Idle session timeout in SPO and ODFB

Idle session timeout is a feature that kicks in after a period of inactivity. It allows O365 administrators to automatically sign out inactive sessions, preventing the overexposure of information in case a user leaves a computer unattended. This is done by first displaying a warning prompt and then signing the user out of SharePoint Online and OneDrive for Business.

This is a useful feature in scenarios where shared PCs are used by multiple users. We have to take into account that this feature is activated for the entire tenant (it is not possible to configure it for specific users) and only applies to web browser sessions 🙂

By default, this new feature is disabled, so in order to enable it we have to use SPO PowerShell module and execute the following commands:

Connect-SPOService -Url "https://yourtenant-admin.sharepoint.com"
Set-SPOBrowserIdleSignOut -Enabled $true -WarnAfter (New-TimeSpan -Seconds 100) -SignOutAfter (New-TimeSpan -Seconds 120)
Disconnect-SPOService

Once the idle session timeout has been activated, it is necessary to know that this setting will only take effect for new sessions. Once the timespan is reached (in my case 100 seconds), the user will be notified as follows:

[Screenshot: inactivity warning shown to the user]

If the timespan for sign-out is reached (in my example 120 seconds), the user will receive the following message:

[Screenshot: sign-out message]

The user will then need to log in to O365 again.

If, by any chance, you need to deactivate the idle session timeout in your tenant, it will be necessary to execute the following command:

Set-SPOBrowserIdleSignOut -Enabled $false

Also, it is necessary to be aware of what counts as activity and of the following restrictions and limitations:

  1. Mouse movement or scrolling up and down is not included as activity. Activity is counted as requests sent to SharePoint Online. Mouse clicks within the context of a site are considered activity.
  2. Idle session timeout is limited to SharePoint Online browser sessions; however, it will sign users out of all Office 365 workloads within that browser session.
  3. It will not sign out users who are on managed devices or who select Keep Me Signed In during sign-in.
  4. Idle session timeout is currently limited to Classic sites. A fix will be rolled out to support Modern sites soon.
  5. The WarnAfter and SignOutAfter values cannot be the same.
  6. The policy scope is Tenant-wide.
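
The following is an added example, not part of the original post: it checks the WarnAfter/SignOutAfter rule from the list above before applying the policy and then reads the setting back. `Set-IdleSignOutPolicy` is a hypothetical helper name, the tenant URL is a placeholder, and the 25/30 minute values are constructed for illustration.

```powershell
# Added example: validate and apply the tenant-wide idle sign-out policy.
# Set-IdleSignOutPolicy is a hypothetical helper, not a cmdlet of the SPO module.
function Set-IdleSignOutPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $AdminUrl,
        [Parameter(Mandatory)] [timespan] $WarnAfter,
        [Parameter(Mandatory)] [timespan] $SignOutAfter
    )

    # The two values cannot be the same, and a warning that fires at or after
    # the sign-out would never be seen, so require WarnAfter < SignOutAfter.
    if ($WarnAfter -ge $SignOutAfter) {
        throw "WarnAfter ($WarnAfter) must be shorter than SignOutAfter ($SignOutAfter)."
    }

    Connect-SPOService -Url $AdminUrl
    try {
        if ($PSCmdlet.ShouldProcess($AdminUrl, "Enable idle sign-out after $SignOutAfter")) {
            Set-SPOBrowserIdleSignOut -Enabled $true -WarnAfter $WarnAfter -SignOutAfter $SignOutAfter
        }
        # Read the policy back so the change is confirmed rather than assumed
        Get-SPOBrowserIdleSignOut
    }
    finally {
        # Always close the admin session, even if the update failed
        Disconnect-SPOService
    }
}

# Placeholder tenant URL and constructed timeout values
Set-IdleSignOutPolicy -AdminUrl 'https://yourtenant-admin.sharepoint.com' `
    -WarnAfter (New-TimeSpan -Minutes 25) -SignOutAfter (New-TimeSpan -Minutes 30)
```

Because the policy only affects new sessions, users who are already signed in keep their old behaviour until they sign in again.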

For more info:

https://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin-mso_shareon-mso_o365b/idle-session-timeout-in-sharepoint-and-onedrive/d128a00e-7c66-482b-abca-96b4e2b89436

https://techcommunity.microsoft.com/t5/SharePoint-Blog/Introducing-Idle-Session-Timeout-in-SharePoint-and-OneDrive/ba-p/119208


OneDrive for Business: File restore

Once again Microsoft has impressed me by rolling out this incredible feature. It allows end users to restore files from their OneDrive for Business from any point in time during the last 30 days.

I am sure that the inclusion of this feature will allow a lot of users to solve their day-to-day problems. For example, I remember one customer having all his OneDrive files blocked by a CryptoLocker, and the only way to solve his problem was to ask Microsoft to restore the entire OneDrive, losing their recent changes. So, I hope that Files Restore will solve this problem.

Furthermore, this tool is very graphical, so it will be very easy to select a file or a bunch of them and restore to a point in time. At the time of writing this article, I've checked all my tenants and the tool hasn't been rolled out yet.

You can learn more about it in the following post: https://techcommunity.microsoft.com/t5/OneDrive-Blog/Announcing-New-OneDrive-for-Business-feature-Files-Restore/ba-p/147436 

SPO and O4B Per Group Sharing Controls

This new feature – which hits first release tenants in June 2017 – will give extra control over who and how information can be shared with external/third party users in SharePoint Online and OneDrive for Business.

This control allows you to limit sharing with external users based on a specific AD security group, and more than one security group can be configured for that control.

In order to configure this feature, we have to take into account that it provides 2 options:

  • Users in selected security groups share with authenticated external users: Only users in the assigned security groups will be able to share with external users. If you are not included in these groups you cannot share with an external user who is not in your organization.


  • Users in selected security groups share with authenticated external users and using anonymous links: Users will be able to share with external users and also create anonymous links.


An important thing to note about this new sharing control is that the site collection policy will always take precedence. So, if anonymous sharing is disabled at site collection level (whether it is an SPO or a OneDrive personal site), users in the security group will not be able to share anonymously in that site collection.

Audit logs for OneDrive

Last week, a colleague asked me what auditing possibilities OneDrive has, but to be honest, no one likes being audited.

At the beginning, I was not sure what to answer, because I was sure that the Admin center has information about the tenant, but at the same time I was sure enough that the Admin center would not fulfil the requirements of the project.

I started digging into O365, and I realized that there is an amazing feature called the O365 audit log report inside the Compliance Center. It allows you to search the audit log to view user activity in the O365 organization, for example:

  • User activity in SharePoint Online and OneDrive for Business
  • User activity in Exchange Online (Exchange mailbox audit logging)
  • Admin activity in SharePoint Online
  • Admin activity in Azure Active Directory (the directory service for Office 365)
  • Admin activity in Exchange Online (Exchange admin audit logging)
  • User and admin activity in Sway
  • User and admin activity in Power BI for Office 365
  • User and admin activity in Yammer

If you want to know all the activities that you can select per category, visit: https://support.office.com/en-us/article/Search-the-audit-log-in-the-Office-365-Protection-Center-0d4d0f35-390b-4518-800e-0c7ec95e946c?ui=en-US&rs=en-US&ad=US

Knowing how to audit your information is an important skill. Therefore, I want to show you how to activate all this data:

Access your O365 tenant and, inside the Admin center, go to the Security section:

[Screenshot: Security section of the Admin center]

Then click on Office 365 audit report to access Audition and reports. Take into account that before you are able to create new reports, you will need to activate the recording. So, let's begin:

[Screenshots: turning on audit log recording]

And select “Turn On”


Then, you will need to wait for some time… After this time, you will be able to create activity reports, with many other filters (like date range, folders, etc…)


Currently, the audit history is retained for 90 days. I suppose it will be possible to ask MS to extend the audit log, but take into account that it is possible to export the results to CSV.
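
Once results are exported to CSV they can be reviewed offline. The following is an added example, not part of the original post: it assumes the export has the columns CreationDate, UserIds, Operations and AuditData (a JSON document per row), and the rows, users, addresses and watch list below are constructed sample data.

```powershell
# Added example. Constructed sample rows in the assumed shape of an audit log export.
$csv = @'
CreationDate,UserIds,Operations,AuditData
2018-02-01T09:14:02Z,alice@contoso.example,FileAccessed,"{""Workload"":""OneDrive"",""ClientIP"":""203.0.113.10"",""ObjectId"":""https://tenant-my.example/personal/alice/Documents/plan.docx""}"
2018-02-01T09:20:41Z,bob@contoso.example,AnonymousLinkCreated,"{""Workload"":""OneDrive"",""ClientIP"":""198.51.100.7"",""ObjectId"":""https://tenant-my.example/personal/bob/Documents/payroll.xlsx""}"
2018-02-01T09:21:05Z,bob@contoso.example,FileDownloaded,"{""Workload"":""OneDrive"",""ClientIP"":""198.51.100.7"",""ObjectId"":""https://tenant-my.example/personal/bob/Documents/payroll.xlsx""}"
2018-02-01T10:02:13Z,carol@contoso.example,FileDownloaded,"{""Workload"":""SharePoint"",""ClientIP"":""203.0.113.44"",""ObjectId"":""https://tenant.example/sites/hr/Shared Documents/policy.pdf""}"
'@

# Operations worth a second look in a OneDrive review (assumed watch list; adjust as needed)
$watch = 'AnonymousLinkCreated', 'SharingSet', 'FileDownloaded'

function Get-OneDriveAuditHit {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [Parameter(Mandatory)] [string[]] $Operations
    )
    foreach ($row in $Rows) {
        # AuditData is a JSON document stored inside a single CSV column
        $data = $row.AuditData | ConvertFrom-Json
        if ($data.Workload -eq 'OneDrive' -and $row.Operations -in $Operations) {
            [pscustomobject]@{
                Time      = [datetime]::Parse($row.CreationDate).ToUniversalTime()
                User      = $row.UserIds
                Operation = $row.Operations
                ClientIP  = $data.ClientIP
                Object    = $data.ObjectId
            }
        }
    }
}

$hits = Get-OneDriveAuditHit -Rows ($csv | ConvertFrom-Csv) -Operations $watch

# Timeline of watched OneDrive events, then a per-user/operation count
$hits | Sort-Object Time | Format-Table -AutoSize
$hits | Group-Object User, Operation | Select-Object Count, Name
```

With the sample rows, only the two OneDrive events from bob@contoso.example are reported; the FileAccessed row is not on the watch list and the SharePoint download is outside the OneDrive workload.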

Another wonderful feature is the ability to create activity alerts to automate the process. Imagine that you need to keep an eye on specific events: you can execute a search and then click on add an alert. You will need to specify a recipient for the alert.

Therefore, when the audit detects a match between the alert and an event, it will trigger an email to the recipient specified.

As you can imagine, there are other options to detect events from the compliance center, for example using the APIs of Office 365.

Hope it helps!!

Which version of OneDrive am I running?

As a user, you will probably ask yourself this question one day, so I will explain how to find out which version of OneDrive for Business you're running.

First of all, you will need to go to "C:\Program Files\Microsoft Office\root\Office16"

Take into account that the directory will be different if you are using the 32-bit version or if you have installed the OS in another language.

Locate the Groove.exe application, right-click it and select Properties, then navigate to the Details tab, where you will see the version you're running:

[Screenshot: Groove.exe Properties, Details tab]

It is also possible to do this by pressing Ctrl+Shift+Esc: go to the Details tab, right-click on Groove.exe, select Properties, then Details, and you will see the same version as shown before. Then check whether it is the latest version or whether you need to update the client.

Hope it helps!