https://support.office.com/en-gb/article/Session-timeouts-for-Office-365-37a5c116-5b07-4f70-8333-5b86fd2c3c40
Session timeouts for Office 365
<section class="ocpIntroduction">
Session lifetimes are an important part of browser-based authentication for Office 365 and are an important component in balancing security and the number of times users are prompted for their credentials.
</section><section class="ocpSection">
Session times for Office 365 services
When you authenticate to any of the Office 365 web apps, a session is established between your browser and the Office 365 web app you’re using. For the duration of the session, you won’t need to re-authenticate to the web app. Sessions can expire when you're
inactive, when you close the browser or tab, or when your authentication token expires for other reasons such as when a password has been reset. Each of the different web apps in Office 365 have different session timeouts. The default timeout value is in line
with how you normally use the app.
The following table lists the session lifetimes for Office 365 services:
|
Office 365 service
|
Session timeout
|
|
SharePoint Online
|
5 days of inactivity. Each time a user accesses SharePoint Online, the timeout value is reset to 5 days.
|
|
Outlook Web App
|
24 hours.
You can change this value by using the ActivityBasedAuthenticationTimeoutInterval parameter in the
Set-OrganizationConfig cmdlet.
|
|
Skype for Business Server 2015 (Desktop/modern client)
|
The default and minimum value is 8 hours. The maximum value is 24 hours.
|
|
Skype for Business Server 2015 (web)
|
The default value is 8 hours. The minimum value is 15 minutes. The maximum value is what the actual sign-in token (e.g. OAuth token) specifies, or 8 hours if it is not specified in the sign-in token (e.g. OrgID token).
|
|
Skype for Business Server 2015 (web, anonymous user)
|
The default value is 1 hour. The minimum value is 5 minutes. The maximum value is 1 hour.
|
|
Azure Active Directory
(Used by Office 2013 Windows clients with modern authentication enabled)
|
Modern authentication uses access tokens and refresh tokens to grant uses access to Office 365 resources using Azure Active Directory. An access token is a JSON Web Token provided after a successful authentication and is valid for 1 hour. A refresh token
with a longer lifetime is also provided. When access tokens expire, Office clients use a valid refresh token to obtain a new access token. This exchange succeeds if the user’s initial authentication is still valid.
Refresh tokens are valid for 14 days, and with continuous use, they can be valid up to 90 days. After 90 days, users will be asked to re-authenticate.
Refresh tokens can be invalidated by several events such as :
|
</section>
