Forum Discussion
Idle session timeout Conditional access policy for unmanaged devices
What is the default time period for the Idle session timeout policy in Conditional Access? I was looking for a way to create this policy for unmanaged devices in the tenant, and when I checked there is no filter or checkbox where we can enter or set a time period for idle sessions on unmanaged devices.
Here is the link I was looking at to create the policy for unmanaged devices: https://learn.microsoft.com/en-us/microsoft-365/admin/manage/idle-session-timeout-web-apps?view=o365-worldwide#turn-on-idle-session-timeout:~:text=Idle%20session%20timeout%20on%20unmanaged%20devices
See the snapshot below.
- ericsawatzky (Copper Contributor)
To use that you need to set the idle timeout in the Microsoft 365 admin center first. Go to Settings > Org settings > Security & Privacy tab > Idle session timeout.
This is what will be used when you set the conditional access policy.
This is one of the CIS Microsoft 365 benchmarks if you want to see more about the configuration: https://www.cisecurity.org/benchmark/microsoft_365
- VinodS2020 (Brass Contributor)
I wanted to set this policy for unmanaged devices only, as per the link I shared in the question about unmanaged devices. What is the timeout for it, and how can we change or customize it?
- ericsawatzky (Copper Contributor)
The below configuration is taken from the CIS Microsoft 365 Benchmark recommendation "1.7 (L1) Ensure 'Idle session timeout' is set to '1 hour (or less)' for unmanaged devices". You can grab a free copy of the benchmarks with more details on this recommendation at: https://www.cisecurity.org/benchmark/microsoft_365.
Step 1 - configure Idle session timeout:
1. Navigate to the Microsoft 365 admin center https://admin.microsoft.com/.
2. Click to expand Settings, then select Org settings.
3. Click Security & Privacy tab.
4. Select Idle session timeout.
5. Check the box "Turn on to set the period of inactivity for users to be signed off of Microsoft 365 web apps".
6. Set a value of 1 hour.
7. Click save.
Step 2 - Ensure the Conditional Access policy is in place:
1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/
2. Expand Azure Active Directory > Protect & secure > Conditional Access
3. Click New policy and give the policy a name.
4. Select Users > All users.
5. Select Cloud apps or actions > Select apps, and select Office 365.
6. Select Conditions > Client apps > Yes, check only Browser, unchecking all other boxes.
7. Select Sessions and check Use app enforced restrictions.
8. Set Enable policy to On and click Create.
NOTE: To ensure that idle timeouts affect only unmanaged devices, both steps must be completed.
Hope that helps,
Eric
- Vicky_bom3 (Brass Contributor)
Hello Vinod,
I'm in agreement with PablovaLatam that it should work automatically, as we have already enabled it in our environment (but I will double confirm as soon as I have time). But if you want to be extra cautious, I think you can apply this policy to all users, while the idle session timeout should sign out on unmanaged devices only, as you can use the "Filter for devices" option in the CA policy to exclude managed/compliant devices so that it will only apply to unmanaged devices.
Maybe I'm wrong, as I haven't tried this with the filter for devices option, but this could be a way to achieve it safely.
Thanks
Vicky Rajdev
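As an added example (not code from this thread, from CIS, or from Microsoft), the following Microsoft Graph PowerShell script builds the Conditional Access policy from Eric's Step 2 above (all users, Office 365, browser client only, "Use app enforced restrictions") and adds the device-filter exclusion Vicky describes, so the app-enforced idle timeout only reaches sessions from devices that are neither Intune-compliant nor hybrid Azure AD joined. It then lists every policy in the tenant that applies app-enforced restrictions to browser sessions, so an admin can confirm which ones carry a device filter. The policy name, the definition of "managed" used in the filter rule, and the choice to create the policy in report-only mode are assumptions of this example; Step 1 (the admin center idle session timeout value) has no Graph call here and still has to be set in the admin center as described above.

```powershell
# Added example, not part of the thread. Assumes the Microsoft.Graph PowerShell SDK is
# installed and the signed-in admin can consent to Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

# Constructed policy name; change to match your tenant's naming convention.
$policyName = "CIS 1.7 - Idle session timeout for unmanaged devices (browser)"

$params = @{
    displayName = $policyName
    # Assumption: start in report-only mode so the effect can be reviewed in sign-in
    # logs before switching the state to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All") }                 # Step 2.4: All users
        applications   = @{ includeApplications = @("Office365") }    # Step 2.5: Office 365
        clientAppTypes = @("browser")                                  # Step 2.6: Browser only
        devices        = @{
            # Vicky's addition: exclude managed devices with a device filter.
            # Assumed definition of "managed": Intune-compliant or hybrid Azure AD joined.
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'
            }
        }
    }
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true }       # Step 2.7
    }
}

# Do not create a duplicate if a policy with this name already exists.
$existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$policyName'"
if ($existing) {
    Write-Warning "Policy '$policyName' already exists (id $($existing.Id)); not creating another."
} else {
    $policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
    Write-Output "Created policy $($policy.Id) in report-only mode."
}

# Audit: show every policy that applies app-enforced restrictions to browser sessions,
# with its state, target apps and device filter rule (empty rule = applies to all devices).
Get-MgIdentityConditionalAccessPolicy | Where-Object {
    $_.SessionControls.ApplicationEnforcedRestrictions.IsEnabled -eq $true -and
    $_.Conditions.ClientAppTypes -contains "browser"
} | ForEach-Object {
    [pscustomobject]@{
        Name         = $_.DisplayName
        State        = $_.State
        Apps         = ($_.Conditions.Applications.IncludeApplications -join ",")
        DeviceFilter = $_.Conditions.Devices.DeviceFilter.Rule
    }
} | Format-Table -AutoSize
```

The audit at the end is the useful part for the question in this thread: a policy that shows an empty DeviceFilter column applies the app-enforced idle timeout to browser sessions from every device, while one with the exclusion rule above limits it to devices the tenant does not treat as managed. Whichever approach you settle on, the actual timeout value still comes only from the admin center setting in Step 1.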