- For info about Office 365 session lengths (regardless of activity), see Session timeouts for Office 365.
Session lifetimes are an important part of authentication for Office 365: they balance security against the number of times users are prompted for their credentials.
Idle session sign-out lets you specify a time at which users are warned and subsequently signed out of Office 365 after a period of browser inactivity in SharePoint and OneDrive.
Idle session sign-out is one of a number of policies you can use with SharePoint and OneDrive to balance security and user productivity and help keep your data safe regardless of where users access the data, what device they’re working on, and how secure their network connection is. For more ways to control access in SharePoint and OneDrive, see How SharePoint Online and OneDrive safeguard your data in the cloud.
When idle session sign-out is configured for your organization, users will be prompted to sign out of unattended sessions in SharePoint Online and in OneDrive for Business on unmanaged or non-compliant devices.
To give you control over how you deploy idle session sign-out, we’ve included an organisational-level on/off switch. Idle session sign-out will be released off by default to give you a chance to explore the new capabilities.
Configure the idle session sign-out policy
This policy is configured using Microsoft PowerShell.
Set-SPOBrowserIdleSignOut -Enabled $true -WarnAfter (New-TimeSpan -Seconds 2700) -SignOutAfter (New-TimeSpan -Seconds 3600)
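The following is an added example, not part of the original page: it checks that the warning precedes the sign-out, compares the requested values with the tenant's current policy, and applies the change only when they differ. It assumes the SharePoint Online Management Shell is installed and Connect-SPOService has already been run; the function name Set-IdleSignOutIfChanged is hypothetical, and the property names read from Get-SPOBrowserIdleSignOut are assumed to mirror the Set- cmdlet's parameters.

```powershell
# Added example: validate the timing pair, then apply it only when the tenant differs.
# Assumes the SharePoint Online Management Shell is installed and Connect-SPOService
# has already been run against the tenant admin URL.
function Set-IdleSignOutIfChanged {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [TimeSpan] $WarnAfter,
        [Parameter(Mandatory)] [TimeSpan] $SignOutAfter
    )

    # The warning has to fire before the sign-out for users to have time to react.
    if ($WarnAfter -le [TimeSpan]::Zero -or $WarnAfter -ge $SignOutAfter) {
        throw "WarnAfter ($WarnAfter) must be positive and shorter than SignOutAfter ($SignOutAfter)."
    }

    # Read the current tenant policy. Property names (Enabled, WarnAfter, SignOutAfter)
    # are an assumption: they are taken to mirror the Set- cmdlet's parameters.
    $current = Get-SPOBrowserIdleSignOut

    $inSync = $current.Enabled -and
              $current.WarnAfter -eq $WarnAfter -and
              $current.SignOutAfter -eq $SignOutAfter
    if ($inSync) {
        Write-Verbose "Idle session sign-out already matches the requested values."
        return $current
    }

    if ($PSCmdlet.ShouldProcess("tenant", "Enable idle sign-out: warn $WarnAfter, sign out $SignOutAfter")) {
        Set-SPOBrowserIdleSignOut -Enabled $true -WarnAfter $WarnAfter -SignOutAfter $SignOutAfter
    }

    # Read the policy back so the change is confirmed rather than assumed.
    Get-SPOBrowserIdleSignOut
}

# Same values as the command above: warn after 2700 seconds, sign out after 3600.
Set-IdleSignOutIfChanged -WarnAfter (New-TimeSpan -Seconds 2700) -SignOutAfter (New-TimeSpan -Seconds 3600) -Verbose
```

Run it with -WhatIf first to see whether the tenant would be changed without applying anything.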
Session times for Office 365 services
When users authenticate in any of the Office 365 web apps or mobile apps, a session is established. For the duration of the session, users won’t need to re-authenticate. Sessions can expire when users are inactive, when they close the browser or tab, or when their authentication token expires for other reasons such as when their password has been reset. The Office 365 services have different session timeouts to correspond with the typical use of each service.
The following table lists the session lifetimes for Office 365 services:
|Office 365 service|Session timeout|
|---|---|
|Office 365 Admin center|You are asked to provide credentials for the admin center every 8 hours.|
|SharePoint Online|5 days of inactivity as long as the user chooses Keep me signed in. If the user accesses SharePoint Online again after 24 or more hours have passed from the previous sign-in, the timeout value is reset to 5 days.|
|Outlook Web App|6 hours. You can change this value by using the ActivityBasedAuthenticationTimeoutInterval parameter in the Set-OrganizationConfig cmdlet.|
|Azure Active Directory|Modern authentication uses access tokens and refresh tokens to grant user access to Office 365 resources using Azure Active Directory. An access token is a JSON Web Token provided after a successful authentication and is valid for 1 hour. A refresh token with a longer lifetime is also provided. When access tokens expire, Office clients use a valid refresh token to obtain a new access token. This exchange succeeds if the user’s initial authentication is still valid. Refresh tokens are valid for 90 days, and with continuous use, they can be valid until revoked. Refresh tokens can be invalidated by several events such as:|
|SharePoint and OneDrive mobile apps for Android, iOS, and Windows 10|The default lifetime for the access token is 1 hour. The default max inactive time of the refresh token is 90 days. To revoke the refresh token, you can reset the user’s Office 365 password.|
|Yammer with Office 365 Sign-In|Lifetime of the browser. If users close the browser and access Yammer in a new browser, Yammer will re-authenticate them with Office 365. If users use third-party browsers that cache cookies, they may not need to re-authenticate when they reopen the browser. Note: This is valid only for networks using Office 365 Sign-In for Yammer.|