Session Timeouts with Conditional Access in Microsoft Entra

Microsoft
Reco Security Experts
Updated November 11, 2024

Setting Session Timeouts with Conditional Access Policy in Microsoft Entra ID

Remote work and cloud collaboration mean users stay signed in to Microsoft 365 from many devices and networks, often for days at a time. One way to limit what a long-lived session is worth to an attacker is to control its lifetime with Conditional Access policies (CAPs) in Microsoft Entra ID. This guide covers why session lifetimes matter, how Conditional Access policies and their session controls fit in, how to implement them, the practices that keep the result both secure and workable, and the effect on security and productivity.

Introduction to Session Timeouts and Conditional Access Policies in Microsoft Entra ID

A session timeout ends a user's session automatically, either after a period of inactivity (an idle timeout) or after a fixed lifetime (a sign-in frequency), so that a session left open on an unattended or lost device cannot be used indefinitely. In Microsoft Entra ID, Conditional Access implements the second kind: the Sign-in frequency session control forces a fresh authentication once the configured time has passed, and the Persistent browser session control decides whether the session survives closing the browser. Idle timeouts for the Microsoft 365 web apps are a separate setting in the Microsoft 365 admin center, not a Conditional Access control.

Conditional Access policies (CAPs) are if-then rules that Entra ID evaluates whenever a token is issued: if the user, device, location, application and risk signals match the policy's assignments, then its grant controls (block, require MFA, require a compliant device, and so on) and session controls are applied. Unlike password-only authentication, which relies solely on what the user knows, this adds context such as device health, user location, time of access and real-time risk to the access decision.

Conditional Access policies in Microsoft Entra ID can use a wide variety of signals from different sources to determine which policies apply. These signals include the following:

  • User, group membership, or directory role (for example, privileged roles)
  • Device state – compliant or non-compliant devices, device platform, and filters on device attributes
  • Location – named locations, that is, trusted IP ranges or countries/regions
  • Application – the cloud app being accessed and the client app type (browser, mobile apps and desktop clients, legacy authentication clients)
  • User risk – enforce policy based on the Identity Protection user risk level
  • Sign-in risk – based on real-time and offline (calculated) risk detections

A policy combines these signals to decide whether the user is granted access, is blocked, or must first satisfy additional requirements such as MFA.

The access control options are:

  • Block access
  • Grant access, optionally requiring one or more of:
    • Require multifactor authentication – the user must complete an MFA prompt to reach the resource
    • Require authentication strength – a separate grant control that limits which methods satisfy the requirement; the built-in strengths are Multifactor authentication, Passwordless MFA, and Phishing-resistant MFA (SMS is a method allowed within the first, not a strength of its own)
    • Require device to be marked as compliant
    • Require Microsoft Entra hybrid joined device
    • Require app protection policy
    • Require password change – the user must change their password; this control is only available together with the user risk condition and works in combination with MFA

The session timeout itself is not a grant control but a session control on the same policy: Sign-in frequency sets how long before the user must authenticate again (a time-based value in hours or days, or every time), and Persistent browser session controls whether the session persists after the browser is closed. A policy may apply session controls without any grant control at all.

The screenshot shows a policy that blocks access from all countries except the named locations; it applies to all users and excludes the admin accounts.

 

Named Locations

Named Locations are one of the building blocks you will use when writing a policy: either countries/regions or IP ranges that can be used as a location condition.

A common policy is to block access to Microsoft 365 from all countries except the ones where your users work. To build it, define those countries as a countries named location and target the policy at all locations except that one. Keep in mind that the country is resolved from the client IP address (or optionally from GPS coordinates), so a VPN or proxy changes where a sign-in appears to come from.

Another option is to add the public IP addresses of your offices as an IP ranges named location and mark it as trusted. A policy can then treat these locations differently, for example by excluding them from a short sign-in frequency so that users on the office network are re-prompted less often than users elsewhere.

You can add a Named Location in Microsoft Entra as follows:

  1. Open the Microsoft Entra admin center and go to Protection > Conditional Access
  2. Choose Named locations
  3. Click + Countries location
  4. Give the location a name and choose whether location is determined by IP address or GPS coordinates
  5. Select the countries that you want to add to the list
  6. Click Create

The screenshot shows a countries named location, with the location determined by IP address and the Netherlands selected.
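The same two named locations can be created from Microsoft Graph PowerShell, which is useful when you want them reviewable and repeatable across tenants. This is an added example, not code from the article or from Microsoft; the display names, the country code and the 203.0.113.0/24 range (an RFC 5737 documentation prefix) are assumptions to be replaced with your own values.

```powershell
# Added example (not the article's own code): create a countries named location and an
# IP ranges named location with Microsoft Graph PowerShell.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns
# Assumptions: display names, the country code 'NL' and the 203.0.113.0/24 range are placeholders.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

# 1. A countries location. Country is derived from the client IP address here, not GPS.
#    includeUnknownCountriesAndRegions = $false means sign-ins whose country cannot be
#    resolved do NOT match this location; a "block everything except this location"
#    policy therefore blocks them, which is usually what you want.
$countries = @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Allowed countries'
    countriesAndRegions               = @('NL')           # ISO 3166-1 alpha-2 codes
    includeUnknownCountriesAndRegions = $false
    countryLookupMethod               = 'clientIpAddress' # or 'authenticatorAppGps'
}
$countryLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $countries

# 2. An IP ranges location for office egress addresses. isTrusted = $true makes it count
#    as a trusted location, so policies can target 'AllTrusted' without knowing its ID,
#    and Identity Protection takes it into account when scoring sign-in risk.
$office = @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Office egress'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' }
    )
}
$officeLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $office

# The IDs are what a policy's conditions.locations.includeLocations / excludeLocations expect.
"Countries location: {0}  Office location: {1}" -f $countryLocation.Id, $officeLocation.Id

Get-MgIdentityConditionalAccessNamedLocation |
    Select-Object Id, DisplayName, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } } |
    Format-Table -AutoSize
```

Keep the office range tight (your actual egress prefixes, not a whole provider block): anything inside a trusted location is exempted from whatever the policy excludes it from, so an over-broad range quietly widens the exemption.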

The Importance of Setting Session Timeouts

Session timeouts play a critical role in enhancing cybersecurity by:

  • Limiting the Window for Unauthorized Access: Ending sessions after a set lifetime shrinks the window in which an open session on an unattended device can be misused. A sign-in frequency also caps how long a stolen browser session cookie or refresh token stays useful, because the attacker is asked to authenticate again once the lifetime expires; access tokens that were already issued remain valid until they expire, roughly an hour by default.
  • Compliance Requirements: Many regulatory frameworks require session timeouts to protect user data, and a documented Conditional Access policy is evidence that the control exists.
  • Protecting Against Insider Threats: A session that someone else picks up on a shared or unattended workstation is a common route to inadvertent or deliberate misuse; automatic closure narrows it.
  • Encouraging Good Habits: Although primarily a security measure, timeouts also remind employees to sign out when they are not actively using a resource.

Understanding Conditional Access Policies in Microsoft Entra ID

Conditional Access policies let organizations vary the session lifetime by context instead of applying one global value:

  • User Attributes: Conditional Access Policies can enforce different timeout periods based on user roles, privileges, or membership in specific groups.
  • Device Health: Ensuring that only secure and compliant devices can access sensitive resources.
  • Location Awareness: Enforcing stricter policies for access attempts from unfamiliar or high-risk locations.
  • Application Sensitivity: Adapting timeout settings based on the sensitivity of the application or data being accessed.

Implementing Session Timeouts with Conditional Access Policies in Microsoft Entra ID

Implementing effective session timeout policies requires a structured approach:

  1. Assessment and Planning:
    • Identify critical resources and decide on an appropriate sign-in frequency for each, based on sensitivity and compliance requirements (for example, hours for privileged portals, days for low-risk apps on managed devices).
    • Analyze how users actually work, so that the re-authentication interval is strict enough to matter without prompting users several times a day.
  2. Configuring Conditional Access Policies:
    • Create the policies in the Microsoft Entra admin center, or through Microsoft Graph when you want them scripted and reviewable.
    • Define the assignments (users, apps, locations, device state) and set the session controls, Sign-in frequency and Persistent browser session, that apply when those conditions match.
  3. Testing and Validation:
    • Create each policy in report-only mode first and read its results in the sign-in logs before enforcing it, so CAPs are validated without disrupting users.
    • Gather feedback from users and IT administrators and fine-tune the policies on real-world sign-in data.

Steps

  • Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
  • Browse to Protection > Conditional Access, select + New policy, and then select Create new policy.

The image above shows where a new Conditional Access policy is created in the Microsoft Entra admin center.

  • Enter a name for the policy, such as MFA Pilot.
  • Under Assignments, select the current value under Users or workload identities and choose the users and groups the policy applies to. Exclude at least your emergency-access accounts so that a misconfigured policy cannot lock every administrator out.

The next two screenshots show the selection of users and groups for the policy and the check that the correct ones are included.

  • Under Target resources, choose the cloud apps the policy applies to.
  • Under Access controls > Grant, select Grant access and Require multifactor authentication, then Select.
  • Under Session, set Sign-in frequency (and, if wanted, Persistent browser session) when this policy is meant to enforce a session timeout.
  • Set Enable policy to Report-only first; switch it to On once the sign-in logs show the expected results.

The remaining screenshots show the MFA test policy with the grant control set to Require multifactor authentication and the policy being turned on.
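The whole procedure above, as one policy definition, can also be submitted through Microsoft Graph PowerShell. This is an added example and not code from the article or from Microsoft. It creates the MFA Pilot policy from the Steps and adds the two session controls that implement the session timeout the article is about. The group IDs, the 8-hour value and the use of trusted locations are assumptions; adjust them to your tenant.

```powershell
# Added example (not the article's own code): create the "MFA Pilot" policy in report-only
# mode with Microsoft Graph PowerShell, including Sign-in frequency and Persistent browser
# session controls.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns
# Assumptions: the two group IDs below are placeholders; the 8-hour lifetime is an example value.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

$pilotGroupId      = '00000000-0000-0000-0000-000000000001'  # assumed: pilot users group
$breakGlassGroupId = '00000000-0000-0000-0000-000000000002'  # assumed: emergency-access accounts

$policy = @{
    displayName = 'MFA Pilot'
    # Report-only: the policy is evaluated and logged on every sign-in but never enforced.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)
            excludeGroups = @($breakGlassGroupId)   # never lock out the break-glass accounts
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        locations      = @{
            includeLocations = @('All')
            # Office egress ranges marked isTrusted on their named location are exempt,
            # so on-network users are not re-prompted every 8 hours.
            excludeLocations = @('AllTrusted')
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
    sessionControls = @{
        # Force a fresh authentication every 8 hours, regardless of activity.
        signInFrequency = @{
            isEnabled          = $true
            type               = 'hours'
            value              = 8
            frequencyInterval  = 'timeBased'               # or 'everyTime'
            authenticationType = 'primaryAndSecondaryAuthentication'
        }
        # Never persist the session when the browser closes (no "Stay signed in?" prompt).
        persistentBrowser = @{
            isEnabled = $true
            mode      = 'never'
        }
    }
}

# Review the exact request body before anything is created.
$policy | ConvertTo-Json -Depth 10

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State
```

Note that excluding trusted locations from the MFA requirement, as the article's screenshot approach does, is a usability trade-off: anyone who reaches the office egress IPs, including a compromised device on the LAN, is not challenged. If you only want the timeout relaxed on-network but MFA kept everywhere, put the sign-in frequency in its own policy that excludes AllTrusted and leave the MFA policy without the location exclusion.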

Best Practices for Effective Session Management

To optimize the effectiveness of session timeouts and Conditional Access policies:

  • Regular Review and Updates: Periodically review the timeout settings and the report-only results against evolving threats and organizational needs.
  • User Education: Explain to employees why they are re-prompted and what leaving a session unattended can cost, so the control is not seen as an annoyance to work around.
  • Emergency Access: Exclude your emergency-access (break-glass) accounts from every policy and roll out changes in report-only mode first, so a mistake never locks administrators out.
  • Integration with Identity Providers: Use single sign-on (SSO) solutions that honour the Entra session, so the sign-in frequency applies consistently across the apps users reach through it.
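Both the Testing and Validation step and the Regular Review practice above come down to reading what the sign-in logs say a policy did. Every sign-in entry carries an appliedConditionalAccessPolicies collection, and a report-only policy records results such as reportOnlySuccess, reportOnlyFailure, reportOnlyNotApplied and reportOnlyInterrupted there. The script below is an added example, not the article's own code; the policy name and the seven-day window are assumptions.

```powershell
# Added example (not the article's own code): summarize how a Conditional Access policy
# behaved over the last seven days, from the Entra sign-in logs, before switching it on.
# Requires: Install-Module Microsoft.Graph.Reports
# Assumptions: the policy name and the 7-day window are placeholders.

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$policyName = 'MFA Pilot'   # assumed: the policy created earlier
$since      = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# Pull every interactive sign-in since $since; -All follows the paging for us.
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Flatten to one row per (sign-in, matching policy).
$results = foreach ($s in $signIns) {
    foreach ($p in $s.AppliedConditionalAccessPolicies) {
        if ($p.DisplayName -eq $policyName) {
            [pscustomobject]@{
                When   = $s.CreatedDateTime
                User   = $s.UserPrincipalName
                App    = $s.AppDisplayName
                Ip     = $s.IpAddress
                Result = $p.Result
            }
        }
    }
}

# How often the policy applied, and with what outcome.
$results | Group-Object Result | Select-Object Name, Count | Format-Table -AutoSize

# In report-only mode, failure/interrupted rows are the sign-ins that WOULD have been
# blocked or prompted. Look at these users and apps before changing state to 'enabled'.
$results |
    Where-Object { $_.Result -in 'reportOnlyFailure', 'reportOnlyInterrupted' } |
    Sort-Object User, When |
    Format-Table When, User, App, Ip, Result -AutoSize
```

A large count of reportOnlyNotApplied usually means the assignments are narrower than intended (wrong group, or an exclusion that matches more than expected); a large count of reportOnlyInterrupted on a sign-in frequency policy is the re-authentication prompts users will start seeing once it is enforced.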

Impact on Security and Productivity

Session timeouts enforced through CAPs affect both security and productivity:

  • Security Enhancement: Bounds how long an unattended session or a stolen token can be used, reducing the risk of unauthorized access and data breaches.
  • Compliance Adherence: Helps organizations meet regulatory requirements for access control, with the policy itself as the evidence.
  • Operational Efficiency: Prompts users to re-authenticate on a predictable schedule rather than at random, and reduces the payoff of session hijacking; choosing the interval per context keeps the prompts from getting in the way of work.

Conclusion

Setting session timeouts through Conditional Access policies is a fundamental part of a modern identity security strategy. By using CAPs to enforce sign-in frequency and browser persistence based on who is signing in, from where, and on what device, organizations can limit the value of a compromised session, maintain compliance, and encourage responsible use of resources without applying one blunt timeout to everyone. As the threats against sessions and tokens continue to evolve, keeping session lifetimes under review remains imperative for a secure and productive environment.
