Idle-Session Timeout Policy in SharePoint Online & OneDrive is now Generally Available

Published Jul 02 2018 09:00 AM

There’s a new culture of work, one that is increasingly diverse, geographically distributed, and mobile. Connectivity is ubiquitous and the ability to work remotely has become an ingrained part of the work practice. People have come to expect to be able to access email and documents from anywhere on any device, and for that experience to be seamless. Among these trends is the increasing use of shared systems, such as kiosks, to access and work with corporate data.


SharePoint and OneDrive include a set of controls to help keep your data safe no matter where people are when they access or share data, what device they’re working on, and how secure their network connection is.  These controls can help you customize the level of access granted to people while making sure the resulting constraints meet your organizational security requirements. They also allow you to balance security and user productivity and prevent overexposure, leakage, and oversharing of your sensitive data.


To help safeguard your information on these systems, we’re pleased to announce idle session timeout policies are now generally available.


Session lifetimes are an important part of authentication for Office 365 and are an important component in balancing security and the number of times users are prompted for their credentials.


Idle session timeout lets an Office 365 administrator configure a threshold at which a user is warned and subsequently signed out of SharePoint or OneDrive after a period of inactivity.





In the demonstration above, the Tenant is configured with the idle-session timeout policy. A user is working with content on a sensitive site (Legal) configured with Unmanaged Device-Based Access Policies on a shared system and has left that session unattended. Following a period of 15 seconds, a prompt indicates the session is about to be terminated. If a response is not received within 10 seconds, the session is closed, preventing unintended overexposure of information.


Idle session timeout policies allow Office 365 administrators to automatically sign out inactive sessions, preventing the overexposure of information in the event a user leaves a shared system unattended.


Configuring Idle Session Timeout


Idle-session timeout is configured using Windows PowerShell.


Before you get started using PowerShell to manage SharePoint Online, make sure that the SharePoint Online Management Shell is installed, and you have connected to SharePoint Online.


Install the SharePoint Online Management Shell by downloading and running the SharePoint Online Management Shell. You only need to do this once for each computer from which you are running SharePoint Online PowerShell commands.


To open the SharePoint Online Management Shell command prompt, from the Start screen, type sharepoint, and then click SharePoint Online Management Shell.


To connect to SharePoint Online with a username and password, run the following command at the SharePoint Online Management Shell command prompt:


Connect-SPOService -Url https://<Tenant>


To configure idle-session timeout, run the following command at the SharePoint Online Management Shell command prompt:


Set-SPOBrowserIdleSignOut -Enabled $true -WarnAfter (New-TimeSpan -Seconds 2700) -SignOutAfter (New-TimeSpan -Seconds 3600)



-Enabled specifies whether idle session timeout is enabled or disabled using $true, $false respectively.

-WarnAfter specifies the amount of time after which a user is notified that they will be signed out after a period of inactivity, as a New-TimeSpan which can be configured in seconds, minutes, or hours.

-SignOutAfter specifies the amount of time after which a user is signed out of Office 365 if they do not respond to the -WarnAfter prompt.


To view the idle browser sign-out settings, use the Get-SPOBrowserIdleSignOut cmdlet.



  1. Mouse movement or scrolling up and down is not included as activity. Activity is counted as requests sent to SharePoint Online.  Mouse clicks within the context of a site are considered activity.
  2. Idle-session timeout is limited to SharePoint Online and OneDrive for Business browser sessions; however, it will sign users out of all Office 365 workloads within that browser session.
  3. It will not sign out users who are on managed devices or select Keep Me Signed In during sign-in.
  4. The WarnAfter and SignOutAfter values cannot be the same.
  5. The policy applies to the entire tenant and cannot be scoped to individual users or SharePoint sites.
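
The connect, configure and view steps above can be combined into one script that rejects value pairs the notes rule out before it changes the tenant, then reads the policy back. This is an added example, not Microsoft's code: the $AdminUrl parameter and the Test-IdleSignOutValues helper are hypothetical names, and the Enabled, WarnAfter and SignOutAfter properties on the Get-SPOBrowserIdleSignOut output are assumed to mirror the cmdlet's parameters.

```powershell
# Added example: apply the tenant-wide idle sign-out policy and confirm it.
# Assumes the SharePoint Online Management Shell is installed.
param(
    [Parameter(Mandatory)]
    [string]   $AdminUrl,                                    # URL passed to Connect-SPOService
    [timespan] $WarnAfter    = (New-TimeSpan -Seconds 2700), # values from the article
    [timespan] $SignOutAfter = (New-TimeSpan -Seconds 3600)
)

# Hypothetical helper: fail before touching the tenant if the pair is unusable.
function Test-IdleSignOutValues {
    param([timespan] $WarnAfter, [timespan] $SignOutAfter)

    if ($WarnAfter -le [timespan]::Zero) {
        throw 'WarnAfter must be a positive time span.'
    }
    if ($WarnAfter -eq $SignOutAfter) {
        throw 'WarnAfter and SignOutAfter cannot be the same.'
    }
    if ($WarnAfter -gt $SignOutAfter) {
        # Same ordering as the article's example: warn first, sign out later.
        throw 'WarnAfter must be shorter than SignOutAfter.'
    }
}

Test-IdleSignOutValues -WarnAfter $WarnAfter -SignOutAfter $SignOutAfter

Connect-SPOService -Url $AdminUrl

# Keep the previous settings so the change can be reviewed or rolled back.
$before = Get-SPOBrowserIdleSignOut
Set-SPOBrowserIdleSignOut -Enabled $true -WarnAfter $WarnAfter -SignOutAfter $SignOutAfter
$after = Get-SPOBrowserIdleSignOut

Write-Output 'Previous policy:'; $before | Format-List
Write-Output 'Current policy:';  $after  | Format-List

# Property names below are assumed to match the parameter names.
if (-not $after.Enabled -or
    $after.WarnAfter -ne $WarnAfter -or
    $after.SignOutAfter -ne $SignOutAfter) {
    Write-Warning 'Policy read back from the tenant does not match the requested values.'
}
```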


To learn more about security and compliance with SharePoint & OneDrive visit


Frequently Asked Questions

Is idle session timeout enabled by default, can I control the settings?

No.  Idle session timeout is disabled by default.  The warning and timeout timespans, as well as enabling idle session timeout are administrator controlled.  Instructions will follow as we start to roll out this feature.


Does the policy affect existing signed-in sessions?

No, only new sign-ins to new browsers.


How long does the policy take to take effect across a Tenant after it is enabled with Windows PowerShell?

Approx. 15 minutes.


What is considered a managed device?

A device is managed if Azure Active Directory indicates to SharePoint Online that the device state was evaluated, and the device is at least one of the following:

  • Domain joined
  • Compliant


Device state claims are not passed in Google Chrome or when using inPrivate mode – device claims are only available on Internet Explorer or Microsoft Edge on Microsoft Windows; however, an absence of device claim does not block this policy from being enforced.  To learn more about device state claims visit



Using conditional access requires Azure AD to send device claims, which requires a Premium license. To find the right license for your requirements, see Comparing generally available features of the Free, Basic, and Premium editions.


Can I hide the Keep me signed in prompt?

Admins can choose to hide this new prompt for users by using the “Show option to remain signed in” setting in company branding.



Existing configurations of this setting will carry forward, so if you previously chose to hide the “Keep me signed in” checkbox in your tenant, we won’t show the new prompt to users in your tenant.

This change won’t affect any token lifetime settings you have configured.


Awesome, but what took you so long? I mean the feature was pretty much working flawlessly back when we first saw it at Ignite last year, apart from some glitches with the sign-out dialog in IE :)


Any plans to provide scoping in the future? It's easily the number one question I've seen around this functionality.


Can this only be set via PS or using SharePoint Admin center as well?

New Contributor

The ability to scope this to a subset of users for Pilot purposes would be very useful. That said, good job on this one. 

Would it be possible to force sign-out even if users use managed devices or select Keep Me Signed-in option?


@Michael Hunsberger Thanks for the feedback, we'll keep that in mind.


@Rishi Gupta The current plan is to support configuration via Windows PowerShell only.


@Hirofumi OTA Users won't be signed out if they selected to stay signed in when they signed in. For info about hiding this option, see  


Users won't be signed out on a managed device (one that is compliant or joined to a domain), unless they're using inPrivate mode or a browser other than Edge or Internet Explorer. If they use Google Chrome, you need to use an extension to pass the device state claim. For more info about device state claims, see 

Occasional Contributor

@Bill Baer I don't think this covers my use case, so keen to understand if it can be done.

  • We have firstline workers accessing a SharePoint Online site
  • Devices could be a shared back-office Windows 10 PC (using Chrome) or a shared Android Enterprise tablet (using Edge)
  • Authentication is done via ADFS
  • We want the firstline workers to be signed out after 15 mins of inactivity


I'm thinking I need to hide the "keep me signed in" box on ADFS (not Azure AD) and apply the timeout discussed here but I only want it to affect those specific firstline workers, ideally just for that one particular SharePoint site.


Is it possible/on the roadmap?

Respected Contributor

@Bill Baer your link to more info about device state claims points to a Microsoft sales site.

New Contributor



Is it possible to check the current settings on the SharePoint online site?

There are some weird problems on our SharePoint site that might be caused by this feature.

Thank you,



New Contributor

What happens to a checked out document?  Is there a way to automatically check a document after a period of inactivity?

Last update: Jul 02 2018 09:18 AM