Home
Microsoft

Idle-Session Timeout Policy in SharePoint Online & OneDrive is now Generally Available

There’s a new culture of work; one that is increasingly diverse, geographically distributed, and mobile.  Connectivity is ubiquitous and the ability to work remotely has become an ingrained part of the work practice. People have come to expect to be able to access email and documents from anywhere on any device - and for that experience to be seamless, among these trends includes the increasing use of shared systems, such as kiosks to access and work with corporate data. 

 

SharePoint and OneDrive include a set of controls to help keep your data safe no matter where people are when they access or share data, what device they’re working on, and how secure their network connection is.  These controls can help you customize the level of access granted to people while making sure the resulting constraints meet your organizational security requirements. They also allow you to balance security and user productivity and prevent overexposure, leakage, and oversharing of your sensitive data.

 

To help safeguard your information on these systems, we’re pleased to announce idle session timeout policies are now generally available.

 

Session lifetimes are an important part of authentication for Office 365 and are an important component in balancing security and the number of times users are prompted for their credentials.

 

Idle session timeout provides an Office 365 administrator to configure a threshold at which a user is warned and subsequently signed out of SharePoint or OneDrive after a period of inactivity.

 

 

[https://youtu.be/z7xvhoJCg4E]

 

In the demonstration above, the Tenant is configured with the idle-session timeout policy.   A user is working with content on a sensitive site (Legal) configured with Unmanaged Device-Based Access Policies on a shared system and has left that session unattended.  Following a period of 15 seconds a prompt indicates the session is about to be terminated and in the event a response is not received within 10 seconds, the session is subsequently closed preventing unintended overexposure of information.

 

Idle session timeout policies allow Office 365 administrators to automatically sign out inactive sessions preventing the overexposure of information in the event a user leaves a shared system unattended.

 

Configuring Idle Session Timeout

 

Idle-session timeout is configured using Windows PowerShell.

 

Before you get started using PowerShell to manage SharePoint Online, make sure that the SharePoint Online Management Shell is installed, and you have connected to SharePoint Online.

 

Install the SharePoint Online Management Shell by downloading and running the SharePoint Online Management Shell. You only need to do this once for each computer from which you are running SharePoint Online PowerShell commands.

 

To open the SharePoint Online Management Shell command prompt, from the Start screen, type sharepoint, and then click SharePoint Online Management Shell.

 

To connect to SharePoint Online with a username and password run the following commands at the SharePoint Online Management Shell command prompt:

 

Connect-SPOService -Url https://<Tenant>-admin.sharepoint.com

 

To configure idle-session timeout run the following commands at the SharePoint Online Management Shell command prompt:

 

Set-SPOBrowserIdleSignOut -Enabled $true -WarnAfter (New-TimeSpan -Seconds 2700) -SignOutAfter (New-TimeSpan -Seconds 3600)

 

Where:

-Enabled specifies whether idle session timeout is enabled or disabled using $true, $false respectively.

-WarnAfter specifies the amount of after which a user is notified that they will be signed out after a period of inactivity as a New-TimeSpan which can be configured in seconds, minutes, or hours.

-SignOutAfter specifies the amount of time after which is a user is signed out of Office 365 if they do not respond to the -WarnAfter prompt.

 

To view the idle browser sign-out settings, use the Get-SPOBrowserIdleSignOut cmdlet.

 

NOTE

  1. Mouse movement or scrolling up and down is not included as activity. Activity is counted as requests sent to SharePoint Online.  Mouse clicks within the context of a site are considered activity.
  2. Idle-session timeout is limited to SharePoint Online and OneDrive for Business browser sessions; however, will sign users out of all Office 365 workloads within that browser session.
  3. It will not sign out users who are on managed devices or select Keep Me Signed In during sign-in.
  4. The WarnAfter and SignOutAfter values cannot be the same.
  5. The policy is applicable to entire tenant and cannot be scoped to user/users or SharePoint sites.

Resources

To learn more about security and compliance with SharePoint & OneDrive visit https://aka.ms/SharePoint-Security.

 

Frequently Asked Questions

Is idle session timeout enabled by default, can I control the settings?

No.  Idle session timeout is disabled by default.  The warning and timeout timespans, as well as enabling idle session timeout are administrator controlled.  Instructions will follow as we start to roll out this feature.

 

Does the policy effect existing signed in sessions?

No, only new sign-ins to new browsers

 

How long does it take to effect across a Tenant following enabling the policy with Windows PowerShell?

Approx. 15 minutes

 

What is considered a managed device?

A device is managed if Azure Active Directory indicates to SharePoint Online that the device state was evaluated, and the device is at least one of the following:

  • Domain joined
  • Compliant

 

Device state claims are not passed in Google Chrome or when using inPrivate mode – device claims are only available on Internet Explorer or Microsoft Edge on Microsoft Windows; however, an absence of device claim does not block this policy from being enforced.  To learn more about device state claims visit https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-technica....

 

NOTE

Using conditional access requires a Azure AD to send device claims which needs a Premium license. To find the right license for your requirements, see Comparing generally available features of the Free, Basic, and Premium editions.

 

Can I hide the Keep me signed in prompt?

Admins can choose to hide this new prompt for users by using the “Show option to remain signed in” setting in company branding.

 

NOTE 

Existing configurations of this setting will carry forward, so if you previously chose to hide the “Keep me signed in” checkbox in your tenant, we won’t show the new prompt to users in your tenant.

This change won’t affect any token lifetime settings you have configured.

7 Comments

Awesome, but what took you so long? I mean the feature was pretty much working flawlessly back when we first saw it at Ignite last year, apart with some glitches with the sign-out dialog in IE :)

 

Any plans to provide scoping in the future? It's easily the number one question I've seen around this functionality.

New Contributor

Can this only be set via PS or using SharePoint Admin center as well?

New Contributor

The ability to scope this to a subset of users for Pilot purposes would be very useful. That said, good job on this one. 

Would it be possible to force sign-out even if users use managed devices or select Keep Me Signed-in option?

Microsoft

@Michael Hunsberger Thanks for the feedback, we'll keep that in mind.

Microsoft

@Rishi Gupta The current plan is to support configuration via Windows PowerShell only.

Microsoft

@Hirofumi OTA Users won't be signed out if they selected to stay signed in when they signed in. For info about hiding this option, see https://go.microsoft.com/fwlink/?linkid=2003520.  

 

Users won't be signed out on a managed device (one that is compliant or joined to a domain), unless they're using inPrivate mode or a browser other than Edge or Internet Explorer. If they use Google Chrome, you need to use an extension to pass the device state claim. For more info about device state claims, see https://go.microsoft.com/fwlink/?linkid=2003424.