Microsoft 365 Session Times

Overview

The following chart below provides the default configuration for the session token for each service in M365. Additionally, a link is provided on how to modify these session times for your organization.

Microsoft 365 service	Session timeout
Microsoft 365 admin center	You're asked to provide credentials for the admin center every 8 hours.
SharePoint	5 days of inactivity as long as the users chooses Keep me signed in. If the user accesses SharePoint again after 24 or more hours have passed from the previous sign-in, the timeout value is reset to five days.
Outlook Web App	Six hours. You can change this value by using the ActivityBasedAuthenticationTimeoutInterval parameter in the Set-OrganizationConfig cmdlet.
Microsoft Entra ID (Used by Office and Microsoft 365 applications in Windows clients with modern authentication enabled)	Modern authentication uses access tokens and refresh tokens to grant user access to Microsoft 365 resources using Microsoft Entra ID. An access token is a JSON Web Token provided after a successful authentication and is valid for 1 hour. A refresh token with a longer lifetime is also provided. When access tokens expire, Office clients use a valid refresh token to obtain a new access token. This exchange succeeds if the user's initial authentication is still valid. Refresh tokens are valid for 90 days, and with continuous use, they can be valid until revoked. Refresh tokens can be invalidated by several events such as: User's password has changed since the refresh token was issued. An administrator can apply conditional access policies that restrict access to the resource the user is trying to access.
SharePoint and OneDrive mobile apps for Android, iOS, and Windows 10	The default lifetime for the access token is 1 hour. The default max inactive time of the refresh token is 90 days. Learn more about tokens and how to configure token lifetimes To revoke the refresh token, you can reset the user's Microsoft 365 password
Viva Engage with Microsoft 365 Sign-In	Lifetime of the browser. If users close the browser and access Viva Engage in a new browser, Viva Engage will reauthenticate them with Microsoft 365. If users use third-party browsers that cache cookies, they may not need to reauthenticate when they reopen the browser. > [!NOTE]> This is valid only for networks using Microsoft 365 Sign-In for Viva Engage.

Token Lifetime Configuration Reference

Configurable token lifetimes - Microsoft identity platformMicrosoftLearn