SharePoint Online E1 has security issue "by design"?

JanSp 136 Reputation points

For our document management service with SharePoint Online, we use a Microsoft Office 365 E1 subscription for users with any device from anywhere.
It is very important for an online business service that there is sufficient certainty about the identity of the user when he logs in for the first time and after he has been inactive for a certain period of time (e.g. 30 - 60 minutes). Office 365 E1 is intended for this use case and provides the MFA and Idle Session Sign Out features.
It has been found that the idle session sign-out policy only applies to browser users; the sign-out policy of the private Office/OneDrive account takes precedence over the sign-out policy of the corporate account for our SharePoint Online service. To be clear: this user has two accounts, a private account for his PC with Office and OneDrive and a second account for our business service SharePoint Online.
There is no way to prevent desktop app users from retaining their access after the initial login to our SharePoint Online service, even after months of inactivity, without having to re-identify. This means that the central policy of our corporate service is overruled by the policy of the user's private account.

After many sessions and escalation with various Microsoft support groups, the SharePoint Online support group considers this issue to be "by design".
It is recommended by the support group to report the shortcoming to the feedback portal and use additional Azure AD Premium P1 licenses to close the gap.
So Microsoft support admits that it cannot provide Office E1 with sufficient protection for its intended use. As a result, the Microsoft "Security by default" policy does not apply to this product.
We are disappointed with the outcome of the support request.
On this forum it was advised to submit a support request, see add-a-place-in-word-and-security.html
It is agreed that I will inform the support group of any feedback on the Microsoft forum regarding the support request.

Your feedback is welcome.


1 answer

Marshaljs 26,816 Reputation points


    Have you considered configuring the idle timeout value - idle-session-timeout-policy
    and this one - idle-session-timeout-web-apps

    Hope this helps.

    Please Accept the answer if the information helped you. This will help us and others in the community as well.
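The idle session sign-out policy referenced in the answer above is set per tenant with the SharePoint Online Management Shell. The following is an added example, not code from either participant; the admin URL is a placeholder tenant and the 30/60-minute values are the range the question mentions. As the question points out, this policy governs browser sessions only, so the verification step at the end shows what it does and does not cover.

```powershell
# Added example: configure and verify the SharePoint Online browser idle sign-out policy.
# Requires the SharePoint Online Management Shell module and a SharePoint admin account.
# "contoso-admin" is a placeholder; replace it with your tenant's admin URL.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Warn the browser user after 30 minutes of inactivity and sign them out after 60.
# These values match the 30 - 60 minute window the question asks for.
Set-SPOBrowserIdleSignOut -Enabled $true `
    -WarnAfter (New-TimeSpan -Minutes 30) `
    -SignOutAfter (New-TimeSpan -Minutes 60)

# Read the policy back so the change can be recorded in a change ticket.
$policy = Get-SPOBrowserIdleSignOut
$policy

# Scope check: this setting is applied to browser sessions only. Desktop Office and
# OneDrive sync clients that already hold a token are not signed out by it, which is
# the gap the question describes; closing it for those clients needs a sign-in
# frequency control outside this cmdlet (the support group pointed to Azure AD Premium P1).
if (-not $policy.Enabled) {
    Write-Warning "Browser idle sign-out is still disabled; the Set-SPOBrowserIdleSignOut call did not take effect."
}
```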