Enabling Microsoft 365 Idle Session Timeout

Posted on by Lobsang Wangmo

October 24, 2025

Lobsang Wangmo

Microsoft 365 Announcements

Date: October 24, 2025
To: ACE-IT, EITU, InfoTech-L, Tri-campus Service Desk Heads, EASI Site
From: Enterprise Applications & Solutions Integration
Re: Enabling Microsoft 365 Idle Session Timeout 

 

Dear colleagues, 

As part of our ongoing efforts to enhance the security of our Microsoft 365 environment, we will be enabling the Idle Session Timeout feature across the tenant starting October 28, 2025. 

What’s changing 

Microsoft has announced the retirement of “Activity-Based Authentication Timeout” for Outlook on the web. This is being replaced by a more robust Idle Session Timeout for Microsoft 365, which offers broader protection across a wider range of Microsoft 365 web applications. 

What is Idle Session Timeout? 

Idle Session Timeout is a security feature that automatically signs users out of Microsoft 365 web apps after 9 hours of browser-based inactivity. This change is designed to reduce the risk of unauthorized access, particularly when devices are left unattended while still logged in. 

Key Points: 

    • The timeout policy applies to all web browsers except Microsoft Edge on Intune-managed desktops. It affects Microsoft 365 web applications such as Outlook Web App, SharePoint, OneDrive, Word, Excel, PowerPoint Online, Microsoft365.com, Admin Center, and others. 
    • Works on a per-browser session basis in all web browsers, except for Microsoft Edge on Intune Managed Devices which already have a 10-minute inactivity timeout set at the OS level. 
    • If your session remains inactive for 9 hours, you will receive a notification prompting you to stay signed in. If no action is taken, you will be automatically signed out and prompted to re-authenticate when you return. 
    • Actively using Microsoft 365 web apps will keep your session alive; only idle users will be affected. 

 

Implementing Idle Session Timeout helps protect university data and user accounts by ensuring that unattended browser sessions are not left open indefinitely. This is an important step in strengthening our overall information security posture. 

If you have any questions or concerns, please submit a ticket to the Enterprise Service Centre at (https://uoft.me/m365help). 

 

Kind regards,  

Enterprise Applications & Solutions Integration (EASI)  

Information Technology Services 

University of Toronto