Description of the Activity-Based Authentication Timeout for OWA in Office 365

Applies to: Exchange Online via Office 365 P PlansExchange Online via Office 365 E Plans

Summary


This article describes considerations that apply for the Activity-Based Authentication Timeout for Microsoft Outlook Web App (OWA) in Microsoft Office 365. 

More Information


The Set-OrganizationConfig cmdlet is used to set the Activity-Based Authentication Timeout for OWA. For detailed syntax, see the TechNet article Set-OrganizationConfig.  

For OWA in Office 365, the following consideration apply to Activity-Based Authentication Timeouts:

  1. A timeout doesn't occur if a user selects the Keep me signed in option when they sign in to OWA.
  2. An Office 365 administrator can customize the Office 365 sign-in page for the organization's users to hide the option to remain signed in. For details, see Quickstart: Add company branding to your sign-in page in Azure AD.
  3. After a timeout occurs, the user is signed out and redirected to the sign-in page. For a pure Office 365 tenant, the user is redirected to the Azure Active Directory (Azure AD). For a federated hybrid tenant, the user is redirected to the corporate Security Token Service (STS). 
  4. When a user signs in after a timeout, they are not directed back to the page that was current in OWA when the timeout was detected.
  5. The timeout can slightly exceed the timeout interval that is configured in the Set-OrganizationConfig cmdlet parameter. This is due to the timeout-detection implementation in OWA.
  6. Because of the timeout detection implementation in OWA, Microsoft doesn't recommend that you specify a timeout interval of less than 5 minutes.
  7. The ActivityBasedAuthenticationTimeoutWithSingleSignOnEnabled parameter is not applied for OWA in Office 365.
  8. In a federated hybrid environment, after the user is signed out because of the timeout, they can be silently signed in again. This happens if the corporate Active Directory Federation Services (ADFS) uses NTLM or Kerberos authentication to authenticate users who are connecting from an internal network. If the activity-based timeout also has to be applied for users who access OWA in Office 365 from an internal network, the ADFS has to be configured to use Forms-based authentication for such users.
  9. In a hybrid environment, administrators can't set different timeout intervals for access from internal or external networks. For detailed information about distinguishing between access from internal and external networks, see the TechNet article Public attachment handling in Exchange Online.
  10. If users who access OWA in Office 365 from an internal network have to be prevented from the signing out because of the activity timeout, the corporate ADFS has to be configured to use NTLM or Kerberos authentication to authenticate such users.