Protecting User Data from Unauthorized Access
As I noted on March 7, Microsoft 365 has many web apps, including applications like Planner and Forms whose only available user access is via a browser (unless you consider access via Teams apps). In any case, Microsoft 365 spans a bunch of web apps and Microsoft is now implementing a session timeout to increase app security by protecting “sensitive company data from unauthorized access while providing peace of mind for end users while working on unmanaged and/or shared devices.” Implementing forced sign-outs for browser sessions (together with warnings that a session is about to expire) is a good way of reminding people that they shouldn’t leave apps open if they’re not working in those apps.
According to message center notification MC343441 (March 16 – Microsoft 365 roadmap item 55183), administrators can configure a tenant-wide timeout policy to sign users out automatically when they’re inactive in Microsoft 365 apps. The move to apply consistency in session timeouts across Microsoft 365 web apps is a good idea as different apps use different values today.
Some of the high-profile apps like OWA and SharePoint Online implement their own idle session timeout mechanisms, each with its own gaps. OWA’s implementation won’t work if people opt for the Azure AD keep me signed in (KMSI) feature, while SharePoint’s only applies to unmanaged devices and therefore relies on conditional access policies (and the Azure AD Premium licenses they need) to identify those devices.
Microsoft says that the tenant-wide timeout will eventually take over from these implementations. In fact, if a tenant implements an idle session timeout policy, it takes precedence over the existing OWA and SharePoint Online mechanisms.
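Before switching on the tenant-wide policy it is worth knowing what the existing per-app mechanisms are set to, since they are what it will override. The script below is an added example, not something from the original post or from Microsoft; it uses the documented Exchange Online and SharePoint Online cmdlets to inventory both settings and, optionally, align them with a one-hour value. It assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules are installed, that the account used holds the Exchange and SharePoint administrator roles, and the tenant name is a placeholder.

```powershell
# Added example (not from the original post): inventory the app-specific idle
# timeouts that a tenant-wide idle session timeout policy takes precedence over.
# Assumes ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell
# are installed and the signed-in account holds the Exchange and SharePoint
# admin roles. The tenant name is a placeholder.
$TenantName   = 'contoso'   # assumption: replace with your own tenant name
$ApplyChanges = $false      # flip to $true to align the app-specific settings

Connect-ExchangeOnline -ShowBanner:$false
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

# OWA: the activity-based timeout lives in the Exchange organization config.
$owa = Get-OrganizationConfig
[PSCustomObject]@{
    App              = 'Outlook on the web'
    Enabled          = $owa.ActivityBasedAuthenticationTimeoutEnabled
    Timeout          = $owa.ActivityBasedAuthenticationTimeoutInterval
    WithSingleSignOn = $owa.ActivityBasedAuthenticationTimeoutWithSingleSignOnEnabled
}

# SharePoint Online / OneDrive: browser idle sign-out. This only fires for
# unmanaged devices, which is why it depends on a conditional access policy.
$spo = Get-SPOBrowserIdleSignOut
[PSCustomObject]@{
    App          = 'SharePoint Online / OneDrive for Business'
    Enabled      = $spo.Enabled
    WarnAfter    = $spo.WarnAfter
    SignOutAfter = $spo.SignOutAfter
}

if ($ApplyChanges) {
    # Exchange takes an hh:mm:ss interval between 00:05:00 and 08:00:00.
    Set-OrganizationConfig -ActivityBasedAuthenticationTimeoutEnabled $true `
        -ActivityBasedAuthenticationTimeoutInterval '01:00:00'

    # SharePoint takes TimeSpans: warn at 55 minutes, sign out at 60.
    Set-SPOBrowserIdleSignOut -Enabled $true `
        -WarnAfter (New-TimeSpan -Minutes 55) `
        -SignOutAfter (New-TimeSpan -Minutes 60)
}
```

Run it once with `$ApplyChanges` left at `$false` to see what users are subject to today; the OWA values are the ones KMSI users bypass, and the SharePoint values only ever bite on devices a conditional access policy has classed as unmanaged.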
The policy complements existing features aimed at making browser access more secure, such as continuous access evaluation, which revokes access in near real time when critical events like a password change or account disablement occur.
Idle session timeout is a preview feature which is rolling out and should be available worldwide by late March. The current schedule is for the feature to reach general availability in late June, subject to a successful preview. The policy applies to:
- OneDrive for Business.
- SharePoint Online.
- Office web apps.
- Microsoft 365 admin center.
The list is the same as for the new account switcher. The policy currently doesn’t control other web apps like Planner, Yammer, To-Do, and the Teams browser client or other admin centers like the Exchange Online admin center, Teams admin center, and Azure AD admin center. No doubt Microsoft will bring more clients within the scope of the policy over time.
Enabling Idle Session Timeout
By default, the idle session timeout policy is disabled. To implement the policy, go to the Org settings section of the Microsoft 365 admin center, select the Security & privacy tab, and then select Idle session timeout. You can then opt to enable the policy and choose a timeout period ranging from one hour to 24 hours, or a custom value from 12 to 1440 minutes (Figure 1).
Interestingly, when the idle session timeout policy is in force, Microsoft says: “users who access Microsoft 365 web apps from an unmanaged device and do not select ‘Stay signed in?’ option at the time of sign-in might start seeing more sign-in prompts.” After testing using both Chrome and Edge, it seemed like it didn’t matter if I selected the stay signed in (keep me signed in) option as all sessions expired. Incognito sessions with the Brave browser saw the imminent expiration warning but never proceeded to expiration. Maybe these experiences are the result of preview glitches that Microsoft will resolve before general availability, but it’s a pointer that if you plan on using idle session timeouts, you might then consider removing the keep me signed in option through company branding.
The Idle Session Timeout Policy in Action
Users affected by the policy will see a notification that their session is about to expire about a minute before the period ends (Figure 2).
If they don’t respond, Microsoft 365 signs them out from all apps controlled by the policy in that browser (Figure 3). Microsoft 365 web apps in other browsers remain unaffected.
Activity means taking client-side actions (like opening a document or listing the contents of a folder) in any of the covered web apps in any tab of the browser. For example, you could have OWA and the Microsoft 365 admin center open and be working in OWA while inactive in the admin center. The activity in OWA counts as activity for the policy, so the admin center session is not signed out.
Idle session timeout is not enforced when users sign into a managed device (defined as one deemed compliant by the organization) using a supported browser (Edge or Chrome with the Windows account extension). However, this scenario depends on using a conditional access policy to detect the managed state of the device.
Configure and Deploy
It makes sense to at least consider configuring an idle session timeout policy. The policy will replace the current app-specific restrictions and become more powerful as Microsoft adds more web apps to its control. Over time, we’ll gain insight into the best way to use the policy alongside other settings; in the interim there doesn’t seem to be a downside in deploying it now, provided you tell users to expect the forced sign-outs and the extra sign-in prompts they might see on unmanaged devices.
Make sure that you’re not surprised about changes which appear inside Office 365 applications by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers stay informed.