Important: In January 2024, Microsoft started retiring activity-based authentication timeout for Outlook on the web. It will be unavailable in the future. For a similar experience, you can turn on idle session timeout.
The Activity-Based Authentication Timeout setting for Outlook on the web is configured by using the Set-OrganizationConfig cmdlet.
The following considerations apply to activity-based authentication timeouts:
- A timeout doesn't occur if a user selects the Keep me signed in option when they sign in to Outlook on the web.
- An Office 365 administrator can customize the Office 365 sign-in page for the organization's users to hide the option to remain signed in. For details, see Quickstart: Add company branding to your sign-in page in Azure AD.
- After a timeout occurs, the user is signed out and redirected to the sign-in page. For a pure Office 365 tenant, the user is redirected to Azure Active Directory (Azure AD). For a federated hybrid tenant, the user is redirected to the corporate Security Token Service (STS).
- When a user signs in after a timeout, they are not directed back to the page that was current in Outlook on the web when the timeout was detected.
- The timeout can slightly exceed the timeout interval that is configured in the Set-OrganizationConfig cmdlet parameter. This is due to the timeout-detection implementation in Outlook on the web.
- Because of the timeout-detection implementation in Outlook on the web, Microsoft doesn't recommend that you specify a timeout interval of less than 5 minutes.
- In a federated hybrid environment, after the user is signed out because of the timeout, they can be silently signed in again. This happens if the corporate Active Directory Federation Services (ADFS) uses NTLM or Kerberos authentication to authenticate users who are connecting from an internal network. If the activity-based timeout also has to be applied for users who access Outlook on the web in Office 365 from an internal network, ADFS has to be configured to use Forms-based authentication for such users.
- In a hybrid environment, administrators can't set different timeout intervals for access from internal or external networks. For detailed information about distinguishing between access from internal and external networks, see the TechNet article Public attachment handling in Exchange Online.
- If users who access Outlook on the web in Office 365 from an internal network have to be prevented from being signed out because of the activity timeout, the corporate ADFS has to be configured to use NTLM or Kerberos authentication to authenticate such users.
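The following PowerShell sketch is an added example, not part of the original article. It applies the 5-minute floor from the considerations above before calling Set-OrganizationConfig, then reads the setting back. The function name `Set-OwaActivityTimeout` is hypothetical, the `ActivityBasedAuthenticationTimeout*` parameter names are not given on this page, and an existing Exchange Online PowerShell session (`Connect-ExchangeOnline`) is assumed.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example (hypothetical helper). Assumes Connect-ExchangeOnline has
# already been run with an account allowed to change organization config.

function Set-OwaActivityTimeout {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Idle interval, for example '01:00:00' for one hour.
        [Parameter(Mandatory)]
        [TimeSpan]$Interval
    )

    # Intervals under 5 minutes are not recommended because of how
    # Outlook on the web detects the timeout.
    $floor = [TimeSpan]::FromMinutes(5)
    if ($Interval -lt $floor) {
        throw "Interval $Interval is below the recommended minimum of $floor."
    }

    # Properties to report before and after the change.
    $props = 'ActivityBasedAuthenticationTimeoutEnabled',
             'ActivityBasedAuthenticationTimeoutInterval',
             'ActivityBasedAuthenticationTimeoutWithSingleSignOnEnabled'

    Write-Verbose 'Current settings:'
    Get-OrganizationConfig | Select-Object $props | Out-String | Write-Verbose

    $settings = @{
        ActivityBasedAuthenticationTimeoutEnabled  = $true
        # 'c' renders the TimeSpan as hh:mm:ss for values under one day.
        ActivityBasedAuthenticationTimeoutInterval = $Interval.ToString('c')
    }

    if ($PSCmdlet.ShouldProcess('organization configuration',
            "Set activity-based timeout to $Interval")) {
        Set-OrganizationConfig @settings
    }

    # Return the resulting values so the change can be reviewed or logged.
    # Sessions that used "Keep me signed in" are still not timed out.
    Get-OrganizationConfig | Select-Object $props
}

# Preview the change without applying it:
# Set-OwaActivityTimeout -Interval '01:00:00' -WhatIf -Verbose
```

Because the effective timeout can slightly exceed the configured interval, treat the returned value as a lower bound when documenting session lifetime.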