Idle Session Timeout Settings Now Available Across Microsoft 365 Web Apps
Microsoft on Tuesday announced the "general availability" commercial release of idle session timeout settings for Microsoft 365 Web apps.
With this capability, organizations can specify when end users need to reenter their credentials to use Microsoft 365 Web apps after a period of inactivity. Microsoft already had such a capability for Outlook on the Web and SharePoint Web apps, but now it'll work with other Microsoft 365 Web apps, too.
Those supported Web apps include "Office.com, Word, Excel, PowerPoint for the web, Outlook on the web, OneDrive for the web, SharePoint, and Microsoft 365 admin center," the announcement indicated.
The idle session timeout settings can be used to deter possible data disclosures when remote workers forget to sign out of Web apps. IT departments can even set idle session timeout settings that will apply to unmanaged devices, which seems to be Microsoft's main use-case concept for this capability.
The ability to set idle session timeout settings for Microsoft 365 Web apps is said to be available worldwide, although Microsoft is gradually rolling it out to tenancies between June and August of this year. It's not yet available to government subscribers, but it'll be available to them "later this year," the announcement promised.
Nuances of these idle session timeout settings for Microsoft 365 Web apps are described in this Microsoft document, although at press time the document still referred to a "preview." The policies are set in the Microsoft 365 Admin Center Portal, and they override any policies previously set for the Outlook Web app or SharePoint Web app.
The idle session timeout settings will apply to an entire Microsoft 365 tenancy. While the settings can't be specified for specific users, it's possible to "use Azure AD Conditional Access policies for different users and groups to access SharePoint and Exchange Online," the document indicated.
The idle session timeout settings won't apply if users have logged into a single sign-in session from a domain-joined account. The settings also won't apply if users "selected Stay signed in at the time of sign-in," the document added.
The settings also won't get triggered on managed devices with supported browsers, although the explanation provided by Microsoft's document on this point is very confusing.
Also, browsers need to be configured to accept third-party cookies to use the idle session timeout capability. "We recommend keeping tracking prevention setting to Balanced (Default) for Microsoft Edge, and third-party cookies enabled in your other browsers," the document indicated.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.