Microsoft Tech Community
Fewer login prompts: The new “Keep me signed in” experience for Azure AD is in preview
Published Sep 07 2018 08:56 AM
First published on CloudBlogs on Sep 19, 2017
Howdy folks,

A common request we get from our customers is to reduce the number of times users are prompted to sign in to Azure AD. One way to reduce the frequency of prompts is to check the "Keep me signed in" checkbox on the sign-in flow, but our telemetry shows that usage of that checkbox is very low. But we know from talking to customers that cutting down on the number of sign-in prompts is REALLY important. Nobody wants to have to sign in to an app multiple times!

So today I'm happy to share that we're improving how the "Keep me signed in" option is shown to users. We're also adding intelligence to ensure users are prompted to remain signed in only when it's safe to do so.

First, as a quick refresher, here's what the existing "Keep me signed in" experience is like. As you might guess, most users cruise right past the checkbox and never think twice.

What's changing

We're replacing the "Keep me signed in" checkbox with a prompt that displays after the user successfully signs in. This prompt asks the user if they'd like to remain signed in. If a user responds "Yes" to this prompt, the service gives them a persistent refresh token. This is the same behavior that currently occurs when a user checks the "Keep me signed in" checkbox. For federated tenants, this prompt will show after the user successfully authenticates with the federated identity service.

And for those of you who are security minded, you'll be happy to know that we've built a lot of smarts into this flow: the "Stay signed in?" option won't display if our machine learning system detects a high-risk sign-in or a sign-in from a shared device.

Some things to know

  • During the public preview period of the new sign-in experience, the updated "Keep me signed in" prompt will only show when users opt into the new sign-in experience. Users using the old experience will continue to see the checkbox and will not get the prompt.
  • Admins can choose to hide this new prompt for users by using the "Show option to remain signed in" setting in company branding.

    (Note: Existing configurations of this setting will carry forward, so if you previously chose to hide the "Keep me signed in" checkbox in your tenant, we won't show the new prompt to users in your tenant.)

  • This change won't affect any token lifetime settings you have configured.

An additional note about security

Because "Keep me signed in" drops a persistent refresh token, some members of the IT community have asked if this might alter the security posture of their organization. We've done a significant amount of analysis on this topic and have concluded that increasing refresh token lifetime improves the user experience without reducing security posture. For more on that topic, please see our recent blog post on changes to default refresh token lifetimes. Keep in mind that a persistent refresh token is still subject to the same controls as any other refresh token: an administrator can revoke it, it is revoked when the user's password is changed in Azure AD, and Conditional Access policies are evaluated each time it is redeemed for new access tokens.
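As an added example (this is not from the original post and not Microsoft's code), here is the kind of check a security team would want once users hold persistent refresh tokens: the token is redeemed silently, so the trail to watch is the non-interactive sign-ins that follow a user's one interactive sign-in. The script takes a constructed, simplified export of Azure AD sign-in records (field names follow the Microsoft Graph signIn resource; the users, addresses, apps and timestamps are invented) and flags every non-interactive sign-in whose source IP has not appeared in an interactive sign-in by the same user within a lookback window, which is what a refresh token replayed from a machine the user never logged in on looks like. It assumes the log export includes non-interactive (token refresh) entries carrying an isInteractive field; the 90-day lookback is a tuning parameter of this example, not something the post prescribes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

# Constructed sample export of Azure AD sign-in records for this example.
# Field names follow the Microsoft Graph signIn resource; every value is
# invented. Scenario: alice and bob each sign in interactively once and then
# refresh silently; alice's token is later redeemed from an address she never
# signed in from; carol's token is redeemed with no interactive sign-in at all.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2018-09-10T08:00:00Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.10", "isInteractive": True,
     "appDisplayName": "Office 365 SharePoint Online", "riskLevelDuringSignIn": "none"},
    {"createdDateTime": "2018-09-12T09:15:00Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.10", "isInteractive": False,
     "appDisplayName": "Office 365 SharePoint Online", "riskLevelDuringSignIn": "none"},
    {"createdDateTime": "2018-09-14T22:40:00Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "198.51.100.7", "isInteractive": False,
     "appDisplayName": "Office 365 Exchange Online", "riskLevelDuringSignIn": "none"},
    {"createdDateTime": "2018-09-11T07:30:00Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "192.0.2.5", "isInteractive": True,
     "appDisplayName": "Microsoft Teams", "riskLevelDuringSignIn": "low"},
    {"createdDateTime": "2018-09-13T07:31:00Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "192.0.2.5", "isInteractive": False,
     "appDisplayName": "Microsoft Teams", "riskLevelDuringSignIn": "none"},
    {"createdDateTime": "2018-09-13T07:35:00Z", "userPrincipalName": "carol@contoso.example",
     "ipAddress": "192.0.2.77", "isInteractive": False,
     "appDisplayName": "Microsoft Teams", "riskLevelDuringSignIn": "none"},
]


@dataclass(frozen=True)
class SignIn:
    when: datetime
    upn: str
    ip: str
    interactive: bool
    app: str
    risk: str


def parse_signins(records: Iterable[dict]) -> List[SignIn]:
    """Normalise raw records (lower-cased UPN, UTC timestamps) and sort them chronologically."""
    parsed = []
    for r in records:
        when = datetime.strptime(r["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        parsed.append(SignIn(
            when=when.replace(tzinfo=timezone.utc),
            upn=r["userPrincipalName"].lower(),
            ip=r["ipAddress"],
            interactive=bool(r["isInteractive"]),
            app=r["appDisplayName"],
            risk=r.get("riskLevelDuringSignIn", "none"),
        ))
    return sorted(parsed, key=lambda s: s.when)


def count_by_user(signins: Iterable[SignIn]) -> Dict[str, Dict[str, int]]:
    """Interactive vs. non-interactive (token refresh) sign-ins per user.
    With a persistent refresh token the first number stays small; the second is the audit trail."""
    counts: Dict[str, Dict[str, int]] = {}
    for s in signins:
        c = counts.setdefault(s.upn, {"interactive": 0, "nonInteractive": 0})
        c["interactive" if s.interactive else "nonInteractive"] += 1
    return counts


def find_unanchored_refreshes(signins: List[SignIn],
                              lookback: timedelta = timedelta(days=90)) -> List[SignIn]:
    """Return non-interactive sign-ins whose source IP has no interactive sign-in
    by the same user within `lookback` before them. `signins` must be in
    chronological order, which parse_signins guarantees."""
    last_interactive: Dict[str, Dict[str, datetime]] = {}  # upn -> ip -> last interactive sign-in
    flagged: List[SignIn] = []
    for s in signins:
        if s.interactive:
            last_interactive.setdefault(s.upn, {})[s.ip] = s.when
            continue
        anchor = last_interactive.get(s.upn, {}).get(s.ip)
        if anchor is None or s.when - anchor > lookback:
            flagged.append(s)
    return flagged


if __name__ == "__main__":
    signins = parse_signins(SAMPLE_SIGNINS)
    for upn, c in count_by_user(signins).items():
        print(f"{upn}: {c['interactive']} interactive, {c['nonInteractive']} token refreshes")
    for s in find_unanchored_refreshes(signins):
        print(f"REVIEW {s.upn}: refresh from {s.ip} at {s.when:%Y-%m-%d %H:%M} ({s.app})")
```

A hit is a lead, not a verdict: a user who signed in on the corporate network and then opens Outlook from home will trip this on the first refresh from the new address. Route the output into a workflow that checks device compliance and, where warranted, revokes the user's refresh tokens, rather than alerting on it blindly.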

Let us know what you think!

Look for this new "Keep me signed in" prompt to start rolling out on the new sign-in experience in early October. Let us know if you have any questions, and head on over to the Azure Active Directory community to share your feedback and suggestions with us – we look forward to hearing from you!

Best regards,
Alex Simons (Twitter: @Alex_A_Simons)
Director of Program Management
Microsoft Identity Division
19 Comments
Copper Contributor

On Windows 10, after these changes, when trying to access an SPO doclib via a Quick access shortcut link or a previously mapped drive, my users are getting the error:

An error occurred while reconnecting ...

Web Client Network: Access Denied. Before opening files in this location, you must first add the web site to your trusted sites list, browse to the web site, and select the option to login automatically.

This no longer appears to be possible. :(

Iron Contributor

We do not get the 'Keep me signed in' prompt for domain-joined federated computers. Is there something we are missing? I have checked our company branding in Azure and can confirm 'show option to remain signed in' is enabled. Besides, this works for clients connecting from outside the company network.

Deleted
Not applicable

How to get the "Stay Signed In" box back after checking "Don't show this again"?  For IE or Chrome.

Copper Contributor

I clicked "Stay Signed In" and "Don't show this again"; however, I still have to sign in throughout the day. We have also started seeing this error when attempting to access network drives, clicking 'Open with Explorer' in SharePoint, and publishing InfoPath forms (yes, we are still using InfoPath, and have no intention of stopping).

"Web Client Network: Access Denied. Before opening files in this location, you must first add the web site to your trusted sites list, browse to the web site, and select the option to login automatically"

I ended up having to hide the Open with Explorer button from the users, just so they would stop b*tching me out because it no longer works :(

 

For my organization, everything has gone to crap since the roll out of the "new experience". I opened a premier support ticket, but they were unable to find a solution. 

Copper Contributor

My question is that when the option is ticked to allow this function, there is no logon each time a user connects.

As such, it's hard to track when someone was logged on to a tenant.

This means if someone makes a change, it would be hard to say "yes, we can see you connected at x time and then did y".

As such, a GA can go wild.

Copper Contributor

I want to disable this option only for the app interaction which I have created, rather than applying the change at the global level in Company Branding. How could I achieve this?

Scenario: We want to get the unread email count from Outlook in our web application. So we created an app under Azure and used the Graph API to get the count. Now, whenever a user logs in, we don't want the stay signed in popup, for this flow or application only.

Copper Contributor

We find that this extra prompt, the "Stay signed in? Do this to reduce the number of times you are asked to sign in." pop-up doesn't make the slightest bit of difference to how many times we have to sign in, whether selecting Yes or No at that prompt.  Neither does the "Don't show this message again" option actually stop the pop-up continually reappearing.   So in reality all the feature does is add another step to the login process each time, in addition to entering username and password, we then have to respond to that additional pop-up.

 

Any way to actually switch it off?  If it doesn't work for us there's no point in adding that extra login step.

Copper Contributor

This doesn't necessarily work 100% of the time, but I've had success when clearing the browser's cookies.  Then, the first time logging in after that, at the prompt, select Yes to stay signed in but DON'T check the checkbox for Don't show this again.  If the user ever selects to Sign Out after that, you'll likely need to do that process again.

 

I personally use Chrome and never have to sign-in.  For users with IE, clearing just cookies doesn't always work and I've had to do a reset.

Copper Contributor

Alex, the "stay signed in?" option presents in situations where the SAML authentication request has ForceAuthn=true - e.g. in e-signature/approval scenarios where an app may be presenting the user a popup re-authentication window. I have seen "stay signed in?" present in these popups even when I have already elected "yes" previously - e.g. when initially signing in to the app. In my testing, the "stay signed in" option has no effect here and is not really relevant or desirable, i.e. it presents again if I do more than one such e-sign/approve operation back to back - even if I elected "yes" previously. I think it's appropriate for AAD to be re-prompting for username + password in these situations - and this confirms the "stay signed in" has no effect here. Can the dev team investigate suppressing it for situations like this?

Copper Contributor

Did anyone find a fix for this? As far as I can see the option does absolutely nothing to change the number of times users need to sign in; it's just yet another option they need to click on every time. And the "don't show this again" option doesn't stop it appearing next time either. Can't we just get rid of it?

Copper Contributor

I am playing the PCH games and every time I submit an entry it keeps asking me to sign in, and I don't see my name at the top when I have signed in. I also click the button on the page to keep me signed in. What is happening? Are my entries being processed or what???

Copper Contributor

Makes no difference whatsoever! Tick untick, I always get it!

Copper Contributor

Exactly.  The pop up serves no purpose whatsoever except to make you have to click on yet another thing before you can log in.  Naturally the "Don't show this again" option doesn't work either.   It's as if this function has been added purely as an irritant, to make logging into Microsoft as annoying as possible.

Bronze Contributor

@Alex Simons (AZURE) and others,

Does anybody know how to clear the following items for users:

a) If user has selected: "Do not show this again", how to uncheck this?

b) If user has selected: "Yes" for question "Stay Signed in", how to reset that back to default?

 

We are facing issues with e.g. Teams which says: "Can not get WebAccountId for active signed in user", but we have not found a way to get this cleared/reset. Most often this is happening when users change their passwords.

Copper Contributor

I don't think anyone has ever found that checking "Do not show this again" has any effect whatsoever.  The "Stay Signed In" pop up serves no function at all, whether you say "Yes" or "No" makes no difference to how often you need to login.  And checking "Do not show this again" does nothing to stop it appearing again in the future.  Pointless dialogue box with two options that serve no purpose whatsoever.

 

Based on that I suggest your Teams issue is unrelated.

Bronze Contributor

@aesmith 

Thank you for reply.

 

I believe these selections could have some impact, especially when at the moment the user is unable to sign in; Teams seems to skip the login phase in case the user has selected these. That is why I'm trying to find some way to reset the selections.

Of course it gets me worried when @Alex Simons (AZURE) has published this, but when there have been great questions from readers to get a better understanding, there have been no more updates to this topic.

Microsoft

Hey @Petri X and @aesmith - I work on our authentication experiences and am happy to help here. Thank you for bringing this valuable feedback thread back to our attention. We are going to look into this. Can you please DM me on twitter with your emails so we can follow up? https://twitter.com/ajamess

Thanks so much!

Adam.

Bronze Contributor

Thanks @Adam Steenwyk, but I believe you have closed messages on Twitter, so I used DM on TechCommunity instead :)

Brass Contributor

"Admins can choose to hide this new prompt for users by using the "Show option to remain signed in" setting in company branding."

It has moved, just in case anyone goes looking.

Version history
Last update: Jul 27 2020 06:39 PM