As I noted on March 7, Microsoft 365 has many web apps, including applications like Planner and Forms whose only available user access is via a browser (unless you consider access via Teams apps). In any case, Microsoft 365 spans a bunch of web apps and Microsoft is now implementing a session timeout to increase app security by protecting “sensitive company data from unauthorized access while providing peace of mind for end users while working on unmanaged and/or shared devices.” Implementing forced sign-outs for browser sessions (together with warnings that a session is about to expire) is a good way of reminding people that they shouldn’t leave apps open if they’re not working in those apps.
According to message center notification MC343441 (March 16 – Microsoft 365 roadmap item 55183), administrators can configure a tenant-wide timeout policy to sign users out automatically when they’re inactive in Microsoft 365 apps. The move to apply consistency in session timeouts across Microsoft 365 web apps is a good idea as different apps use different values today.
Some of the high-profile apps like OWA and SharePoint Online implement their own idle session timeout mechanisms. OWA’s implementation won’t work if people opt for the Azure AD keep me signed in (KMSI) feature, while SharePoint’s relies on conditional access policies and Azure AD Premium licenses.
Microsoft says that the tenant-wide timeout will eventually take over from these implementations. In fact, if a tenant implements an idle session timeout policy, it takes precedence over the existing OWA and SharePoint Online mechanisms.
Idle session timeout is a preview feature which is rolling out and should be available worldwide by late March. The current schedule is for the feature to reach general availability in late June, subject to a successful preview. The policy applies to:
OWA.
OneDrive for Business.
SharePoint Online.
Office.com.
Office web apps.
Microsoft 365 admin center.
The list is the same as for the new account switcher. The policy currently doesn’t control other web apps like Planner, Yammer, To-Do, and the Teams browser client or other admin centers like the Exchange Online admin center, Teams admin center, and Azure AD admin center. No doubt Microsoft will bring more clients within the scope of the policy over time.
Enabling Idle Session Timeout
By default, the idle session timeout policy is disabled. To implement the policy, go to the Org settings section of the Microsoft 365 admin center, access the Security & privacy tab, and select Idle session timeout. You can then opt to enable the policy and choose a timeout period ranging from one hour to 24 hours, or a custom value from 12 to 1440 minutes (Figure 1).
Figure 1: Defining a Microsoft 365 idle session timeout policy
Interestingly, when the idle session timeout policy is in force, Microsoft says: “users who access Microsoft 365 web apps from an unmanaged device and do not select ‘Stay signed in?’ option at the time of sign-in might start seeing more sign-in prompts.” After testing using both Chrome and Edge, it seemed like it didn’t matter if I selected the stay signed in (keep me signed in) option as all sessions expired. Incognito sessions with the Brave browser saw the imminent expiration warning but never proceeded to expiration. Maybe these experiences are the result of preview glitches that Microsoft will resolve before general availability, but it’s a pointer that if you plan on using idle session timeouts, you might then consider removing the keep me signed in option through company branding.
The Idle Session Timeout Policy in Action
Users affected by the policy will see a notification that their session is about to expire about a minute before the period ends (Figure 2).
Figure 2: The idle session timeout period is close to elapsing
If they don’t respond, Microsoft 365 signs them out from all apps controlled by the policy in that browser (Figure 3). Microsoft 365 web apps in other browsers remain unaffected.
Figure 3: The Idle session timeout policy signs out a user
Activity means taking client-side actions (like opening a document or listing the contents of a folder) in any of the covered web apps in any tab of the browser. For example, you could have OWA and the Microsoft 365 admin center open and be working in OWA while inactive in the admin center. The activity in OWA is enough to satisfy the idle session timeout policy for the whole browser session, so the admin center tab stays signed in too.
Idle session timeout is not enforced when users sign into a managed device (defined as one deemed compliant by the organization) using a supported browser (Edge or Chrome with the Windows account extension). However, this scenario depends on using a conditional access policy to detect the managed state of the device.
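To make the behaviour described in this section concrete, here is a small Python model of the policy (an added example, not Microsoft’s code): the 12–1440 minute range, the warning about a minute before expiry, activity in any covered app keeping the whole browser session alive, per-browser sign-out, and the managed-device exemption. App names and the 60-second warning constant are assumptions taken from the article’s description, not Microsoft identifiers.

```python
from dataclasses import dataclass, field

# Web apps the preview policy covers, per the list in the article (names constructed).
COVERED_APPS = {"OWA", "OneDrive", "SharePoint", "Office.com",
                "Office web apps", "M365 admin center"}
WARNING_SECONDS = 60  # the warning appears about a minute before the period ends


def validate_timeout_minutes(minutes: int) -> int:
    """The admin center accepts 1-24 hours, or a custom value of 12-1440 minutes."""
    if not 12 <= minutes <= 1440:
        raise ValueError("timeout must be between 12 and 1440 minutes")
    return minutes


@dataclass
class BrowserSession:
    managed_device: bool = False  # compliant device detected via conditional access
    last_activity: float = 0.0    # seconds since the browser session started
    signed_out: bool = False


@dataclass
class IdleTimeoutPolicy:
    timeout_minutes: int
    sessions: dict = field(default_factory=dict)  # one entry per browser

    def __post_init__(self) -> None:
        validate_timeout_minutes(self.timeout_minutes)

    def sign_in(self, browser: str, t: float, managed: bool = False) -> None:
        self.sessions[browser] = BrowserSession(managed, t)

    def record_activity(self, browser: str, app: str, t: float) -> None:
        """A client-side action in any covered app resets the timer for the whole browser."""
        s = self.sessions[browser]
        if app in COVERED_APPS and not s.signed_out:
            s.last_activity = t

    def state(self, browser: str, t: float) -> str:
        """Return 'active', 'warning' or 'signed_out' for one browser at time t (seconds)."""
        s = self.sessions[browser]
        if s.managed_device:
            return "active"  # policy is not enforced on managed devices
        if s.signed_out:
            return "signed_out"
        idle = t - s.last_activity
        if idle >= self.timeout_minutes * 60:
            s.signed_out = True  # all covered apps in this browser are signed out
            return "signed_out"
        if idle >= self.timeout_minutes * 60 - WARNING_SECONDS:
            return "warning"
        return "active"
```

Running the model with two browsers shows that activity in Chrome never rescues an idle Edge session, while work in OWA keeps an idle admin center tab in the same browser alive.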
Configure and Deploy
It makes sense to at least consider configuring an idle session timeout policy. The policy will replace current restrictions and become more powerful as Microsoft adds more web apps to its control. Over time, we’ll gain insight into the best way to use the policy alongside other settings; in the interim there doesn’t seem to be a downside in deploying it now.
Make sure that you’re not surprised about changes which appear inside Office 365 applications by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers stay informed.
What does protecting “sensitive company data from unauthorized access while providing peace of mind for end users while working on unmanaged and/or shared devices” mean if this policy is overruled by users who use their unmanaged/shared devices with their private MS Word/OneDrive account to Add a Place to our SharePoint Online service? These users retain their access after the initial login to our SharePoint Online service, even after months of inactivity, without having to re-identify. This means that the central policy of our corporate service is overruled by the policy of the user’s private account.
I don’t think the timeout policy is designed to cover every situation. If people use unmanaged devices, an organization doesn’t control those devices. End of discussion.