With recent security enhancements in customer engagement apps, the maximum user session timeout of 24 hours has been removed.
User session timeout is now managed by the Azure AD session policy, which by default has the Azure AD refresh token expiration set to 90 days.
Refresh token lifetime and expiration – https://docs.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens#refresh-token-lifetime
Use sign-in frequency in Conditional Access to define the period before a user is required to sign in again – https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime
Earlier, the default session timeout was 24 hours, with 20 minutes for warning the user – https://nishantrana.me/2017/11/17/configure-session-timeout-and-inactivity-timeout-dynamics-365/
However, we can still override the default Azure AD session policy by setting the session timeout and/or inactivity timeout for an individual environment.
To set these, navigate to –
Environments > [Environment] > Settings > Privacy + Security in Power Platform Admin Center.
Specify appropriate values and save the changes.
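With the 24-hour cap gone, it is worth checking whether any enforced Conditional Access policy actually bounds the session or whether the 90-day default applies. The sketch below is an added example, not code from the original post: it audits constructed policy objects shaped like Microsoft Graph `conditionalAccessPolicy` records. Assumptions: `APP_ID` is a placeholder, user scoping and environment-level overrides are ignored, and the shortest enforced sign-in frequency is treated as the effective one.

```python
# Added example. Policies are constructed sample data in the shape of
# Microsoft Graph conditionalAccessPolicy objects; APP_ID is a placeholder.
DEFAULT_HOURS = 90 * 24  # the 90-day Azure AD default stated in the post
APP_ID = "DATAVERSE-APP-ID-PLACEHOLDER"

SAMPLE_POLICIES = [
    {"displayName": "Report-only 8h", "state": "enabledForReportingButNotEnforced",
     "conditions": {"applications": {"includeApplications": [APP_ID]}},
     "sessionControls": {"signInFrequency":
                         {"isEnabled": True, "type": "hours", "value": 8}}},
    {"displayName": "All apps 7d", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"]}},
     "sessionControls": {"signInFrequency":
                         {"isEnabled": True, "type": "days", "value": 7}}},
    {"displayName": "MFA only", "state": "enabled",
     "conditions": {"applications": {"includeApplications": [APP_ID]}},
     "sessionControls": None},
]

def frequency_hours(policy):
    """Sign-in frequency of one policy in hours, or None if it sets none."""
    sif = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
    if not sif.get("isEnabled") or sif.get("value") is None:
        return None
    per_unit = {"hours": 1, "days": 24}.get(sif.get("type"))
    return None if per_unit is None else sif["value"] * per_unit

def applies_to(policy, app_id):
    """True if the policy's application condition covers app_id."""
    apps = (policy.get("conditions") or {}).get("applications") or {}
    included = apps.get("includeApplications") or []
    excluded = apps.get("excludeApplications") or []
    return app_id not in excluded and ("All" in included or app_id in included)

def effective_reauth_hours(policies, app_id):
    """Shortest enforced sign-in frequency for app_id, else the 90-day default."""
    enforced = [
        hours for p in policies
        if p.get("state") == "enabled" and applies_to(p, app_id)  # skip report-only
        for hours in [frequency_hours(p)] if hours is not None
    ]
    return min(enforced, default=DEFAULT_HOURS)

if __name__ == "__main__":
    print(effective_reauth_hours(SAMPLE_POLICIES, APP_ID), "hours")
```

The report-only 8-hour policy is deliberately ignored here: a policy that is not enforced does not shorten anyone's session.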
Get all the details here –
Hope it helps..