Hello Machado, Eduardo
Thanks for reaching out to Microsoft Q&A.
When you connect Entra External ID (formerly Azure AD External Identities) to Power Pages, session and idle timeout settings are handled in two places:
- Entra External ID – Controls how long authentication tokens last.
- Power Pages – Controls how long the site keeps a user logged in before kicking them out for being idle.
Right now, Entra External ID has some restrictions:
- You can’t customize session timeouts or token expiry for External ID users the same way you can for normal Azure AD users.
- Token policies for refresh tokens were retired in 2021 (https://learn.microsoft.com/en-us/entra/identity-platform/configurable-token-lifetimes).
- Conditional Access Session policies don’t work with External ID tenants.
- If you use Email OTP (one-time passcode) login, the refresh token always lasts 12 hours — you can’t change that.
- Access tokens typically last around 60–90 minutes.
Document Reference: https://learn.microsoft.com/en-us/entra/external-id/customers/concept-supported-features-customers
Set the Timeout: You’ll mostly control session timeout from the Power Pages settings, because Entra External ID doesn’t give much flexibility for external guest accounts.
To Configure Timeout in Power Pages
- Open Power Platform Admin Center → Go to your Power Pages environment.
- Open the Portal Management App.
- Go to Website > Site Settings. Add the following:
- Idle Timeout
  Name: Authentication/ApplicationCookie/ExpireTimeSpan
  Value: 00:10:00 → means 10 minutes of inactivity
- After Timeout Redirect Page
  Name: Authentication/ApplicationCookie/LoginPath
  Value: /SignIn → page where users will be sent after timeout
- Match Entra Token Lifetime (Optional)
  Name: Authentication/OpenIdConnect/[provider]/UseTokenLifetime
  Value: true (to sync with Entra token lifetime)
Settings on Entra Side (Limited Impact)
- In Entra Admin Center → Go to Settings → Signing out + notifications → turn on directory-level idle timeout.
- But note: This mainly affects the Entra portal, not the external Power Pages login.
Reference Documentation:
- https://learn.microsoft.com/en-us/power-pages/admin/cookies
- https://learn.microsoft.com/en-us/entra/architecture/deployment-external-operations
Areas for Optimization
- If using Email OTP: Remember the refresh token will always expire after 12 hours.
- If you want more control, switch to username/password login in Entra External ID.
- Add client-side timeout warnings (e.g., a pop-up saying “Your session will expire soon”).
- Balance security and user experience by choosing reasonable timeouts (5–10 mins is strict, 15–30 mins is relaxed).
Suggested Process:
- Set the timeout in Power Pages (main control point).
- Test by logging in and leaving the session idle.
- Check if users are redirected to the login page after the set time.
- Monitor user and token logs in Entra.
Please Note:
- Power Pages controls your site session timeout.
- Entra External ID controls token expiry, but has strict limits for Email OTP.
Kindly let us know if the above helps or you need further assistance on this issue.
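The client-side timeout warning suggested under "Areas for Optimization", sketched as an added example; it is not part of the original answer and not Power Pages or Microsoft code. The names `parseTimeSpan` and `createIdleWarning` and the `session-warning` element id are hypothetical. It assumes the timer should restart on each full page load and that the `d.hh:mm:ss` day prefix is acceptable in addition to the `hh:mm:ss` form shown above.

```javascript
// Added example; function names and the "session-warning" element id are hypothetical.
// Parse "hh:mm:ss" (as in ExpireTimeSpan above) or "d.hh:mm:ss" (assumed) into milliseconds.
function parseTimeSpan(value) {
  const m = /^(?:(\d+)\.)?(\d{1,2}):(\d{2}):(\d{2})$/.exec(String(value).trim());
  if (!m) throw new Error("Unsupported TimeSpan: " + value);
  const [days, h, min, s] = [m[1] || "0", m[2], m[3], m[4]].map(Number);
  if (h > 23 || min > 59 || s > 59) throw new Error("Out-of-range TimeSpan: " + value);
  return (((days * 24 + h) * 60 + min) * 60 + s) * 1000;
}

// Idle-warning state machine. The clock is injected so the logic can be tested without a browser.
function createIdleWarning({ expireTimeSpan, warnBeforeMs, now = Date.now, onWarn, onExpire }) {
  const timeoutMs = parseTimeSpan(expireTimeSpan);
  if (warnBeforeMs >= timeoutMs) throw new Error("Warning lead must be shorter than the timeout");
  let lastActivity = now();
  let state = "active"; // active -> warned -> expired
  return {
    // Call after a request that renews the server-side session (assumption about the caller).
    activity() {
      if (state === "expired") return; // an expired session cannot be revived client-side
      lastActivity = now();
      state = "active";
    },
    // Call periodically; fires each callback at most once per idle period.
    tick() {
      const remaining = timeoutMs - (now() - lastActivity);
      if (remaining <= 0 && state !== "expired") {
        state = "expired";
        onExpire();
      } else if (remaining <= warnBeforeMs && state === "active") {
        state = "warned";
        onWarn(Math.ceil(remaining / 1000));
      }
      return state;
    },
  };
}

// Browser wiring (skipped outside a browser). Values mirror the site settings above.
if (typeof window !== "undefined") {
  const banner = document.getElementById("session-warning"); // hypothetical hidden element
  const idle = createIdleWarning({
    expireTimeSpan: "00:10:00", warnBeforeMs: 60000,
    onWarn: (s) => { if (banner) { banner.textContent = "Your session will expire in about " + s + " seconds."; banner.hidden = false; } },
    onExpire: () => window.location.assign("/SignIn"),
  });
  setInterval(() => idle.tick(), 1000);
}
```

The warning is a convenience only: the server-side cookie expiry configured in Site Settings remains the actual enforcement point, so keep the script's value in step with `ExpireTimeSpan`.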