
Enhancing Security with Idle Session Timeout in Microsoft 365


Idle sessions pose a real security risk, especially on unmanaged devices. Configuring an idle session timeout mitigates this risk by automatically signing out users after a specified period of inactivity. This blog post walks through setting up an idle session timeout for Microsoft 365 web apps so that inactive users are signed out after three hours (or less). This control belongs to the CIS E3 Level 1 profile and is aimed primarily at unmanaged devices.

Why Configure Idle Session Timeout?

Idle session timeout ensures that users are signed out of Microsoft 365 web apps after a period of inactivity. This helps protect sensitive company data from unauthorized access, especially on devices that are not managed by Intune MDM. CIS recommends a timeout of 3 hours or less. Supported web apps include:

  • Outlook Web App
  • OneDrive for Business
  • SharePoint Online (SPO)
  • Office.com and other start pages
  • Office (Word, Excel, PowerPoint) on the web
  • Microsoft 365 Admin Center

Rationale

Automatically signing out inactive users adds a layer of security, reducing the risk of unauthorized access to sensitive information. This is particularly crucial for unmanaged devices that may be left unattended. Ensuring idle sessions are terminated can prevent unauthorized individuals from accessing corporate data.

Configuring Idle Session Timeout

Step 1: Configuring Idle Session Timeout

  1. Navigate to Microsoft 365 Admin Center
  2. Access Org Settings
    • Click on Settings.
    • Select Org settings.


  3. Set Idle Session Timeout
    • Click on the Security & Privacy tab.


    • Select Idle session timeout.
    • Enable the setting by checking Turn on.
    • Set the period of inactivity to 3 hours or less.


Step 2: Setting Up Conditional Access Policy

To ensure that the idle timeout affects only unmanaged devices, you also need a Conditional Access policy that applies app-enforced restrictions to browser sessions.

  1. Navigate to Microsoft Entra Admin Center
  2. Access Conditional Access Policies
    • Expand Protect.
    • Click on Conditional Access.
  3. Create or Modify Conditional Access Policy
    • Ensure the policy meets the following conditions:
      • Users: Set to All users.
      • Cloud apps or actions: Select Office 365.
      • Conditions > Client apps: Set to Browser only.
      • Session: Set to Use app enforced restrictions.
      • Enable Policy: Set to On.

Impact

Setting an idle session timeout might require users on trusted devices to sign in more frequently, potentially leading to credential prompt fatigue. However, this is a necessary trade-off for the added security it provides on unmanaged devices.

Audit and Verification

  1. Verify Idle Session Timeout Configuration
    • Ensure the idle session timeout is set as described in Step 1.
  2. Verify Conditional Access Policy
    • Inspect the Conditional Access policies to ensure they match the criteria specified in Step 2.
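The following script is an added example, not part of the original post, that automates the Step 2 audit above: it pulls every Conditional Access policy through Microsoft Graph PowerShell and reports whether any enabled policy matches all five criteria (all users, Office 365, browser only, app-enforced restrictions, policy on). It assumes the Microsoft.Graph.Identity.SignIns module is installed and that the signed-in account can consent to the Policy.Read.All scope; the function name Test-IdleTimeoutCaPolicy is my own.

```powershell
# Added audit example (not from the original post). Requires the Microsoft.Graph
# PowerShell SDK; Policy.Read.All is sufficient for a read-only check.
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

function Test-IdleTimeoutCaPolicy {
    # Evaluate one Conditional Access policy object against the Step 2 criteria.
    param([Parameter(Mandatory)] $Policy)

    $conditions = $Policy.Conditions
    $clientApps = @($conditions.ClientAppTypes)

    [pscustomobject]@{
        DisplayName         = $Policy.DisplayName
        # "Enable policy: On" in the portal corresponds to State = enabled
        # (report-only policies show as enabledForReportingButNotEnforced).
        Enabled             = ($Policy.State -eq 'enabled')
        # "All users" is represented by the literal value "All" in includeUsers.
        AllUsers            = (@($conditions.Users.IncludeUsers) -contains 'All')
        # The Office 365 app group is the literal value "Office365".
        Office365App        = (@($conditions.Applications.IncludeApplications) -contains 'Office365')
        # "Browser only" means the client app list is exactly one entry: browser.
        BrowserOnly         = ($clientApps.Count -eq 1 -and $clientApps[0] -eq 'browser')
        # Session control "Use app enforced restrictions".
        AppEnforcedRestrict = [bool]$Policy.SessionControls.ApplicationEnforcedRestrictions.IsEnabled
    }
}

$results = Get-MgIdentityConditionalAccessPolicy -All |
    ForEach-Object { Test-IdleTimeoutCaPolicy -Policy $_ }

# Show the per-policy breakdown so partial matches are easy to spot.
$results | Format-Table -AutoSize

$compliant = $results | Where-Object {
    $_.Enabled -and $_.AllUsers -and $_.Office365App -and $_.BrowserOnly -and $_.AppEnforcedRestrict
}

if ($compliant) {
    "Policies matching the Step 2 criteria: $($compliant.DisplayName -join ', ')"
} else {
    Write-Warning "No enabled Conditional Access policy matches the Step 2 criteria; the idle timeout will not be limited to unmanaged devices."
}
```

Run the script before and after creating the policy; a policy that is still in report-only mode, or that also includes mobile and desktop clients, shows up as a partial match in the table rather than in the final line.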

By following these steps, you can enhance the security of your Microsoft 365 environment, ensuring that inactive sessions on unmanaged devices are automatically signed out after a set period, reducing the risk of unauthorized access.

Implementing idle session timeout is a straightforward yet effective security measure to protect your organization’s data. Regular audits and adjustments to your Conditional Access policies will ensure that your security posture remains robust.

For more detailed guides and tips on Microsoft 365 security, visit our blog at ThatLazy Admin.

Author: Shaun Hardneck

Stay secure, stay productive!
