
Idle Session sign-out policy for SharePoint and OneDrive for Business

16 / 07 / 2018 by Office, Office365

Session lifetimes are an important part of authentication for Office 365 and are an important component in balancing security and the number of times users are prompted for their credentials.

Idle session sign-out lets you specify a time at which users are warned and subsequently signed out of Office 365 after a period of browser inactivity in SharePoint and OneDrive.

Idle session sign-out is one of a number of policies you can use with SharePoint and OneDrive to balance security and user productivity and help keep your data safe regardless of where users access the data, what device they're working on, and how secure their network connection is. For more ways to control access in SharePoint and OneDrive, see How SharePoint Online and OneDrive safeguard your data in the cloud.

When idle session sign-out is configured for your organization, users on unmanaged or non-compliant devices are warned about, and then signed out of, unattended sessions in SharePoint Online and OneDrive for Business.

In order to give you control over how you decide to deploy idle session sign-out, we've included an organisation-level on/off switch. Idle session sign-out will be released off by default to give you a chance to explore the new capabilities.

Configure the idle session sign-out policy
This policy is configured using Microsoft PowerShell.

  1. Download the latest SharePoint Online Management Shell.
  2. Connect to SharePoint Online as a global admin or SharePoint admin in Office 365. To learn how, see Getting started with SharePoint Online Management Shell.
  3. Run the Set-SPOBrowserIdleSignOut cmdlet at the SharePoint Online Management Shell command prompt.

    Where:
    -Enabled specifies whether idle session sign-out is enabled or disabled, using $true or $false.
    -WarnAfter specifies the amount of inactivity after which a user is notified that they will be signed out, as a New-TimeSpan value, which can be configured in seconds, minutes, or hours.
    -SignOutAfter specifies the amount of inactivity after which a user is signed out of Office 365 if they do not respond to the -WarnAfter prompt, also as a New-TimeSpan value.

Notes:

  • Idle session sign-out applies to the entire organization and can’t be set for specific sites or users.
  • If a user is active in another Office 365 service (such as Outlook), but inactive in SharePoint and OneDrive, they’ll be signed out across Office 365. If a user has multiple tabs to OneDrive and SharePoint sites open at the same time, they won’t be signed out unless they are inactive on all the sites.
  • Users won’t be signed out if they selected to stay signed in when they signed in. For info about hiding this option, see Add company branding to your sign-in page in Azure AD.
  • Users won’t be signed out on a managed device (one that is compliant or joined to a domain), unless they’re using InPrivate mode or a browser other than Edge or Internet Explorer. If they use Google Chrome, you need to use an extension to pass the device state claim. For more info about device state claims, see Azure AD conditional access settings.
  • You must specify values for both WarnAfter and SignOutAfter. The SignOutAfter must be greater than the WarnAfter value.
  • It takes about 15 minutes for the policy to take effect across your organization. The policy doesn’t affect existing sessions.
  • To view the idle session sign-out values you’ve set, use the Get-SPOBrowserIdleSignOut cmdlet.
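The full procedure above, as an added example that is not part of the original article: a PowerShell session that connects to the tenant, applies the policy with both required values, enforces the SignOutAfter-greater-than-WarnAfter rule before calling the cmdlet, and reads the result back. The admin-center URL is a placeholder for your own tenant; the account used must be a SharePoint admin or global admin.

```powershell
# Added example, not from the original article. Requires the SharePoint Online
# Management Shell. The admin site URL below is a placeholder (assumption).
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

function Set-IdleSignOutPolicy {
    param(
        [Parameter(Mandatory)] [timespan] $WarnAfter,
        [Parameter(Mandatory)] [timespan] $SignOutAfter
    )
    # Both values are required, and SignOutAfter must be greater than WarnAfter.
    # Check it here so a bad value fails with a clear message before the call.
    if ($SignOutAfter -le $WarnAfter) {
        throw "SignOutAfter ($SignOutAfter) must be greater than WarnAfter ($WarnAfter)."
    }
    Set-SPOBrowserIdleSignOut -Enabled $true -WarnAfter $WarnAfter -SignOutAfter $SignOutAfter
}

# Warn after 45 minutes of browser inactivity; sign out 15 minutes after the
# warning if the user has not responded (60 minutes of inactivity in total).
Set-IdleSignOutPolicy -WarnAfter (New-TimeSpan -Minutes 45) -SignOutAfter (New-TimeSpan -Minutes 60)

# Read the policy back. The change takes roughly 15 minutes to apply across the
# tenant and does not affect sessions that already exist.
Get-SPOBrowserIdleSignOut | Format-List Enabled, WarnAfter, SignOutAfter

# Rollback: turn the policy off with the organisation-level switch.
# Set-SPOBrowserIdleSignOut -Enabled $false
```

Because the policy is tenant-wide and only reaches unmanaged or non-compliant devices, test it from a browser on a machine that is neither domain-joined nor compliant; a managed device or a user who chose "stay signed in" will not show the prompt, which is expected behaviour rather than a failed deployment.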


Session times for Office 365 services
When users authenticate in any of the Office 365 web apps or mobile apps, a session is established. For the duration of the session, users won’t need to re-authenticate. Sessions can expire when users are inactive, when they close the browser or tab, or when their authentication token expires for other reasons such as when their password has been reset. The Office 365 services have different session timeouts to correspond with the typical use of each service.

The following lists the session lifetime for each Office 365 service:

Office 365 Admin center

You are asked to provide credentials for the admin center every 8 hours.

SharePoint Online

5 days of inactivity, as long as the user chooses Keep me signed in. If the user accesses SharePoint Online again after 24 or more hours have passed since the previous sign-in, the timeout value is reset to 5 days.

Outlook Web App

6 hours. You can change this value by using the ActivityBasedAuthenticationTimeoutInterval parameter in the Set-OrganizationConfig cmdlet.

Azure Active Directory

Modern authentication uses access tokens and refresh tokens to grant user access to Office 365 resources using Azure Active Directory. An access token is a JSON Web Token provided after a successful authentication and is valid for 1 hour. A refresh token with a longer lifetime is also provided. When access tokens expire, Office clients use a valid refresh token to obtain a new access token. This exchange succeeds if the user’s initial authentication is still valid.

Refresh tokens are valid for 90 days, and with continuous use, they can be valid until revoked.

Refresh tokens can be invalidated by several events, such as:

  • The user's password has changed since the refresh token was issued.
  • An administrator has applied a conditional access policy that restricts access to the resource the user is trying to reach.

SharePoint and OneDrive mobile apps for Android, iOS, and Windows 10

The default lifetime for the access token is 1 hour. The default maximum inactive time of the refresh token is 90 days.

Learn more about tokens and how to configure token lifetimes

To revoke the refresh token, you can reset the user's Office 365 password. Note that an access token already issued stays valid until it expires (1 hour by default), so revocation takes effect at the next token refresh, not immediately.
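As an added example, not from the original article, the same effect as a password reset on a user's refresh tokens can be obtained with the AzureAD PowerShell module's Revoke-AzureADUserAllRefreshToken cmdlet, which is useful during incident response when you want to cut sessions without changing the password. It assumes the AzureAD module is installed, that the caller has the rights to revoke tokens, and uses a placeholder user principal name; the RefreshTokensValidFromDateTime property is read before and after so you can confirm the marker moved.

```powershell
# Added example, not from the original article. Requires the AzureAD module.
Connect-AzureAD

function Revoke-UserRefreshTokens {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)

    $user   = Get-AzureADUser -ObjectId $UserPrincipalName
    $before = $user.RefreshTokensValidFromDateTime

    # Moves the "refresh tokens valid from" marker to now. Every refresh token
    # issued before this moment is rejected on its next use, so each client must
    # re-authenticate once its current access token (1 hour by default) expires.
    Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId

    $after = (Get-AzureADUser -ObjectId $user.ObjectId).RefreshTokensValidFromDateTime

    # Return both timestamps so the caller can verify the revocation took effect.
    [pscustomobject]@{
        User                  = $UserPrincipalName
        TokensValidFromBefore = $before
        TokensValidFromAfter  = $after
    }
}

# Placeholder account (assumption): replace with the affected user's UPN.
Revoke-UserRefreshTokens -UserPrincipalName 'alice@contoso.com'
```

Pair this with the idle session sign-out policy rather than relying on either alone: the policy limits how long an unattended browser session on an unmanaged device stays usable, while token revocation ends sessions you already know to be compromised.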

Yammer with Office 365 Sign-In

Lifetime of the browser session. If users close the browser and access Yammer in a new browser, Yammer will re-authenticate them with Office 365. If users use third-party browsers that cache cookies, they may not need to re-authenticate when they reopen the browser.

Note: This is valid only for networks using Office 365 Sign-In for Yammer.
