On Day 8 of Cybersecurity awareness month, learn to avoid data leakages by configuring Idle Session Timeout. Stay tuned for more blogs in the Cybersecurity blog series.
As we have entered the hybrid work environment, accessing an organization’s resources from web apps on unmanaged devices or shared devices is on the rise. Unmanaged devices offer a huge opportunity for attackers to compromise those devices and lead to data breaches. To protect the company’s sensitive information, Microsoft introduced the idle session timeout settings as an additional layer of security.
Let’s see how idle session timeout balances user productivity and meets the organization’s security and compliance requirements.
“Security is not a product, but a process!”
What is Idle Session Timeout?
Idle session timeout is a feature that automatically signs out users from Microsoft 365 web apps if they are inactive. It prevents data disclosure when users forget to sign out of web applications. It is a tenant-wide feature and will apply to all users in the organization. Also, you should be aware that idle session timeout will not affect Microsoft 365 desktop or mobile apps. The below prompt will be shown while the user has been inactive in the M365 webapps for the timeout period configured.
Firstly, the idle session timeout settings were available only for Outlook web app and SharePoint Online. By analyzing its perks and customer requests, Microsoft later implemented an efficient solution for most of the Microsoft 365 web apps.
The Microsoft 365 web apps include,
- Outlook Web App
- OneDrive for Business
- SharePoint Online
- Word, Excel, PowerPoint on the web
- Microsoft 365 Admin Center
- Office.com, and other start pages
Who can enable Idle Session Timeout?
To enable idle session timeout, you must be assigned with any one of the following roles.
- Global admin
- Security admin
- Application admin
- Cloud Application admin
How to Enable Idle Session Timeout?
For All Devices:
- Open Microsoft 365 admin center.
- Navigate to Settings –> Org settings –> Security & privacy.
- Select Idle session timeout.
- Check in the box to set the period of inactivity for users to be signed off from Office web apps.
- Choose a Timeout Value from the dropdown menu.
- Select Save to configure the idle session timeout setting.
Note – If you pick custom (in minutes) as a time interval, it must be between 5 and 1440 minutes.
For Only Unmanaged Devices:
Instead of turning on idle session timeout on all devices, you can turn it only on unmanaged devices. To enable idle session timeout setting in an unmanaged device, adding a conditional access policy in the Azure AD admin center is necessary.
- Open Azure AD admin center.
- Navigate to Conditional Access –> Policies
- Select New Policy and give a name.
- Choose All Users under Users or workload identities.
- Go to Cloud apps or actions and choose Select apps. Specify Office 365, and then Select.
- Go to Conditions –> Client apps –> Configure to Yes, and then select Done.
- Click Session under Access controls, and pick Use app enforced restrictions, and then Select.
- Enable the policy to On and click Create.
Note – Idle session timeout only on unmanaged devices requires Azure AD Premium P1 and P2 subscription.
Other Things to Keep in Mind About Idle Session Timeout
- The idle session timeout setting configured in Microsoft 365 admin center overrides the existing Outlook web app and SharePoint Online policies.
- When third-party cookies are disabled in the browser, idle session timeout is not supported.
- Users will get signed out only if they are inactive in all Microsoft 365 web apps for the configured duration.
- Idle session timeout can’t be scoped to specific users, groups, or organization units.
- The idle session timeout setting is not yet available for Microsoft 365 operated by 21Vianet or Microsoft Germany.
I hope this blog has covered everything you want to know about the ‘Idle Session Timeout’ setting. If there are any queries, feel free to reach us through social media. We would be glad to assist you!