Activating and Testing the Idle Session Timeout for SharePoint Online and OneDrive for Business

Idle session timeout is a feature that kicks off after a period of inactivity, first displaying a warning prompt and then signing the user out of SharePoint Online and OneDrive for Business.

This feature was announced at Ignite 2017. At the time of this post it is available in preview tenants and is scheduled to be rolled out in production later in December 2017.

This feature is mainly useful for shared PCs or kiosks that may be used by multiple users. It could be a way to address these scenarios with an out-of-the-box feature.

At this point there is no user interface to activate and configure this feature. It is configured using PowerShell and the cmdlets in the SharePoint Online Management Shell. You will also need an account with either tenant administrator or SharePoint administrator permissions to follow these procedures. If you’re not an administrator, feel free to continue reading this post for the walkthrough of this new feature and analysis.

Also, be aware that you are turning this feature on at the tenant level. It’s all or nothing and can’t be turned on for just specific users or sites. If users click the ‘keep me signed in’ option, the idle session timeout will not kick off for those users. The Microsoft announcement indicates the ‘keep me signed in’ prompt will be hidden if it detects a shared PC or high-risk sign-ins. That would make the idle session timeout feature more useful. Most normal desktop users would click the ‘keep me signed in’ option, so hiding the prompt in those cases would make this feature a little smarter in terms of how it is applied.

You’ll find a link at the bottom of the post for the Microsoft announcement that provides some additional detail.

Prerequisites: As indicated above, in order to turn this feature on or off you will need someone with SharePoint administrator or tenant administrator permissions. You will also need the SharePoint Online Management Shell installed (you should install the most recent version) and some familiarity with running PowerShell scripts.

There are two settings you can configure: how long before the user will see the warning prompt (in seconds) and how long before the user will be signed out (in seconds). For my example I will set a short time period in order to make testing easier. Be sure to update the first line of the script with your own tenant name.

After you activate the idle session timeout, you will need to wait about 15 minutes for it to go into effect. You will also need to start a new browser session to test the feature.

After the 15-minute wait, open a new browser and log in to your tenant. Be sure to answer ‘No’ to the ‘keep me signed in’ prompt.

Now with your page loaded we’ll wait the 100 seconds to get the warning prompt.

After that we’ll wait another 20 seconds and we should see the sign out.

If you’re done testing the feature and would like to turn it off, you can do so with the following script. Be sure to update the first line of the script with your own tenant name.
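The enable and disable steps described above, combined into one script as an added example (not the original post's scripts). The tenant name `contoso` is a placeholder and the parameter names are illustrative. The 120-second sign-out value assumes both cmdlet intervals are measured from the start of inactivity, which gives the 100-second warning followed by sign-out 20 seconds later.

```powershell
# Added example, not the original post's script.
# 'contoso' is a placeholder: replace it with your own tenant name.
param(
    [string]$TenantName = 'contoso',
    [ValidateSet('Enable', 'Disable', 'Show')]
    [string]$Action = 'Show',
    [int]$WarnAfterSeconds = 100,     # warning prompt after 100 s idle (value from the post)
    [int]$SignOutAfterSeconds = 120   # sign-out 20 s after the warning (100 + 20)
)

# Assumption: both intervals count from the start of inactivity,
# so the warning has to come before the sign-out.
if ($Action -eq 'Enable' -and $WarnAfterSeconds -ge $SignOutAfterSeconds) {
    throw "WarnAfterSeconds ($WarnAfterSeconds) must be less than SignOutAfterSeconds ($SignOutAfterSeconds)."
}

# Requires the SharePoint Online Management Shell and a tenant or SharePoint admin account.
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url "https://${TenantName}-admin.sharepoint.com"

switch ($Action) {
    'Enable' {
        # Tenant-wide setting: applies to every user who did not choose 'keep me signed in'.
        Set-SPOBrowserIdleSignOut -Enabled $true `
            -WarnAfter (New-TimeSpan -Seconds $WarnAfterSeconds) `
            -SignOutAfter (New-TimeSpan -Seconds $SignOutAfterSeconds)
    }
    'Disable' {
        Set-SPOBrowserIdleSignOut -Enabled $false
    }
}

# Read the tenant setting back so the change is confirmed rather than assumed.
$current = Get-SPOBrowserIdleSignOut
$current | Format-List Enabled, WarnAfter, SignOutAfter

if ($Action -eq 'Enable' -and -not $current.Enabled) {
    Write-Warning 'Idle session sign-out still reports as disabled.'
}
if ($Action -eq 'Disable' -and $current.Enabled) {
    Write-Warning 'Idle session sign-out still reports as enabled.'
}

Disconnect-SPOService
```

Run it with `-Action Enable` to turn the timeout on with the test values, and with `-Action Disable` when you are done testing; with no `-Action` it only shows the current setting.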

I do like this feature; I think it is a good addition to SharePoint Online and OneDrive for Business.

SharePoint governance is challenging and I can see this feature being one of the tools I will utilize with SharePoint Online in the future. It’s nice to be able to address this session issue without having to do custom coding or look to third-party tools.

I think the fact that it needs to be managed through PowerShell may put this feature out of the reach of some small and mid-sized businesses, which is unfortunate.

In the future it would be nice if this session timeout feature had a GUI that made it easier to manage. The ability to target it at higher-risk individuals or site collections that contain sensitive information would also be a nice addition.

Introducing Idle Session Timeout in SharePoint and OneDrive