Sign out inactive users

This article is for global and SharePoint admins in Office 365 who want to control user access to SharePoint and OneDrive data on unmanaged devices. Idle session sign-out lets you specify a time at which users are warned and subsequently signed out of Office 365 after a period of browser inactivity in SharePoint and OneDrive.

Note

Idle session sign-out applies to the entire organization and can't be set for specific sites or users.

Idle session sign-out is one of a number of policies you can use with SharePoint and OneDrive to balance security and user productivity and help keep your data safe regardless where users access the data, what device they're working on, and how secure their network connection is. For more ways to control access in SharePoint and OneDrive, see How SharePoint Online and OneDrive safeguard your data in the cloud.

The idle session sign-out experience

When a user is inactive in SharePoint and OneDrive for a period of time you specify, they'll see this message:

Inactive Office 365 sign out warning message

Note

Activity is counted as requests sent to SharePoint Online, such as clicks.  Moving the mouse and scrolling are not counted as activity.

If they don't click Continue, they'll be automatically signed out and will see this screen:

Office 365 signed out due to inactivity message

Note

If a user is active in another Office 365 service (such as Outlook), but inactive in SharePoint and OneDrive, they'll be signed out across Office 365. If a user has multiple tabs to OneDrive and SharePoint sites open at the same time, they won't be signed out unless they are inactive on all the sites. > Users won't be signed out if they selected to stay signed in when they signed in. For info about hiding this option, see Add company branding to your sign-in page in Azure AD. Users won't be signed out on a managed device (one that is compliant or joined to a domain), unless they're using inPrivate mode or a browser other than Edge or Internet Explorer. If they use Google Chrome, you need to use an extension to pass the device state claim. For more info about device state claims, see Azure AD conditional access settings.

Specify idle session sign-out settings in the new SharePoint admin center

  1. Sign in to Office 365 as a global admin or SharePoint admin.

  2. Select the app launcher icon The app launcher icon in Office 365 in the upper-left and choose Admin to open the Microsoft 365 admin center. (If you don't see the Admin tile, you don't have Office 365 administrator permissions in your organization.)

  3. In the left pane, choose Admin centers > SharePoint to open the classic SharePoint admin center.

  4. In the upper right, click Try it now to open the new SharePoint admin center.

  5. In the left pane, under Policies, click Access control.

  6. Click Idle session sign-out.

  7. Turn on Sign out inactive users automatically, and then select when you want to sign out users and how much notice you want to give them before signing them out.

  8. Click Save.

Specify idle session sign-out settings using PowerShell

  1. Download the latest SharePoint Online Management Shell.

  2. Connect to SharePoint Online as a global admin or SharePoint admin in Office 365. To learn how, see Getting started with SharePoint Online Management Shell.

  3. Run the following command at the SharePoint Online Management Shell command prompt:

Set-SPOBrowserIdleSignOut -Enabled $true -WarnAfter (New-TimeSpan -Seconds 2700) -SignOutAfter (New-TimeSpan -Seconds 3600) 

Where:

  • -Enabled specifies whether idle session sign-out is enabled or disabled by using $true or $false.

  • -WarnAfter specifies the amount of after which a user is notified that they will be signed out after a period of inactivity as a New-TimeSpan which can be configured in seconds, minutes, or hours.

  • -SignOutAfter specifies the amount of time after which is a user is signed out of Office 365 if they do not respond to the -WarnAfter prompt.

Note

You must specify values for both WarnAfter and SignOutAfter. The SignOutAfter must be greater than the WarnAfter value.
It takes about 15 minutes for the policy to take effect across your organization. The policy doesn't affect existing sessions. To view the idle session sign-out values you've set, use the Get-SPOBrowserIdleSignOut cmdlet.
For info about Office 365 session lengths (regardless of activity), see Session timeouts for Office 365.