Information
Idle session timeout lets you configure a setting that signs out inactive users after a pre-determined period of inactivity. When a user reaches the idle timeout, they get a notification that they are about to be signed out and must choose to stay signed in; otherwise they are automatically signed out of all Microsoft 365 web apps. Combined with a Conditional Access policy, this affects only unmanaged devices. A managed device is one that is compliant or joined to a domain and uses a supported browser such as Microsoft Edge, or Google Chrome with the Microsoft Single Sign On extension.
The following Microsoft 365 web apps are supported.
- Outlook Web App
- OneDrive
- SharePoint
- Microsoft Fabric
- Microsoft365.com and other start pages
- Microsoft 365 web apps (Word, Excel, PowerPoint)
- Microsoft 365 Admin Center
- M365 Defender Portal
- Microsoft Purview Compliance Portal
The recommended setting is 3 hours (or less) for unmanaged devices.
Note: Idle session timeout doesn't affect Microsoft 365 desktop and mobile apps.
Ending idle sessions automatically helps protect sensitive company data and adds another layer of security for end users who work on unmanaged devices that may be accessible to the public. Unauthorized individuals, onsite or remote, can take advantage of systems left unattended over time; automatically timing out sessions makes this harder.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Step 1 - Configure Idle session timeout:
- Navigate to the Microsoft 365 admin center https://admin.microsoft.com/
- Click to expand Settings, then select Org settings
- Click the Security & Privacy tab.
- Select Idle session timeout
- Check the box Turn on to set the period of inactivity for users to be signed off of Microsoft 365 web apps
- Set a maximum value of 3 hours
- Click Save.
Step 2 - Ensure the Conditional Access policy is in place:
- Navigate to the Microsoft Entra admin center https://entra.microsoft.com/
- Expand Protect > Conditional Access
- Click New policy and give the policy a name.
- Select Users > All users
- Select Cloud apps or actions > Select apps and select Office 365
- Select Conditions > Client apps, set Configure to Yes, check only Browser and uncheck all other boxes.
- Select Sessions and check Use app enforced restrictions
- Set Enable policy to On and click Create
Note: To ensure that idle timeouts affect only unmanaged devices, both steps must be completed.
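The two steps above are portal click paths. As an added example (not part of the benchmark text or Microsoft's own tooling), the script below performs Step 2 with the Microsoft Graph PowerShell SDK: it first audits whether an enabled policy already matches the required shape (all users, the Office 365 app group, browser as the only client app type, app enforced restrictions on) and creates one only if none exists. The policy name, the choice to start in report-only mode, and the permission scopes are assumptions; Step 1 (the org-wide idle session timeout) is not exposed here and is still set in the Microsoft 365 admin center as described above.

```powershell
# Added example: Step 2 (Conditional Access policy) via Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module is installed and the signed-in account can be
# granted Policy.Read.All and Policy.ReadWrite.ConditionalAccess.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns

param(
    # Assumed name; pick whatever matches your naming convention.
    [string]$PolicyName = "Idle session timeout - browser app enforced restrictions",
    # Start in report-only and switch to "enabled" once sign-in logs look right.
    [ValidateSet("enabled", "enabledForReportingButNotEnforced")]
    [string]$State = "enabledForReportingButNotEnforced"
)

Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Audit: return enabled policies that already satisfy Step 2. A policy that also
# targets non-browser client app types is not counted, because the benchmark step
# requires Browser to be the only box checked.
function Get-IdleTimeoutCaPolicies {
    Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
        $_.State -eq "enabled" -and
        $_.Conditions.Users.IncludeUsers -contains "All" -and
        $_.Conditions.Applications.IncludeApplications -contains "Office365" -and
        @($_.Conditions.ClientAppTypes).Count -eq 1 -and
        $_.Conditions.ClientAppTypes -contains "browser" -and
        $_.SessionControls.ApplicationEnforcedRestrictions.IsEnabled -eq $true
    }
}

$existing = Get-IdleTimeoutCaPolicies
if ($existing) {
    Write-Output "Step 2 already satisfied by: $($existing.DisplayName -join ', ')"
    return
}

# Remediate: same settings as the portal steps, expressed as a Graph request body.
$body = @{
    displayName     = $PolicyName
    state           = $State
    conditions      = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("Office365") }  # the Office 365 app group
        clientAppTypes = @("browser")                               # Browser only
    }
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true }    # "Use app enforced restrictions"
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
Write-Output "Created policy '$($policy.DisplayName)' (id $($policy.Id)) in state '$($policy.State)'"
```

Run it once with the default report-only state, confirm in the Entra sign-in logs that only browser sessions from unmanaged devices would be affected, then re-run with `-State enabled` (or flip the policy in the portal). The audit function is also usable on its own to verify that the Conditional Access half of this control stays in place after someone edits policies.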
Impact:
If step 2 in the Audit/Remediation procedure is left out, the idle timeout applies to all devices. That is not an issue from a security standpoint, but it forces users on trusted, managed devices to sign in more frequently, which can lead to credential prompt fatigue.
Note: Idle session timeout also governs the Azure Portal idle timeout unless that is explicitly set to a different value. The Azure Portal idle timeout applies to all kinds of devices, not just unmanaged ones. See: Change the directory timeout setting (admin).