Forum Discussion

VinodS2020's avatar
VinodS2020
Brass Contributor
Dec 08, 2023

Idle session timeout Conditional access policy for unmanaged devices

What is the default time period for this policy in Conditional access policy for Idle Session timeout" policy as I was looking for way to create this policy for unmanaged devices in the tenant and wh...
Azure Active Directory (AAD)
Identity Management
microsoft 365
VinodS2020's avatar
VinodS2020
Brass Contributor
Dec 11, 2023

ericsawatzky 

 

I wanted to set this policy for unmanaged devices only and as per the link which I shared in the question about unmanaged devices only and what is the timeout for it and how we can change or customize it? 

ericsawatzky's avatar
ericsawatzky
Copper Contributor
Dec 11, 2023
The below configuration is taken from the CIS 365 Benchmark recommendation: "1.7 (L1) Ensure 'Idle session timeout' is set to '1 hour (or less)' for unmanaged devices". You can grab a free copy of the benchmarks with more details on this recommendation at: https://www.cisecurity.org/benchmark/microsoft_365.


Step 1 - configure Idle session timeout:
1. Navigate to the Microsoft 365 admin center https://admin.microsoft.com/.
2. Click to expand Settings Select Org settings.
3. Click Security & Privacy tab.
4. Select Idle session timeout.
5. Check the box Turn on to set the period of inactivity for users to be
signed off of Microsoft 365 web apps
6. Set a value of 1 hour.
7. Click save.

Step 2 - Ensure the Conditional Access policy is in place:
1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/
2. Expand Azure Active Directory > Protect & secure > Conditional Access
3. Click New policy and give the policy a name.
4. Select Users > All users.
5. Select Cloud apps or actions > Select apps and select Office 365
6. Select Conditions > Client apps > Yes check only Browser unchecking all other
boxes.
7. Select Sessions and check Use app enforced restrictions.
8. Set Enable policy to On and click Create.

NOTE: To ensure that idle timeouts affect only unmanaged devices, both steps must be
completed

Hope that helps,
Eric
  • JosvanderVaart's avatar
    JosvanderVaart
    Iron Contributor
    Jan 18, 2024
    I am very curious if anyone can provide clarification here. As far as I can see now, this CA rule ensures that on unmanaged workstations the session time out works. However, this setting will also always affect the session time out on managed workstations. I suspect the Microsoft documentation is incorrect here.
    • M_C_Laning's avatar
      M_C_Laning
      Copper Contributor
      Jan 25, 2024
      I am also curious how this would work. There is no setting in CA according to documentation for only unmanaged devices, so it would be odd if the global setting only applies to unmanaged devices when the CA rule exists, not scoped to any form of clients. This is different from app enforced restrictions for download/print when clients are managed/joined, because this global setting only takes effect when a CA rule exists, not otherwise.
      • pablovalLatam's avatar
        pablovalLatam
        Copper Contributor
        Feb 01, 2024

        M_C_Laning 

         

        The documentation states we need to enable the CA policy and check "app enforce restrictions" inside "session" blade...  according to the documentation by doing this, the "magic" happens under the hood... (I am testing this as well, will share results soon)

        "When selected, the cloud app uses the device information to provide users with a limited or full experience. Limited when the device isn't managed or compliant and full when the device is managed and compliant"

        https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-session#application-enforced-restrictions 

        Application enforced restrictions

        Organizations can use this control to require Microsoft Entra ID to pass device information to the selected cloud apps. The device information allows cloud apps to know if a connection is from a compliant or domain-joined device and update the session experience. When selected, the cloud app uses the device information to provide users with a limited or full experience. Limited when the device isn't managed or compliant and full when the device is managed and compliant.

         

        Pablo Valentini (Valenta)

        Nebulan Latam

  • VinodS2020's avatar
    VinodS2020
    Brass Contributor
    Jan 09, 2024

    ericsawatzky 

     

    Hi,

     

    I can see this in below given link about Idle session timeout but it seems its for non-company or shared devices but it does not clear whether its going to target unmanaged devices as well or what and seems confusing here. 

     

    See below snap

     

     

     

    https://learn.microsoft.com/en-US/microsoft-365/admin/manage/idle-session-timeout-web-apps?view=o365-worldwide&WT.mc_id=365AdminCSH_inproduct

     

     

     

  • VinodS2020's avatar
    VinodS2020
    Brass Contributor
    Dec 13, 2023

    ericsawatzky 

     

    How we are going to target unmanaged devices in this created conditional access policy by creating filter under platform or what because if we apply this policy to all the users then how its going to determine which device is this policy for? As we did not add any filter or targeted such unmanaged devices?  

     

    Also if we wanted to increase the idle session timeout for managed devices lets say 3 hours and unmanaged devices 1 hour then how we are going to do this with both policies in M365 admin and Conditional access policy? 

Resources