Microsoft 365

Microsoft announced today the general availability of tenant-wide idle session timeout for Microsoft 365 web apps to protect confidential data on shared or non-company devices left unattended.

When toggled on, it prevents data leaks by ensuring that sensitive information will no longer be exposed to unauthorized access after employees forget to log out of unmanaged machines despite corporate policy and security training.

After an IT admin such as a Microsoft 365 or Office 365 global admin enables this new feature, users who have reached the configured period of inactivity (on all web browsers running on the device) will be notified that they're going to be automatically signed out.

To avoid being signed out of all Microsoft 365 web apps on that system, the users will have to prove they're not idle and still in front of the device by selecting to stay signed in.

"Today, we are super pleased to announce the general availability of idle session timeout for Microsoft 365 web apps. IT admins can now configure a tenant-wide timeout policy to automatically sign out users after a period of inactivity on Microsoft 365 web apps," said Namit Gupta, Principal Product Manager at Microsoft.

"From June to August 2022, this functionality will be rolled out in Microsoft 365 worldwide cloud environments of Office.com, Word, Excel, PowerPoint for the web, Outlook on the web, OneDrive for the web, SharePoint, and Microsoft 365 admin center."

Microsoft 365 web app session time out (Microsoft)

The idle session timeout feature was first made available as a preview (on a per-app basis) for Outlook Web App (OWA), OneDrive, and SharePoint Online (SPO) users in October 2017. It became generally available a year later, in July 2018.

In October 2019, Microsoft announced that its engineers were working on a new tenant-wide idle session timeout feature for Microsoft 365 web apps to prevent information exposure.

The complete list of Microsoft 365 web apps to which this new feature applies includes:

  • Outlook Web App
  • OneDrive for Business
  • SharePoint Online (SPO)
  • Office.com and other start pages
  • Office (Word, Excel, PowerPoint) on the web
  • Microsoft 365 Admin Center

Global admins can enable idle session timeout functionality in the Microsoft 365 admin center by toggling "Idle session timeout" in Org Settings -> Security & privacy.

After setting up an inactivity timeout (or choosing the default one), the idle session policy will be turned on across the organization within a few minutes.

Microsoft also provides further information on configuring this feature in your organization and updating and deleting the policy in this Microsoft Docs article.
