Home

Fewer login prompts: The new “Keep me signed in” experience for Azure AD is in preview

First published on CloudBlogs on Sep, 19 2017
Howdy folks, A common request we get from our customers is to reduce the number of times users are prompted to sign into Azure AD. One way to reduce the frequency of prompts is to check the "Keep me signed in" checkbox on the sign-in flow, but our telemetry shows that usage of that checkbox is very low. But we know from talking to customers, that cutting down on the number of signin prompts is REALLY important. Nobody wants to have to signin to an app multiple times! So today I'm happy to share that we're improving how "Keep me signed in" option is shown to users. We're also adding intelligence to ensure users are prompted to remain signed in only when it's safe to do so. First, as a quick refresher, here's what the existing "Keep me signed in" experience is like. As you might guess, most users cruise right past the check box and never think twice.

What's changing

We're replacing the "Keep me signed in" checkbox with a prompt that displays after the user successfully signs in. This prompt asks the user if they'd like to remain signed in. If a user responds "Yes" to this prompt, the service gives them a persistent refresh token. This is the same behavior that currently occurs when a user checks the "Keep me signed in" checkbox. For federated tenants, this prompt will show after the user successfully authenticates with the federated identity service.

And for those of you who are security minded, you be happy to know that we've built a lot of smarts into this flow and the "Stay signed in?" option won't display if our machine learning system detects a high risk signin or a signin from a shared device.

Some things to know

  • During the public preview period of the new sign-in experience , the updated "Keep me signed in" prompt will only show when users opt into the new sign-in experience. Users using the old experience will continue to see the checkbox and will not get the prompt.
  • Admins can choose to hide this new prompt for users by using the "Show option to remain signed in" setting in company branding .

    (Note: Existing configurations of this setting will carry forward, so if you previously chose to hide the "Keep me signed in" checkbox in your tenant, we won't show the new prompt to users in your tenant.)

  • This change won't affect any token lifetime settings you have configured.

An additional note about security

Because "Keep me signed in" drops a persistent refresh token, some members of the IT community have asked if this might alter the security posture of their organization. We've done a significant amount of analysis on this topic and have concluded that increasing refresh token lifetime improves the user experience without reducing security posture. For more on that topic, please see our recent blog post on changes to default refresh token lifetimes .

Let us know what you think!

Look for this new "Keep me signed in" prompt to start rolling out on the new sign-in experience in early October. Let us know if you have any questions, and head on over to the Azure Active Directory community to share your feedback and suggestions with us – we look forward to hearing from you! Best regards, Alex Simons (Twitter: @Alex_A_Simons ) Director of Program Management Microsoft Identity Division
3 Comments
Occasional Visitor

Windows 10, post these changes when trying to access an SPO doclib via a Quick access short-cut link, or a previously mapped drive, my users are getting the error:

 

An error occurred while reconnecting ...

Web Client Network: Access Denied. Before opening files in this location, you must first add the web site to your trusted sites list, browse to the web site, and select the option to login automatically.

 

This no longer appears to be possible. :( 

Contributor

We do not get the 'Keep me signed in' prompt for domain joined federated computers. Is there something we are missing? I have checked our company branding in Azure and can confirm 'show option to remain signed in' is enabled. Besides this works for clients connecting from outside the company network.

Occasional Visitor

How to get the "Stay Signed In" box back after checking "Don't show this again"?  For IE or Chrome.