Set ADFS Timeout for CRM/D365 On Premises using IFD

If you run CRM/D365 on premises you may notice that out of the box the security tokens only last for an hour and then you have to log in again. This is because the default lifetime of the security token for claims-based authentication in Active Directory Federation Services (ADFS) is 60 minutes. When I normally set up an on premises installation, I set the token lifetime to be at least 8 hours (480 minutes) so that users will be able to log in when they arrive in the morning and then use CRM uninterrupted until they leave at the end of the day. The next day when they go to CRM, they have to log in again.

Before proceeding, the usual caveats apply - you take full responsibility for any changes you make to your system. If you mess it up, it is your issue to deal with (not mine!).

To set the ADFS timeout, you need to RDP into your ADFS server, run the ADFS Management Console and make a note of your Relying Party Trust display name - you'll need it in a moment when executing some PowerShell commands:

Now open an Administrative PowerShell. If you are running ADFS 2.0 (ie: Windows 2008 Server), then you need to load the PSSnapin (for ADFS 3.0 and Windows 2012 or later, you can skip this step):

Add-PSSnapin Microsoft.Adfs.Powershell

Now, using the Relying Party Trust display name from above, run the following command to see what the timeout is set to currently:

Get-ADFSRelyingPartyTrust -Name "D365 External"

In the lines of output that you get, find the line TokenLifetime - it will likely be set to 60:

Finally, execute this command to set the TokenLifetime to whatever you'd like (in this case, 480 minutes):

Set-ADFSRelyingPartyTrust -Targetname "D365 External" -TokenLifetime 480

You can re-run the Get-ADFS... command to verify that the Token Lifetime is now set correctly, and you should notice that you don't need to log into CRM as frequently.