Microsoft Entra ID must initiate a session lock after a 15-minute period of inactivity.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-270200 | SRG-APP-000003 | ENTR-ID-000030 | SV-270200r1085610_rule | 2025-03-17 | 1 |
Description

Session locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Session locks can be implemented at the operating system level or at the application level. A proximity lock may be used to initiate the session lock (e.g., via a Bluetooth-enabled session or dongle). User-initiated session locking is behavior- or policy-based and, as such, requires users to take physical action to initiate the session lock. Session locks are not an acceptable substitute for logging out of systems, such as when organizations require users to log out at the end of workdays.

Satisfies: SRG-APP-000295
Check

To verify the inactivity timeout is configured for 15 minutes or less, follow the steps outlined below:

1. Sign in to entra.microsoft.us.
2. Navigate to the Gear icon (right) and select Settings >> Signing out + notifications.
3. Check that "Enable directory level idle timeout" is selected.
4. Verify the Signing out value is 15 minutes or less.

If the directory level idle timeout is not set to 15 minutes or less, this is a finding.
Fix

1. Sign in to entra.microsoft.us.
2. Navigate to the Gear icon (right) and select Settings >> Signing out + notifications.
3. Check the "Enable directory level idle timeout" box.
4. Set the "Hours" field to "0" and the "Minutes" field to "15".
5. Click "Apply".