Enforcing a maximum session duration in Atlassian Guard Standard ensures that managed accounts are automatically signed out after a fixed period, regardless of user activity. In our detailed walkthrough, we show you exactly how to configure session expiration in your Atlassian Cloud authentication policies to meet compliance requirements like SOC 2 and support zero trust security models.
This feature provides your security team with a hard guarantee on session lifetime, eliminating the risk of sessions persisting longer than your organization allows.
In our video, we walk through the entire configuration process step by step; the sections below summarize what it covers.
Why Session Security in Atlassian Cloud Matters
Session security in Atlassian Cloud is often overlooked, but it is critical for organizations operating in regulated industries or adopting zero trust security frameworks. By default, Atlassian sessions can remain active for an extended period as long as the user keeps interacting with the product. For many organizations, especially those subject to compliance frameworks like SOC 2 or ISO, this default behavior is simply not acceptable. An active session that never expires creates a window of opportunity for unauthorized access, whether through shared devices, stolen credentials, or session hijacking.
The core problem is straightforward: without a fixed session expiration, sessions can stay active indefinitely as long as users interact with products like Jira or Confluence. This means unauthorized access can persist far longer than intended, and your security team has no hard guarantee on when a session will actually end. In environments where compliance and risk management are paramount, this represents a significant gap in your security posture.
What Is Session Expiration?
Session expiration is a security control that automatically signs users out after a fixed period of time, regardless of whether they are still actively using the product. This is a simple but powerful mechanism for enforcing strict session lifetimes across your organization. You can configure session expiration to log users out after a set duration such as 8 hours, 12 hours, or 24 hours – no exceptions.
Idle Timeout vs Session Expiration
It is important to understand the key difference between idle session duration and session expiration, as they serve different purposes. The idle session duration setting will end a session only if the user has been inactive for a specified period. If the user becomes active again before the idle timeout triggers, the session is extended. This means that a continuously active user could theoretically maintain their session indefinitely.
Session expiration, on the other hand, enforces a maximum session lifetime that cannot be extended by activity. Once the configured duration has elapsed – say 12 hours from the moment the user signed in – they are automatically signed out. The next time they try to use Jira, Confluence, or any other Atlassian product, they will be prompted to sign in again. This is the setting you want when you need absolute control over how long any single session can last.
How to Configure Maximum Session Duration
Setting up session expiration requires Atlassian Guard Standard at a minimum. Here is the step-by-step process we demonstrated in our video:
- Navigate to admin.atlassian.com
- Go to Security, then select User Security and Authentication Policies
- Open the authentication policy that applies to your managed accounts (for example, your SAML single sign-on authentication policy)
- Scroll down to the Session Controls section
- Locate the Session Expiration setting
- Change the default from “Never expires after” to your desired duration
- Select your preferred time unit – days, hours, or minutes
- Click Update and confirm the change
In our example, we configured the session expiration to 12 hours. Once saved, every managed account covered by that authentication policy will be automatically signed out after 12 hours, no matter what they are doing at the time.
Understanding Policy Behavior
The session expiration setting applies per authentication policy. This is an important detail to understand when managing multiple policies within your Atlassian organization. If a user falls under multiple authentication policies, Atlassian will apply the most restrictive policy. This means that if one policy sets session expiration to 24 hours and another sets it to 8 hours, the 8-hour limit will take effect for users covered by both.
This behavior ensures that your security posture defaults to the strictest configuration, which aligns well with zero trust principles where you always assume the least permissive stance.
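As an added illustration (not from the original walkthrough and not Atlassian's own code), the following Python models the two session controls and the most-restrictive-policy rule described above: a continuously active user is never signed out by an idle timeout alone, while a session expiration ends the session at a fixed time after sign-in. Policy names, durations and the sign-in timestamp are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class AuthPolicy:
    """Session controls of one authentication policy (constructed values)."""
    name: str
    idle_timeout: Optional[timedelta]        # None = no idle timeout configured
    session_expiration: Optional[timedelta]  # None = "Never expires"


def effective_policy(policies: list[AuthPolicy]) -> AuthPolicy:
    """Combine the policies covering one user: the shortest configured value
    wins for each control, i.e. the most restrictive policy takes effect."""
    def shortest(values):
        configured = [v for v in values if v is not None]
        return min(configured) if configured else None
    return AuthPolicy(
        name="+".join(p.name for p in policies),
        idle_timeout=shortest(p.idle_timeout for p in policies),
        session_expiration=shortest(p.session_expiration for p in policies),
    )


def session_state(policy: AuthPolicy, signed_in_at: datetime,
                  last_activity_at: datetime, now: datetime) -> str:
    """'expired' = hard lifetime reached (activity cannot extend it),
    'idle' = inactivity limit reached, otherwise 'active'."""
    if policy.session_expiration is not None and now - signed_in_at >= policy.session_expiration:
        return "expired"
    if policy.idle_timeout is not None and now - last_activity_at >= policy.idle_timeout:
        return "idle"
    return "active"


def simulate_busy_user(policy: AuthPolicy, hours: int,
                       activity_every: timedelta = timedelta(minutes=5)) -> str:
    """Simulate a user who touches Jira every few minutes for `hours` hours
    and return the final session state. With only an idle timeout the
    session never ends; with a session expiration it ends on schedule."""
    signed_in = datetime(2024, 1, 1, 9, 0)  # constructed sign-in time
    now, last_activity = signed_in, signed_in
    while now < signed_in + timedelta(hours=hours):
        state = session_state(policy, signed_in, last_activity, now)
        if state != "active":
            return state
        last_activity = now
        now += activity_every
    return session_state(policy, signed_in, last_activity, now)
```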
Why This Is Critical for Compliance and Zero Trust
Enforcing a maximum session lifetime is one of those high-impact, low-effort security changes that delivers significant value. Here is why it matters for your organization:
- Compliance frameworks like SOC 2 and ISO often require demonstrable controls around session management. A fixed session expiration gives you auditable proof that sessions cannot persist beyond your defined threshold.
- Zero trust security models operate on the principle of never trusting and always verifying. Forcing re-authentication at regular intervals ensures that user identity is continuously validated.
- It reduces the risk of unauthorized session reuse. Even if a session token is compromised, its useful lifetime is limited to the configured expiration window.
- It is simple to implement – the entire configuration takes just a few clicks in the Atlassian admin panel, yet it delivers a measurable improvement to your security posture.
Practical Recommendations
When choosing your session expiration duration, consider the balance between security and user experience. A 12-hour expiration aligns well with a standard workday, ensuring users re-authenticate at least once daily. For higher-security environments, an 8-hour window may be more appropriate. Organizations with less stringent requirements might opt for a 24-hour expiration as a reasonable starting point.
Keep in mind that this setting applies to web sessions. There is also a separate option for mobile app session expiration within the same Session Controls section, which you can configure independently based on your organization’s mobile security requirements.
If you manage Atlassian in a professional environment, enforcing maximum session duration is a must-have security setting. It takes minutes to configure and provides your security team with the hard guarantees they need to satisfy both internal policies and external compliance audits.