Azure ad/office365 with managed identity NO adfs and chrome

Highlighted
Occasional Contributor

Not sure if I can describe this but here goes!

Remember no ADFS using managed identity and using MFA.

 

So we have chrome users that when they are onprem with a domain joined device they do not get the option to select keep me signed in (KMSI),  oddly enough if they are on a less trusted device like a kiosk somewhere they get the prompt and can KMSI..  Seems strange to me.  We've added the remember my device (RMD)  for the chrome users for now but I don't like doing that.  Also doing RMD messes up the modern app clients since they are forced to re auth once the RMD time expires.

What am I doing wrong?

 

Hopefully this makes sense.

thanks

4 Replies
Highlighted

@Kelvin Xia might be able to help here.

Highlighted

Hey Tony,

 

the "Stay signed in?" prompt does not show when any sort of SSO is set up. In your case, it might either be Browser SSO (if the managed Azure AD account is added to Windows) or Seamless SSO. We don't show the prompt in SSO cases as throwing a prompt breaks the promise of SSO.

 

If the kiosk devices do not have SSO enabled (which I assume is the case since they are shared), we'll show the "Stay signed in" prompt on login but will suppress that prompt if we detect that more than 1 account has been used in the browser.

 

If you want to completely disable the prompt, use the 'Show option to remain signed in' setting in Company Branding:

https://docs.microsoft.com/en-us/azure/active-directory/customize-branding

Highlighted
So this all goes back to true sso vs managed identity, which would you choose if you have many 3rd party RP/SP's, currently we use both azure ad and adfs to handle this and we use the entire o365 suite with AAD connect? Seems like adfs checks more boxes then aad connect and would enable true sso, correct? So confused.
Highlighted
We also use published applications which utilize managed service identities (msi) which I think are not compatible with ADFS, correct?