Check: ENTR-ID-000030
Microsoft Entra ID STIG: ENTR-ID-000030 (in version v1 r1)
Title
Microsoft Entra ID must initiate a session lock after a 15-minute period of inactivity. (Cat II impact)
Discussion
Session locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Session locks can be implemented at the operating system level or at the application level. A proximity lock may be used to initiate the session lock (e.g., via a Bluetooth-enabled session or dongle). User-initiated session locking is behavior or policy-based and, as such, requires users to take physical action to initiate the session lock. Session locks are not an acceptable substitute for logging out of systems, such as when organizations require users to log out at the end of workdays.
Satisfies: SRG-APP-000295
Check Content
To verify the inactivity timeout is configured for 15 minutes or less, follow the steps outlined below:
1. Sign in to entra.microsoft.us.
2. Navigate to the Gear icon (right) and select Settings >> Signing out + notifications.
3. Check that "Enable directory level idle timeout" is selected.
4. Verify the Signing out value is 15 minutes or less.
If the directory level idle timeout is not set to 15 minutes or less, this is a finding.
Fix Text
1. Sign in to entra.microsoft.us.
2. Navigate to the Gear icon (right) and select Settings >> Signing out + notifications.
3. Check the "Enable directory level idle timeout" box.
4. Set the "Hours" field to "0" and the "Minutes" field to "15".
5. Click "Apply".
Additional Identifiers
Rule ID: SV-270200r1085610_rule
Vulnerability ID: V-270200
Group Title: SRG-APP-000003
Expert Comments
CCIs
Number | Definition
---|---
CCI-000057 | Prevent further access to the system by initiating a device lock after organization-defined time period of inactivity; and/or requiring the user to initiate a device lock before leaving the system unattended.
CCI-002361 | Automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect.