There’s a new culture of work; one that is increasingly diverse, geographically distributed, and mobile. Connectivity is ubiquitous and the ability to work remotely has become an ingrained part of the work practice. People have come to expect to be able to access email and documents from anywhere on any device - and for that experience to be seamless, among these trends includes the increasing use of shared systems, such as kiosks to access and work with corporate data. In order to help safeguard your information on these systems, we’re introducing new idle session timeout policies rolling out as preview on November 6, 2017 and changes to the “Keep me signed in” experience with Office 365.
Idle session timeout provides an Office 365 administrator to configure a threshold at which a user is warned and subsequently signed out of SharePoint or OneDrive after a period of inactivity as illustrated below.
The demonstration below illustrates the idle session timeout policy enacted on a site that is also configured with site-scoped limited access policies.
Idle session timeout policies allow Office 365 administrators to automatically sign out inactive sessions preventing the overexposure of information in the event a user leaves a shared system unattended.
Idle session timeout takes a dependency on the Keep me signed in signal. In scenarios where Keep me signed in is selected at authentication, the client will not honor the idle session timeout.
In addition to the new idle session timeout policy we’re rolling out in preview, in late September we updated the keep me signed in experience, replacing the “Keep me signed in” checkbox that appears on the sign-in flow with a prompt that shows after the user successfully signs in. Idle session timeout interprets this signal and where selected does not affect the client where "Keep me signed in" has been selected, on devices where "Keep me signed in" is not selected, the policy applies.
In addition to those recent changes, we’re also adding a layer of protection to intelligently hide this prompt if we detect a shared device, or a high-risk sign-in. Our goal is to decrease the number of times users are prompted to authenticate. Although the new screen adds a small amount of friction up front, users get a better long-term experience as they get less sign-in prompts when they use our services.
This prompt asks the user if they would like to remain signed in. Responding “Yes” to this drops a persistent refresh token, the same behavior as when the user checks the old “Keep me signed in” checkbox.
For federated tenants, this prompt will show after the user successfully authenticates with the federated identity service. Some things to consider: - During the Public Preview period of the new sign-in experience, this new “Keep me signed in” prompt will only show when users opt-in to the new sign-in experience. Users using the old experience will continue to see the checkbox and will not get the prompt. - You can choose to hide this new prompt for your users by using the “Show option to remain signed in” setting in company branding. Existing configurations of this setting will carry forward, so if you previously chose to hide the “Keep me signed in” checkbox on your tenant, we won’t show the new prompt to your users. - This change will not affect any token lifetime settings you have configured.
Configuring Idle Session Timeout
Idle-session timeout is configured using Windows PowerShell.
Before you get started using PowerShell to manage SharePoint Online, make sure that the SharePoint Online Management Shell is installed and you have connected to SharePoint Online.
Install the SharePoint Online Management Shell by downloading and running the SharePoint Online Management Shell. You only need to do this once for each computer from which you are running SharePoint Online PowerShell commands.
To open the SharePoint Online Management Shell command prompt, from the Start screen, type sharepoint, and then click SharePoint Online Management Shell.
To connect to SharePoint Online with a username and password run the following commands at the SharePoint Online Management Shell command prompt:
Connect-SPOService -Url https://<Tenant>-admin.sharepoint.com
To configure idle-session timeout run the following commands at the SharePoint Online Management Shell command prompt:
Set-SPOBrowserIdleSignOut -Enabled $true -WarnAfter (New-TimeSpan -Seconds 1200) -SignOutAfter (New-TimeSpan -Seconds 1500)
-Enabled specifies whether idle session timeout is enabled or disabled using $true, $false respectively.
-WarnAfter specifies the amount of after which a user is notified that they will be signed out after a period of inactivity as a New-TimeSpan which can be configured in seconds, minutes, or hours.
-SignOutAfter specifies the amount of time after which is a user is signed out of Office 365 if they do not respond to the -WarnAfter prompt.
To view the idle browser sign-out settings, use the Get-SPOBrowserIdleSignOut cmdlet.
- Mouse movement or scrolling up and down is not included as activity. Activity is counted as requests sent to SharePoint Online. Mouse clicks within the context of a site are considered activity.
- Idle-session timeout is limited to SharePoint Online browser sessions; however, will sign users out of all Office 365 workloads within that browser session.
- It will not sign out users who are on managed devices or select Keep Me Signed In during sign-in.
- Idle session timeout is currently limited to Classic sites. A fix will be rolled out to support Modern sites soon.
- The WarnAfter and SignOutAfter values cannot be the same.
- The policy scope is Tenant-wide.
Frequently Asked Questions
When will idle session timeout start rolling out as preview?
November 6, 2017
Is idle session timeout enabled by default, can I control the settings?
No. Idle session timeout is disabled by default. The warning and timeout timespans, as well as enabling idle session timeout are administrator controlled. Instructions will follow as we start to roll out this feature.
Does the policy effect existing signed in sessions?
No, only new sign-ins to new browsers
How long does it take to effect?
Approx. 15 minutes
What is considered a managed device?
A device is managed if Azure Active Directory indicates to SharePoint Online that the device state was evaluated and the device is at least one of the following:
- Domain joined
Device state claims are not passed in Google Chrome or when using inPrivate mode – device claims are only available on Internet Explorer or Microsoft Edge on Microsoft Windows.
Can I hide the Keep me signed in prompt?
During the public preview period of the new sign-in experience, the updated “Keep me signed in” prompt will only show when users opt into the new sign-in experience. Users using the old experience will continue to see the checkbox and will not get the prompt.
Admins can choose to hide this new prompt for users by using the “Show option to remain signed in” setting in company branding.
Existing configurations of this setting will carry forward, so if you previously chose to hide the “Keep me signed in” checkbox in your tenant, we won’t show the new prompt to users in your tenant.
This change won’t affect any token lifetime settings you have configured.
When will idle-session timeout be generally available?