Introducing Idle Session Timeout in SharePoint and OneDrive (Preview)
Published Oct 23 2017 01:36 PM 61K Views
Microsoft

There’s a new culture of work; one that is increasingly diverse, geographically distributed, and mobile.  Connectivity is ubiquitous and the ability to work remotely has become an ingrained part of the work practice. People have come to expect to be able to access email and documents from anywhere on any device - and for that experience to be seamless, among these trends includes the increasing use of shared systems, such as kiosks to access and work with corporate data.  In order to help safeguard your information on these systems, we’re introducing new idle session timeout policies rolling out as preview starting on November 6, 2017 and changes to the “Keep me signed in” experience with Office 365.

 

Idle session timeout provides an Office 365 administrator to configure a threshold at which a user is warned and subsequently signed out of SharePoint or OneDrive after a period of inactivity as illustrated below.

 

 

 

Idle session timeout policies allow Office 365 administrators to automatically sign out inactive sessions preventing the overexposure of information in the event a user leaves a shared system unattended.

 

NOTE

Idle session timeout takes a dependency on the Keep me signed in signal.  In scenarios where Keep me signed in is selected at authentication, the client will not honor the idle session timeout. 

 

In addition to the new idle session timeout policy we’re rolling out in preview, in late September we updated the keep me signed in experience, replacing the “Keep me signed in” checkbox that appears on the sign-in flow with a prompt that shows after the user successfully signs in. Idle session timeout interprets this signal and where selected does not affect the client where "Keep me signed in" has been selected, on devices where "Keep me signed in" is not selected, the policy applies.

 

In addition to those recent changes, we’re also adding a layer of protection to intelligently hide this prompt if we detect a shared device, or a high-risk sign-in. Our goal is to decrease the number of times users are prompted to authenticate. Although the new screen adds a small amount of friction up front, users get a better long-term experience as they get less sign-in prompts when they use our services.

 

This prompt asks the user if they would like to remain signed in. Responding “Yes” to this drops a persistent refresh token, the same behavior as when the user checks the old “Keep me signed in” checkbox.

 

For federated tenants, this prompt will show after the user successfully authenticates with the federated identity service. Some things to consider: - During the Public Preview period of the new sign-in experience, this new “Keep me signed in” prompt will only show when users opt-in to the new sign-in experience. Users using the old experience will continue to see the checkbox and will not get the prompt. - You can choose to hide this new prompt for your users by using the “Show option to remain signed in” setting in company branding. Existing configurations of this setting will carry forward, so if you previously chose to hide the “Keep me signed in” checkbox on your tenant, we won’t show the new prompt to your users. - This change will not affect any token lifetime settings you have configured.

 

Configuring Idle Session Timeout

Idle-session timeout is configured using Windows PowerShell.

Before you get started using PowerShell to manage SharePoint Online, make sure that the SharePoint Online Management Shell is installed and you have connected to SharePoint Online.

Install the SharePoint Online Management Shell by downloading and running the SharePoint Online Management Shell. You only need to do this once for each computer from which you are running SharePoint Online PowerShell commands.

To open the SharePoint Online Management Shell command prompt, from the Start screen, type sharepoint, and then click SharePoint Online Management Shell.

To connect to SharePoint Online with a username and password run the following commands at the SharePoint Online Management Shell command prompt:

Connect-SPOService -Url https://<Tenant>-admin.sharepoint.com

To configure idle-session timeout run the following commands at the SharePoint Online Management Shell command prompt:

Set-SPOBrowserIdleSignOut -Enabled $true -WarnAfter (New-TimeSpan -Seconds 1200) -SignOutAfter (New-TimeSpan -Seconds 1500)

Where:

-Enabled specifies whether idle session timeout is enabled or disabled using $true, $false respectively.

-WarnAfter specifies the amount of after which a user is notified that they will be signed out after a period of inactivity as a New-TimeSpan which can be configured in seconds, minutes, or hours.

-SignOutAfter specifies the amount of time after which is a user is signed out of Office 365 if they do not respond to the -WarnAfter prompt.

To view the idle browser sign-out settings, use the Get-SPOBrowserIdleSignOut cmdlet.

NOTE

  1. Mouse movement or scrolling up and down is not included as activity. Activity is counted as requests sent to SharePoint Online.  Mouse clicks within the context of a site are considered activity.
  2. Idle-session timeout is limited to SharePoint Online browser sessions; however, will sign users out of all Office 365 workloads within that browser session.
  3. It will not sign out users who are on managed devices or select Keep Me Signed In during sign-in.
  4. Idle session timeout is currently limited to Classic sites.  A fix will be rolled out to support Modern sites soon.
  5. The WarnAfter and SignOutAfter values cannot be the same.
  6. The policy scope is Tenant-wide.

Frequently Asked Questions

When will idle session timeout start rolling out as preview?

November 6, 2017

 

Is idle session timeout enabled by default, can I control the settings?

No.  Idle session timeout is disabled by default.  The warning and timeout timespans, as well as enabling idle session timeout are administrator controlled.  Instructions will follow as we start to roll out this feature.

 

Does the policy effect existing signed in sessions?

No, only new sign-ins to new browsers

 

How long does it take to effect?

Approx. 15 minutes

 

What is considered a managed device?

A device is managed if Azure Active Directory indicates to SharePoint Online that the device state was evaluated and the device is at least one of the following:

  • Domain joined
  • Compliant

Device state claims are not passed in Google Chrome or when using inPrivate mode – device claims are only available on Internet Explorer or Microsoft Edge on Microsoft Windows.

 

Can I hide the Keep me signed in prompt?

During the public preview period of the new sign-in experience, the updated “Keep me signed in” prompt will only show when users opt into the new sign-in experience. Users using the old experience will continue to see the checkbox and will not get the prompt.

 

Admins can choose to hide this new prompt for users by using the “Show option to remain signed in” setting in company branding.

 

NOTE 

Existing configurations of this setting will carry forward, so if you previously chose to hide the “Keep me signed in” checkbox in your tenant, we won’t show the new prompt to users in your tenant.

 

This change won’t affect any token lifetime settings you have configured.

 

When will idle-session timeout be generally available?

April 2018

18 Comments
Brass Contributor

despite the clear idea of getting better long-term experience for o365 users, i still can't catch the real essence of these changes. Is there a crucial problem in the number of sign-in prompts?

@Bill Baer can you please make sure to work together with the Azure AD team with respect to the KMSI dependence? Especially in federated scenarios where we might be using a smart link to pass the LoginOptions value - I still haven't received a confirmation that this will work with the new sign-in experience they just announced.

 

And btw, the popup looks terrible on IE, with both horizontal and vertical scrollbar visible, please fix that :)

Iron Contributor

Yes, what about the Azure AD Timeouts. So when a user logs into "Portal.office.com", and it has cached the login, if they click on "mail" or "outlook", it will pass authentication right through. We need a way to make the Azure AD session timeout better

 

I see this has to do with the "keep me signed in" policy,, so will this also make session timeouts on OWA/O365 portal too?

Iron Contributor

Bill, thanks for the update.

 

I think that this is another tool that architects and admins can take back to the security team that ensures a better delivery of the policies that we are asked to put in place.  I guess this ensures an improved acceptance of Office 365 and the protection that can be implemented.

 

What might be useful is a decision tree that incorporates all the various sign-in options as they are becoming increasingly difficult to interpret the outcomes of changing the settings and their combinations around Office 365 and Azure sign-in.  I see a risk of innocently enabling a setting to achieve one objective without understanding you have committed everyone to login in again every 3 minutes!!

 

Not the best way to become popular.

 

Steve

Bronze Contributor

did the device state claim functionality in Google Chrome change in the past couple of months?

I'm pretty sure I was able to stay signed in over night previously, but not in the last couple of weeks. Currently when I come back to my device the day after I'm thrown to the "new sign experience" and have the click my email address and from there I'm signed in automatically through ADFS (SSO).

Brass Contributor

Is there information available regarding session timeout for Planner ? I have noticed that Planner times out quite often in comparison to other O365 services.

Copper Contributor

Menerapkan hasil penerapan asuransi dunia.

Copper Contributor

Could this cause companies that use a proxy to drop authentication?  I just started getting errors from OneDrive that I need to re-authenticate 

Microsoft

@David Snodgrass Not that I'm aware of, could you send the question to issofeedback@microsoft.com so we can review and respond.

 

Thanks!

 

Bill

Copper Contributor

Dan saya belum menyadari sebelum aku menemukan apa yang saya terapkan.

Copper Contributor

Now I am suddenly seeing session timeouts in Excel online and there seems to be no powershell command or admin screen toggle to turn these timeouts off.   They are really getting to be a problem popping up every 5 minutes.  Especially when people need to have multiple excel files open at once but can't babysit them constantly.

 

session.jpg

Steel Contributor

Interesting read. I assume this will be disabled by default when it goes out of the 'preview' stage? I like the KMSI feature a lot, and haven't seen a warning yet that says I'm about to be signed out (similar to a bank). What happens when you have multiple tabs open in Edge or other browser and it wants to log you out due to timeout? For example, if I've got tabs for office.com, docs.com, sharepoint admin center, and developing PowerBI solutions in another tab? If I leave and that popup shows up and I don't respond, it will log me out of that window, but what about the others? I would expect to come back and see warnings on all the tabs. Respond when you can @Bill Baer or anyone.

Copper Contributor

 I can see idle timeout warning prompt in Modern UI. Is limitation on modern UI fixed?

Steel Contributor

Hey @Haresh zolapara - which limitation are you eluding to? The fact it only works with modern UI and not with SharePoint 2016 on prem, or ? Please explain. 

Copper Contributor

I am connected via SPO Management shell, and I can run Get-SpoSite to get a list of sites, but when I try to run Set-SPOBrowserIdleSignOut -Enabled $true -WarnAfter (New-TimeSpan -Seconds 1200) -SignOutAfter (New-TimeSpan -Seconds 1500) I get ugly Red Text. [The term 'Get-SPOBrowserIdleSignOut' is not recognized as the name of a cmdlet, function, script file, or operable program.]  Any Ideas? Thank You in advance!

Iron Contributor

@Dale Robertson - What version of the SharePoint Online Management PowerShell Module do you have installed?


Copper Contributor

Hello David,

 

You are 100% on the right track, as it WAS the version.

Installed latest version, and I am good to go!

Thanks for replying.

Copper Contributor

Can you please confirm if/when the Modern UI limitation has been resolved?

Version history
Last update:
‎Apr 28 2018 11:49 AM
Updated by: