EricStarker
Gold Contributor
Nov 15, 2017

The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

We're excited to announce that the general availability rollout of the new Azure AD sign-in and “Keep me signed in” experiences has started! These experiences should reach all users globally by the end of the week. Users who go to our sign-in page will start to see the new experiences by default, but a link allowing users to go back to the old experiences will be available until early December to give you some extra time to make the transition.


We'd like to take this opportunity to acknowledge the delays we have had with these features and thank you all for your patience. When we released these experiences in preview, we received a lot of great feedback from you and it was pretty clear we needed to take a little extra time to ensure the new experiences worked well with all the scenarios Azure AD sign-in is used for.

Read about it in the Enterprise Mobility & Security blog.

121 Replies

  • Hi,

    while I do see some benefit on the KMSI feature for regular users, I would prefer to have privileged admin accounts be prompted for MFA login in their browser profiles every time.

    How can I achieve this without turning the feature off for everyone?

    Regards,

    Karsten

      Kelvin Xia
      Iron Contributor
      The KMSI setting in Company Branding doesn't allow that. You might want to look up Conditional Access which might get you what you want.
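For the question Karsten raised above (re-prompt privileged accounts without turning KMSI off for the whole tenant), here is an added example of the Conditional Access approach Kelvin points to. It is not code from the thread or from Microsoft; it uses the current Microsoft Graph conditionalAccess endpoint through the Microsoft.Graph PowerShell SDK (an API that postdates this 2017 thread). The role template ID, the break-glass account object ID, the policy name and the one-hour sign-in frequency are placeholders or illustrative values you would replace; the policy is created in report-only state so its effect can be reviewed in sign-in logs before it is enforced.

```powershell
# Added example, not from the thread or from Microsoft.
# Assumes: Microsoft.Graph PowerShell SDK installed, and the signed-in admin
# holds the Policy.ReadWrite.ConditionalAccess permission.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "Privileged roles: MFA and no persistent browser session"   # illustrative name
    # Report-only first; switch to "enabled" once the sign-in log review looks right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            # Directory role template IDs to scope the policy to; placeholder value.
            includeRoles = @("<ROLE-TEMPLATE-ID-PLACEHOLDER>")
            # Keep an emergency-access account out of the policy; placeholder value.
            excludeUsers = @("<BREAK-GLASS-ACCOUNT-OBJECT-ID-PLACEHOLDER>")
        }
        applications   = @{ includeApplications = @("All") }
        # The "Stay signed in" prompt only matters for browser sign-ins.
        clientAppTypes = @("browser")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
    sessionControls = @{
        # Never persist the browser session for these accounts, so KMSI stays
        # available to everyone else while admins are re-prompted.
        persistentBrowser = @{ isEnabled = $true; mode = "never" }
        # Illustrative re-authentication interval; tune to your own risk appetite.
        signInFrequency   = @{ isEnabled = $true; type = "hours"; value = 1 }
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($policy | ConvertTo-Json -Depth 10) `
    -ContentType "application/json"

# Read the policy back to confirm it was stored with the intended state.
$check = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$($created.id)"
"{0} created with id {1}, state {2}" -f $check.displayName, $check.id, $check.state
```

Because Conditional Access is evaluated per sign-in, this scopes the stricter behaviour to the roles you list, whereas the Company Branding toggle mentioned elsewhere in this thread removes the prompt for every user in the tenant.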
    Michael Kostuch
    Copper Contributor

    We are using Power BI with a web app, and this web app has embedded reports in Salesforce. As soon as this was implemented, we started getting these dialog boxes, so the reports would not come through. How can we turn these off so they have a smoother experience? Currently Salesforce won't allow that dialog at all, so they get blank pages as a result of this. If they go through the web app directly in a URL, and answer the dialog, the dashboard reports render fine. But this dialog caused our field to lose a week's worth of work so far. I finally found this, so I am hoping someone can tell me how to turn it off... for good? We have a critical case open with MSFT right now as a result.

    Matt Torley
    Copper Contributor

    Okay, but what if that is entirely undesirable behavior in half of your use cases? When my users are on their personal computers, this is a good thing. When they are using one of our many shared workstations, the last thing I want is for them to be encouraged to "Stay signed in".

    How do I prevent it from being offered on office computers without preventing it on their personal devices? Most, though not all, of our offices are AD joined, so if there's a GPO I can push out please indicate that in some way.

    If the classic login screen can be permanently forced per-domain (per tenant may not work for our parent company), that would also be acceptable.

    Because as it stands, this is a horrible idea. I'm going to have realtors reading each other's emails after we told them we were setting them up with MFA to keep anyone else from getting into their email.

      Kelvin Xia
      Iron Contributor
      Hi Matt, we have a best-effort algorithm that prevents the new "Stay signed in" dialog from showing if we detect that the login is happening on a shared machine.

      It essentially looks to see if a different account than what is currently being used to login was used on the machine in the last 3 days. If so, we won't show the dialog. We also use our adaptive protection logic to hide the dialog if we detect that the login is risky. Note that this logic is subject to change as we iterate on the logic to increase confidence that we only show this dialog on personal devices.
        Matt Torley
        Copper Contributor

        That makes me feel better.
        May I suggest stating that in more places?  Like the announcements, relevant blog posts, or other places that admins will see before they start to flip out?

  • Hi, we are using a federated domain with local ADFS. Before this change, single sign-on worked without any questions when we are logged into the local domain.

    Now, after this new "experience", our users must click on a choice on the keep me logged in or not page. This is an annoyance for our users. We use Azure AD for authentication to our intranet in the cloud.

    Is there a setting on an application or Azure AD directory, or a URL parameter or similar that can be used to disable this?

      Kristian Fuglevik
      Copper Contributor

      Microsoft support answered it for me. Turn it off in Company branding:
      https://cloudblogs.microsoft.com/enterprisemobility/2017/09/19/fewer-login-prompts-the-new-keep-me-signed-in-experience-for-azure-ad-is-in-preview/

  • EricStarker Do you have any information on the ADFS web theme to allow on-premises ADFS look and feel to match the new sign in experience?  We saw some information during the original preview announcement that this would be coming but are unable to find any info.  We have our TAM also checking for information but thought I'd check here as well.

        Andy Higgins
        Copper Contributor

        We use SAML SSO with several vendors using ADFS as our IdP. Our ADFS server is under a different domain, so we have a Claims Provider Trust set up with our AAD. We have an issue with the new sign-in experience. When a user initially signs in they get presented with the "Stay signed in?" prompt. If they say Yes, a persistent cookie is set and things work like they should. However, if they were to go back to the IdP-initiated sign-on page and log out for whatever reason, when they go to sign in again they won't get the "Stay signed in?" prompt, so it just sets a session cookie that is terminated if they close their browser. If they choose to go back to the old sign-in experience, the "Keep me signed in" checkbox will be there so they once again can set a persistent cookie. Is this a known issue? Is there a fix for this?
