Over the past two months, we have seen an incredible amount of digital transformation – in our lives, with our workplaces, and even with our families. I’m not even going to begin to quote Microsoft’s leadership – you can read about the digital transformation trends for yourself. In retrospect, I would argue that most companies have been rushing to utilize cloud services without ensuring that they are delivering on best practices surrounding security, so I’m putting together a series on what I consider to be some of the most overlooked Azure AD configuration settings.
My goal today is to introduce (or re-introduce) you to the Azure AD directory-level inactivity timeout for the Azure portal, and to recommend a few best-practice settings to protect your Azure resources from unauthorized access.
What does the directory-level inactivity timeout do for me?
When users forget to lock their workstations and/or sign out of the Azure portal when they are finished, this directory-level Azure AD setting automatically signs the account out of the portal once the configured maximum idle time has been reached. It applies across the whole directory. There are a number of preset values to choose from, or you can set a custom value in hours and minutes.
What do I need to do to configure this setting?
First, you need Global Administrator privileges on the intended Azure Active Directory tenant. Note that this is a per-tenant configuration: if you manage multiple Azure AD directories, you must configure the setting separately in each directory/tenant.
- Sign in to the Azure portal with your Global Administrator credentials (hopefully you are required to use MFA and/or a security key when signing in with this account).
- Click on the settings icon in the top header menu.
- On the blade that opens on the right side of the page, select the link named “Configure directory level timeout” to begin configuration.
- When the new blade opens, tick the checkbox in front of “Enable directory level idle timeout for the Azure portal”.
- Set the desired timeout value in hours and minutes (15 or 30 minutes should suffice here).
- Remember to click the Apply button at the bottom of the blade to save your changes.
- You will receive a notification confirming that the new inactivity timeout policy is in effect. Note that it only applies to new portal sessions started from this point forward; sessions that are already open are not affected.
My portal Admins/Devs/Engineers/Users might hate this change – can they adjust the setting on their own?
Yes, they can change the setting for themselves, but only to a shorter timeout than the directory-level value configured by the Global Administrator; they cannot extend it. I personally recommend a 15 or 30 minute timeout, but your mileage (and your Security team) will vary.
If your organization manages Azure resources with a DevOps approach and rarely touches the portal, this may not seem like an important change for portal management. Please don’t overlook it: the setting affects ALL users who sign in to the portal for the organization, not just assigned Administrators, and any user with an idle, unlocked portal session is a potential path to your resources.
“An ounce of prevention”, right? I do hope that this and further Azure best practice tips help you on your digital transformation journey!