Idle session timeout lets administrators configure a period of inactivity after which a user is warned and then signed out of SharePoint or OneDrive. It helps prevent the overexposure of information.
Mouse movement or scrolling up and down is not counted as activity.
The idle session timeout policy update replaced the ‘Keep me signed in’ checkbox: the option now appears in the sign-in flow after the user successfully signs in. If the user doesn’t select ‘Keep me signed in’, the idle session timeout policy applies.
As a layer of protection, this prompt is intelligently hidden if a shared device or a high-risk sign-in is detected.
For federated tenants, this prompt is shown after the user successfully authenticates with the federated identity service. It’s important to remember that the new “Keep me signed in” prompt appears only with the new sign-in experience.
Administrators can use the “Show option to remain signed in” setting to hide this new prompt from users. If administrators hide the “Keep me signed in” checkbox on the tenant, it won’t be shown to users. However, this change does not affect any token lifetime settings that were configured.
Configuring Idle Session Timeout
Idle-session timeout is configured using Windows PowerShell.
- Download and install the SharePoint Online Management Shell. From the Start screen, type SharePoint, and click SharePoint Online Management Shell.
- Connect to SharePoint Online with a username and password, using the following commands at the SharePoint Online Management Shell command prompt:
- Connect-SPOService -Url https://<Tenant>-admin.sharepoint.com
- To configure idle-session timeout: Set-SPOBrowserIdleSignOut -Enabled $true -WarnAfter (New-TimeSpan -Seconds 1200) -SignOutAfter (New-TimeSpan -Seconds 1500)
- Enabled specifies whether idle session timeout is enabled ($true) or disabled ($false).
- WarnAfter specifies the amount of time after which a user is notified that they will be signed out after a period of inactivity. It is given as a New-TimeSpan, which can be configured in seconds, minutes, or hours.
- SignOutAfter specifies the amount of time after which a user is signed out of Office 365 if they do not respond to the -WarnAfter prompt. The WarnAfter and SignOutAfter values cannot be the same.
To view the idle browser sign-out settings, use the Get-SPOBrowserIdleSignOut cmdlet.
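The procedure above as a repeatable check, added here as an example and not part of the original page: it validates the two time spans, compares them with what Get-SPOBrowserIdleSignOut reports, and calls Set-SPOBrowserIdleSignOut only when the tenant has drifted. The function names are hypothetical, and the property names read from the Get-SPOBrowserIdleSignOut output are an assumption.

```powershell
# Added example. Requires the SharePoint Online Management Shell and an
# existing Connect-SPOService session. Test-IdleSignOutValues and
# Set-IdleSignOutBaseline are hypothetical helper names.

function Test-IdleSignOutValues {
    param(
        [Parameter(Mandatory)] [TimeSpan] $WarnAfter,
        [Parameter(Mandatory)] [TimeSpan] $SignOutAfter
    )
    # The page states the two values cannot be the same.
    if ($WarnAfter -eq $SignOutAfter) {
        throw "WarnAfter and SignOutAfter cannot be the same ($WarnAfter)."
    }
    # Assumption: the warning has to come before the sign-out to be useful.
    if ($WarnAfter -gt $SignOutAfter) {
        throw "WarnAfter ($WarnAfter) must be shorter than SignOutAfter ($SignOutAfter)."
    }
    if ($WarnAfter -le [TimeSpan]::Zero) {
        throw "WarnAfter must be a positive time span."
    }
}

function Set-IdleSignOutBaseline {
    param(
        [TimeSpan] $WarnAfter    = (New-TimeSpan -Seconds 1200),
        [TimeSpan] $SignOutAfter = (New-TimeSpan -Seconds 1500)
    )
    Test-IdleSignOutValues -WarnAfter $WarnAfter -SignOutAfter $SignOutAfter

    # Assumption: the returned object exposes Enabled, WarnAfter and SignOutAfter.
    $current = Get-SPOBrowserIdleSignOut
    $inSync = $current.Enabled -and
              $current.WarnAfter -eq $WarnAfter -and
              $current.SignOutAfter -eq $SignOutAfter
    if (-not $inSync) {
        Set-SPOBrowserIdleSignOut -Enabled $true -WarnAfter $WarnAfter -SignOutAfter $SignOutAfter
        $current = Get-SPOBrowserIdleSignOut   # read back what the tenant now reports
    }
    [pscustomobject]@{
        Changed      = -not $inSync
        Enabled      = $current.Enabled
        WarnAfter    = $current.WarnAfter
        SignOutAfter = $current.SignOutAfter
    }
}

Set-IdleSignOutBaseline   # defaults match the values used in the command above
```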