Configuring session timeouts for Outlook on the Web (OWA) in Exchange Online

In today’s browser-first, cloud-first world, many organizations look to reduce risk by imposing strict session timeout settings on their productivity tools and applications. The idea generally is that if a user has not actively used an application for 10–15 mins, they have completed the task they were working on and have forgotten to log off correctly. This can be especially dangerous when these applications are accessed on shared terminals or public computers. Given that email remains a vitally important business tool for many organizations, reducing the session timeout on Exchange Online (and Exchange 2016) is a fairly common request, and it is really simple to do.

By default, session timeout is enabled for OWA (let’s just call it that, shall we?) and it is set to 6 hours. You can confirm this configuration via PowerShell using the Get-OrganizationConfig cmdlet:

Get-OrganizationConfig | FL ActivityBasedAuthenticationTimeout*

There are two parameters in particular worth paying attention to:

  • ActivityBasedAuthenticationTimeoutEnabled
  • ActivityBasedAuthenticationTimeoutInterval

ActivityBasedAuthenticationTimeoutEnabled is pretty self-explanatory; you will want to keep it enabled if you intend to set the timeout interval. The ActivityBasedAuthenticationTimeoutInterval parameter controls the actual timeout interval in hh:mm:ss format, where hh = hours, mm = minutes and ss = seconds. Note that this parameter has a range of 5 min – 8 hrs. Changes can be made using the Set-OrganizationConfig cmdlet. For example, to set the timeout interval to 15 mins we’d issue the following command:

Set-OrganizationConfig -ActivityBasedAuthenticationTimeoutInterval 00:15:00

During my testing, it took a really long time (12+ hrs) for this to take effect so don’t be alarmed if it doesn’t work right away.
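The steps above can be wrapped in one guarded function. This is an added example, not code from the original post: the function name Set-OwaIdleTimeout is hypothetical, and it assumes an Exchange management PowerShell session is already connected so that Get-OrganizationConfig and Set-OrganizationConfig are available.

```powershell
# Added example: hypothetical helper, not from the original post.
# Assumes an Exchange management PowerShell session is already connected.
function Set-OwaIdleTimeout {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [TimeSpan]$Interval
    )

    # The post gives the accepted range as 5 minutes to 8 hours.
    $min = [TimeSpan]::FromMinutes(5)
    $max = [TimeSpan]::FromHours(8)
    if ($Interval -lt $min -or $Interval -gt $max) {
        throw "Interval $Interval is outside the supported range ($min to $max)."
    }

    $current = Get-OrganizationConfig |
        Select-Object ActivityBasedAuthenticationTimeoutEnabled,
                      ActivityBasedAuthenticationTimeoutInterval

    # Over a remote session the interval may come back as a string; normalise it.
    $currentInterval = [TimeSpan]::Parse([string]$current.ActivityBasedAuthenticationTimeoutInterval)

    # Only send the settings that actually differ from what is stored.
    $changes = @{}
    if (-not $current.ActivityBasedAuthenticationTimeoutEnabled) {
        $changes['ActivityBasedAuthenticationTimeoutEnabled'] = $true
    }
    if ($currentInterval -ne $Interval) {
        # hh:mm:ss string, the format used in the post
        $changes['ActivityBasedAuthenticationTimeoutInterval'] = $Interval.ToString()
    }

    if ($changes.Count -eq 0) {
        Write-Verbose 'Timeout already matches the requested value; nothing to change.'
    }
    elseif ($PSCmdlet.ShouldProcess('organization configuration', "Set $($changes.Keys -join ', ')")) {
        Set-OrganizationConfig @changes
    }

    # Report the stored setting; this does not prove it has taken effect yet.
    Get-OrganizationConfig | Format-List ActivityBasedAuthenticationTimeout*
}

# Dry run: shows what would change without modifying the organization.
Set-OwaIdleTimeout -Interval '00:15:00' -WhatIf
```

Drop -WhatIf to apply the change. The final listing reflects the stored configuration only.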

For more information on the Set-OrganizationConfig parameters, see TechNet.

Comments

  • Pavel Voronin

    Thank you!

  • Greg Damon

    Hey Chris. Great to see yet another great blog from you. Seems that SPO and OneDrive now have a preview session timeout. Just tested it successfully – https://techcommunity.microsoft.com/t5/SharePoint-Blog/Introducing-Idle-Session-Timeout-in-SharePoint-and-OneDrive/bc-p/119427.

  • Adrian Pascual

    Good Evening,

    Is it possible to set the timeout to be based on if a browser, or browser tab is closed? Like if I finished what I was doing, then go ahead and close the browser. Will this (or what command) close the session automatically and keep it from staying logged in automatically?

    Any help would be appreciated

    Thank you,

  • Chris

    Hi Adrian,

    I’m not aware of any way to do this – I believe this is something that would need to be done on the client-side.

    Cheers,

    Chris

  • Doug S

    Very nice article Chris. Are the settings mentioned above only for OWA (browser-based) or would this also apply to Outlook client sessions?

  • Doug Swanek

    Hi Chris,
    Thanks for the article. After setting this value in an E2016 environment (no O365) the setting still did not take effect. To make this work on E2016 I did the following that proved successful:

    1. Set the ActivityBasedAuthenticationTimeoutInterval 00:30:00 (30 minutes) as stated above in your article
    2. On each E2016 server ran this cmd then restarted IIS:
    Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA" -Name PrivateTimeout -Value 30 -Type DWord

  • Chris

    Thanks for the info Doug.
