July 02, 2022

Microsoft 365 now prevents data breaches with session timeouts

The timeout feature for inactive sessions, which Microsoft announced in March for its Microsoft 365 web apps, is now generally available to customers. The new capability allows IT administrators to configure a policy to automatically sign out inactive employees from Microsoft 365 web apps.

Previously, the idle session timeout setting was available only for the web version of Outlook and for SharePoint web apps, configured per app. Microsoft has now extended the feature to support all Microsoft 365 web apps. However, the setting does not affect desktop and mobile users.

Microsoft emphasizes that configuring a tenant-wide policy should make it easier to prevent unauthorized access that could lead to information exposure on unmanaged or shared devices. It can also help ensure compliance and a consistent user experience for session timeouts across all Microsoft 365 web apps.

The timeout feature for inactive sessions is currently supported in certain Microsoft 365 web apps. These include the web version of Outlook, PowerPoint for the web, Excel, Word, OneDrive for the web, SharePoint and the Microsoft 365 management center.

If you are working on another web app with the same account, the activity in that web app is not applied to the timeout for inactive sessions.

“Based on multiple customer conversations and feedback sessions, it became clear that our customers were looking for a more predictable and coherent solution for the entirety of Microsoft 365 web apps. Timeout for inactive sessions is one of the many controls you can use with Microsoft 365 to balance user productivity and security to meet your organization’s security requirements,” explains Microsoft.

Enable timeout for inactive sessions for Microsoft 365 web apps

To enable the inactive session timeout setting, IT administrators should follow the steps below:

  1. Go to the Microsoft 365 administration center, click Organization Settings >> Security and Privacy tab, and then enable the inactive session timeout button.
  2. Select the default timeout or set a custom time for session timeouts. IT administrators may have to wait a few minutes before the policy is enabled in their tenant.

Once the policy is enabled, employees will see a prompt after a certain period of inactivity in Microsoft 365 web apps. The prompt notifies them that their session is about to expire; to prevent automatic logout, the user must click the Logged In button.

Microsoft noted in a support document that users must enable third-party cookies in their web browser to use the timeout feature for inactive sessions. The company recommends that Microsoft Edge users set the tracking prevention option to Balanced (default).

Although the timeout feature for inactive sessions has dropped its preview tag, it will be rolled out gradually to all commercial Microsoft 365 customers from June to August. Microsoft plans to bring this capability to government subscribers later this year.

Source: Petri
