There’s a new culture of work; one that is increasingly diverse, geographically distributed, and mobile. Connectivity is ubiquitous and the ability to work remotely has become an ingrained part of the work practice. People have come to expect to be able to access email and documents from anywhere on any device - and for that experience to be seamless, among these trends includes the increasing use of shared systems, such as kiosks to access and work with corporate data.
SharePoint and OneDrive include a set of controls to help keep your data safe no matter where people are when they access or share data, what device they’re working on, and how secure their network connection is. These controls can help you customize the level of access granted to people while making sure the resulting constraints meet your organizational security requirements. They also allow you to balance security and user productivity and prevent overexposure, leakage, and oversharing of your sensitive data.
To help safeguard your information on these systems, we’re pleased to announce idle session timeout policies are now generally available.
Session lifetimes are an important part of authentication for Office 365 and are an important component in balancing security and the number of times users are prompted for their credentials.
Idle session timeout provides an Office 365 administrator to configure a threshold at which a user is warned and subsequently signed out of SharePoint or OneDrive after a period of inactivity.
In the demonstration above, the Tenant is configured with the idle-session timeout policy. A user is working with content on a sensitive site (Legal) configured with Unmanaged Device-Based Access Policies on a shared system and has left that session unattended. Following a period of 15 seconds a prompt indicates the session is about to be terminated and in the event a response is not received within 10 seconds, the session is subsequently closed preventing unintended overexposure of information.
Idle session timeout policies allow Office 365 administrators to automatically sign out inactive sessions preventing the overexposure of information in the event a user leaves a shared system unattended.
Idle-session timeout is configured using Windows PowerShell.
Before you get started using PowerShell to manage SharePoint Online, make sure that the SharePoint Online Management Shell is installed, and you have connected to SharePoint Online.
Install the SharePoint Online Management Shell by downloading and running the SharePoint Online Management Shell. You only need to do this once for each computer from which you are running SharePoint Online PowerShell commands.
To open the SharePoint Online Management Shell command prompt, from the Start screen, type sharepoint, and then click SharePoint Online Management Shell.
To connect to SharePoint Online with a username and password run the following commands at the SharePoint Online Management Shell command prompt:
Connect-SPOService -Url https://<Tenant>-admin.sharepoint.com
To configure idle-session timeout run the following commands at the SharePoint Online Management Shell command prompt:
Set-SPOBrowserIdleSignOut -Enabled $true -WarnAfter (New-TimeSpan -Seconds 2700) -SignOutAfter (New-TimeSpan -Seconds 3600)
-Enabled specifies whether idle session timeout is enabled or disabled using $true, $false respectively.
-WarnAfter specifies the amount of after which a user is notified that they will be signed out after a period of inactivity as a New-TimeSpan which can be configured in seconds, minutes, or hours.
-SignOutAfter specifies the amount of time after which is a user is signed out of Office 365 if they do not respond to the -WarnAfter prompt.
To view the idle browser sign-out settings, use the Get-SPOBrowserIdleSignOut cmdlet.
To learn more about security and compliance with SharePoint & OneDrive visit https://aka.ms/SharePoint-Security.
Is idle session timeout enabled by default, can I control the settings?
No. Idle session timeout is disabled by default. The warning and timeout timespans, as well as enabling idle session timeout are administrator controlled. Instructions will follow as we start to roll out this feature.
Does the policy effect existing signed in sessions?
No, only new sign-ins to new browsers
How long does it take to effect across a Tenant following enabling the policy with Windows PowerShell?
Approx. 15 minutes
What is considered a managed device?
A device is managed if Azure Active Directory indicates to SharePoint Online that the device state was evaluated, and the device is at least one of the following:
Device state claims are not passed in Google Chrome or when using inPrivate mode – device claims are only available on Internet Explorer or Microsoft Edge on Microsoft Windows; however, an absence of device claim does not block this policy from being enforced. To learn more about device state claims visit https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-technica....
Using conditional access requires a Azure AD to send device claims which needs a Premium license. To find the right license for your requirements, see Comparing generally available features of the Free, Basic, and Premium editions.
Can I hide the Keep me signed in prompt?
Admins can choose to hide this new prompt for users by using the “Show option to remain signed in” setting in company branding.
Existing configurations of this setting will carry forward, so if you previously chose to hide the “Keep me signed in” checkbox in your tenant, we won’t show the new prompt to users in your tenant.
This change won’t affect any token lifetime settings you have configured.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.