First published on CloudBlogs on Sep 19, 2017
Howdy folks,

A common request we get from our customers is to reduce the number of times users are prompted to sign in to Azure AD. One way to reduce the frequency of prompts is to check the "Keep me signed in" checkbox on the sign-in flow, but our telemetry shows that usage of that checkbox is very low. But we know from talking to customers that cutting down on the number of sign-in prompts is REALLY important. Nobody wants to have to sign in to an app multiple times!

So today I'm happy to share that we're improving how the "Keep me signed in" option is shown to users. We're also adding intelligence to ensure users are prompted to remain signed in only when it's safe to do so.

First, as a quick refresher, here's what the existing "Keep me signed in" experience is like. As you might guess, most users cruise right past the check box and never think twice.

What's changing

We're replacing the "Keep me signed in" checkbox with a prompt that displays after the user successfully signs in. This prompt asks the user if they'd like to remain signed in. If a user responds "Yes" to this prompt, the service gives them a persistent refresh token. This is the same behavior that currently occurs when a user checks the "Keep me signed in" checkbox. For federated tenants, this prompt will show after the user successfully authenticates with the federated identity service.

And for those of you who are security minded, you'll be happy to know that we've built a lot of smarts into this flow: the "Stay signed in?" option won't display if our machine learning system detects a high-risk sign-in or a sign-in from a shared device.

Some things to know

  • During the public preview period of the new sign-in experience, the updated "Keep me signed in" prompt will only show when users opt into the new sign-in experience. Users using the old experience will continue to see the checkbox and will not get the prompt.
  • Admins can choose to hide this new prompt for users by using the "Show option to remain signed in" setting in company branding.

    (Note: Existing configurations of this setting will carry forward, so if you previously chose to hide the "Keep me signed in" checkbox in your tenant, we won't show the new prompt to users in your tenant.)

  • This change won't affect any token lifetime settings you have configured.

An additional note about security

Because "Keep me signed in" drops a persistent refresh token, some members of the IT community have asked if this might alter the security posture of their organization. We've done a significant amount of analysis on this topic and have concluded that increasing refresh token lifetime improves the user experience without reducing security posture. For more on that topic, please see our recent blog post on changes to default refresh token lifetimes.

Let us know what you think!

Look for this new "Keep me signed in" prompt to start rolling out on the new sign-in experience in early October. Let us know if you have any questions, and head on over to the Azure Active Directory community to share your feedback and suggestions with us – we look forward to hearing from you!

Best regards,
Alex Simons (Twitter: @Alex_A_Simons)
Director of Program Management
Microsoft Identity Division
6 Comments
Occasional Visitor

Windows 10: post these changes, when trying to access an SPO doclib via a Quick access shortcut link, or a previously mapped drive, my users are getting the error:

An error occurred while reconnecting ...

Web Client Network: Access Denied. Before opening files in this location, you must first add the web site to your trusted sites list, browse to the web site, and select the option to login automatically.

This no longer appears to be possible. :( 

Contributor

We do not get the 'Keep me signed in' prompt for domain-joined federated computers. Is there something we are missing? I have checked our company branding in Azure and can confirm 'show option to remain signed in' is enabled. Besides, this works for clients connecting from outside the company network.

Occasional Visitor

How to get the "Stay Signed In" box back after checking "Don't show this again"? For IE or Chrome.

Occasional Contributor

I clicked "Stay Signed In", and "Don't show this again", however, I still have to sign in throughout the day. We have also started seeing this error when attempting to access network drives, clicking 'Open with Explorer', in SharePoint, and publishing InfoPath forms (Yes, we are still using InfoPath, have no intentions of stopping).

"Web Client Network: Access Denied. Before opening files in this location, you must first add the web site to your trusted sites list, browse to the web site, and select the option to login automatically"

I ended up having to hide the Open with Explorer button from the users, just so they would stop b*tching me out because it no longer works :(

For my organization, everything has gone to crap since the roll out of the "new experience". I opened a premier support ticket, but they were unable to find a solution. 

Occasional Visitor

My question is that when the option is ticked to allow this function, there is no logon each time a user connects.

As such, it's hard to track when someone was logged on to a tenant.

This means if someone makes a change, it would be hard to say "yes, we can see you connect at x time and then did y."

As such, GA can go wild.

New Contributor

I want to disable this option only for the app interaction which I have created, rather than applying the change at the global level in Company Branding. How could I achieve this?

Scenario: We want to get the unread email count from Outlook in our web application. So I created an app under Azure and used the Graph API to get the count. Now whenever a user logs in, we don't want the stay signed in popup, only for this flow or application.