EXECUTIVE SUMMARY:

Microsoft recently announced the general availability of tenant-wide idle session timeouts for Microsoft 365 web apps. The feature is intended to protect confidential information on shared or non-company devices that may unintentionally be left unattended for long stretches of time.

When switched on, the session timeout capability ensures that sensitive information cannot easily be compromised during unauthorized access attempts. Such incidents might occur after an employee forgets to log out of an unmanaged machine, despite corporate policies and security training.

Microsoft 365 session timeouts

After IT admins or security professionals enable this new feature, users who have reached the configured period of inactivity (on all device web browsers) will receive a notification about automatic sign-out.

To avoid automatic sign-out, users will have to show that they are not ‘idle’. They will need to continue typing, clicking or otherwise operating the system to indicate that they have not left the workstation.

Microsoft on the 365 timeouts

“Today, we are super pleased to announce the general availability of idle session timeout for Microsoft 365 web apps. IT admins can now configure a tenant-wide timeout policy to automatically sign out users after a period of inactivity on Microsoft 365 web apps,” stated Microsoft’s Principal Product Manager, Namit Gupta.

Functionality rollout information

Microsoft reports that the functionality will be rolled out in Microsoft 365 worldwide cloud environments from June to August of 2022. Covered apps will include Word, Excel and PowerPoint for the web, Outlook on the web, OneDrive for the web, SharePoint and the Microsoft 365 admin center.

Initial design of 365 session timeouts

Microsoft started to develop the idle session timeout feature several years ago. It first became available to Outlook Web App (OWA), OneDrive and SharePoint Online (SPO) users in October of 2017. In 2018, the feature gained greater visibility and saw expanded use.

In October of 2019, Microsoft said that engineers had started work on a new tenant-wide idle session timeout feature. This was intended for Microsoft 365 web apps and was designed to prevent information exposure.

The full list of Microsoft 365 web apps for which the new feature applies includes:

  • Outlook Web App
  • OneDrive for Business
  • SharePoint Online (SPO)
  • com and other start pages
  • Office (Word, Excel, PowerPoint) on the web
  • Microsoft 365 Admin Center

In the Microsoft 365 admin center, IT or security admins can enable idle session timeout by toggling “Idle session timeout” in Org Settings -> Security & Privacy. Within a few minutes, the idle session policy will be activated across the entire organization.

Further information

The session timeout feature received renewed attention as businesses demanded stronger security for employees working from home. “Based on multiple customer conversations and feedback sessions, it became evident that our customers were looking for a more predictable and coherent solution covering the entirety of Microsoft 365 web apps,” stated Microsoft.

Idle session timeout functions as a control that lets organizations balance user productivity with security, enabling them to meet security objectives and requirements.

Microsoft anticipates that the security update will enhance the overall security posture of all organizations that leverage its platforms. In addition to improving overall security, Microsoft expects that the session timeout feature will also help businesses remain compliant with data privacy laws and regulations.

For more on this story, visit Bleeping Computer.