check before: 2026-01-01
Product:
Exchange, Microsoft 365 Apps, Microsoft 365 for the web, Outlook
Platform:
Online, US Instances, Web, World tenant
Status:
Change type:
User impact, Admin impact, Retirement
Links:
Details:
Summary:
Outlook on the web's activity-based timeout (ABT) will retire by January 2026 (February for GCC/DoD). Admins must enable Microsoft 365 idle session timeout for consistent session control across apps. Users won't auto-sign out without it. Prepare by reviewing ABT use, enabling the new timeout, and updating documentation.
Details:
Outlook on the web activity-based timeout is retiring
To simplify session timeout management and improve consistency across Microsoft 365 apps, we're retiring the activity-based authentication timeout (ABT) setting for Outlook on the web. Admins should transition to the Microsoft 365 idle session timeout, which provides a unified experience across supported Microsoft 365 web applications.
When this will happen:
The retirement will roll out in phases based on cloud environment:
Worldwide: Early January 2026 to late January 2026
GCC, GCCHigh, and DoD: Early February 2026 to late February 2026
Change Category:
XXXXXXX ... free basic plan only
Scope:
XXXXXXX ... free basic plan only
Release Phase:
Created:
2025-10-02
updated:
2025-10-02
Task Type
XXXXXXX ... free basic plan only
Docu to Check
XXXXXXX ... free basic plan only
MS How does it affect me
XXXXXXX ... free basic plan only
MS Preperations
XXXXXXX ... free basic plan only
MS Urgency
XXXXXXX ... free basic plan only
MS workload name
XXXXXXX ... free basic plan only
summary for non-techies**
XXXXXXX ... free basic plan only
Direct effects for Operations**
Session Management
Without enabling the Microsoft 365 idle session timeout, users will remain signed in indefinitely, increasing the risk of unauthorized access to sensitive information if devices are left unattended.
- roles: End Users, IT Security Team
- references: https://learn.microsoft.com/microsoft-365/admin/manage/idle-session-timeout-web-apps?view=o365-worldwide&WT.mc_id=365AdminCSH_inproduct#details-about-idle-session-timeout" target="_blank" rel="nofollow noopener noreferrer">https://learn.microsoft.com/microsoft-365/admin/manage/idle-session-timeout-web-apps?view=o365-worldwide&WT.mc_id=365AdminCSH_inproduct#details-about-idle-session-timeout, https://learn.microsoft.com/microsoft-365/admin/security-and-compliance/idle-session-timeout?view=o365-worldwide
User Experience
Users may experience confusion or frustration due to unexpected session persistence, leading to potential security concerns and lack of clarity on session management policies.
- roles: End Users, Helpdesk Support
- references: https://support.microsoft.com/topic/activity-based-authentication-timeout-for-outlook-on-the-web-in-office-365-0c101e1b-020e-69c1-a0b0-26532d60c0a4
Compliance Risks
Failure to implement the new timeout settings may lead to non-compliance with internal security policies, exposing the organization to potential data breaches.
- roles: Compliance Officers, IT Security Team
- references: https://learn.microsoft.com/microsoft-365/admin/manage/idle-session-timeout-web-apps?view=o365-worldwide&WT.mc_id=365AdminCSH_inproduct#details-about-idle-session-timeout" target="_blank" rel="nofollow noopener noreferrer">https://learn.microsoft.com/microsoft-365/admin/manage/idle-session-timeout-web-apps?view=o365-worldwide&WT.mc_id=365AdminCSH_inproduct#details-about-idle-session-timeout
Documentation Gaps
If internal documentation is not updated to reflect the new timeout policy, users and support teams may lack guidance on managing session timeouts effectively.
- roles: IT Documentation Team, Helpdesk Support
- references: https://learn.microsoft.com/microsoft-365/admin/manage/idle-session-timeout-web-apps?view=o365-worldwide&WT.mc_id=365AdminCSH_inproduct#details-about-idle-session-timeout" target="_blank" rel="nofollow noopener noreferrer">https://learn.microsoft.com/microsoft-365/admin/manage/idle-session-timeout-web-apps?view=o365-worldwide&WT.mc_id=365AdminCSH_inproduct#details-about-idle-session-timeout
Increased Support Tickets
The lack of automatic sign-out may lead to an increase in support tickets related to session management and security concerns from users.
- roles: Helpdesk Support, IT Support Team
- references: https://learn.microsoft.com/microsoft-365/admin/manage/idle-session-timeout-web-apps?view=o365-worldwide&WT.mc_id=365AdminCSH_inproduct#details-about-idle-session-timeout" target="_blank" rel="nofollow noopener noreferrer">https://learn.microsoft.com/microsoft-365/admin/manage/idle-session-timeout-web-apps?view=o365-worldwide&WT.mc_id=365AdminCSH_inproduct#details-about-idle-session-timeout
Configutation Options**
XXXXXXX ... paid membership only
Potentional Risks**
XXXXXXX ... paid membership only
IT Security**
XXXXXXX ... paid membership only
explanation for non-techies**
Imagine you're running a coffee shop. You have a rule that if a customer leaves their table for too long without buying anything, you clear their table to make room for new customers. This is similar to how the current activity-based timeout (ABT) works in Outlook on the web. If a user is inactive for a certain period, they are automatically signed out to keep things secure and efficient.
However, starting in January 2026, this specific rule for Outlook on the web is being retired. Instead, Microsoft wants to apply a new rule across all its apps, like having a uniform policy for all tables in your coffee shop, not just the ones by the window. This new rule is called the Microsoft 365 idle session timeout. It ensures that all apps follow the same guidelines for when to clear a table, or in this case, sign out a user due to inactivity.
For managers and HR staff, this means you need to ensure that your IT administrators enable this new idle session timeout. If they don't, users won't be automatically signed out of Outlook on the web when they're inactive, which could lead to security risks, like leaving sensitive information visible on an unattended screen.
Think of it as updating your employee handbook to include this new policy so everyone knows what to expect. You'll need to communicate this change to your team, especially those who handle IT and security, to ensure they understand the new process and can implement it smoothly. Additionally, any internal documentation that mentions the old ABT rule should be updated to reflect this new policy.
By preparing for this change, you ensure that your organization maintains a consistent and secure approach to managing user sessions across all Microsoft 365 applications, much like ensuring all your coffee shop tables are managed efficiently and securely.
** AI generated content. This information must be reviewed before use.
a free basic plan is required to see more details. Sign up here
A cloudsocut.one plan is required to see all the changed details. If you are already a customer, choose login.
If you are new to cloudscout.one please choose a plan.
Last updated 4 weeks ago ago
