Ensure 'Idle session timeout' is set to '3 hours (or less)' for unmanaged devices
Why This Matters
Unattended devices left logged into Microsoft 365 web apps present a significant security risk, especially for unmanaged or public devices. Without an idle session timeout, unauthorized users can access sensitive company data if a session is left open. This setting automatically signs out inactive users, adding a critical layer of protection against physical or remote session hijacking.
What Aether365 Checks
This check verifies that the idle session timeout is configured to 3 hours or less for unmanaged devices, and that a corresponding Conditional Access policy is in place to enforce it only on non-compliant devices. You will see this check in the Aether365 dashboard under the Entra ID section.
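As an added example (not Aether365's code, nor Microsoft's), the following audits exported Conditional Access policies for one shaped the way this check expects. It assumes Microsoft Graph conditionalAccessPolicy field names, and that scoping the timeout to unmanaged devices is done with the app-enforced-restrictions session control plus a device filter that excludes compliant or hybrid-joined devices; the two sample policies are constructed.

```python
import re

# Assumption: the exported policies use Microsoft Graph conditionalAccessPolicy
# field names (state, conditions, sessionControls, deviceFilter).

def _excludes_managed_devices(devices: dict) -> bool:
    """True if the device filter carves compliant / hybrid-joined devices out."""
    flt = (devices or {}).get("deviceFilter") or {}
    rule = flt.get("rule", "")
    if flt.get("mode") == "exclude":
        return bool(re.search(r'isCompliant\s+-eq\s+True|trustType\s+-eq\s+"ServerAD"', rule))
    if flt.get("mode") == "include":
        return bool(re.search(r"isCompliant\s+-ne\s+True", rule))
    return False

def policy_enforces_idle_timeout(policy: dict) -> bool:
    """Enabled, all users, Office 365 (or all) apps, app-enforced restrictions,
    and limited to unmanaged devices: the shape the check above looks for."""
    if policy.get("state") != "enabled":
        return False
    cond = policy.get("conditions") or {}
    if "All" not in (cond.get("users") or {}).get("includeUsers", []):
        return False
    apps = (cond.get("applications") or {}).get("includeApplications", [])
    if "All" not in apps and "Office365" not in apps:
        return False
    sess = policy.get("sessionControls") or {}
    if not (sess.get("applicationEnforcedRestrictions") or {}).get("isEnabled"):
        return False
    return _excludes_managed_devices(cond.get("devices"))

def find_enforcing_policies(policies: list) -> list:
    """Names of policies that satisfy the check; an empty list is a finding."""
    return [p["displayName"] for p in policies if policy_enforces_idle_timeout(p)]

# Constructed sample export: the first policy matches, the second is unrelated.
SAMPLE_POLICIES = [
    {"displayName": "Idle timeout - unmanaged devices", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["Office365"]},
                    "devices": {"deviceFilter": {"mode": "exclude",
                        "rule": 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'}}},
     "sessionControls": {"applicationEnforcedRestrictions": {"isEnabled": True}}},
    {"displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"builtInControls": ["block"]}},
]

if __name__ == "__main__":
    print(find_enforcing_policies(SAMPLE_POLICIES))
```

The idle session timeout value itself (3 hours or less) is set in the Microsoft 365 admin center and is not part of the policy export, so it still has to be verified there.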
How to Fix
To configure the idle session timeout and enforce it via Conditional Access, follow these steps: