A common requirement from Power BI customers in highly-regulated industries is the need to log users out of Power BI if they have been inactive for a certain amount of time. If your Power BI reports contain extremely sensitive data you don’t want someone to open a report, leave their desk for lunch, forget to lock their PC and let everyone in the office see what’s on their screen, for obvious reasons. This has actually been possible for some time now with Power BI and is now supported for Fabic, so I thought I’d write a blog post to raise awareness.
The feature that makes this possible is Microsoft 365’s Idle Session Timeout, which you can read about here:
To turn it on, a Microsoft 365 admin has to go to the M365 admin centre and Org Settings/Security & Privacy and select Idle Session Timeout. There you can set the amount of time to wait before users are logged out:
Once that is set, anyone who has Power BI open in their browser but doesn’t interact with it will see the following message after the specified period of time:
Your session is about to expire
Your organization’s policy enforces automatic sign out after a period of inactivity on Microsoft 365 web applications.
Do you want to stay signed in?
There are a few things to point out about how this works (read this for the full details):
- You can’t turn it on for just Power BI, you have to turn it on for all supported Microsoft 365 web apps. This includes Outlook and the other Office web apps
- You can’t turn it on for specific users – it has to be for the whole organisation
- Users won’t get signed out if they get single sign-on into the web app from the device-joined account, or select “Stay signed in” when they log in (an option that can be hidden), or if they’re on a managed device and using a supported browser like Edge or Chrome
You’ll need to be on friendly terms with your M365 admin if you want to use this, clearly, but if you need this functionality it makes sense to enforce activity-based timeout rules for more apps than just Power BI.