Configuring session timeouts for Outlook on the Web (OWA) in Exchange Online

In today’s browser-first, cloud-first world, many organizations look to reduce risk by imposing strict session timeout settings on their productivity tools and applications. The idea is generally that if a user has not actively used an application for 10–15 minutes, they have completed the task they were working on and have forgotten to log off correctly. This can be especially dangerous when these applications are accessed on shared terminals or public computers. Given that email remains a vitally important business tool for many organizations, reducing the session timeout on Exchange Online (and Exchange 2016) is a fairly common request, and it is really simple to do.

By default, session timeout is enabled for OWA (let’s just call it that, shall we?) and it is set to 6 hours. You can confirm this configuration via PowerShell using the Get-OrganizationConfig cmdlet:

  Get-OrganizationConfig | FL ActivityBasedAuthenticationTimeout*
  

There are two parameters in particular worth paying attention to:

  • ActivityBasedAuthenticationTimeoutEnabled
  • ActivityBasedAuthenticationTimeoutInterval

ActivityBasedAuthenticationTimeoutEnabled is pretty self-explanatory; you will want to keep it enabled if you intend to set the timeout interval. The ActivityBasedAuthenticationTimeoutInterval parameter controls the actual timeout interval in hh:mm:ss format, where hh = hours, mm = minutes and ss = seconds. Note that this parameter has a range of 5 min - 8 hrs. Changes can be made using the Set-OrganizationConfig cmdlet; for example, to set the timeout interval to 15 mins we'd issue the following command:

  Set-OrganizationConfig -ActivityBasedAuthenticationTimeoutInterval 00:15:00
  

During my testing, it took a really long time (12+ hrs) for this to take effect so don't be alarmed if it doesn't work right away.
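
The check-and-set steps above can be combined into one guarded function. This is an added example, not code from the original article: the function name Set-OwaIdleTimeout is hypothetical, and it assumes an Exchange Online PowerShell session is already connected. It rejects values outside the 5 min - 8 hrs range before calling the service, makes sure the feature is enabled, and supports -WhatIf.

```powershell
# Added example, not from the original article. Assumes an Exchange Online
# PowerShell session is already connected. Set-OwaIdleTimeout is a hypothetical name.
function Set-OwaIdleTimeout {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [TimeSpan]$Interval
    )

    # Range stated in the article: 5 minutes to 8 hours.
    $min = [TimeSpan]::FromMinutes(5)
    $max = [TimeSpan]::FromHours(8)
    if ($Interval -lt $min -or $Interval -gt $max) {
        throw "Interval $Interval is outside the allowed range ($min to $max)."
    }

    $before = Get-OrganizationConfig
    # The interval may arrive as a TimeSpan or a string; normalise before comparing.
    $current = [TimeSpan]::Parse([string]$before.ActivityBasedAuthenticationTimeoutInterval)
    $needsChange = (-not $before.ActivityBasedAuthenticationTimeoutEnabled) -or
                   ($current -ne $Interval)

    $applied = $false
    if ($needsChange -and
        $PSCmdlet.ShouldProcess('Organization configuration', "Set OWA idle timeout to $Interval")) {
        # Enable the feature and set the interval in hh:mm:ss form, as in the article.
        Set-OrganizationConfig -ActivityBasedAuthenticationTimeoutEnabled $true `
            -ActivityBasedAuthenticationTimeoutInterval ($Interval.ToString())
        $applied = $true
    }

    # Re-read the stored setting so the caller can log before and after values.
    $after = Get-OrganizationConfig
    [pscustomobject]@{
        PreviousEnabled  = $before.ActivityBasedAuthenticationTimeoutEnabled
        PreviousInterval = $current
        CurrentEnabled   = $after.ActivityBasedAuthenticationTimeoutEnabled
        CurrentInterval  = $after.ActivityBasedAuthenticationTimeoutInterval
        Applied          = $applied
    }
}

# Preview the change first, then run again without -WhatIf to apply it.
Set-OwaIdleTimeout -Interval '00:15:00' -WhatIf
```

The returned object reflects the stored organization setting only; it does not show whether browser sessions are already being timed out at the new interval.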

For more information on the Set-OrganizationConfig parameters, see TechNet.