Forum Discussion
The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!
We don't use ADFS but we have AD Connect, is there any reason why we are not seeing the new KMSI experience? It is very hard to keep users informed IF we rely on the roll out dates suggested by Microsoft.
This new KMSI experience has been completely rolled out for a few weeks now. We added some logic to hide the prompt if we detect that the login session is risky, if it's a shared machine or if SSO is set up. Can you please try logging in on an in-private/incognito browser and see if the prompt shows?
- VasilMichev, Dec 18, 2017, MVP
Kelvin Xia what exactly does the "shared machine" logic cover? I stopped receiving the KMSI prompt on my personal PC, which is pretty much the most secure machine I use (even added as trusted IP), and since I'm not using any form of SSO for said account, that only leaves the "shared machine" scenario? On the same machine, another user from the same tenant is getting the KMSI prompt...
- Kelvin Xia, Dec 20, 2017, Former Employee
Hey Vasil, the shared machine logic essentially stops showing the KMSI prompt if a different account has been used on the same browser. That logic will reset (and KMSI will show again) if you clear browser cookies, or if you continue to only sign in with that one account for a few days.
For the other user that's getting the prompt, are you using the same browser?
- Teemu Strand, Jan 02, 2018, Iron Contributor
We are experiencing the same as VasilMichev, no KMSI prompt after successful sign-in in IE11 or Chrome. And every time the browser is started, a sign-in prompt (password) is shown. Also, a sign-in prompt is shown every time I open the locally installed Outlook client.
- Srikanth Komirishetty, Dec 18, 2017, Brass Contributor
Hi Kelvin,
We have SSO set up and based on your statement, Microsoft has added logic not to show the prompt.
Is there a way we can show this prompt with SSO enabled? To your previous question, we have not set up ADFS to pass PSSO Claim for SharePoint.
Appreciate your help.
- Kelvin Xia, Dec 18, 2017, Former Employee
May I know why you want to see the prompt even when SSO happens? By definition, when SSO'ed your user should just always automatically sign in without any interactive prompts. So, asking the user if they want to remain signed in doesn't really mean anything when SSO happens.
- Marc Debold, Feb 18, 2018, Copper Contributor
Kelvin Xia wrote:
May I know why you want to see the prompt even when SSO happens? By definition, when SSO'ed your user should just always automatically sign in without any interactive prompts. So, asking the user if they want to remain signed in doesn't really mean anything when SSO happens.

That's almost right, but: For SSO to work, you need to provide the username / email address / UPN (which may be saved, but has to be confirmed by clicking it) before SSO kicks in. This is the issue in our case.
Imagine the following (real-world) scenario: Customer is using a SharePoint Online document library to store attachments for his Navision users. So when clicking on a link in Navision to open such an attachment (mostly PDF documents), you would expect your PDF viewer to open. In the current situation, your browser opens asking for your login (which perhaps was saved before), you confirm it, SSO happens and the PDF opens. After doing whatever with the document, the user closes the PDF and the browser window. After that, he clicks the next link in Navision and the same happens ... browser, confirm username, SSO, PDF. Only by leaving open the browser (as a workaround), the annoying clicking and waiting can be bypassed.
This behavior most likely applies to any SharePoint related content storage ...
By using the persistent session token, a true SSO experience (as seen in the old version) could be set up again.