Many Microsoft 365 users are not aware of the session timeouts set for the different applications. Timeouts mean that once that session token has reached its limit, you will be prompted for your credentials again. Some people find it frustrating as they either do not understand why these limits are there, or it simply annoys them because they believe it is affecting their productivity to be forced to log in continually.
Microsoft 365 session timeouts: Default values
Your organization may have Microsoft 365 session timeout values set differently from the defaults. Here is a list of services in Microsoft 365, and a little lower we will look at their default timeouts:
- Outlook on the Web (also known as Outlook Web App, or OWA).
- SharePoint Online.
- Microsoft 365 admin center.
- Mobile apps for Android, Windows 10, and iOS.
Let’s briefly touch on each one of the above.
Outlook Web App
In Microsoft 365, if you use the web app for email, the default timeout is six hours. This means that after the token expires, the user will need to log in again. If you want to change this limit, you will need to use PowerShell and update the value called “ActivityBasedAuthenticationTimeoutInterval.” Some organizations have stricter timeout values set, so be sure to ask your IT admin if the value has changed or if they are using the default.
SharePoint Online
SharePoint Online has a longer value for timeouts. It is set to five days, but only if the user chooses the option to stay signed in (“keep me signed in”).
Microsoft 365 admin center
The admin center will prompt you every eight hours for your credentials. I have noticed that it re-prompts sooner than that if you have been idle for a specific time or if you close the browser. You may see the account-picker box to choose your credentials if you log in multiple times. If you have 2FA set up, you will be asked to approve it, but this is organization-based.
Mobile apps for Android, iOS, and Windows 10
If you use OneDrive or SharePoint on your mobile device, the default is one hour before you will be asked to log in again.
If you use Yammer, you will notice that with a Microsoft 365 login, the token is valid for however long the browser is open. If you close everything and shut down to go home, you will be prompted to sign in again.
Should you make policies stricter?
If your company wants stricter policies than what the defaults provide, you may want to look at automatically signing users out of SharePoint Online and Microsoft 365. To achieve this you can use the SharePoint Online admin center. Once you have entered your credentials on the sign-in page, expand “Admin centers,” click “SharePoint,” and go to the new SharePoint admin center. (There is a “try it now” button.)
Under “Policies,” click “Access Control,” and under that you will have the option called “Idle session sign-out.” You have to enable it with a radio button (on vs. off), and then you can specify the time. You can also warn users that the session is about to time out before they are logged out. Just to remind you, this only applies to sessions that become inactive.
When you make these kinds of changes to SharePoint Online, you will need to wait while everything replicates, which can take anywhere from a couple of minutes to a whole day. This setting applies only to new sign-in sessions on SharePoint Online, so existing sessions are unaffected until the user signs in again.
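The OWA setting mentioned earlier (“ActivityBasedAuthenticationTimeoutInterval”) and the SharePoint idle session sign-out steps above can both be applied from PowerShell. The following is an added example, not code from the article; it assumes the ExchangeOnlineManagement module and the SharePoint Online Management Shell are installed, and “contoso” is a placeholder for your tenant name.

```powershell
# Added example (not from the original article). Requires the ExchangeOnlineManagement
# and Microsoft.Online.SharePoint.PowerShell modules; "contoso" is a placeholder tenant.

# --- Outlook on the web: activity-based timeout (default is six hours) ---
Connect-ExchangeOnline

# Record the current values first so the change can be rolled back.
Get-OrganizationConfig | Select-Object ActivityBasedAuthenticationTimeoutEnabled,
    ActivityBasedAuthenticationTimeoutInterval,
    ActivityBasedAuthenticationTimeoutWithSingleSignOnEnabled

# Shorten the idle timeout to one hour. The interval is hh:mm:ss and the
# accepted range is 00:05:00 to 08:00:00.
Set-OrganizationConfig -ActivityBasedAuthenticationTimeoutEnabled $true `
                       -ActivityBasedAuthenticationTimeoutInterval 01:00:00

# --- SharePoint Online / OneDrive: idle session sign-out ---
# Same setting as Policies > Access Control > Idle session sign-out in the
# SharePoint admin center, driven from the SharePoint Online Management Shell.
Connect-SPOService -Url https://contoso-admin.sharepoint.com

# Show the current state before changing it.
Get-SPOBrowserIdleSignOut

# Warn after 55 minutes of inactivity and sign the user out at 60 minutes.
# As the article notes, this applies to new sign-in sessions only, so verify
# the behaviour in a fresh private-browsing window rather than an existing tab.
Set-SPOBrowserIdleSignOut -Enabled $true `
    -WarnAfter (New-TimeSpan -Minutes 55) `
    -SignOutAfter (New-TimeSpan -Minutes 60)
```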
If you have users working from Public WiFi in coffee shops, the shorter timeout sessions are not a bad idea. But on the corporate network, it may make sense to set it a bit longer, such as 15 minutes. It all boils down to what the company policy is.
As mentioned in one of my previous articles, Outlook on the Web (OWA) timeout values are handled differently: they are changed from six hours to a shorter period so that they comply with company requirements.
If we head over to Azure AD, you can adjust the session timeout values as well — from “Never” to a custom duration. Remember, setting timeout values for anything too short will only frustrate users because they keep having to sign in over and over.
Lastly, if we look at Microsoft Teams, you do not really have an option to set the timeout values. But from experience, after one day Microsoft Teams asks me to reauthenticate on mobile and Windows, though this may not be the case for all organizations. In that case, there is a conditional access policy in place to enforce this. Again, it is what the business requires to be set.
Educate your users on the timeouts and why they are set. They might challenge you on this or ask for an adjustment, but at least they know that after a period of time, they will be prompted to authenticate again. This should hopefully help in logging fewer calls with the IT department. The stricter you become, the more user frustration you will have.