Policy in office 365 to block users after a period of inactivity

%3CLINGO-SUB%20id%3D%22lingo-sub-214897%22%20slang%3D%22en-US%22%3EPolicy%20in%20office%20365%20to%20block%20users%20after%20a%20period%20of%20inactivity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-214897%22%20slang%3D%22en-US%22%3E%3CP%3EI%20want%20to%20apply%20a%20policy%20that%20automatically%20blocks%20a%20user%20from%20sign%20in%20after%20a%20period%20of%20time.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20know%20I%20can%20see%20inactive%20user%20reports%3C%2FP%3E%3CP%3EI%20know%20how%20to%20manually%20block%20users%3C%2FP%3E%3CP%3EI%20know%20I%20can%20run%20a%20power%20shell%20script%20to%20find%20inactive%20users%20and%20block%20them%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20looking%20for%20a%20way%20to%20automatically%20block%20these%20users%20with%20out%20IT%20having%20to%20do%20something.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-214897%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EOffice365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-214987%22%20slang%3D%22en-US%22%3ERe%3A%20Policy%20in%20office%20365%20to%20block%20users%20after%20a%20period%20of%20inactivity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-214987%22%20slang%3D%22en-US%22%3EThat%20only%20expires%20the%20session%20though%2C%20not%20block%2Fdisable%20the%20user.%20I%20believe%20Stefanie%20was%20asking%20about%20blocking%20accounts.%20Could%20do%20configurable%20tokens%20in%20AAD%20(soon%20to%20be%20part%20of%2Freplaced%20by%20Conditional%20Access)%20if%20we're%20just%20talking%20about%20session%20timeouts.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-214976%22%20slang%3D%22en-US%22%3ERe%3A%20Policy%20in%20office%20365%20to%20block%20users%20after%20a%20period%20of%20inactivity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-214976%22%20slang%3D%22en-US%22%3E%3CP%3EThanks.%20It%20is%20for%20compliance.%20I%20don't%20let%20any%20users%20sit%20out%20there%20that%20long%20that%20are%20inactive%20or%20should%20be%20disabled.%20This%20requirement%20is%20to%20%22check%20the%20box%22%20that%20compliance%20is%20met.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-214972%22%20slang%3D%22en-US%22%3ERe%3A%20Policy%20in%20office%20365%20to%20block%20users%20after%20a%20period%20of%20inactivity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-214972%22%20slang%3D%22en-US%22%3E%3CP%3EWell%20we%20have%20a%20similar%20feature%20in%20SPO%3A%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FMicrosoft-SharePoint-Blog%2FIntroducing-Idle-Session-Timeout-in-SharePoint-and-OneDrive%2Fba-p%2F119208%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FMicrosoft-SharePoint-Blog%2FIntroducing-Idle-Session-Timeout-in-SharePoint-and-OneDrive%2Fba-p%2F119208%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBut%20that%20will%20only%20trigger%20when%20the%20user%20is%20idling%20on%20a%20SPO%20site%2C%20not%20for%20any%20other%20O365%20app.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-214903%22%20slang%3D%22en-US%22%3ERe%3A%20Policy%20in%20office%20365%20to%20block%20users%20after%20a%20period%20of%20inactivity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-214903%22%20slang%3D%22en-US%22%3E%3CP%3EThere%20is%20no%20policy%20built%20in%20to%20Office%20365%20that%20matches%20what%20you're%20describing%20(automatically%20block%20users%20from%20signing%20in%20after%20a%20specific%20period%20of%20inactivity).%20You%20could%20however%20create%20an%20%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fen-us%2Fservices%2Ffunctions%2F%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20function%3C%2FA%3E%20or%20a%20scheduled%20task%20on%20a%20server%20to%20run%20a%20PowerShell%20script%20to%20find%20inactive%20users%20and%20block%20them%20on%20a%20regular%20basis.%20That%20would%20be%20my%20best%20approach%20to%20this.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'd%20be%20curious%20to%20hear%20more%20about%20the%20use%20case%20for%20this%20though.%20Is%20this%20a%20security%20measure%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1727047%22%20slang%3D%22en-US%22%3ERe%3A%20Policy%20in%20office%20365%20to%20block%20users%20after%20a%20period%20of%20inactivity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1727047%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F154924%22%20target%3D%22_blank%22%3E%40Stefanie%20Cortese%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ELook%20into%20the%20below%20link%2C%20that%20might%20be%20helpful%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Freports-monitoring%2Fhowto-manage-inactive-user-accounts%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Freports-monitoring%2Fhowto-manage-inactive-user-accounts%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

I want to apply a policy that automatically blocks a user from sign in after a period of time.

 

I know I can see inactive user reports

I know how to manually block users

I know I can run a power shell script to find inactive users and block them

 

I am looking for a way to automatically block these users with out IT having to do something. 

5 Replies
Highlighted

There is no policy built in to Office 365 that matches what you're describing (automatically block users from signing in after a specific period of inactivity). You could however create an Azure function or a scheduled task on a server to run a PowerShell script to find inactive users and block them on a regular basis. That would be my best approach to this.

 

I'd be curious to hear more about the use case for this though. Is this a security measure?

Highlighted

Well we have a similar feature in SPO: https://techcommunity.microsoft.com/t5/Microsoft-SharePoint-Blog/Introducing-Idle-Session-Timeout-in...

 

But that will only trigger when the user is idling on a SPO site, not for any other O365 app.

Highlighted

Thanks. It is for compliance. I don't let any users sit out there that long that are inactive or should be disabled. This requirement is to "check the box" that compliance is met. 

Highlighted
That only expires the session though, not block/disable the user. I believe Stefanie was asking about blocking accounts. Could do configurable tokens in AAD (soon to be part of/replaced by Conditional Access) if we're just talking about session timeouts.