Information
Idle session timeout allows the configuration of a setting which will timeout inactive users after a pre-determined amount of time. When a user reaches the set idle timeout session, they'll get a notification that they're about to be signed out. They must choose to stay signed in or they'll be automatically signed out of all Microsoft 365 web apps. Combined with a Conditional Access rule this will only impact unmanaged devices.
A managed device is considered a device managed by Intune MDM or joined to a domain (Entra ID or Hybrid joined).
The following Microsoft 365 web apps are supported.
- Outlook Web App
- OneDrive
- SharePoint
- Microsoft Fabric
- Microsoft365.com and other start pages
- Microsoft 365 web apps (Word, Excel, PowerPoint)
- Microsoft 365 Admin Center
- M365 Defender Portal
- Microsoft Purview Compliance Portal
The recommended setting is 3 hours (or less) for unmanaged devices.
Note: Idle session timeout doesn't affect Microsoft 365 desktop and mobile apps.
Ending idle sessions through an automatic process can help protect sensitive company data and will add another layer of security for end users who work on unmanaged devices that can potentially be accessed by the public. Unauthorized individuals onsite or remotely can take advantage of systems left unattended over time. Automatic timing out of sessions makes this more difficult.
Solution
Step 1 - Configure Idle session timeout:
- Navigate to the Microsoft 365 admin center at https://admin.microsoft.com/.
- Click to expand Settings and select Org settings.
- Click Security & Privacy tab.
- Select Idle session timeout
- Check the box Turn on to set the period of inactivity for users to be signed off of Microsoft 365 web apps
- Set a maximum value of 3 hours
- Click save.
Step 2 - Ensure the Conditional Access policy is in place:
- Navigate to the Microsoft Entra admin center at https://entra.microsoft.com/.
- Expand Protect > Conditional Access
- Click New policy and give the policy a name.
- Select Users > All users
- Select Cloud apps or actions > Select apps and select Office 365
- Select Conditions > Client apps, select Yes, then check only Browser, leaving all other boxes unchecked.
- Select Sessions and check Use app enforced restrictions
- Set Enable policy to On and click Create
Note: To ensure that idle timeouts affect only unmanaged devices, both steps 1 and 2 must be completed. Otherwise managed devices will also be impacted by the timeout policy.
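The following audit script is an added example, not part of the benchmark text: it reads the tenant's Conditional Access policies with the Microsoft Graph PowerShell SDK and reports whether any enabled policy matches the Step 2 shape (all users, Office 365, browser client only, app enforced restrictions). It assumes the Microsoft.Graph module is installed and the caller holds Policy.Read.All; the Step 1 timeout value is only visible in the Microsoft 365 admin center and is not checked here.

```powershell
# Added audit example (not from the benchmark). Assumes Microsoft.Graph SDK
# and the Policy.Read.All permission. Checks Step 2 only.
Connect-MgGraph -Scopes "Policy.Read.All"

function Test-IdleTimeoutScopingPolicy {
    # Reduce one Conditional Access policy to the five Step 2 properties.
    param([Parameter(Mandatory)] $Policy)

    $apps    = @($Policy.Conditions.Applications.IncludeApplications)
    $clients = @($Policy.Conditions.ClientAppTypes)
    $users   = @($Policy.Conditions.Users.IncludeUsers)

    [pscustomobject]@{
        DisplayName       = $Policy.DisplayName
        Enabled           = $Policy.State -eq 'enabled'
        AllUsers          = $users -contains 'All'
        Office365Targeted = $apps -contains 'Office365'      # Office 365 app group
        BrowserOnly       = ($clients.Count -eq 1) -and ($clients[0] -eq 'browser')
        AppEnforced       = [bool]$Policy.SessionControls.ApplicationEnforcedRestrictions.IsEnabled
    }
}

$results = Get-MgIdentityConditionalAccessPolicy -All |
    ForEach-Object { Test-IdleTimeoutScopingPolicy -Policy $_ }
$results | Format-Table -AutoSize

# A single policy must satisfy every condition; partial matches do not count.
$compliant = @($results | Where-Object {
    $_.Enabled -and $_.AllUsers -and $_.Office365Targeted -and $_.BrowserOnly -and $_.AppEnforced
})
if ($compliant.Count -gt 0) {
    "OK: '$($compliant[0].DisplayName)' scopes the idle timeout to browser sessions."
} else {
    "FAIL: no enabled policy targets Office 365, browser only, all users, with app enforced restrictions."
}
```

A FAIL here with Step 1 enabled means managed devices are also being timed out, which is the situation described in the Impact section.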
Impact:
If step 2 in the Audit/Remediation procedure is left out, then there is no issue with this from a security standpoint. However, it will require users on trusted devices to sign in more frequently which could result in credential prompt fatigue.
Users don't get signed out in these cases:
- If they get single sign-on (SSO) into the web app from the device joined account.
- If they selected Stay signed in at the time of sign-in. For more info on hiding this option for your organization, see Add branding to your organization's sign-in page.
- If they're on a managed device, that is compliant or joined to a domain and using a supported browser, like Microsoft Edge, or Google Chrome with the Microsoft Single Sign On extension.
Note: Idle session timeout also affects the Azure Portal idle timeout if this is not explicitly set to a different timeout. The Azure Portal idle timeout applies to all kinds of devices, not just unmanaged. See: Change the directory timeout setting (admin).