Home

The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

%3CLINGO-SUB%20id%3D%22lingo-sub-128267%22%20slang%3D%22en-US%22%3EThe%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128267%22%20slang%3D%22en-US%22%3E%3CP%3EWe're%20excited%20to%20announce%20that%20the%20general%20availability%20rollout%20of%20the%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fcloudblogs.microsoft.com%2Fenterprisemobility%2F2017%2F08%2F02%2Fthe-new-azure-ad-signin-experience-is-now-in-public-preview%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Enew%20Azure%20AD%20sign-in%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eand%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fcloudblogs.microsoft.com%2Fenterprisemobility%2F2017%2F09%2F19%2Ffewer-login-prompts-the-new-keep-me-signed-in-experience-for-azure-ad-is-in-preview%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%3C%2FA%3E%26nbsp%3Bexperiences%20has%20started!%20These%20experiences%20should%20reach%20all%20users%20globally%20by%20the%20end%20of%20the%20week.%20Users%20who%20go%20to%20our%20sign-in%20page%20will%20start%20to%20see%20the%20new%20experiences%20by%20default%2C%20but%20a%20link%20allowing%20users%20to%20go%20back%20to%20the%20old%20experiences%20will%20be%20available%20until%20early%20December%20to%20give%20you%20some%20extra%20time%20to%20make%20the%20transition.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22%22%3EWe'd%20like%20to%20take%20this%20opportunity%20to%20acknowledge%20the%20delays%20we%20have%20had%20with%20these%20features%20and%20thank%20you%20all%20for%20your%20patience.%20When%20we%20released%20these%20experiences%20in%20preview%2C%20we%20received%20a%20lot%20of%20great%20feedback%20from%20you%20and%20it%20was%20pretty%20clear%20we%20needed%20to%20take%20a%20little%20extra%20time%20to%20ensure%20the%20new%20experiences%20worked%20well%20with%20all%20the%20scenarios%20Azure%20AD%20sign-in%20is%20used%20for.%3C%2FP%3E%0A%3CP%20class%3D%22%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F24211i77B31C28F5B44656%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Slide1.PNG%22%20title%3D%22Slide1.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20class%3D%22%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22%22%3ERead%20about%20it%20in%20the%20%3CA%20href%3D%22https%3A%2F%2Fcloudblogs.microsoft.com%2Fenterprisemobility%2F2017%2F11%2F15%2Fthe-new-azure-ad-sign-in-and-keep-me-signed-in-experiences-rolling-out-now%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EEnterprise%20Mobility%20%26amp%3B%20Security%20blog%3C%2FA%3E.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-128267%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-391865%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-391865%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F311683%22%20target%3D%22_blank%22%3E%40HarishMenda%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETo%20make%20the%20psso%20claim%20work%20with%20my%20non-ADFS%20IdP%2C%20I%20had%20to%20add%20a%20claim%26nbsp%3Bnamed%20psso%20with%20name%20format%20%3CA%20href%3D%22http%3A%2F%2Fschemas.microsoft.com%2F2014%2F03%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fschemas.microsoft.com%2F2014%2F03%3C%2FA%3E%2C%20and%20set%20it%20to%20a%20value%20of%20%22yes%22.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-391738%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-391738%22%20slang%3D%22en-US%22%3EWhat%20is%20the%20parameter%20you%20added%2C%20to%20make%20this%20change%20at%20tenant%20app%20level%20rather%20than%20global%20company%20branding%20level.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-391728%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-391728%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F96132%22%20target%3D%22_blank%22%3E%40Michael%20Kostuch%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDid%20you%20get%20permanent%20solution%20for%20this%3F%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3EAnd%20could%20you%20please%20let%20us%20know%20the%20steps%20to%20get%20this%20change%20done%20at%20tenant%20app%20level%20from%20Microsoft.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-391723%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-391723%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F96132%22%20target%3D%22_blank%22%3E%40Michael%20Kostuch%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3EDid%20you%20get%20any%20permanent%20solution%20for%20this%3F%20Meanwhile%20could%20you%20please%20explain%20the%20process%20of%20make%20this%20turn%20off%20at%20tenant%20app%20level.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-253211%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-253211%22%20slang%3D%22en-US%22%3E%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F78060%22%20target%3D%22_blank%22%3E%40Daniel%20Park%3C%2FA%3E%26nbsp%3Bwrote%3A%3CBR%20%2F%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F116476%22%20target%3D%22_blank%22%3E%40Marc%20Debold%3C%2FA%3E%26nbsp%3Bdoes%20this%20new%20claim%20rule%20replace%20both%20the%20insidecorporatenetwork%20claim%20and%20the%20psso%20claim%20or%20is%20it%20in%20addition%20to%20them%3F%3C%2FP%3E%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%3CP%3EI%20can't%20really%20remember%20(should%20have%20blogged%20it%2C%20darn!)%2C%20but%20I%20suppose%2C%20it%20was%20a%20replacement%2C%20as%20it%20issues%20the%20PSSO%20when%20inside%20network%20condition%20is%20met.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-234478%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-234478%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F116476%22%20target%3D%22_blank%22%3E%40Marc%20Debold%3C%2FA%3E%26nbsp%3Bdoes%20this%20new%20claim%20rule%20replace%20both%20the%20insidecorporatenetwork%20claim%20and%20the%20psso%20claim%20or%20is%20it%20in%20addition%20to%20them%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-181874%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-181874%22%20slang%3D%22en-US%22%3E%3CP%3ESorry%20I'm%20a%20little%20late%20to%20the%20party%2C%20but%20I%20just%20didn't%20have%20time%20back%20when%20the%20thread%20started%20and%20I%20kind%20of%20forgot%20about%20it.%20But%20now%20that%20I've%20read%20through%20all%20the%203%20pages%20I'm%20chiming%20in%20with%20my%20issues%3A%3CBR%20%2F%3EOur%20SSO%20with%20Chrome%20and%20IE%20worked%20fine%20somewhere%20last%20year.%20Probably%20due%20to%20these%20changes%20it%20stopped%20working%20flawlessly%2C%20but%20not%20completely.%3CBR%20%2F%3EMy%20setup%20consisted%20of%20configured%20Trusted%20Zones%2C%20ADFS%20on%202012R2%20(I%20remember%20doing%20something%20to%20get%20this%20working%20for%20Chrome%20on%20ADFS%202%20years%20ago)%2C%20MFA%20exemption%20for%20onPrem%20IP%20Range%2C%20AAD-Connect%20and%20some%20URL%20tricks%2C%20like%20using%20the%20WHR%20parameter%20(%3CA%20href%3D%22https%3A%2F%2Flogin.microsoftonline.com%2F%3Fwhr%3Dmycustomdomain.com%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Flogin.microsoftonline.com%2F%3Fwhr%3Dmycustomdomain.com%3C%2FA%3E)%3CBR%20%2F%3E%3CBR%20%2F%3EThen%20it%20stopped%20working%20flawlessly%2C%20and%20degraded%20to%20having%20to%20click%20the%20pre-populated%20UPN%20and%20getting%20automatically%20signed%20in%20again%20after%20every%20browser%20closure.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20believe%20to%20have%20improved%20the%20experience%2C%20by%20dropping%20the%20WHR%20parameter%2C%20after%20which%20the%20users%20only%20had%20to%20click%20the%20pre-populated%20UPN%20about%20once%20a%20day.%3CBR%20%2F%3EThis%20is%20also%20my%20current%20status%2C%20as%20far%20as%20I%20remember.%20I've%20noticed%20that%20when%20I%20leave%20my%20computer%20running%20over%20night%20(no%20standby)%20and%20return%20in%20the%20morning%2C%20I'm%20signed%20out%20of%20office.com%20or%20other%20pages.%20There%20is%20a%20sign%20in%20button%20on%20that%20office.com%20sign%20out%20portal%20and%20when%20I%20click%20it%2C%20I'm%20automatically%20signed%20in%20again%20after%20a%20few%20redirects%20without%20further%20input.%20A%20negative%20side%20effect%20of%20all%20this%20is%2C%20that%20on%20the%20first%20browser%20open%20any%20additional%20Sharepoint%20sites%20are%20not%20opened%20automatically%2C%20since%20the%20first%20site%20hasn't%20fully%20authenticated%20yet.%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3ESSO%20seems%20wo%20work%20with%20no%20issues%20on%20my%20home%20computer%20(Mac%2FSafari)%20where%20I%20get%20all%20the%20KMSI%20and%20MFA%20prompts%20and%20I%20stay%20signed%20for%20multiple%20weeks.%3CBR%20%2F%3E%3CBR%20%2F%3EBy%20reading%20through%20everything%20here%20I'll%20start%20digging%20in%20into%20the%20ADFS%20configuration%20(and%20this%20article%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fidentity%2Fad-fs%2Foperations%2Fad-fs-single-sign-on-settings%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fidentity%2Fad-fs%2Foperations%2Fad-fs-single-sign-on-settings%3C%2FA%3E)%2C%20but%20I'll%20appreciate%20any%20shortcuts%20you%20guys%20have%20to%20offer%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-181795%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-181795%22%20slang%3D%22en-US%22%3EFrom%20your%20description%2C%20it%20doesn't%20sound%20like%20PSSO%20is%20set%20up%20correctly%2C%20or%20it%20could%20be%20due%20to%20an%20interaction%20with%20some%20external%20site%20settings%20(as%20you%20pointed%20out).%3CBR%20%2F%3E%3CBR%20%2F%3EI'm%20not%20familiar%20with%20how%20SharePoint%20handles%20internal%20vs%20external%20sites.%20I%20would%20recommend%20that%20you%20contact%20Office%20365%20or%20SharePoint%20support%20to%20help%20you%20with%20that.%20They%20would%20be%20the%20best%20resource%20to%20help%20you%20here.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-179783%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-179783%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Kelvin%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFollowing%20on%20from%20my%20former%20posts%20it%20seems%20now%20that%20the%20biggest%20issue%20now%26nbsp%3Bis%20the%20number%20of%20times%20internal%20users%20are%20prompted%20for%20authentication%20whilst%20accessing%20%26nbsp%3Ba%20site%20within%20our%20tenant%20that%20is%20shared%20externally.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOn%20sites%20that%20are%20not%20shared%26nbsp%3Bexternally%26nbsp%3Bthe%20experience%20is%20that%20you%20can%20access%20a%20site%20authenticate%20and%20then%20close%20and%20reopen%20the%20browser%20several%20times%20without%20being%20authenticated%20again.%20(no%20KMSI%20option%20it%20just%20works)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBut%20for%20sites%20that%20are%20shared%20externally%20every%20time%20the%20browser%20is%20closed%20the%20user%20needs%20to%20choose%20the%20%22account%20pick%22%20screen%20when%20re-accessing%20the%20site.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESo%20two%20questions%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E1.%20Are%20the%20settings%20handled%20differently%20for%20externally%20shared%20sites%20rather%20than%20sites%20with%20only%20internal%20user%20access%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E2.%20Is%20there%20another%20option%20other%20than%20enabling%20PSSO%20(if%20this%20even%20works)%20as%20we%20have%20security%20concerns%20about%20issuing%20a%20PSSO%20token..%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAndy%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-179076%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-179076%22%20slang%3D%22en-US%22%3ETo%20be%20accurate%3A%20Sending%20the%20PSSO%20claim%20will%20suppress%20the%20KMSI%20prompt%20(since%20it's%20not%20needed%20as%20PSSO%20essentially%20says%20%22Yes%22%20to%20that%20question)%2C%20and%20drops%20a%20persistent%20Azure%20AD%20token%20in%20your%20browser.%20SPO%20will%20use%20that%20persistent%20token.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-178865%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-178865%22%20slang%3D%22en-US%22%3ETo%20make%20sure%20I%20understand%2C%20sending%20the%20PSSO%20claim%20should%20suppress%20the%20%22Keep%20Me%20Logged%20In%22%20question%20from%20SharePoint%20Online%20and%20drop%20the%20persistent%20SPO%20cookies%20in%20my%20browser%20automatically%2C%20correct%3F%20MS%20Support%20seems%20stymied%20for%20the%20moment%20on%20this%20one.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-178604%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-178604%22%20slang%3D%22en-US%22%3EAzure%20AD%20does%20respect%20the%20PSSO%20claim%20even%20when%20it%20comes%20from%20a%20source%20besides%20ADFS.%20So%2C%20it%20should%20work%20in%20your%20case.%20I%20would%20recommend%20that%20you%20contact%20Microsoft%20support%20to%20take%20a%20look%20at%20what's%20going%20on.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-177403%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-177403%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20having%20a%20slightly%20different%20issue.%26nbsp%3B%20We%20don't%20use%20ADFS%20for%20our%20IdP%2C%20(we%20use%20PingFederate%20instead)%2C%20and%20I've%20configured%20it%20to%20pass%20%22true%22%20for%20both%20the%20psso%20and%20insidecorporatenetwork%20claims%20when%20a%20user%20authenticates%20through%20our%20SSO.%26nbsp%3B%20While%20I%20can%20see%20the%20SamlAttributes%20appear%20in%20the%20conversation%20with%20Azure%2C%20it%20doesn't%20seem%20to%20affect%20anything%3A%20I%20still%20get%20prompted%20for%20%22keep%20me%20signed%20in%22%20if%20I%20clear%20my%20cookies%20first%2C%20and%20no%20persistent%20cookies%20are%20ever%20dropped%20on%20my%20computer.%26nbsp%3B%20Does%20Microsoft%20have%20any%20guidance%20for%20those%20of%20us%20not%20using%20ADFS%20but%20still%20wanting%20those%20persistent%20cookies%20placed%3F%26nbsp%3B%20We%20also%20have%20users%20that%20claim%20the%20KMSI%26nbsp%3Bprompt%20never%20appears%2C%20so%20having%20the%20SSO%20system%20do%20it%20for%20them%20is%20ideal.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-167294%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-167294%22%20slang%3D%22en-US%22%3E%3CP%3ESetting%20up%20this%20option%20seems%20to%20have%20resolved%20our%20issues.%20To%20be%20confirmed%20over%20the%20next%20week%2C%20but%20initial%20testing%20on%20premise%2C%20with%20Seamless%20SSO%20enabled%2C%20on%20W10%20in%20Chrome%2C%20Firefox%2C%20IE%20and%20Edge%20looks%20positive.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20anyone%20needs%20the%20instructions%20to%20enable%26nbsp%3B%22Allow%20users%20to%20remember%20multi-factor%20authentication%20on%20devices%20they%20trust%22%20they%20are%20here%3A%20%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20tabindex%3D%22-1%22%20title%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fmulti-factor-authentication%2Fmulti-factor-authentication-whats-next%23remember-multi-factor-authentication-for-trusted-devices%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fmulti-factor-authentication%2Fmulti-factor-authentication-whats-next%23remember-multi-factor-authentication-for-trusted-devices%22%20target%3D%22_blank%22%20rel%3D%22noreferrer%20noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fmulti-factor-authentication%2Fmulti-factor-authentication-whats-next%23remember-multi-factor-authentication-for-trusted-devices%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-167106%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-167106%22%20slang%3D%22en-US%22%3EHi%20Marc%2C%20We're%20trying%20it%20out.%20Many%20thanks!%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-166997%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-166997%22%20slang%3D%22en-US%22%3EHi%20Marco%2C%3CBR%20%2F%3E%3CBR%20%2F%3Esorry%20for%20the%20delay.%20I%20had%20to%20sync%20with%20the%20Seamless%20SSO%20team%20to%20understand%20what's%20going%20on.%3CBR%20%2F%3E%3CBR%20%2F%3EThe%20correct%20way%20to%20ensure%20the%20user%20isn't%20always%20prompted%20with%20MFA%20when%20Seamless%20SSO%20is%20set%20up%20is%20for%20the%20user%20to%20check%20the%20%22Don't%20ask%20me%20again%20for%20%3CX%3E%20days%22%20checkbox%20on%20the%20MFA%20screen.%20This%20suppresses%20MFA%20for%20the%20duration%20called%20out.%20Note%20that%20%3CX%3E%20can%20be%20configured%20on%20MFA.%3CBR%20%2F%3E%3C%2FX%3E%3CLINGO-SUB%20id%3D%22lingo-sub-166740%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-166740%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Kelvin%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20didn't%20%22train%22%20the%20users%20directly%2C%20they%20just%20found%20that%20by%20clicking%20the%20KMSI%20check%20box%20they%20needed%20to%20log%20in%20less%20so%20they%20just%20did%20it.%20Even%20with%20the%20new%20experience%20whilst%20the%20option%20was%20available%20to%20revert%20to%20the%20old%20experience%20they%20did%20that.%20Now%20that%20option%20has%20disappeared%20they%20cannot%20do%20it%20(without%20visiting%20the%20old%20portal%20directly).%20The%20users%20are%20indicating%20that%20the%20Office%202010%26nbsp%3BHRD%20popup%26nbsp%3Bonly%20started%20occurring%20recently%20but%20they%20cannot%20be%20100%25%20sure%2C%26nbsp%3Bas%20it%20may%20have%20been%20occurring%20since%20the%20new%26nbsp%3Bsignin%20experience%20rollout%26nbsp%3Bbut%20probably%20they%20have%20noticed%20more%20as%20they%20can%20no%20longer%20can%20set%20the%20KMSI%20option%20to%20supress%20it.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-166166%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-166166%22%20slang%3D%22en-US%22%3E%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F75442%22%20target%3D%22_blank%22%3E%40Jeroen%20Lammens%3C%2FA%3E%20wrote%3A%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F116476%22%20target%3D%22_blank%22%3E%40Marc%20Debold%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EWe%20are%20facing%20the%20same%20problem.%20External%20users%20get%20the%20KMSI%20dialog%2C%20internal%20users%20do%20not%20(both%20after%20authentication%20against%20ADFS).%20As%20a%20result%20SharePoint%20Online%20WebDAV%20is%20not%20working%20anymore.%20Have%20you%20found%20a%20solution%20to%20this%3F%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%0A%3CP%3ERight%2C%20and%20I%20found%20a%20solution%20(together%20with%20MS%20support).%20Use%20the%20claim%20rule%20provided%20in%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FAzure-Active-Directory%2FThe-new-Azure-AD-sign-in-and-Keep-me-signed-in-experiences%2Fm-p%2F165285%2Fhighlight%2Ftrue%23M1386%22%20target%3D%22_blank%22%3Ethis%20answer%3C%2FA%3E%2C%20that%20worked%20for%20me%20very%20well.%20Still%20I%20cannot%20say%2C%20if%20that%20helps%20with%20your%20WebDAV%20problem.%20But%20would%20be%20worth%20a%20try%2C%20as%20it%20doesn't%20break%20anything.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-165891%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-165891%22%20slang%3D%22en-US%22%3EOne%20more%20question%20-%20With%20the%20old%20login%20page%2C%20if%20your%20users%20did%20*not*%20check%20the%20KMSI%20option%2C%20were%20they%20also%20prompted%20to%20click%20on%20their%20username%20each%20time%3F%20Did%20you%20train%20all%20your%20users%20to%20always%20check%20the%20KMSI%20option%20on%20the%20old%20login%20experience%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-165627%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-165627%22%20slang%3D%22en-US%22%3EHi%20Kelvin%2C%3CBR%20%2F%3E%3CBR%20%2F%3EYes%20the%20pick%20account%20screen%20is%20appearing%20this%20started%20showing%20in%20the%20last%202%20weeks%20or%20so%20according%20to%20the%20users.%20The%20main%20issue%20is%20this%20appears%20each%20time%20an%20office%202010%20user%20opens%20an%20office%20document%20from%20SPO.%20A%20workaround%20is%20to%20visit%20the%20old%20login%20page%20and%20check%20the%20KMSI%20option%20but%20this%20is%20far%20from%20ideal.%20When%20opening%20a%20document%20the%20pick%20an%20account%20screen%20appears%2C%20if%20users%20click%20the%20page%20they%20are%20authenticated%20to%20ADFS%20and%20the%20document%20opens%2C%20but%20this%20occurs%20each%20time%20a%20document%20is%20opened.%20There%20is%20no%20issue%20with%20office%202016%20but%20we%20have%20thousands%20of%20office%202010%20users%20who%20are%20not%20updated%20to%202016%20yet.%3CBR%20%2F%3E%3CBR%20%2F%3EThanks%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-165511%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-165511%22%20slang%3D%22en-US%22%3EHi%20Andy%2C%20a%20quick%20clarification%20-%20are%20you%20reporting%20that%20the%20%22Pick%20an%20account%22%20screen%20is%20showing%20up%20for%20you%20now%20but%20it%20didn't%20before%3F%20If%20so%2C%20can%20when%20did%20it%20start%20showing%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-165441%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-165441%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20new%20rule%20has%20worked%20for%20us%20so%20far!%20Thanks.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-165285%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-165285%22%20slang%3D%22en-US%22%3E%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70095%22%20target%3D%22_blank%22%3E%40Kelvin%20Xia%3C%2FA%3E%20wrote%3A%3CBR%20%2F%3ETo%20support%20SharePoint%20mapped%20drives%20with%20ADFS%2C%20we%20recommend%20setting%20up%20PSSO%20which%20will%20result%20in%20the%20same%20logic%20as%20a%20user%20manually%20checking%20the%20old%20KMSI%20checkbox.%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fidentity%2Fad-fs%2Foperations%2Fad-fs-single-sign-on-settings%23enable-psso-for-office-365-users-to-access-sharepoint-online%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fidentity%2Fad-fs%2Foperations%2Fad-fs-single-sign-on-settings%23enable-psso-for-office-365-users-to-access-sharepoint-online%3C%2FA%3E%3CBR%20%2F%3E%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%0A%3CP%3EThat%20claim%20did%20not%20work%20for%20me%20and%20my%20customers%20(tried%20it%20with%20two%20different%20setups)%2C%20but%20MS%20support%20supplied%20the%20following%20claim%20rule%2C%20that%20works%20just%20perfectly%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3Ec%3A%5BType%20%3D%3D%20%22http%3A%2F%2Fschemas.microsoft.com%2Fws%2F2012%2F01%2Finsidecorporatenetwork%22%5D%0A%20%3D%26gt%3B%20issue(Type%20%3D%20%22http%3A%2F%2Fschemas.microsoft.com%2F2014%2F03%2Fpsso%22%2C%20Issuer%20%3D%20c.Issuer%2C%20OriginalIssuer%20%3D%20c.OriginalIssuer%2C%20Value%20%3D%20c.Value%2C%20ValueType%20%3D%20c.ValueType)%3B%0A%3C%2FPRE%3E%0A%3CP%3EUsing%20this%20rule%20gets%20rid%20of%20the%20username%20prompt%20%22Pick%20an%20account%22.%20For%20my%20customer%26nbsp%3B%3CSTRONG%3Ethat%20is%20the%20solution%20to%20the%20problem%3C%2FSTRONG%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70095%22%20target%3D%22_blank%22%3E%40Kelvin%20Xia%3C%2FA%3E%3A%20I'd%20be%20pleased%20to%20keep%20on%20working%20on%20the%20%22Pick%20an%20account%22%20prompt%20to%20get%20it%20working%20as%20designed.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-165271%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-165271%22%20slang%3D%22en-US%22%3E%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70095%22%20target%3D%22_blank%22%3E%40Kelvin%20Xia%3C%2FA%3E%20wrote%3A%3CBR%20%2F%3EHi%20Marc%2C%3CBR%20%2F%3E%3CBR%20%2F%3EIs%20the%20screen%20where%20your%20user%20has%20to%20click%20on%20a%20username%20the%20%22Pick%20an%20account%22%20screen%3F%3CBR%20%2F%3E%3CBR%20%2F%3EI%20believe%20that%20what%20you're%20seeing%20is%20caused%20by%20a%20different%20change%20in%20our%20code.%20Can%20you%20please%20send%20me%20a%20Fiddler%20trace%20of%20a%20user%20running%20through%20the%20scenario%20you%20mentioned%20and%20seeing%20the%20%22Pick%20an%20account%22%20prompt%3F%20Please%20DM%20me%20the%20trace%20so%20we%20can%20look%20into%20it.%3CBR%20%2F%3E%3CBR%20%2F%3EThanks%2C%3CBR%20%2F%3EKelvin%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%0A%3CP%3EHi%20Kelvin%2C%3C%2FP%3E%0A%3CP%3Eyes%2C%20it%20is%20the%20%22Pick%20an%20account%22%20screen%2C%20that%20is%20displayed.%20I'll%20send%20the%20trace%20asap.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMarc%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-165209%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-165209%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Kelvin%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhat%20is%20the%20recommendation%20where%20SPO%20acceleration%20is%20not%20an%20option%20e.g.%20due%20to%20large%20numbers%20of%20heavily%20utilised%20externally%20shared%20sites.%20In%20this%20scenario%20internal%20users%20will%20still%20get%20the%20%22username%22%20prompt%20(required%20to%20support%20the%20external%20users%20authentication%20flow%20to%20their%20IDP).%20Presumably%20as%20there%20is%20a%20%22flag%22%20set%20on%20the%20site%20to%20say%20it%20is%20externally%20shared%20and%20therefore%20should%20not%20support%20honour%20the%20accelerated%20redirect%20to%20ADFS.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAnd%20in%20addition%20where%20persistent%20SSO%20is%20not%20an%20option%20due%20to%20the%20security%20risks%20e.g.%20Persistent%20cookie%20coupled%20with%20insidecorporatenetwork%20claims%20result%20in%20users%20being%20issued%20a%20persistent%20cookie%20that%20can%20then%20be%20used%20when%20they%20travel%20off%20the%20corporate%20network.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIdeally%20it%20would%26nbsp%3Bseem%20better%20and%20easier%20if%20the%20accelerated%20feature%20differentiated%20between%20the%20corporate%20users%20(based%20on%20UPN%20suffix%3F%3F)%20%26nbsp%3Band%20redirected%20the%20authentication%20to%20ADFS%20but%20allowed%20the%20redirection%20to%20the%20login.microsoftonline.com%20for%20the%20external%20users.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAny%20pointers%20on%20a%20supported%20solution%20or%20indication%20on%20when%20a%20fix%20for%20externally%20shared%20sites%20might%20become%20available%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-165097%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-165097%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F12882%22%20target%3D%22_blank%22%3E%40Daniel%20Billington%3C%2FA%3E%26nbsp%3B-%20we%20have%20exactly%20this%20issue%20since%20we%20enabled%20Azure%20MFA.%20Did%20you%20find%20any%20solution%20yet%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70095%22%20target%3D%22_blank%22%3E%40Kelvin%20Xia%3C%2FA%3E%26nbsp%3Bthis%20is%20really%20a%20big%20annoyance%20for%20anyone%20using%20Seamless%20SSO%20and%20MFA.%20The%20KMSI%20dialogue%20does%20not%20show%20up%20if%20Seamless%20SSO%20ist%20enabled%2C%20which%20results%20in%20repeated%20MFA%20requests%20every%20time%26nbsp%3Bthe%20browser%20is%20restarted.%26nbsp%3BOnce%20we%20disable%20Seamless%20SSO%20on%20the%20client%20side%20(Browser%20Intranet%20Zone)%2C%20users%26nbsp%3Bsee%20the%20KMSI%20and%20are%20able%20to%20stay%20signed%20in...%20no%20unnecessary%20MFA%20requests%20anymore.%20We%20still%20want%20to%20use%20both%3A%20Seamless%20SSO%20and%20MFA%2C%20but%20at%20the%20current%20state%20this%20is%20not%20possible.%26nbsp%3BWhats%20the%20best%20practice%20if%20we%20want%20to%20combine%20both%20methods%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EEDIT%3A%20we%20are%20not%20using%20AD%20FS%2C%20instead%20we%20are%20relying%20on%20Azure%20AD%20Connect.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-164006%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-164006%22%20slang%3D%22en-US%22%3EHi%20Marc%2C%3CBR%20%2F%3E%3CBR%20%2F%3EIs%20the%20screen%20where%20your%20user%20has%20to%20click%20on%20a%20username%20the%20%22Pick%20an%20account%22%20screen%3F%3CBR%20%2F%3E%3CBR%20%2F%3EI%20believe%20that%20what%20you're%20seeing%20is%20caused%20by%20a%20different%20change%20in%20our%20code.%20Can%20you%20please%20send%20me%20a%20Fiddler%20trace%20of%20a%20user%20running%20through%20the%20scenario%20you%20mentioned%20and%20seeing%20the%20%22Pick%20an%20account%22%20prompt%3F%20Please%20DM%20me%20the%20trace%20so%20we%20can%20look%20into%20it.Thanks%2CKelvin%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-164002%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-164002%22%20slang%3D%22en-US%22%3ETo%20support%20SharePoint%20mapped%20drives%20with%20ADFS%2C%20we%20recommend%20setting%20up%20PSSO%20which%20will%20result%20in%20the%20same%20logic%20as%20a%20user%20manually%20checking%20the%20old%20KMSI%20checkbox.%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fidentity%2Fad-fs%2Foperations%2Fad-fs-single-sign-on-settings%23enable-psso-for-office-365-users-to-access-sharepoint-online%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fidentity%2Fad-fs%2Foperations%2Fad-fs-single-sign-on-settings%23enable-psso-for-office-365-users-to-access-sharepoint-online%3C%2FA%3E%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-163677%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-163677%22%20slang%3D%22en-US%22%3EIndeed%2C%20the%20KMSI%20screen%20does%20not%20show%20up%20after%20authentication%20against%20ADFS%20for%20our%20internal%20users.%20As%20a%20result%2C%20WebDAV%2Fmapped%20drives%20are%20just%20not%20working%20anymore.%20%3CBR%20%2F%3E%3CBR%20%2F%3EWhile%20I%20can%20understand%20this%20is%20legacy%20tech%2C%20it%20should%20still%20be%20supported%20until%20a%20replacement%20solution%20is%20delivered.%20I'm%20thinking%20along%20the%20lines%20of%20the%20OneDrive%20files-on-demand%20with%20the%20possibility%20to%20keep%20the%20synced%20files%20only%20in%20the%20cloud%20and%20not%20have%20them%20synced%20locally%20whenever%20one%20is%20opened%20(we%20don't%20have%20the%20storage%20for%20this%20%2F%20don't%20want%20to%20support%20this%20scenario).%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-162735%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-162735%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70095%22%20target%3D%22_blank%22%3E%40Kelvin%20Xia%3C%2FA%3E%26nbsp%3BI%20think%20the%20last%20few%20complaints%20are%20about%20the%20WebDAV%2Fmapped%20drives%20experience.%20Previously%2C%20we%20were%20able%20to%20make%20this%20persistent%20by%20making%20sure%20the%20%22LoginOptions%22%20parameter%20is%20passed%20via%20the%20smart%20links%20used.%20In%20the%20new%20experience%2C%20this%20seems%20to%20no%20longer%20be%20the%20case%2C%20thus%20the%20session%20expire%20more%20often%20and%20break%20the%20user%20experience.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-162621%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-162621%22%20slang%3D%22en-US%22%3EHi%20everyone%2C%3CBR%20%2F%3E%3CBR%20%2F%3Eour%20recommendation%20to%20bypass%20the%20additional%20%22Pick%20an%20account%22%20prompt%20and%20redirect%20automatically%20to%20on-prem%20IdPs%20(eg.%20ADFS)%20for%20auth%20is%20to%20enable%20SharePoint%20auto-acceleration%3A%20%3CA%20href%3D%22https%3A%2F%2Fsupport.office.com%2Fen-us%2Farticle%2Fenable-or-disable-auto-acceleration-for-your-sharepoint-online-tenancy-74985ebf-39e1-4c59-a74a-dcdfd678ef83%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.office.com%2Fen-us%2Farticle%2Fenable-or-disable-auto-acceleration-for-your-sharepoint-online-tenancy-74985ebf-39e1-4c59-a74a-dcdfd678ef83%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EPlease%20take%20note%20of%20the%20call%20out%20on%20how%20this%20might%20not%20work%20if%20you%20have%20users%20that%20are%20external%20to%20your%20organization%20(guest%20users)%20access%20your%20SharePoint%20site.%3CBR%20%2F%3E%3CBR%20%2F%3EIf%20SharePoint%20auto-acceleration%20does%20not%20work%20for%20your%20environment%2C%20you%20can%20consider%20setting%20up%20ADFS%20to%20return%20the%20Persistent%20SSO%20claim%20with%20every%20sign%20in.%20That%20will%20cause%20Azure%20AD%20to%20drop%20a%20persistent%20token%20which%20will%20bypass%20the%20%22Pick%20an%20account%22%20screen.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-162606%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-162606%22%20slang%3D%22en-US%22%3E%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F75442%22%20target%3D%22_blank%22%3E%40Jeroen%20Lammens%3C%2FA%3E%20wrote%3A%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F116476%22%20target%3D%22_blank%22%3E%40Marc%20Debold%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EWe%20are%20facing%20the%20same%20problem.%20External%20users%20get%20the%20KMSI%20dialog%2C%20internal%20users%20do%20not%20(both%20after%20authentication%20against%20ADFS).%20As%20a%20result%20SharePoint%20Online%20WebDAV%20is%20not%20working%20anymore.%20Have%20you%20found%20a%20solution%20to%20this%3F%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%0A%3CP%3EWe%20have%20opened%20a%20MS%20call%20and%20we%20are%20currently%20working%20on%20it.%20Until%20now%2C%20we%20have%20made%20no%20progress%20as%20MS%20(or%20at%20least%20the%20technician%20dealing%20with%20the%20ticket)%20claims%20this%20to%20be%20the%20way%20it%20is%20intended%20to%20work.%3C%2FP%3E%0A%3CP%3EI'll%20report%20back%20as%20soon%20as%20I%20got%20news.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-162437%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-162437%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20experiencing%20this%20issue%20as%20well.%26nbsp%3B%20Has%20there%20been%20any%20resolution%20identified%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-162288%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-162288%22%20slang%3D%22en-US%22%3E%3CP%3EOur%20organization%20is%20experiencing%20the%20same%20problems.%20We%20use%20ADFS%20for%20authentication.%20KMSI%20dialog%20is%20shown%20externally%2C%20but%20not%20internally.%20SPO%20WebDAV%20doesn't%20work%20anymore%20and%20users%20have%20to%20choose%20their%20UPN%20every%20time%20they%20launch%20the%20browser.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-162263%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-162263%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F116476%22%20target%3D%22_blank%22%3E%40Marc%20Debold%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EWe%20are%20facing%20the%20same%20problem.%20%20External%20users%20get%20the%20KMSI%20dialog%2C%20internal%20users%20do%20not%20(both%20after%20authentication%20against%20ADFS).%20As%20a%20result%20SharePoint%20Online%20WebDAV%20is%20not%20working%20anymore.%20Have%20you%20found%20a%20solution%20to%20this%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-160384%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-160384%22%20slang%3D%22en-US%22%3E%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70095%22%20target%3D%22_blank%22%3E%40Kelvin%20Xia%3C%2FA%3E%20wrote%3A%3CBR%20%2F%3EMay%20I%20know%20why%20you%20want%20to%20see%20the%20prompt%20even%20when%20SSO%20happens%3F%20By%20definition%2C%20when%20SSO'ed%20your%20user%20should%20just%20always%20automatically%20sign%20in%20without%20any%20interactive%20prompts.%20So%2C%20asking%20the%20user%20if%20they%20want%20to%20remain%20signed%20in%20doesn't%20really%20mean%20anything%20when%20SSO%20happens.%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%0A%3CP%3EThat's%20almost%20right%2C%20but%3A%20For%20SSO%20to%20work%2C%20you%20need%20to%20provide%20the%20username%20%2F%20email%20address%20%2F%20UPN%20(which%20may%20be%20saved%2C%20but%20has%20to%20be%20confirmed%20by%20clicking%20it)%26nbsp%3B%3CSTRONG%3Ebefore%3C%2FSTRONG%3E%20SSO%20kicks%20in.%20This%20is%20the%20issue%20in%20our%20case.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EImagine%20the%20following%20(real-world)%20scenario%3A%20Customer%20is%20using%20a%20SharePoint%20Online%20document%20library%20to%20store%20attachments%20for%20his%20Navision%20users.%20So%20when%20clicking%20on%20a%20link%20in%20Navision%20to%20open%20such%20an%20attachment%20(mostly%20PDF%20documents)%2C%20you%20would%20expect%20your%20PDF%20viewer%20to%20open.%20In%20the%20current%20situation%2C%20your%20browser%20opens%20asking%20for%20your%20login%20(which%20perhaps%20was%20saved%20before)%2C%20you%20confirm%20it%2C%20SSO%20happens%20and%20the%20PDF%20opens.%20After%20doing%20whatever%20with%20the%20document%2C%20the%20user%20closes%20the%20PDF%20and%20the%20browser%20window.%20After%20that%2C%20he%20clicks%20the%20next%20link%20in%20Navision%20and%20the%20same%20happens%20...%20browser%2C%20confirm%20username%2C%20SSO%2C%20PDF.%20Only%20by%20leaving%20open%20the%20browser%20(as%20a%20workaround)%2C%20the%20annoying%20clicking%20and%20waiting%20can%20be%20bypassed.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20behavior%20most%20likely%20applies%20to%20any%20SharePoint%20related%20content%20storage%20...%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBy%20using%20the%20persistent%20session%20token%2C%20a%20true%20SSO%20experience%20(as%20seen%20in%20the%20old%20version)%20could%20be%20setup%26nbsp%3B%3CSTRONG%3Eagain%3C%2FSTRONG%3E.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-160329%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-160329%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70095%22%20target%3D%22_blank%22%3E%40Kelvin%20Xia%3C%2FA%3E%20wrote%3A%3CBR%20%2F%3EMay%20I%20know%20why%20you%20want%20to%20see%20the%20prompt%20even%20when%20SSO%20happens%3F%20By%20definition%2C%20when%20SSO'ed%20your%20user%20should%20just%20always%20automatically%20sign%20in%20without%20any%20interactive%20prompts.%20So%2C%20asking%20the%20user%20if%20they%20want%20to%20remain%20signed%20in%20doesn't%20really%20mean%20anything%20when%20SSO%20happens.%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%0A%3CP%3EThere%20is%20one%20case%20where%20it%20would%20be%20really%20useful%20to%20have%20KMSI%20available%20when%20using%20SSO%20and%20that%20is%20when%20Azure%20MFA%20is%20enabled%2C%20to%20allow%20to%20remain%20signed%20in%20without%20getting%20prompted%20for%20the%20MFA%20code%20each%20time%20the%20browser%20is%20launched.%20When%20outside%20the%20LAN%20the%20KMSI%20appears%20(since%20then%20SSO%20is%20not%20active)%2C%20so%20no%20reason%20not%20to%20show%20KMSI%20when%20on%20the%20LAN.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIs%20there%20any%20thought%20to%20allow%20this%3F%20Thanks%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-153841%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-153841%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3Eo%20my%20team%20and%20I%20sat%20down%20in%20a%20room%20to%20compare%20our%26nbsp%3Bdifferent%20experiences.%20We%20found%20that%20each%20browser%26nbsp%3Bhas%20settings%20that%20delete%20cookies%26nbsp%3B%20In%20Chrome%20I%20had%20this%20setting%20%22%3C%2FSPAN%3E%3CSPAN%3EKeep%20local%20data%20only%20until%20you%20quit%20your%20browser%22%20turned%20on.%20When%20I%20turned%20this%20off%20I%20was%20presented%20with%20the%20%22Stay%20Signed%20In%22%20option%20and%20was%20able%20to%20stay%20logged%20in%20once%20I%20had%20authenticated%20and%20verified%20with%20MFA.%20I%20have%20not%20had%20to%20reauthenticate.%20This%20is%20a%20per%20browser%20setting.%20Each%20browser%20has%20different%20settings%20of%20course.%26nbsp%3B%20We%20think%20Macs%20have%20a%20privacy%20setting%20Website%20Tracking%20Prevent%20cross-site-tracking%20and%20if%20this%20is%20checked%20this%20will%20prevent%20the%20Stay%20Signed%20in%20feature%20to%20work.%20I%20haven't%20confirmed%20yet%20but%20will%20update%20this%20post%20once%20we%20do.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-153293%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-153293%22%20slang%3D%22en-US%22%3E%3CP%3EJust%20spent%20about%20a%20day%20figuring%20out%20the%20same%20%22keep%20me%20signed%20in%22%20issue%2C%20as%20discussed%20here.%20The%20problem%20seems%20to%20be%20related%20to%20ADFS%20and%20WIA.%20I%20can%20provide%20some%20details%20on%20my%20customers%20setup%20and%20how%20to%20reproduce%20the%20problem%20(got%20a%20workaround%2C%20too)%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20have%20a%20federated%20O365%20domain%2C%20ADFS%20on%20prem%20for%20authentication%20and%20WIA%20%2F%20IE%20trusted%20zones%20setup%20internally%2C%20so%20that%20no%20logon%20prompt%20used%20to%20display%20when%20accessing%20O365%20resources%20(tested%20access%20to%20OneDrive%20in%20browser).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EInternal%20behavior%3A%3C%2FSTRONG%3E%20With%20the%20new%20login%20experience%2C%20user%20name%20needs%20to%20be%20provided%2C%20redirect%20to%20ADFS%20and%20automatic%20logon%20succeed%2C%20then%20you%20are%20returned%20to%20your%20desired%20destination%20in%20your%20browser%20--%26gt%3B%20No%20prompt%20for%20%22keep%20me%20signed%20in%22.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EExternal%20behavior%3A%3C%2FSTRONG%3E%20User%20name%20needs%20to%20be%20provided%2C%20redirect%20to%20ADFS%20shows%20ADFS%20login%20page.%20Password%20must%20be%20entered%20there%2C%20redirect%20to%20MS%20happens%20(eventually%20MFA%20thereafter)%2C%20then%20%22keep%20me%20signed%20in%22%20appears%2C%20can%20be%20set%20and%20works%20correctly.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhat%20I%20already%20did%3A%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3ERemoved%20the%20corresponding%20WIA%20agents%20from%20ADFS%20config%20to%20have%20the%20ADFS%20login%20page%20experience%20from%20internal%20clients.%20KMSI%20dialog%20from%20MS%20is%26nbsp%3B%3CSTRONG%3Enot%3C%2FSTRONG%3E%20displayed.%3C%2FLI%3E%0A%3CLI%3EEnabled%20KMSI%20in%20ADFS%20properties%20and%20added%20claim%20rules%20to%20pass%20through%20PSSO%20claim.%20Now%20on%20the%20ADFS%20website%2C%20there%20is%20a%20keep%20me%20signed%20in%20checkbox%2C%20which%20does%20place%20a%20permanent%20cookie%2C%20so%20that%20subsequent%20logins%20(after%20closing%20and%20reopening%20the%20browser)%20are%26nbsp%3B%3CSTRONG%3Enot%20required%3C%2FSTRONG%3E.%20The%20KMSI%20dialog%20from%20MS%20is%26nbsp%3B%3CSTRONG%3Enot%26nbsp%3B%3C%2FSTRONG%3Edisplayed.%20%3CSTRONG%3EThis%20is%20my%20current%20workaround%2C%20but%20not%20the%20desired%20state.%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3EI%20think%2C%20the%20problem%20is%20the%20combination%20of%20ADFS%20and%20WIA-enabled%20authentication%20from%20inside%20the%20coorp%20network.%20The%20exactly%20same%20setup%20works%20as%20expected%20from%20external%20locations%2C%20but%20not%20from%20internal%20ones.%20This%20used%20to%20work%20in%20the%20%22old%20style%22.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20would%20gladly%20help%20getting%20this%20thing%20done%2C%20if%20you%20need%20more%20input.%20Just%20get%20in%20touch%20with%20me.%20Already%20checked%20this%20issue%20with%20a%20second%20setup%2C%20same%20behavior%20there%20...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-153102%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-153102%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20have%20one%20user%20who%20is%20having%20an%20issue%20of%20%22looping.%22%26nbsp%3B%20They%20sign%20into%20SharePoint%20via%20the%20SSO%20and%20then%20the%20page%20refreshes%20and%20says%20%22you%20are%20already%20signed%20in%22%20and%20just%20keeps%20spinning%20like%20it%20is%20trying%20to%20load%20the%20page.%26nbsp%3B%20However%2C%20it%20never%20moves%20past%20the%20log%20in%20page.%26nbsp%3B%20The%20only%20way%20we%20can%20move%20past%20is%20to%20log%20in%20again%20as%20another%20user.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-152594%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-152594%22%20slang%3D%22en-US%22%3E%3CP%3ETrying%20to%20understand%20exact%20implications%20of%20hiding%20the%20KMSI%20option.%26nbsp%3B%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fcustomize-branding%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EThis%20link%3C%2FA%3E%20states%2C%20%22Some%20features%20of%20SharePoint%20Online%20and%20Office%202010%20depend%20on%20users%20being%20able%20to%20choose%20to%20remain%20signed%20in.%20If%20you%20set%20this%20option%20to%20No%2C%20your%20users%20may%20see%20additional%20and%20unexpected%20prompts%20to%20sign-in.%22%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIs%20there%20a%20list%20of%20the%20features%2Ffunctionality%20that%20may%20be%20impacted%20when%20hiding%20this%20option%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-148991%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-148991%22%20slang%3D%22en-US%22%3EPlease%20send%20me%20a%20private%20message%20with%20your%20email%20address%20and%20I'll%20send%20instructions%20via%20email.%20It'll%20be%20a%20lot%20easier%20that%20way.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-148974%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-148974%22%20slang%3D%22en-US%22%3E%3CP%3ECan%20you%20please%20send%20me%20instructions%20on%20how%20to%20run%20the%20Fiddler%20trace.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-148967%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-148967%22%20slang%3D%22en-US%22%3ECan%20you%20please%20send%20me%20a%20fiddler%20trace%20of%20your%20login%20via%20private%20message%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-148937%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-148937%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Kelvin%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20would%20really%20appreciate%20some%20insight%20into%20this%20issue%2C%20we'd%20really%20like%20to%20communicate%20to%20our%20users%20about%20this%20change.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-148078%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-148078%22%20slang%3D%22en-US%22%3E%3CP%3EI%20mean%20accept%20the%20push%20notification%20to%20my%20smartphone%20from%20MFA.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-148047%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-148047%22%20slang%3D%22en-US%22%3EWhen%20you%20say%20%22accept%20prompt%22%20what%20prompt%20do%20you%20refer%20to%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-148046%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-148046%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Kelvin%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20did%20not%20work.%20I%20get%20taken%20to%20my%20organizations%20SSO%20page%2C%20get%20prompted%20for%20MFA%20accept%20prompt%26nbsp%3Band%20then%20go%20straight%20to%20Office%20365.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-148036%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-148036%22%20slang%3D%22en-US%22%3ETry%20clearing%20browser%20cookies%20and%20signing%20in%20again.%20Let%20me%20know%20if%20you%20see%20the%20%22Keep%20me%20signed%20in%22%20prompt%20then.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-148033%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-148033%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20Office%20365%20MFA%20enabled.%20When%20the%20%22Keep%20me%20signed%20in%22%20experience%20rolled%20out%20in%20December%20I%20saw%20it.%20I%20clicked%20on%20Keep%20me%20signed%20in%20did%20not%20require%20authentication%20when%20I%20logged%20into%20Office%20365%20from%20any%20browser.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAt%20some%20point%20in%20early%26nbsp%3BJanuary%2C%20I%20believe%20this%20changed.%20Now%20when%20I%20log%20in%20I%20get%20taken%20straight%20to%20my%20organization's%20login%20page%2C%20enter%20my%20credentials%20and%20I'm%20in.%20I%20have%20to%20log%20into%20Office%20365%20from%20my%20browser%20every%20day.%20The%20experience%20is%20the%20same%20across%20all%20my%20devices.%20I%20have%20not%20seen%20the%20%22Keep%20me%20signed%20in%22%20feature%20since.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHelp%20please%3F!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-144732%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-144732%22%20slang%3D%22en-US%22%3EHi%20Greg%2C%20we%20just%20checked%20in%20a%20tweak%20to%20the%20prompt%20logic%20that%20should%20make%20the%20prompt%20show%20up%20a%20lot%20more%20consistently.%20Please%20look%20for%20it%20to%20release%20in%20a%20week%20or%20so.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-143454%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-143454%22%20slang%3D%22en-US%22%3EWe're%20also%20not%20seeing%20it%20after%20the%20initial%20sign%20in%2C%20meaning%20that%20mapped%20drives%20no%20longer%20work.%20Very%20unhelpful.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-143450%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-143450%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20utilise%20WebDAV%20to%20map%20SharePoint%20Online%20drives%20for%20all%20of%20our%20365%20clients%2C%20and%20the%20new%20sign%20in%20has%20a%26nbsp%3B%20critical%20flaw.%20After%20the%20initial%20sign%20in%20using%20IE%20the%20option%20to%20stay%20signed%20in%20is%20not%20presented%2C%20meaning%20that%20the%20mapped%20WebDAV%20drives%20do%20not%20reconnect.%20Returning%20to%20the%20old%20sign%20in%20and%20ticking%20the%20%22Keep%20me%20signed%20in%22%20still%20works%20fine%20however.%20If%20we%20log%20in%20to%20an%20inprivate%20browser%20the%20stay%20signed%20in%20option%20returns%2C%20however%20this%20is%20no%20good%20to%20us%20as%20it%20will%20not%20map%20a%20drive%20this%20way.%20Resetting%20IE%20also%20returns%20the%26nbsp%3B%3C%2FP%3E%0A%3CP%3Estay%20signed%20in%20prompt%2C%20however%20again%20this%20disappears%20after%20the%20initial%20sign%20in.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-142741%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-142741%22%20slang%3D%22en-US%22%3EHi%20Andy%2C%20yes%2C%20this%20is%20a%20known%20issue%20where%20if%20the%20user%20first%20says%20%22Yes%22%20to%20the%20prompt%2C%20then%20explicitly%20signs%20out%2C%20they%20would%20not%20see%20the%20prompt%20again%20on%20subsequent%20sign%20ins%20for%203%20days.%3CBR%20%2F%3E%3CBR%20%2F%3EThis%20is%20something%20we're%20looking%20into%20fixing.%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-142190%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-142190%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20use%26nbsp%3BSAML%20SSO%20with%20several%20vendors%20using%26nbsp%3BADFS%20as%20our%20iDp.%26nbsp%3BOur%20ADFS%20server%20is%20under%20a%20different%20domain%20so%20we%20have%20a%20Claims%20Provider%20Trust%20setup%20with%20our%20AAD.%26nbsp%3BWe%20have%20an%20issue%20with%20the%20new%20sign-in%20experience.%20When%20a%20user%20initially%20signs%20in%20they%20get%20presented%20with%20the%20%22Stay%20signed%20in%3F%22%20prompt.%20If%20they%20say%20Yes%20a%20persistent%20cookie%20is%20set%20and%20things%20work%20like%20they%20should.%20However%2C%20if%20they%20were%20to%20go%20back%20to%20the%20iDp%20initiated%20signon%20page%20and%20log%20out%20for%20whatever%20reason%2C%20when%20they%20go%20to%20sign-in%20again%20they%20won't%20get%20the%20%22Stay%20signed%20in%3F%22%20prompt%20so%20it%20just%20sets%20a%20session%20cookie%20that%20is%20terminated%20if%20they%20close%20their%20browser.%20If%26nbsp%3Bthey%20choose%20to%20go%20back%20to%20the%20old%20sign-in%20experience%20the%20%22Keep%20me%20signed%20in%22%20checkbox%20will%20be%20there%20so%20they%20once%20again%20can%20set%20a%20persistent%20cookie.%20Is%20this%20a%20known%20issue%3F%20Is%20there%20a%20fix%20for%20this%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-142149%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-142149%22%20slang%3D%22en-US%22%3E%3CP%3EI%20don't%20think%20so%2C%20it%20will%20most%20likely%20not%20recognize%20the%20claim.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-142147%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-142147%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%2C%20Thank%20you%20for%20the%20response.%20The%20old%20sign%20in%20page%20has%20%22keep%20me%20signed%20in%22%20check%20box%20that%20helps%20the%20user%20not%20be%20prompted%20to%20pick%20account%20or%20see%20login%20prompt%20the%20next%20time%20they%20re-launch%20the%20browser%20and%20access%20SharePoint%20site.%20The%20new%20UI%20has%20no%20such%20option%20any%20more.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20new%20ADFS%20version%20on%20Windows%202012%20seems%20to%20have%20an%20option%20to%20create%20custom%20claim%20rules%20to%20issue%20PSSO%20claims%20that%20avoids%20%22pick%20an%20account%22%20prompt%20as%20shared%20by%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70095%22%20target%3D%22_blank%22%3E%40Kelvin%20Xia%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAs%20you%20recommended%2C%20I%20researched%20and%26nbsp%3BI%20was%20able%20to%20create%20a%20SMART%20link%26nbsp%3Bwhich%20does%20the%20same%20job%20as%20%22keep%20me%20signed%20in%22%20check%20box.%20The%20user%20has%20to%20browse%20this%20link%20once%2C%20interestingly%20it%20won't%20even%20prompt%20for%20UPN%20(password%20not%26nbsp%3Brequired%20as%20we%20are%20SSO)%26nbsp%3Band%20process%20sets%20the%20persistent%20cookie%20on%20the%20machine%20and%20he%2Fshe%20never%20needs%20to%20pick%20account%20going%20forward.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20question%20I%20have%20now%20is%2C%20Our%20organization%20would%20like%20to%20enable%20PSSO%20but%20we%20are%20on%20ADFS%202.0%20and%20Windows%202008%20R2.%26nbsp%3BThe%20article%20on%20this%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fidentity%2Fad-fs%2Foperations%2Fad-fs-single-sign-on-settings%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Elink%3C%2FA%3E%26nbsp%3Bdescribes%20how%20to%20configure%20ADFS%20to%20issue%20PSSO%20claims%20but%20not%20sure%20if%20this%20applies%20to%20Windows%202008%20R2.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-141364%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-141364%22%20slang%3D%22en-US%22%3EHi%20Johannes%2C%20can%20you%20please%20private%20message%20me%20your%20email%20address%20and%20I'll%20reach%20out%20to%20you%20to%20get%20more%20information.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-141130%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-141130%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%0A%3CP%3Eat%20one%20of%20my%20customers%20I%20have%20exactly%20the%20same%20problem%20like%20Srikanth%20Komirishetty.%20Every%20time%20the%20browser%20is%20closed%20and%20reopend%20the%20Account%20Picking%20window%20is%20showing.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-141069%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-141069%22%20slang%3D%22en-US%22%3EHi%20Unnie%2C%20you%20can%20configure%20ADFS%20to%20pass%20the%20Persistent%20SSO%20(PSSO)%20claim%20so%20that%20Azure%20AD%20will%20automatically%20drop%20persistent%20cookies.%20That%20should%20get%20you%20what%20you%20need.%20You%20can%20find%20more%20information%20about%20PSSO%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fidentity%2Fad-fs%2Foperations%2Fad-fs-single-sign-on-settings%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fidentity%2Fad-fs%2Foperations%2Fad-fs-single-sign-on-settings%3C%2FA%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-141013%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-141013%22%20slang%3D%22en-US%22%3EHi%20Joe%2C%3CBR%20%2F%3E%3CBR%20%2F%3Ecan%20you%20please%20clarify%20what%20you're%20trying%20to%20achieve%3F%20Is%20this%20an%20issue%20that%20has%20occurred%20with%20the%20new%20sign-in%20experience%20or%20is%20this%20just%20new%20functionality%20you%20want%20enabled%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-141011%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-141011%22%20slang%3D%22en-US%22%3EHi%20Teemu%2C%3CBR%20%2F%3E%3CBR%20%2F%3Ewould%20you%20mind%20private%20messaging%20me%20your%20email%20address%3F%20I'll%20need%20some%20additional%20info%20(eg.%20traces)%20to%20investigate%20this.%3CBR%20%2F%3E%3CBR%20%2F%3EThanks%2C%3CBR%20%2F%3EKelvin%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-140833%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-140833%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20experiencing%20the%20same%20as%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%2C%20no%20KMSI%20prompt%20after%20successful%20sign-in%20in%20IE11%20or%20Chrome.%20And%20every%20time%20browser%20is%20started%20a%20sign-in%20prompt%20(password)%20is%20shown.%20Also%20sign-in%20prompt%20is%20shown%20every%20time%20I%20open%20locally%20installed%20Outlook%20client.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-138800%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-138800%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3E%3CU%3ECurrent%20set%20up%3C%2FU%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CU%3E%26nbsp%3B%3C%2FU%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EWe%20have%20SharePoint%20Online%20site%20with%20auto%20acceleration%20enabled.%20Our%20Azure%20AD%20is%20federated%20with%20on-premise%20ADFS.%20We%20have%20seamless%20SSO%20working%20in%20IE%20where%20user%20does%20not%20need%20to%20type%20any%20username%20password.%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CU%3EProblem%20statement%3A%3C%2FU%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBy%20default%2C%20when%20the%20user%20logins%20in%20thru%20IE%2C%20only%20Session%20cookie%20is%20generated%2C%20so%20when%20the%20user%20closes%20the%20browser%20and%20reopens%20the%20user%20is%20authenticated%20again.%20Also%2C%20the%20new%20KMSI%20(Keep%20me%20signed%20In)%20screen%20is%20not%20displayed%20to%20the%20user%20during%20the%20login%20experience%20in%20IE%2C%20so%20there%20is%20no%20way%20for%20user%20to%20generate%20persistent%20cookie%20which%20works%20across%20multiple%20sessions.%20In%20chrome%2C%20user%20can%20see%20the%20KMSI%20screen%20and%20hence%20persistent%20cookies%20can%20be%20generated.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CU%3EQuestions%3A%3C%2FU%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3BIs%20there%20a%20way%20by%20which%20global%20admin%20can%20configure%20such%20that%20all%20users%20by%20default%20gets%20persistent%20cookies%20instead%20of%20session%20cookie%2C%20so%20that%20they%20don%E2%80%99t%20even%20need%20to%20click%20%E2%80%9Cyes%E2%80%9D%20in%20KMSI%20screen%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20saw%20below%20blog%20where%20it%20says%20to%20create%20custom%20claim%20rule%20in%20ADFS%20to%20issue%20Persistent%20SSO%20claim.%20But%20again%2C%20the%20last%20line%20of%20the%20blog%20says%20%E2%80%9CAs%20of%20right%20now%2C%20AAD%20does%20not%20support%20SAML%20based%20use%20of%20the%20Persistent%20Single%20Sign%20On%20Claim%20%2F%20SAML%20attribute.%E2%80%9D%20So%2C%20is%20this%20blog%20relevant%20now%3F%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fblogs.technet.microsoft.com%2Fsposupport%2F2017%2F09%2F16%2Fcookie-persistence-in-sharepoint-online%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fblogs.technet.microsoft.com%2Fsposupport%2F2017%2F09%2F16%2Fcookie-persistence-in-sharepoint-online%2F%3C%2FA%3E%20%26nbsp%3B%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-138416%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-138416%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F99582%22%20target%3D%22_blank%22%3E%40Srikanth%20Komirishetty%3C%2FA%3E%26nbsp%3Bdo%20you%20happen%20to%20be%20using%20Smart%20links%3F%20Even%20with%20the%20old%20experience%2C%20without%20smart%20links%20configured%20you%20have%20to%20enter%2Fselect%20the%20UPN%20before%20federation%20happens.%20But%20you%20can%20construct%20%22smart%20links%22%20(basically%20an%20URL%20with%20added%20parameter%20for%20the%20domain)%20to%20bypass%20this%20process%20and%20have%20you%20log%20in%20automatically.%20Perhaps%20those%20are%20not%20working%20with%20the%20new%20experience%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-138314%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-138314%22%20slang%3D%22en-US%22%3E%3CP%3EKelvin%2C%3C%2FP%3E%0A%3CP%3EThe%20reason%20I%20ask%20is%2C%26nbsp%3Bwe%20get%20this%20window%20every%20single%20time%20when%20we%20close%20the%20browser.%20I%20need%20not%20enter%20my%20password%20but%20I%20have%20to%20click%20on%20my%20account%20(I%20have%20to%20pick%20every%20single%20time%20I%20close%20the%20browser).%20If%20I%20switch%20to%20old%20sign%20in%20experience%2C%20I%20can%20check%20the%20box%20to%20keep%20me%20signed%20in%20and%20it%20will%20never%20ask%20me%20to%20pick%20the%20account.%20As%20the%20old%20sign%20in%20page%20is%20going%20away%2C%20we%20need%20to%20provide%20our%20users%20a%20way%20to%20avoid%20picking%20account%20each%20and%20every%20time%20the%20re-open%20the%20browser.%20The%20only%2C%20I%20saw%20is%20with%20the%20prompt%20and%20that%20is%20why%2C%20I'm%20reaching%20you%20to%20see%20if%20we%20can%20enable%20that%20prompt%20on%20SSO.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F25821i85C76C2100E7DC14%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22Pick%20an%20account.PNG%22%20title%3D%22Pick%20an%20account.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-138225%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-138225%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70095%22%20target%3D%22_blank%22%3E%40Kelvin%20Xia%3C%2FA%3E%26nbsp%3Bwhat%20exactly%20does%20the%20%22shared%20machine%22%20logic%20cover%3F%20I%20stopped%20receiving%20the%20KMSI%20prompt%20on%20my%20personal%20PC%2C%20which%20is%20pretty%20much%20the%20most%20secure%20machine%20I%20use%20(even%20added%20as%20trusted%20IP)%2C%20and%20since%20I'm%20not%20using%20any%20form%20of%20SSO%20for%20said%20account%2C%20that%20only%20leaves%20the%20%22shared%20machine%22%20scenario%3F%20On%20the%20same%20machine%2C%20another%20user%20from%20the%20same%20tenant%20is%20getting%20the%20KMSI%20prompt...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-138224%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-138224%22%20slang%3D%22en-US%22%3EMay%20I%20know%20why%20you%20want%20to%20see%20the%20prompt%20even%20when%20SSO%20happens%3F%20By%20definition%2C%20when%20SSO'ed%20your%20user%20should%20just%20always%20automatically%20sign%20in%20without%20any%20interactive%20prompts.%20So%2C%20asking%20the%20user%20if%20they%20want%20to%20remain%20signed%20in%20doesn't%20really%20mean%20anything%20when%20SSO%20happens.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-138142%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-138142%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Kelvin%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20have%20SSO%20set%20up%20and%20based%20on%20your%20statement%2C%20Microsoft%20has%20added%20logic%20not%20to%20show%20the%20prompt.%3C%2FP%3E%0A%3CP%3EIs%20there%20a%20way%20we%20can%20show%20this%20prompt%20with%20SSO%20enabled%3F%20To%20your%20previous%20question%2C%20we%20have%20not%20set%20up%20ADFS%20to%20pass%20PSSO%20Claim%20for%20SharePoint.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAppreciate%20your%20help.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-137426%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-137426%22%20slang%3D%22en-US%22%3EHi%20Paul%2C%3CBR%20%2F%3E%3CBR%20%2F%3EThis%20new%20KMSI%20experience%20is%20completely%20rolled%20out%20now%20for%20a%20few%20weeks.%20We%20added%20some%20logic%20to%20hide%20the%20prompt%20if%20we%20detect%20that%20the%20login%20session%20is%20risky%2C%20if%20it's%20a%20shared%20machine%20or%20if%20SSO%20is%20set%20up.%20Can%20you%20please%20try%20logging%20in%20on%20an%20in-private%2Fincognito%20browser%20and%20see%20if%20the%20prompt%20shows%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-137424%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-137424%22%20slang%3D%22en-US%22%3EHi%20Jason%2C%3CBR%20%2F%3E%3CBR%20%2F%3Eare%20you%20still%20seeing%20issues%2C%20if%20you%20are%2C%20can%20you%20please%20DM%20me%20your%20email%20address%20and%20I'll%20contact%20you%20to%20get%20more%20information%20to%20troubleshoot%20the%20problem.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-137287%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-137287%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20don't%26nbsp%3Buse%20ADFS%20but%20we%20have%20AD%20Connect%2C%20is%20there%20any%20reason%20why%20we%20are%20not%20seeing%20the%20new%20KMSI%20experience%3F%26nbsp%3B%20It%20is%20very%20hard%20to%20keep%20users%20informed%20IF%20we%20rely%20on%20the%20roll%20out%20dates%20suggested%20by%20Microsoft.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-133960%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-133960%22%20slang%3D%22en-US%22%3E%3CP%3EBernd%2C%3C%2FP%3E%0A%3CP%3EWe%20are%20seeing%20this%20issue%20as%20well%20when%20we%20try%20to%20map%20a%20users%20onedrive.%20%26nbsp%3BHave%20you%20found%20a%20fix%20yet%3F%3C%2FP%3E%0A%3CP%3EJason%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-133585%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-133585%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20for%20that%20detail%20Kelvin.%20But%20I%20need%20to%20request%20yet%20another%20documentation%20update%20here%26nbsp%3B-%20the%20only%20place%20I've%20seen%20the%20PSSO%20claim%20detailed%20so%20far%20is%20the%20claims%20rules%20added%20by%20AAD%20Connect.%20As%20some%20organizations%20might%20not%20be%20using%20AAD%20Connect%20(or%20at%20least%20not%20managing%20the%20AD%20FS%20farm%20with%20it)%2C%20can%20you%20please%20post%20a%20detailed%20article%20on%20how%20the%20claim%20should%20look%20like%20and%20so%20on%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-133515%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-133515%22%20slang%3D%22en-US%22%3EThe%20fix%20is%20rolled%20out%20already.%20To%20clarify%20what%20I%20was%20saying%2C%20if%20your%20ADFS%20is%20set%20to%20pass%20the%20PSSO%20claim%2C%20we%20will%20not%20show%20the%20prompt.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-133514%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-133514%22%20slang%3D%22en-US%22%3EHi%20Bernd%2C%3CBR%20%2F%3E%3CBR%20%2F%3Esorry%20for%20the%20delay%20in%20replying%20here.%20Can%20you%20please%20DM%20me%20so%20I%20can%20get%20more%20details%20from%20you%3F%20Thanks.%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-133513%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-133513%22%20slang%3D%22en-US%22%3EHi%20Kelvin%2C%20thank%20you%20for%20quick%20response.%20Its%20still%20the%20issue%20for%20us.%20Should%20we%20perform%20any%20steps%20to%20speed%20up%20the%20change%20to%20our%20tenant%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-133512%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-133512%22%20slang%3D%22en-US%22%3EIs%20your%20ADFS%20set%20up%20to%20send%20the%20PSSO%20claim%2C%20or%20do%20you%20have%20Windows%20SSO%20set%20up%3F%20If%20it%20is%2C%20we're%20automatically%20dropping%20the%20persistent%20auth%20cookie%20(which%20the%20%22Stay%20signed-in%22%20prompt%20does%20when%20the%20user%20selects%20%22Yes%22).%20We%20have%20a%20few%20bugs%20a%20few%20weeks%20ago%20when%20we%20did%20not%20do%20that%2C%20which%20could%20explain%20the%20difference%20in%20behavior%20you're%20seeing%20now%20vs%20then.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-133511%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-133511%22%20slang%3D%22en-US%22%3ESorry%20about%20that.%20We%20pushed%20out%20a%20fix%20for%20that%20mid-last%20week.%20It%20should%20work%20now.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-133484%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-133484%22%20slang%3D%22en-US%22%3EDoes%20anyone%20has%20issues%20with%20%22Stay%20Signed-in%22%20prompt%20that%20shows%20after%20successful%20authentication%20with%20ADFS%3F%20Our%20tenant%20is%20not%20presenting%20the%20prompt%20(as%20described%20here%20%3CA%20href%3D%22https%3A%2F%2Fcloudblogs.microsoft.com%2Fenterprisemobility%2F2017%2F09%2F19%2Ffewer-login-prompts-the-new-keep-me-signed-in-experience-for-azure-ad-is-in-preview%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fcloudblogs.microsoft.com%2Fenterprisemobility%2F2017%2F09%2F19%2Ffewer-login-prompts-the-new-keep-me-signed-in-experience-for-azure-ad-is-in-preview%2F%3C%2FA%3E%20)as%20it%20did%20couple%20of%20weeks%20ago.%20The%20option%20to%20keep%20the%20user%20signed%20in%20has%20been%20enabled%20in%20our%20Company%20Branding%20settings.%20Any%20thoughts%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-132067%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-132067%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20are%20seeing%20unexpected%20behavior%20when%20we%20choose%20%22don't%20show%20me%20this%20again%22%20and%20click%20No.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EEvery%20time%20we%20login%20again%20it%20gives%20the%20prompt%20again.%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EShouldn't%20%22don't%20show%20me...%22%20respect%20a%20yes%20or%20no%20answer%20and%20go%20away%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-131250%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-131250%22%20slang%3D%22en-US%22%3E%3CP%3EAm%20I%20the%20only%20one%20not%20seeing%20the%20KMSI%20at%20all%20now%3F%20Cloud%20account%2C%20no%20federation.%20I%20tried%20deleting%20cookies%2C%20private%20sessions%20and%20different%20browsers%2C%20I%20don't%20ever%20see%20KMSI%20now.%20I%20thought%20the%20changes%20are%20supposed%20to%20only%20effect%20federated%20scenarios%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-130322%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-130322%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70095%22%20target%3D%22_blank%22%3E%40Kelvin%20Xia%3C%2FA%3E%2C%3C%2FP%3E%0A%3CP%3EI%20did%20some%20additional%20tests%20on%20the%20SSO%20experience.%20When%20I%20delete%20my%20cookies%20and%20open%20a%20mapped%20sharepoint%20webdav%20connection%20I%20cannot%20load%20it%20which%20is%20expected%20(cookie%20is%20removed).%20When%20I%20open%20the%20sharepoint%20tenant%20url%20I%20get%20logged%20in%20through%20SSO%20and%20most%20of%20the%20time%20the%20magical%20cookie%20is%20created.%26nbsp%3BWhen%20the%20cookie%20is%20created%20I'm%26nbsp%3Bable%20to%20open%20the%20webdav%20connection.%20For%20other%20users%20(same%20permission%20etc)%20they%26nbsp%3Bget%20a%20sign%20in%20screen%20where%20they%20need%20to%20enter%20there%20username.%20then%20they%20are%20redirected%20to%20the%20homepage%20but%20they%20are%20not%20able%20to%20open%20the%20webdav%20connection.%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F9956%22%20target%3D%22_blank%22%3E%40Eddy%20Verbeemen%3C%2FA%3E%26nbsp%3Bplease%20correct%20me%20if%20I'm%20wrong%20%3A)%3C%2Fimg%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3Bfew%20years%20ago%20we%20used%20the%20smartlinks%20to%20enforce%20the%20'keep%20me%20signed%20in'.%20At%20a%20certain%20moment%20this%20was%20not%20longer%20working%20and%20we%20went%20back%20to%20the%20default%20login%20where%20we%20could%20choose%20to%20'keep%20me%20signed%20in'.%3CBR%20%2F%3EIt%20seems%20that%20there%20is%20a%20different%20between%20SSO%20where%20a%20prompt%20is%20shown%20for%20a%20username%20and%20no%20prompt%20is%20shown...%3CBR%20%2F%3ECheers%3CBR%20%2F%3EBernd%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-130258%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-130258%22%20slang%3D%22en-US%22%3EThe%20KMSI%20setting%20in%20Company%20Branding%20doesn't%20allow%20that.%20You%20might%20want%20to%20look%20up%20Conditional%20Access%20which%20might%20get%20you%20what%20you%20want.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-130250%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-130250%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F8293%22%20target%3D%22_blank%22%3E%40Bernd%20Verhofstadt%3C%2FA%3E%26nbsp%3BJust%20curious%2C%20are%20you%20using%20smart%20links%20and%20passing%20the%20LoginOptions%20parameter%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%40Kelvin%2C%20that's%20one%20of%20the%20use%20cases%20I%20warned%20you%20about%20-%20mapped%20drives%20rely%20on%20this%20functionality%2C%20and%20the%20LoginOptions%20parameter%20was%20a%20nice%20and%20easy%20way%20to%20handle%20this%20in%20federated%20setups.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-130249%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-130249%22%20slang%3D%22en-US%22%3EHi%20Bernd%2C%3CBR%20%2F%3E%3CBR%20%2F%3Ehow%20did%20%22Keep%20me%20signed%20in%22%20work%20for%20your%20users%20before%3F%20If%20you%20had%20SSO%20turned%20on%20they%20wouldn't%20have%20seen%20the%20login%20screen%20nor%20the%20%22Keep%20me%20signed%20in%22%20checkbox%20in%20the%20old%20experience.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-130193%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-130193%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20had%20Microsoft%20turn%20ours%20off%20at%20the%20tenant%20level%20until%20a%20better%20plan%20could%20be%20put%20in%20place.%26nbsp%3B%20The%20problem%20with%20Company%20branding%20is%3A%201.)%20It's%20a%20global%20setting%202.)%20It%20can%20affect%20Sharepoint%20Online%20users%20and%20Office%202010%20users%20(and%20we%20had%20just%20moved%20over%2030K%20sharepoint%20sites%20to%20Sharepoint%20Online%2C%20so%20I%20didn't%20want%20to%20interrupt%20their%20experience%20for%20my%20experience%20with%20Power%20BI%20to%20work%2C%203.)%20Even%20as%20a%20global%20admin%2C%20we%20could%20not%20delete%20the%20company%20branding.%20The%20delete%20button%20would%20not%20highlight%20and%20we%20verified%20our%20permissions.%26nbsp%3B%20We%20could%20turn%20it%20on%20or%20off%20for%20KMSI%2C%20but%20we%20could%20not%20delete%20company%20branding%204.)%20We%20found%20the%20KMSI%20box%20%22Don't%20ask%20me%20again%20doesn't%20work%22%20either.%26nbsp%3B%20It%20only%20stays%20for%20the%20session%2C%20so%20to%20the%20user%20they%20think%20they%20should%20never%20have%20to%20see%20it%20again.%205.)%20We%20were%20told%20we%20could%20add%20a%20parameter%20to%20the%20Web%20app%20to%20turn%20this%20off%20in%20the%20code%2C%20so%20we%20are%20pursuing%20this%20now%20as%20our%20permanent%20solution%2C%20but%20for%20now%20our%20customers%20can%20function%20again%20with%20KMSI.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-130161%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-130161%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMany%20of%20our%20users%20have%20set%20a%20site%2C%20library%20or%20folder%20as%20favorites%20in%20File%20Explorer%20which%20connects%20through%20webdav(%3F)%20to%20SharePoint.%20As%20we%20are%20using%20SSO%2C%20users%20don't%20get%20the%20option%20'keep%20me%20signed%20in'%20anymore.%20This%20causes%20a%20permission%20denied%20when%20opening%20the%20folder%20or%20library%20in%20file%20explorer%20-%26gt%3B%20no%20cookie%20is%20saved.%20Is%20there%20a%26nbsp%3Bworkaround%20to%20have%20the%20cookie%20or%20'Keep%20me%20signed%20in'%20back%3F%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%3C%2FP%3E%0A%3CP%3EBernd%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-130155%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-130155%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%0A%3CP%3Ewhile%20I%20do%20see%20some%20benefit%20on%20the%20KMSI%20feature%20for%20regular%20users%2C%20I%20would%20prefer%20to%20have%20privileged%20admin%20accounts%20be%20prompted%20for%20MFA%20Login%20in%20their%20browser%20profiles%20every%20time.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHow%20can%20I%20achieve%20this%20without%20turning%20the%20feature%20off%20for%20everyone%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERegards%2C%3C%2FP%3E%0A%3CP%3EKarsten%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-129550%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-129550%22%20slang%3D%22en-US%22%3E%3CP%3ELet%20me%20see%20what%20I%20can%20do%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-129445%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-129445%22%20slang%3D%22en-US%22%3E%3CP%3E%40Kelvin%20I%20see%20your%20point%2C%20but%20if%20we%20had%20proper%20documentation%20on%20what's%20supported%20and%20not%20and%20how%20the%20different%20flow%20works%2C%20I'm%20sure%20that%20would%20decrease%20the%20number%20of%20escalations%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESmart%20links%20are%20still%20required%20for%20true%2C%20seamless%20SSO%20experience%20in%20some%20cases%2C%20and%20there%20is%20definitely%20demand%20for%20such%20from%20the%20enterprise%20customers.%20If%20you%20can%20publish%20some%20guidelines%20and%20recommendations%2C%20I%20think%20it%20will%20benefit%20all%20sides.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnyway%2C%20I'll%20stop%20with%20the%20offtopic%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-129201%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-129201%22%20slang%3D%22en-US%22%3E%3CP%3EThat%20makes%20me%20feel%20better.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMay%20I%20suggest%20stating%20that%20in%20more%20places%3F%26nbsp%3B%20Like%20the%20announcements%2C%20relevant%20blog%20posts%2C%20or%20other%20places%20that%20admins%20will%20see%20before%20they%20start%20to%20flip%20out%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-129197%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-129197%22%20slang%3D%22en-US%22%3EHi%20Matt%2C%20we%20have%20a%20best-effort%20algorithm%20that%20prevents%20the%20new%20%22Stay%20signed%20in%22%20dialog%20from%20showing%20if%20we%20detect%20that%20the%20login%20is%20happening%20on%20a%20shared%20machine.%20%3CBR%20%2F%3E%3CBR%20%2F%3EIt%20essentially%20looks%20to%20see%20if%20a%20different%20account%20than%20what%20is%20currently%20being%20used%20to%20login%20was%20used%20on%20the%20machine%20in%20the%20last%203%20days.%20If%20so%2C%20we%20won't%20show%20the%20dialog.%20We%20also%20use%20our%20adaptive%20protection%20logic%20to%20hide%20the%20dialog%20if%20we%20detect%20that%20the%20login%20is%20risky.%20Note%20that%20this%20logic%20is%20subject%20to%20change%20as%20we%20iterate%20on%20the%20logic%20to%20increase%20confidence%20that%20we%20only%20show%20this%20dialog%20on%20personal%20devices.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-129190%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-129190%22%20slang%3D%22en-US%22%3EHi%20Michael%2C%20you%20can%20turn%20this%20off%20by%20setting%20%22Show%20option%20to%20remain%20signed%20in%22%20in%20Company%20Branding%20to%20%22No%22.%20Here's%20the%20help%20article%20for%20that%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fcustomize-branding%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fcustomize-branding%3C%2FA%3E%20%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-129169%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-129169%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20want%20this%20turned%20off%2C%20anyone%20know%20how%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-129163%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-129163%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20using%20Power%20BI%20with%20a%20Web%20app%20and%20this%20web%20app%20is%20embedded%20reports%20in%20Salesforce.%26nbsp%3B%20As%20soon%20as%20this%20was%20implemented%2C%20we%20started%20getting%20these%20dialog%20boxes%2C%20so%20the%20reports%20would%20not%20come%20through.%26nbsp%3B%20HOw%20can%20we%20turn%20these%20off%20so%20they%20have%20a%20smoother%20experience.%26nbsp%3B%20Currently%20Salesforce%20won't%20allow%20that%20dialog%20at%20all%2C%20so%20they%20get%20blank%20pages%20as%20a%20result%20of%20this.%26nbsp%3B%20If%20they%20go%20through%20the%20web%20app%20directly%20in%20a%20url%2C%20and%20answer%20the%20dialog%2C%20the%20dashboard%20reports%20render%20fine.%26nbsp%3B%20But%20this%20dialog%20caused%20our%20field%20to%20lose%20a%20week's%20worth%20of%20work%20so%20far.%26nbsp%3B%20I%20finally%20found%20this%20so%20I%20am%20hoping%20someone%20can%20tell%20me%20how%20to%20turn%20it%20off...for%20good%3F%26nbsp%3B%20We%20have%20a%20critical%20case%20open%20with%20MSFT%20right%20now%20as%20a%20result.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-129153%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-129153%22%20slang%3D%22en-US%22%3E%3CP%3EOkay%2C%20but%20what%20if%20that%20is%20entirely%20undesirable%20behavior%20in%20half%20of%20your%20use%20cases%3F%26nbsp%3B%20When%20my%20users%20are%20on%20their%20personal%20computers%2C%20this%20is%20a%20good%20thing.%26nbsp%3B%20When%20they%20are%20using%20one%20of%20our%20many%20shared%20workstations%2C%20the%20last%20thing%20I%20want%20is%20for%20them%20to%20be%20encouraged%20to%20%22Stay%20signed%20in%22.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHow%20do%20I%20prevent%20it%20from%20being%20offered%20on%20office%20computers%20without%20preventing%20it%20on%20their%20personal%20devices%3F%26nbsp%3B%20Most%2C%20though%20not%20all%2C%20of%20our%20offices%20are%20AD%20joined%2C%20so%20if%20there's%20a%20GPO%20I%20can%20push%20out%20please%20indicate%20that%20in%20some%20way.%3C%2FP%3E%3CP%3EIf%20the%20classic%20login%20screen%20can%20be%20%3CEM%3Epermanently%3C%2FEM%3E%20forced%20per-domain%20(per%20tenant%20may%20not%20work%20for%20our%20parent%20company)%2C%20that%20would%20also%20be%20acceptable.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBecause%20as%20it%20stands%2C%20this%20is%20a%20horrible%20idea.%26nbsp%3B%20I'm%20going%20to%20have%20realtors%20reading%20each%20other's%20emails%20after%20we%20told%20them%20we%20were%20setting%20them%20up%20with%20MFA%20to%20keep%20anyone%20else%20from%20getting%20into%20their%20email.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-129139%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-129139%22%20slang%3D%22en-US%22%3EThat's%20because%20we%20don't%20officially%20support%20them%20%3A).%20%3CBR%20%2F%3E%3CBR%20%2F%3EWe've%20seen%20multiple%20issues%20and%20escalations%20caused%20by%20customers%20creating%20links%20that%20jump%20straight%20into%20the%20middle%20of%20our%20flows%20in%20a%20way%20that%20they%20weren't%20designed%20for.%20That%20makes%20things%20very%20fragile%20as%20those%20customizations%20break%20when%20we%20push%20new%20features%20or%20updates.%20%3CBR%20%2F%3E%3CBR%20%2F%3EI'll%20take%20an%20action%20to%20see%20if%20we%20can%20get%20out%20an%20official%20message%20regarding%20use%20of%20smartlinks.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-129123%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-129123%22%20slang%3D%22en-US%22%3EYes%2C%20that%20might%20have%20been%20caused%20by%20Chrome%20SSO.%20Everything%20we%20do%20in%20the%20new%20sign%20in%20experience%20and%20stay%20signed%20in%20experience%20are%20cookie-based%2C%20and%20cookies%20are%20not%20shared%20across%20regular%20and%20in-private%20sessions.%3CBR%20%2F%3E%3CBR%20%2F%3ERegarding%20the%20other%20two%20issues%20you%20reported%3A%3CBR%20%2F%3E1.%20Translation%20issue%20-%20thanks%20for%20reporting%20this.%20I'll%20work%20with%20our%20localization%20team%20to%20get%20that%20fixed.%3CBR%20%2F%3E2.%20Checkbox%20-%20the%20checkbox%20is%20essentially%20a%20no-op%20when%20you%20say%20Yes%20since%20saying%20Yes%20means%20that%20you%20won't%20have%20to%20interactively%20sign%20in%20again%20in%20the%20future.%20It%20only%20applies%20when%20you%20say%20No%20so%20we%20don't%20nag%20you.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-129035%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-129035%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3BI%20tried%20Chrome%2C%20we%20are%20federated%20and%20are%20using%20WIA%20indeed.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20have%20now%20removed%20SSO%26nbsp%3Bfor%20Chrome%20in%20our%20ADFS.%20It%20is%26nbsp%3Bprobably%20not%20related%20to%20the%20new%20sign-in%2C%20Chrome%20was%20added%20as%20SSO%20browser%20to%20our%20ADFS%20a%20few%20days%20ago.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128956%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128956%22%20slang%3D%22en-US%22%3E%3CP%3E%40Kelvin%2C%20I'm%20not%20a%20programmer%20so%20I%20will%20trust%20you%20on%20the%20Private%20session%20thingy%2C%20although%20I've%20seen%20some%20JS%20samples%20that%20supposedly%20to%20just%20that.%20In%20all%20fairness%2C%20the%20previous%20experience%20wasn't%20detecting%20private%20sessions%20either.%20It's%20just%20that%20the%20KMSI%20is%20a%20separate%20step%20now%2C%20thus%20more%20visible%2C%20and%20can%20be%20a%20bit%20irritating%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnd%20on%20a%20related%20topic%2C%20can%20you%20folks%20please%20publish%20an%20official%20statement%20on%20what's%20supported%20in%20terms%20of%20smartlinks%20now%3F%20Just%20the%20other%20day%20you%20published%20an%20article%20mentioning%2046%25%20of%20all%20auths%20are%20AD%20FS%2C%20and%20I'm%20certain%20many%20of%20these%20do%20take%20advantage%20of%20smart%20links.%20Yet%2C%20there%20is%20zero%20documentation%20on%20them%20from%20Microsoft.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128946%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128946%22%20slang%3D%22en-US%22%3E%3CP%3EWhat%20browser%20are%20using%20Bart%3F%20What%20you%20are%20describing%20in%20scenario%203%20shouldn't%20be%20happening%2C%20unless%20maybe%20in%20federated%20environment%20with%20WIA%20autologin.%26nbsp%3BKelvin%20can%20correct%20me%20here.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128945%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128945%22%20slang%3D%22en-US%22%3E%3CP%3EThree%20remarks%20on%20the%20new%20experience%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.%20Spelling%20mistake%20(in%20Dutch%20translation%2C%20a%20period%26nbsp%3Bin%20the%20middle%20of%20a%20sentence)%3C%2FP%3E%3CP%3E2.%20The%20checkbox%20in%20the%20KMSI%20dialog%20is%20confusing%20(don't%20show%20this%20again).%20Does%20it%20make%20me%20stay%20logged%20in%20even%20longer%20when%20I%20select%20Yes%20and%26nbsp%3Bthick%20the%20checbox%3F%3C%2FP%3E%3CP%3E3.%20When%20I%20choose%20%22Yes%22%20in%26nbsp%3Bmy%20regular%20browser%26nbsp%3Bsession%2C%20open%20a%20private%20session%2C%20enter%20a%20different%20account%20in%20the%20private%20session.%26nbsp%3BI%20get%20logged%20in%20with%20the%20account%20of%20the%20regular%20session%20anyway%2C%20no%20matter%20the%20account%20I%20filled%20in.%20Is%20this%20by%20design%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBart%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20371px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F24352i058D2A2CA961CDE1%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22kmsi.png%22%20title%3D%22kmsi.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128830%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128830%22%20slang%3D%22en-US%22%3EIt's%20actually%20more%20than%20the%20KMSI%20checkbox%20-%20doing%20a%20full%20page%20redirect%20when%20a%20user%20doesn't%20expect%20it%20causes%20usability%20issues.%20It's%20also%20not%20a%20standard%20interaction%20model%20anywhere%20on%20the%20web%2C%20causing%20user%20confusion%20and%20frustration.%20%3CBR%20%2F%3E%3CBR%20%2F%3EYou%20are%20correct%2C%20showing%20KMSI%20in%20private%20sessions%20doesn't%20really%20do%20very%20much.%20However%2C%20there's%20no%20deterministic%20way%20for%20us%20to%20determine%20that%20we're%20in%20a%20private%20browser%20session.%3CBR%20%2F%3E%3CBR%20%2F%3ERegarding%20LoginOptions%2C%20I%20believe%20we%20have%20discussed%20this%20before.%20We%20don't%20officially%20support%20the%20use%20of%20LoginOptions%20-%20it's%20an%20internal%20parameter%20used%20to%20pass%20information%20across%20our%20pages.%20We%20did%20not%20change%20how%20it%20is%20used%20with%20the%20new%20experiences%2C%20though%20we%20cannot%20guarantee%20that%20it%20won't%20happen%20in%20a%20future%20change.%20%3A)%3C%2Fimg%3E%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128756%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128756%22%20slang%3D%22en-US%22%3E%3CP%3EKelvin%2C%20correct%20me%20if%20I'm%20wrong%2C%20but%20most%20of%20the%20complaint%20about%20the%20auto-redirect%20with%20just%20filling%20in%20the%20UPN%20were%20because%20it%20didn't%20allow%20users%20to%20select%20the%20KSMI%20checkbox.%20Now%20that%20that's%20a%20separate%20step%2C%20this%20issue%20no%20longer%20applies%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOn%20the%20Private%20session%20thingy%2C%20does%20KMSI%20even%20work%20with%20Private%20sessions%3F%20It%20writes%20a%20cookie%2C%20no%3F%20Which%20is%20*not*%20saved%20if%2Fwhen%20I'm%20using%20a%20Private%20session.%20So%20displaying%20the%20KMSI%20step%20is%20pointless%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnd%20one%20other%20thing%20comes%20to%20mind%20after%20seeing%20the%20comments%20made%20by%20other%20folks%20here%20-%20are%20you%20guys%20respecting%20the%20%22LoginOptions%22%20parameter%20for%20federated%20logins%2Fsmart%20links%3F%20The%20idea%20being%20that%20it%20automatically%20ticked%20the%20KMSI%20checkbox%20in%20the%20old%20experience...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128677%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128677%22%20slang%3D%22en-US%22%3EHey%20Vasil%2C%3CBR%20%2F%3E%3CBR%20%2F%3EThanks%20for%20the%20feedback.%3CBR%20%2F%3E%3CBR%20%2F%3EFor%20%231%3A%20This%20is%20by%20design%20in%20the%20new%20experience.%20We%20had%20a%20lot%20of%20strong%20feedback%20about%20the%20old%20design%20where%20we%20initiated%20the%20redirect%20when%20focus%20was%20lost%20on%20the%20username%20field.%20Most%20users%20thought%20that%20it%20was%20unexpected%20and%20jarring%20and%20did%20not%20give%20them%20the%20opportunity%20to%20go%20back%20and%20correct%20typos.%20We%20decided%20to%20wait%20to%20redirect%20only%20after%20the%20user%20clicks%20the%20Next%20button.%20This%20experience%20is%20consistent%20with%20almost%20all%20other%20identity%20systems.%3CBR%20%2F%3E%3CBR%20%2F%3E%232%3A%20Can%20you%20help%20me%20understand%20your%20scenario%20where%20you%20don't%20want%20KMSI%20to%20show%20up%20in%20private%20sessions%20and%20why%3F%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128666%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128666%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20also%20experiencing%20this%20issue%20where%20the%20KMSI%20dialog%20is%20being%20displayed%20for%20all%20of%20our%20internal%20ADFS%20sign%20ins%20when%20previously%20it%20was%20automatic.%20For%20now%2C%20we%20have%20disabled%20the%20feature.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20there%20is%20a%20fix%20for%20this%2C%20please%20let%20me%20know.%20Thank%20you.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128447%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128447%22%20slang%3D%22en-US%22%3E%3CP%3EMicrosoft%20support%20answered%20it%20for%20me.%20Turn%20it%20off%20in%20Company%20branding%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fcloudblogs.microsoft.com%2Fenterprisemobility%2F2017%2F09%2F19%2Ffewer-login-prompts-the-new-keep-me-signed-in-experience-for-azure-ad-is-in-preview%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fcloudblogs.microsoft.com%2Fenterprisemobility%2F2017%2F09%2F19%2Ffewer-login-prompts-the-new-keep-me-signed-in-experience-for-azure-ad-is-in-preview%2F%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128410%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128410%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%20we%20are%20using%20a%20Federated%20domain%20With%20local%20ADFS.%20Before%20this%20change%2C%20single%20signon%20worked%20without%20any%20questions%20when%20we%20are%20logged%20into%20the%20local%20domain.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENow%2C%20after%20this%20New%20%22experience%22%2C%20Our%20users%20must%20click%20on%20a%20Choice%20on%20the%20keep%20me%20logged%20in%20or%20not%20page.%20This%20is%20an%20anucence%20for%20Our%20users.%20We%20use%20Azure%20AD%20for%20authentication%20to%20Our%20intranet%20in%20the%20cloud.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20a%20setting%20on%20an%20Application%20or%20Azure%20AD%20Directory%2C%20or%20a%20URL%20parameter%20or%20similar%20that%20can%20be%20used%20to%20disable%20this%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128398%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128398%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70095%22%20target%3D%22_blank%22%3E%40Kelvin%20Xia%3C%2FA%3E%26nbsp%3Btwo%20minor%20issues%20still%20remain%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1)%20When%20using%20federated%20account%2C%20I%20have%20to%20press%20the%20Next%20button%20in%20order%20to%20be%20taken%20to%20the%20AD%20FS%20login%20page.%20In%20the%20previous%20experience%20this%20was%20automatic%2C%20simply%20pressing%20Tab%20for%20example%20did%20the%20trick.%3C%2FP%3E%3CP%3E2)%20Why%20am%20I%20being%20prompted%20for%20the%26nbsp%3BKMSI%20experience%20when%20using%20Private%20sessions%3F%20Maybe%20you%20should%20implement%20a%20check%20for%20this%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128306%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128306%22%20slang%3D%22en-US%22%3EHey%20Jeremy%2C%20the%20web%20theme%20can%20be%20found%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FMicrosoft%2FadfsWebCustomization%2Ftree%2Fmaster%2FcenteredUi%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2FMicrosoft%2FadfsWebCustomization%2Ftree%2Fmaster%2FcenteredUi%3C%2FA%3E%20%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128275%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128275%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F41707%22%20target%3D%22_blank%22%3E%40Eric%20Starker%3C%2FA%3E%26nbsp%3BDo%20you%20have%20any%20information%20on%20the%20ADFS%20web%20theme%20to%20allow%20on-premises%20ADFS%20look%20and%20feel%20to%20match%20the%20new%20sign%20in%20experience%3F%26nbsp%3B%20We%20saw%20some%20information%20during%20the%20original%20preview%20announcement%20that%20this%20would%20be%20coming%20but%20are%20unable%20to%20find%20any%20info.%26nbsp%3B%20We%20have%20our%20TAM%20also%20checking%20for%20information%20but%20thought%20I'd%20check%20here%20as%20well.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3C%2FX%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-138940%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-138940%22%20slang%3D%22en-US%22%3EHi%20Srikanth%2C%20I'll%20reach%20out%20to%20you%20via%20DM%20to%20get%20more%20information%20so%20we%20can%20look%20into%20this.%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-138943%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-138943%22%20slang%3D%22en-US%22%3EHi%20Unnie%2C%20thanks%20for%20the%20breakdown.%20%3CBR%20%2F%3E%3CBR%20%2F%3EWhat%20are%20you%20trying%20to%20achieve%20with%20persistent%20cookies%3F%20If%20you%20have%20seamless%20SSO%20set%20up%2C%20every%20time%20your%20user%20goes%20to%20the%20Sharepoint%20site%20they%20will%20SSO%20automatically%2C%20which%20makes%20the%20need%20for%20a%20persistent%20cookie%20unnecessary.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-138947%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-138947%22%20slang%3D%22en-US%22%3EHey%20Vasil%2C%20the%20shared%20machine%20logic%20essentially%20stops%20showing%20the%20KMSI%20prompt%20if%20a%20different%20account%20has%20been%20used%20on%20the%20same%20browser.%20That%20logic%20will%20reset%20(and%20KMSI%20will%20show%20again)%20if%20you%20clear%20browser%20cookies%2C%20or%20if%20you%20continue%20to%20only%20sign%20in%20with%20that%20one%20account%20for%20a%20few%20days.%20%3CBR%20%2F%3E%3CBR%20%2F%3EFor%20the%20other%20user%20that's%20getting%20the%20prompt%2C%20are%20you%20using%20the%20same%20browser%3F%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-138978%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-138978%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20Kelvin.%20I%20did%20clear%20cookies%2C%20but%20that%20doesn't%20seem%20to%20had%20any%20effect.%20And%20if%20it's%20cookie%20based%2C%20doesn't%20explain%20why%20I%20don't%20see%20the%20prompt%20in%20Private%20session%20or%20when%20using%20other%20browsers%20on%20the%20same%20machine%3F%20Is%20there%20perhaps%20any%20%22server-side%22%20component%20to%20it%3F%20Same%20machine%2C%20same%20browsers%2C%20same%20O365%20tenant%26nbsp%3B-%20one%20user%20gets%20the%20prompt%20in%20Private%20session%2C%20the%20other%20one%20does%20not.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-139003%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-139003%22%20slang%3D%22en-US%22%3EIt's%20the%20performance%20.%20Our%20home%20page%20for%20IE%20is%20SPO%20based%20intranet%20and%20it%20loads%20slowly%20because%20of%20the%20authentication%20hops%20from%20the%20site%20--%26gt%3B%20Microsoft%20login%20--%26gt%3B%20on-prem%20ADFS%20and%20then%20the%20journey%20back.%20The%20user%20can%20see%20the%20urls%20changing%20and%20it%20takes%20a%20good%208-10%20secs%20every%20time%20the%20browser%20is%20opened.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-139663%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-139663%22%20slang%3D%22en-US%22%3EThanks%20for%20verifying.%20We%20also%20take%20into%20account%20a%20risk%20score%20provided%20by%20our%20Identity%20mechanisms.%20We've%20had%20isolated%20reports%20that%20it%20is%20kicking%20in%20a%20tad%20bit%20too%20aggressively%2C%20but%20we%20don't%20have%20confirmation%20yet.%20%3CBR%20%2F%3E%3CBR%20%2F%3ECan%20you%20please%20DM%20me%20the%20following%3A%3CBR%20%2F%3E1.%20UPN%20of%20the%20account%20you%20used%20where%20KMSI%20doesn't%20show%20and%20also%20the%20one%20where%20KMSI%20does%20show.%3CBR%20%2F%3E2.%20Co-relation%20id%20of%20the%20request%20when%20logging%20in%20on%20the%20account%20where%20KMSI%20doesn't%20show.%20You%20can%20get%20this%20by%20clicking%20on%20the%20three%20dots%20at%20the%20bottom%20right%20corner%20of%20the%20page%20when%20you're%20on%20the%20password%20screen.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-139665%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-139665%22%20slang%3D%22en-US%22%3EThanks%20for%20the%20details.%20We're%20going%20to%20take%20a%20look%20into%20this%20early%20next%20year%20once%20the%20team%20gets%20back%20into%20the%20office%20after%20the%20holidays.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-140338%22%20slang%3D%22en-US%22%3ERE%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-140338%22%20slang%3D%22en-US%22%3EHi%2C%20MS%20admin%20for%20years%2C%20new%20here.%20Just%20saw%20this%2C%20perhaps%20it%20can%20help%20us.%20Our%20call%20to%20Microsoft%20(before%20this%20change)%20had%20no%20immediate%20fix.%20Our%208k%2B%20users%20to%20o365%2FSPO%20need%20access%20to%20SP%20sites.%20We%20would%20like%20to%20use%20this%20...%22Keep%20me%20singed%20in%22%20for%20most%20users.%20Others%20with%20Generic%20IDs%20which%20would%20only%20prompt%20for%20a%20password%20to%20get%20to%20secure%20content%20on%20SPO%20sites.%20Is%20this%20possible%20to%20do%20both%3F%20Details%20would%20be%20golden!!!%20Thanks%2C%20Joe%3C%2FLINGO-BODY%3E
Community Manager

We're excited to announce that the general availability rollout of the new Azure AD sign-in and “Keep me signed in” experiences has started! These experiences should reach all users globally by the end of the week. Users who go to our sign-in page will start to see the new experiences by default, but a link allowing users to go back to the old experiences will be available until early December to give you some extra time to make the transition.

 

We'd like to take this opportunity to acknowledge the delays we have had with these features and thank you all for your patience. When we released these experiences in preview, we received a lot of great feedback from you and it was pretty clear we needed to take a little extra time to ensure the new experiences worked well with all the scenarios Azure AD sign-in is used for.

 

Slide1.PNG

 

Read about it in the Enterprise Mobility & Security blog.

120 Replies

@Eric Starker Do you have any information on the ADFS web theme to allow on-premises ADFS look and feel to match the new sign in experience?  We saw some information during the original preview announcement that this would be coming but are unable to find any info.  We have our TAM also checking for information but thought I'd check here as well.

@Kelvin Xia two minor issues still remain:

 

1) When using federated account, I have to press the Next button in order to be taken to the AD FS login page. In the previous experience this was automatic, simply pressing Tab for example did the trick.

2) Why am I being prompted for the KMSI experience when using Private sessions? Maybe you should implement a check for this?

Hi, we are using a Federated domain With local ADFS. Before this change, single signon worked without any questions when we are logged into the local domain.

 

Now, after this New "experience", Our users must click on a Choice on the keep me logged in or not page. This is an anucence for Our users. We use Azure AD for authentication to Our intranet in the cloud.

 

Is there a setting on an Application or Azure AD Directory, or a URL parameter or similar that can be used to disable this?

We are also experiencing this issue where the KMSI dialog is being displayed for all of our internal ADFS sign ins when previously it was automatic. For now, we have disabled the feature.

 

If there is a fix for this, please let me know. Thank you.

Hey Vasil,

Thanks for the feedback.

For #1: This is by design in the new experience. We had a lot of strong feedback about the old design where we initiated the redirect when focus was lost on the username field. Most users thought that it was unexpected and jarring and did not give them the opportunity to go back and correct typos. We decided to wait to redirect only after the user clicks the Next button. This experience is consistent with almost all other identity systems.

#2: Can you help me understand your scenario where you don't want KMSI to show up in private sessions and why?

Kelvin, correct me if I'm wrong, but most of the complaint about the auto-redirect with just filling in the UPN were because it didn't allow users to select the KSMI checkbox. Now that that's a separate step, this issue no longer applies?

 

On the Private session thingy, does KMSI even work with Private sessions? It writes a cookie, no? Which is *not* saved if/when I'm using a Private session. So displaying the KMSI step is pointless?

 

And one other thing comes to mind after seeing the comments made by other folks here - are you guys respecting the "LoginOptions" parameter for federated logins/smart links? The idea being that it automatically ticked the KMSI checkbox in the old experience...

It's actually more than the KMSI checkbox - doing a full page redirect when a user doesn't expect it causes usability issues. It's also not a standard interaction model anywhere on the web, causing user confusion and frustration.

You are correct, showing KMSI in private sessions doesn't really do very much. However, there's no deterministic way for us to determine that we're in a private browser session.

Regarding LoginOptions, I believe we have discussed this before. We don't officially support the use of LoginOptions - it's an internal parameter used to pass information across our pages. We did not change how it is used with the new experiences, though we cannot guarantee that it won't happen in a future change. :)

Three remarks on the new experience:

 

1. Spelling mistake (in Dutch translation, a period in the middle of a sentence)

2. The checkbox in the KMSI dialog is confusing (don't show this again). Does it make me stay logged in even longer when I select Yes and thick the checbox?

3. When I choose "Yes" in my regular browser session, open a private session, enter a different account in the private session. I get logged in with the account of the regular session anyway, no matter the account I filled in. Is this by design?

 

Thanks!

 

Bart

 

kmsi.png

What browser are using Bart? What you are describing in scenario 3 shouldn't be happening, unless maybe in federated environment with WIA autologin. Kelvin can correct me here.

@Kelvin, I'm not a programmer so I will trust you on the Private session thingy, although I've seen some JS samples that supposedly to just that. In all fairness, the previous experience wasn't detecting private sessions either. It's just that the KMSI is a separate step now, thus more visible, and can be a bit irritating :)

 

And on a related topic, can you folks please publish an official statement on what's supported in terms of smartlinks now? Just the other day you published an article mentioning 46% of all auths are AD FS, and I'm certain many of these do take advantage of smart links. Yet, there is zero documentation on them from Microsoft.

@Vasil Michev I tried Chrome, we are federated and are using WIA indeed.

 

We have now removed SSO for Chrome in our ADFS. It is probably not related to the new sign-in, Chrome was added as SSO browser to our ADFS a few days ago.

 

 

Yes, that might have been caused by Chrome SSO. Everything we do in the new sign in experience and stay signed in experience are cookie-based, and cookies are not shared across regular and in-private sessions.

Regarding the other two issues you reported:
1. Translation issue - thanks for reporting this. I'll work with our localization team to get that fixed.
2. Checkbox - the checkbox is essentially a no-op when you say Yes since saying Yes means that you won't have to interactively sign in again in the future. It only applies when you say No so we don't nag you.
That's because we don't officially support them :).

We've seen multiple issues and escalations caused by customers creating links that jump straight into the middle of our flows in a way that they weren't designed for. That makes things very fragile as those customizations break when we push new features or updates.

I'll take an action to see if we can get out an official message regarding use of smartlinks.

Okay, but what if that is entirely undesirable behavior in half of your use cases?  When my users are on their personal computers, this is a good thing.  When they are using one of our many shared workstations, the last thing I want is for them to be encouraged to "Stay signed in".  

 

How do I prevent it from being offered on office computers without preventing it on their personal devices?  Most, though not all, of our offices are AD joined, so if there's a GPO I can push out please indicate that in some way.

If the classic login screen can be permanently forced per-domain (per tenant may not work for our parent company), that would also be acceptable. 

 

Because as it stands, this is a horrible idea.  I'm going to have realtors reading each other's emails after we told them we were setting them up with MFA to keep anyone else from getting into their email.  

 

We are using Power BI with a Web app and this web app is embedded reports in Salesforce.  As soon as this was implemented, we started getting these dialog boxes, so the reports would not come through.  HOw can we turn these off so they have a smoother experience.  Currently Salesforce won't allow that dialog at all, so they get blank pages as a result of this.  If they go through the web app directly in a url, and answer the dialog, the dashboard reports render fine.  But this dialog caused our field to lose a week's worth of work so far.  I finally found this so I am hoping someone can tell me how to turn it off...for good?  We have a critical case open with MSFT right now as a result.

We want this turned off, anyone know how?

Hi Michael, you can turn this off by setting "Show option to remain signed in" in Company Branding to "No". Here's the help article for that: https://docs.microsoft.com/en-us/azure/active-directory/customize-branding
Hi Matt, we have a best-effort algorithm that prevents the new "Stay signed in" dialog from showing if we detect that the login is happening on a shared machine.

It essentially looks to see if a different account than what is currently being used to login was used on the machine in the last 3 days. If so, we won't show the dialog. We also use our adaptive protection logic to hide the dialog if we detect that the login is risky. Note that this logic is subject to change as we iterate on the logic to increase confidence that we only show this dialog on personal devices.

That makes me feel better.

 

May I suggest stating that in more places?  Like the announcements, relevant blog posts, or other places that admins will see before they start to flip out?

@Kelvin I see your point, but if we had proper documentation on what's supported and not and how the different flow works, I'm sure that would decrease the number of escalations :)

 

Smart links are still required for true, seamless SSO experience in some cases, and there is definitely demand for such from the enterprise customers. If you can publish some guidelines and recommendations, I think it will benefit all sides.

 

Anyway, I'll stop with the offtopic :)

Hi,

while I do see some benefit on the KMSI feature for regular users, I would prefer to have privileged admin accounts be prompted for MFA Login in their browser profiles every time.

 

How can I achieve this without turning the feature off for everyone?

 

Regards,

Karsten

Hi, 

Many of our users have set a site, library or folder as favorites in File Explorer which connects through webdav(?) to SharePoint. As we are using SSO, users don't get the option 'keep me signed in' anymore. This causes a permission denied when opening the folder or library in file explorer -> no cookie is saved. Is there a workaround to have the cookie or 'Keep me signed in' back? 

 

Thanks

Bernd

We had Microsoft turn ours off at the tenant level until a better plan could be put in place.  The problem with Company branding is: 1.) It's a global setting 2.) It can affect Sharepoint Online users and Office 2010 users (and we had just moved over 30K sharepoint sites to Sharepoint Online, so I didn't want to interrupt their experience for my experience with Power BI to work, 3.) Even as a global admin, we could not delete the company branding. The delete button would not highlight and we verified our permissions.  We could turn it on or off for KMSI, but we could not delete company branding 4.) We found the KMSI box "Don't ask me again doesn't work" either.  It only stays for the session, so to the user they think they should never have to see it again. 5.) We were told we could add a parameter to the Web app to turn this off in the code, so we are pursuing this now as our permanent solution, but for now our customers can function again with KMSI.

Hi Bernd,

how did "Keep me signed in" work for your users before? If you had SSO turned on they wouldn't have seen the login screen nor the "Keep me signed in" checkbox in the old experience.

@Bernd Verhofstadt Just curious, are you using smart links and passing the LoginOptions parameter?

 

@Kelvin, that's one of the use cases I warned you about - mapped drives rely on this functionality, and the LoginOptions parameter was a nice and easy way to handle this in federated setups.

The KMSI setting in Company Branding doesn't allow that. You might want to look up Conditional Access which might get you what you want.

Hi @Kelvin Xia,

I did some additional tests on the SSO experience. When I delete my cookies and open a mapped sharepoint webdav connection I cannot load it which is expected (cookie is removed). When I open the sharepoint tenant url I get logged in through SSO and most of the time the magical cookie is created. When the cookie is created I'm able to open the webdav connection. For other users (same permission etc) they get a sign in screen where they need to enter there username. then they are redirected to the homepage but they are not able to open the webdav connection.

@Eddy Verbeemen please correct me if I'm wrong :) 

@Vasil Michev few years ago we used the smartlinks to enforce the 'keep me signed in'. At a certain moment this was not longer working and we went back to the default login where we could choose to 'keep me signed in'.
It seems that there is a different between SSO where a prompt is shown for a username and no prompt is shown...
Cheers
Bernd

Am I the only one not seeing the KMSI at all now? Cloud account, no federation. I tried deleting cookies, private sessions and different browsers, I don't ever see KMSI now. I thought the changes are supposed to only effect federated scenarios?

 

We are seeing unexpected behavior when we choose "don't show me this again" and click No.

 

Every time we login again it gives the prompt again.


Shouldn't "don't show me..." respect a yes or no answer and go away?

Does anyone has issues with "Stay Signed-in" prompt that shows after successful authentication with ADFS? Our tenant is not presenting the prompt (as described here https://cloudblogs.microsoft.com/enterprisemobility/2017/09/19/fewer-login-prompts-the-new-keep-me-s... )as it did couple of weeks ago. The option to keep the user signed in has been enabled in our Company Branding settings. Any thoughts?
Sorry about that. We pushed out a fix for that mid-last week. It should work now.
Is your ADFS set up to send the PSSO claim, or do you have Windows SSO set up? If it is, we're automatically dropping the persistent auth cookie (which the "Stay signed-in" prompt does when the user selects "Yes"). We have a few bugs a few weeks ago when we did not do that, which could explain the difference in behavior you're seeing now vs then.
Hi Kelvin, thank you for quick response. Its still the issue for us. Should we perform any steps to speed up the change to our tenant?
Hi Bernd,

sorry for the delay in replying here. Can you please DM me so I can get more details from you? Thanks.
The fix is rolled out already. To clarify what I was saying, if your ADFS is set to pass the PSSO claim, we will not show the prompt.

Thanks for that detail Kelvin. But I need to request yet another documentation update here - the only place I've seen the PSSO claim detailed so far is the claims rules added by AAD Connect. As some organizations might not be using AAD Connect (or at least not managing the AD FS farm with it), can you please post a detailed article on how the claim should look like and so on?

Bernd,

We are seeing this issue as well when we try to map a users onedrive.  Have you found a fix yet?

Jason

We don't use ADFS but we have AD Connect, is there any reason why we are not seeing the new KMSI experience?  It is very hard to keep users informed IF we rely on the roll out dates suggested by Microsoft. 

Hi Jason,

are you still seeing issues, if you are, can you please DM me your email address and I'll contact you to get more information to troubleshoot the problem.
Hi Paul,

This new KMSI experience is completely rolled out now for a few weeks. We added some logic to hide the prompt if we detect that the login session is risky, if it's a shared machine or if SSO is set up. Can you please try logging in on an in-private/incognito browser and see if the prompt shows?

Hi Kelvin,

 

We have SSO set up and based on your statement, Microsoft has added logic not to show the prompt.

Is there a way we can show this prompt with SSO enabled? To your previous question, we have not set up ADFS to pass PSSO Claim for SharePoint.

 

Appreciate your help.

May I know why you want to see the prompt even when SSO happens? By definition, when SSO'ed your user should just always automatically sign in without any interactive prompts. So, asking the user if they want to remain signed in doesn't really mean anything when SSO happens.

@Kelvin Xia what exactly does the "shared machine" logic cover? I stopped receiving the KMSI prompt on my personal PC, which is pretty much the most secure machine I use (even added as trusted IP), and since I'm not using any form of SSO for said account, that only leaves the "shared machine" scenario? On the same machine, another user from the same tenant is getting the KMSI prompt...

Kelvin,

The reason I ask is, we get this window every single time when we close the browser. I need not enter my password but I have to click on my account (I have to pick every single time I close the browser). If I switch to old sign in experience, I can check the box to keep me signed in and it will never ask me to pick the account. As the old sign in page is going away, we need to provide our users a way to avoid picking account each and every time the re-open the browser. The only, I saw is with the prompt and that is why, I'm reaching you to see if we can enable that prompt on SSO.

Pick an account.PNG

@Srikanth Komirishetty do you happen to be using Smart links? Even with the old experience, without smart links configured you have to enter/select the UPN before federation happens. But you can construct "smart links" (basically an URL with added parameter for the domain) to bypass this process and have you log in automatically. Perhaps those are not working with the new experience?

Current set up

 

We have SharePoint Online site with auto acceleration enabled. Our Azure AD is federated with on-premise ADFS. We have seamless SSO working in IE where user does not need to type any username password.

Problem statement:

 

By default, when the user logins in thru IE, only Session cookie is generated, so when the user closes the browser and reopens the user is authenticated again. Also, the new KMSI (Keep me signed In) screen is not displayed to the user during the login experience in IE, so there is no way for user to generate persistent cookie which works across multiple sessions. In chrome, user can see the KMSI screen and hence persistent cookies can be generated.

 

Questions:

 Is there a way by which global admin can configure such that all users by default gets persistent cookies instead of session cookie, so that they don’t even need to click “yes” in KMSI screen?

 

I saw below blog where it says to create custom claim rule in ADFS to issue Persistent SSO claim. But again, the last line of the blog says “As of right now, AAD does not support SAML based use of the Persistent Single Sign On Claim / SAML attribute.” So, is this blog relevant now?

https://blogs.technet.microsoft.com/sposupport/2017/09/16/cookie-persistence-in-sharepoint-online/   

 

Related Conversations
Extentions Synchronization
Deleted in Discussions on
3 Replies
Tabs and Dark Mode
cjc2112 in Discussions on
38 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
13 Replies