There’s a new culture of work; one that is increasingly diverse, geographically distributed, and mobile.  Connectivity is ubiquitous and the ability to work remotely has become an ingrained part of the work practice. People have come to expect to be able to access email and documents from anywhere on any device - and for that experience to be seamless, among these trends includes the increasing use of shared systems, such as kiosks to access and work with corporate data.  In order to help safeguard your information on these systems, we’re introducing new idle session timeout policies rolling out as preview on November 6, 2017 and changes to the “Keep me signed in” experience with Office 365.

Idle session timeout provides an Office 365 administrator to configure a threshold at which a user is warned and subsequently signed out of SharePoint or OneDrive after a period of inactivity as illustrated below.

Demo

The demonstration below illustrates the idle session timeout policy enacted on a site that is also configured with site-scoped limited access policies.

Idle session timeout policies allow Office 365 administrators to automatically sign out inactive sessions preventing the overexposure of information in the event a user leaves a shared system unattended.

NOTE

Idle session timeout takes a dependency on the Keep me signed in signal.  In scenarios where Keep me signed in is selected at authentication, the client will not honor the idle session timeout. 

In addition to the new idle session timeout policy we’re rolling out in preview, in late September we updated the keep me signed in experience, replacing the “Keep me signed in” checkbox that appears on the sign-in flow with a prompt that shows after the user successfully signs in.  Idle session timeout interprets this signal and where selected does not affect the client where "Keep me signed in" has been selected, on devices where "Keep me signed in" is not selected, the policy applies.

In addition to those recent changes, we’re also adding a layer of protection to intelligently hide this prompt if we detect a shared device, or a high-risk sign-in. Our goal is to decrease the number of times users are prompted to authenticate. Although the new screen adds a small amount of friction up front, users get a better long-term experience as they get less sign-in prompts when they use our services.

This prompt asks the user if they would like to remain signed in. Responding “Yes” to this drops a persistent refresh token, the same behavior as when the user checks the old “Keep me signed in” checkbox.

For federated tenants, this prompt will show after the user successfully authenticates with the federated identity service. Some things to consider: - During the Public Preview period of the new sign-in experience, this new “Keep me signed in” prompt will only show when users opt-in to the new sign-in experience. Users using the old experience will continue to see the checkbox and will not get the prompt. - You can choose to hide this new prompt for your users by using the “Show option to remain signed in” setting in company branding. Existing configurations of this setting will carry forward, so if you previously chose to hide the “Keep me signed in” checkbox on your tenant, we won’t show the new prompt to your users. - This change will not affect any token lifetime settings you have configured.

Frequently Asked Questions

When will idle session timeout start rolling out as preview?

November 6, 2017

Is idle session timeout enabled by default, can I control the settings?

No.  Idle session timeout is disabled by default.  The warning and timeout timespans, as well as enabling idle session timeout are administrator controlled.  Instructions will follow as we start to roll out this feature.

Does the policy effect existing signed in sessions?

No, only new sign-ins to new browsers

How long does it take to effect?

Approx. 15 minutes

What is considered a managed device?

A device is managed if Azure Active Directory indicates to SharePoint Online that the device state was evaluated and the device is at least one of the following:

• Domain joined
• Compliant

Device state claims are not passed in Google Chrome or when using inPrivate mode – device claims are only available on Internet Explorer or Microsoft Edge on Microsoft Windows.

Can I hide the Keep me signed in prompt?

During the public preview period of the new sign-in experience, the updated “Keep me signed in” prompt will only show when users opt into the new sign-in experience. Users using the old experience will continue to see the checkbox and will not get the prompt.

Admins can choose to hide this new prompt for users by using the “Show option to remain signed in” setting in company branding.

NOTE 

Existing configurations of this setting will carry forward, so if you previously chose to hide the “Keep me signed in” checkbox in your tenant, we won’t show the new prompt to users in your tenant.

This change won’t affect any token lifetime settings you have configured.

When will idle-session timeout be generally available?

Late CY2017