Hello,

I have a disconnect with respect to  activity-based timeout policy  and its usefulness.
How come AAD be involved in the idle-time-out implementation of web-app session ?
Should not an Idle-Timeout  come from the application itself, and if a timeout is detected, the application can invalidate the existing token (although it’s lifetime may still be valid) and redirect the user back to AAD.

So if I have set activity-based timeout  for one web-app (for eg., portal.azure.com)  as 2 hours.
When AAD sends the SAML/ID-token to the app,  would  AAD sends out this activity-based timeout  information so that if application supports it , it can notify the user if user is staring the app-screen for 2 hours.   If user does not do any activity on the app, the  Java-script of the app will send out the sign-out request to AAD to sign the user out.

Am I correct in my understanding ?

Thanks.