testing — Compliance validation and evidence collection
- Troubleshooting — Common issues and resolutions
Updated: February 2026 | Version: v1.3