1.3.2 Ensure 'Idle session timeout' is set to '3 hours (or less)' for unmanaged devices

Information

Idle session timeout allows the configuration of a setting that signs out inactive users after a pre-determined amount of time. When a user reaches the configured idle timeout, they get a notification that they are about to be signed out; they must choose to stay signed in or they are automatically signed out of all Microsoft 365 web apps. Combined with a Conditional Access policy, this only affects unmanaged devices. A managed device is a device managed by Intune MDM.

The following Microsoft 365 web apps are supported.

Outlook Web App

OneDrive for Business

SharePoint Online (SPO)

Office.com and other start pages

Office (Word, Excel, PowerPoint) on the web

Microsoft 365 Admin Center

NOTE: Idle session timeout doesn't affect Microsoft 365 desktop and mobile apps.

The recommended setting is 3 hours (or less) for unmanaged devices.

Rationale:

Ending idle sessions through an automatic process can help protect sensitive company data and will add another layer of security for end users who work on unmanaged devices that can potentially be accessed by the public. Unauthorized individuals onsite or remotely can take advantage of systems left unattended over time. Automatic timing out of sessions makes this more difficult.

Impact:

If step 2 in the Audit/Remediation procedure is left out, there is no issue from a security standpoint. However, it will require users on trusted (managed) devices to sign in more frequently, which could result in credential prompt fatigue.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Step 1 - Configure Idle session timeout:

Navigate to the Microsoft 365 admin center https://admin.microsoft.com/.

Click to expand Settings, then select Org settings.

Click Security & Privacy tab.

Select Idle session timeout.

Check the box Turn on to set the period of inactivity for users to be signed off of Microsoft 365 web apps.

Set a maximum value of 3 hours.

Click Save.

Step 2 - Ensure the Conditional Access policy is in place:

Navigate to the Microsoft Entra admin center https://entra.microsoft.com/.

Expand Azure Active Directory > Protect & secure > Conditional Access.

Click New policy and give the policy a name.

Select Users > All users.

Select Cloud apps or actions > Select apps, and select Office 365.

Select Conditions > Client apps, set Configure to Yes, check only Browser, and uncheck all other boxes.

Select Sessions and check Use app enforced restrictions.

Set Enable policy to On and click Create.

NOTE: To ensure that idle timeouts affect only unmanaged devices, both steps must be completed.
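To audit Step 2 programmatically, here is an added example (not part of the benchmark or of Nessus) that evaluates Conditional Access policies exported in the JSON shape Microsoft Graph returns for /identity/conditionalAccess/policies. The property names used (includeUsers, includeApplications, clientAppTypes, applicationEnforcedRestrictions, state) are assumed from the Graph schema, and the sample policies are constructed for illustration.

```python
# Added audit helper (not the benchmark's or Nessus's own code): checks Conditional
# Access policies, in the JSON shape returned by Microsoft Graph
# GET /identity/conditionalAccess/policies, against the Step 2 criteria.
from typing import Any


def policy_findings(policy: dict[str, Any]) -> list[str]:
    """Return the Step 2 criteria this policy fails (empty list = satisfies all)."""
    findings = []
    cond = policy.get("conditions") or {}
    if "All" not in (cond.get("users") or {}).get("includeUsers", []):
        findings.append("users: not scoped to All users")
    if "Office365" not in (cond.get("applications") or {}).get("includeApplications", []):
        findings.append("apps: Office 365 not included")
    # Only Browser must be checked; any other client app type widens the policy
    # to desktop/mobile clients, which the idle timeout never affects anyway.
    if sorted(cond.get("clientAppTypes") or []) != ["browser"]:
        findings.append("clientApps: must be Browser only")
    restr = (policy.get("sessionControls") or {}).get("applicationEnforcedRestrictions") or {}
    if not restr.get("isEnabled"):
        findings.append("session: 'Use app enforced restrictions' not enabled")
    if policy.get("state") != "enabled":
        findings.append(f"state: {policy.get('state')!r} (must be 'enabled')")
    return findings


def compliant_policy_names(policies: list[dict[str, Any]]) -> list[str]:
    """Names of policies that fully satisfy Step 2 (at least one is required)."""
    return [p.get("displayName", "<unnamed>") for p in policies if not policy_findings(p)]


# Constructed sample: one policy that matches Step 2, one that does not.
SAMPLE_POLICIES = [
    {"displayName": "Idle timeout - unmanaged browser sessions", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["Office365"]},
                    "clientAppTypes": ["browser"]},
     "sessionControls": {"applicationEnforcedRestrictions": {"isEnabled": True}}},
    {"displayName": "Draft session policy", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["Office365"]},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "sessionControls": {"applicationEnforcedRestrictions": {"isEnabled": True}}},
]

if __name__ == "__main__":
    for p in SAMPLE_POLICIES:
        f = policy_findings(p)
        print(p["displayName"], "-", "OK" if not f else "; ".join(f))
```

Feed it the output of a Graph export (for example from Get-MgIdentityConditionalAccessPolicy converted to JSON) to see which policy, if any, satisfies Step 2 and exactly which criteria the others miss.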

Default Value:

Not configured. (Idle sessions will not timeout.)

See Also

https://workbench.cisecurity.org/benchmarks/12934