The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

%3CLINGO-SUB%20id%3D%22lingo-sub-128267%22%20slang%3D%22en-US%22%3EThe%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128267%22%20slang%3D%22en-US%22%3E%3CP%3EWe're%20excited%20to%20announce%20that%20the%20general%20availability%20rollout%20of%20the%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fcloudblogs.microsoft.com%2Fenterprisemobility%2F2017%2F08%2F02%2Fthe-new-azure-ad-signin-experience-is-now-in-public-preview%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Enew%20Azure%20AD%20sign-in%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eand%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fcloudblogs.microsoft.com%2Fenterprisemobility%2F2017%2F09%2F19%2Ffewer-login-prompts-the-new-keep-me-signed-in-experience-for-azure-ad-is-in-preview%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%3C%2FA%3E%26nbsp%3Bexperiences%20has%20started!%20These%20experiences%20should%20reach%20all%20users%20globally%20by%20the%20end%20of%20the%20week.%20Users%20who%20go%20to%20our%20sign-in%20page%20will%20start%20to%20see%20the%20new%20experiences%20by%20default%2C%20but%20a%20link%20allowing%20users%20to%20go%20back%20to%20the%20old%20experiences%20will%20be%20available%20until%20early%20December%20to%20give%20you%20some%20extra%20time%20to%20make%20the%20transition.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22%22%3EWe'd%20like%20to%20take%20this%20opportunity%20to%20acknowledge%20the%20delays%20we%20have%20had%20with%20these%20features%20and%20thank%20you%20all%20for%20your%20patience.%20When%20we%20released%20these%20experiences%20in%20preview%2C%20we%20received%20a%20lot%20of%20great%20feedback%20from%20you%20and%20it%20was%20pretty%20clear%20we%20needed%20to%20take%20a%20little%20extra%20time%20to%20ensure%20the%20new%20experiences%20worked%20well%20with%20all%20the%20scenarios%20Azure%20AD%20sign-in%20is%20used%20for.%3C%2FP%3E%0A%3CP%20class%3D%22%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F24211i77B31C28F5B44656%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Slide1.PNG%22%20title%3D%22Slide1.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20class%3D%22%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22%22%3ERead%20about%20it%20in%20the%20%3CA%20href%3D%22https%3A%2F%2Fcloudblogs.microsoft.com%2Fenterprisemobility%2F2017%2F11%2F15%2Fthe-new-azure-ad-sign-in-and-keep-me-signed-in-experiences-rolling-out-now%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EEnterprise%20Mobility%20%26amp%3B%20Security%20blog%3C%2FA%3E.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-128267%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-391865%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-391865%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F311683%22%20target%3D%22_blank%22%3E%40HarishMenda%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETo%20make%20the%20psso%20claim%20work%20with%20my%20non-ADFS%20IdP%2C%20I%20had%20to%20add%20a%20claim%26nbsp%3Bnamed%20psso%20with%20name%20format%20%3CA%20href%3D%22http%3A%2F%2Fschemas.microsoft.com%2F2014%2F03%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fschemas.microsoft.com%2F2014%2F03%3C%2FA%3E%2C%20and%20set%20it%20to%20a%20value%20of%20%22yes%22.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-391738%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-391738%22%20slang%3D%22en-US%22%3EWhat%20is%20the%20parameter%20you%20added%2C%20to%20make%20this%20change%20at%20tenant%20app%20level%20rather%20than%20global%20company%20branding%20level.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-391728%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-391728%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F96132%22%20target%3D%22_blank%22%3E%40Michael%20Kostuch%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDid%20you%20get%20permanent%20solution%20for%20this%3F%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3EAnd%20could%20you%20please%20let%20us%20know%20the%20steps%20to%20get%20this%20change%20done%20at%20tenant%20app%20level%20from%20Microsoft.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-391723%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-391723%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F96132%22%20target%3D%22_blank%22%3E%40Michael%20Kostuch%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3EDid%20you%20get%20any%20permanent%20solution%20for%20this%3F%20Meanwhile%20could%20you%20please%20explain%20the%20process%20of%20make%20this%20turn%20off%20at%20tenant%20app%20level.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-253211%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-253211%22%20slang%3D%22en-US%22%3E%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F78060%22%20target%3D%22_blank%22%3E%40Daniel%20Park%3C%2FA%3E%26nbsp%3Bwrote%3A%3CBR%20%2F%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F116476%22%20target%3D%22_blank%22%3E%40Marc%20Debold%3C%2FA%3E%26nbsp%3Bdoes%20this%20new%20claim%20rule%20replace%20both%20the%20insidecorporatenetwork%20claim%20and%20the%20psso%20claim%20or%20is%20it%20in%20addition%20to%20them%3F%3C%2FP%3E%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%3CP%3EI%20can't%20really%20remember%20(should%20have%20blogged%20it%2C%20darn!)%2C%20but%20I%20suppose%2C%20it%20was%20a%20replacement%2C%20as%20it%20issues%20the%20PSSO%20when%20inside%20network%20condition%20is%20met.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-234478%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-234478%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F116476%22%20target%3D%22_blank%22%3E%40Marc%20Debold%3C%2FA%3E%26nbsp%3Bdoes%20this%20new%20claim%20rule%20replace%20both%20the%20insidecorporatenetwork%20claim%20and%20the%20psso%20claim%20or%20is%20it%20in%20addition%20to%20them%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-181874%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-181874%22%20slang%3D%22en-US%22%3E%3CP%3ESorry%20I'm%20a%20little%20late%20to%20the%20party%2C%20but%20I%20just%20didn't%20have%20time%20back%20when%20the%20thread%20started%20and%20I%20kind%20of%20forgot%20about%20it.%20But%20now%20that%20I've%20read%20through%20all%20the%203%20pages%20I'm%20chiming%20in%20with%20my%20issues%3A%3CBR%20%2F%3EOur%20SSO%20with%20Chrome%20and%20IE%20worked%20fine%20somewhere%20last%20year.%20Probably%20due%20to%20these%20changes%20it%20stopped%20working%20flawlessly%2C%20but%20not%20completely.%3CBR%20%2F%3EMy%20setup%20consisted%20of%20configured%20Trusted%20Zones%2C%20ADFS%20on%202012R2%20(I%20remember%20doing%20something%20to%20get%20this%20working%20for%20Chrome%20on%20ADFS%202%20years%20ago)%2C%20MFA%20exemption%20for%20onPrem%20IP%20Range%2C%20AAD-Connect%20and%20some%20URL%20tricks%2C%20like%20using%20the%20WHR%20parameter%20(%3CA%20href%3D%22https%3A%2F%2Flogin.microsoftonline.com%2F%3Fwhr%3Dmycustomdomain.com%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Flogin.microsoftonline.com%2F%3Fwhr%3Dmycustomdomain.com%3C%2FA%3E)%3CBR%20%2F%3E%3CBR%20%2F%3EThen%20it%20stopped%20working%20flawlessly%2C%20and%20degraded%20to%20having%20to%20click%20the%20pre-populated%20UPN%20and%20getting%20automatically%20signed%20in%20again%20after%20every%20browser%20closure.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20believe%20to%20have%20improved%20the%20experience%2C%20by%20dropping%20the%20WHR%20parameter%2C%20after%20which%20the%20users%20only%20had%20to%20click%20the%20pre-populated%20UPN%20about%20once%20a%20day.%3CBR%20%2F%3EThis%20is%20also%20my%20current%20status%2C%20as%20far%20as%20I%20remember.%20I've%20noticed%20that%20when%20I%20leave%20my%20computer%20running%20over%20night%20(no%20standby)%20and%20return%20in%20the%20morning%2C%20I'm%20signed%20out%20of%20office.com%20or%20other%20pages.%20There%20is%20a%20sign%20in%20button%20on%20that%20office.com%20sign%20out%20portal%20and%20when%20I%20click%20it%2C%20I'm%20automatically%20signed%20in%20again%20after%20a%20few%20redirects%20without%20further%20input.%20A%20negative%20side%20effect%20of%20all%20this%20is%2C%20that%20on%20the%20first%20browser%20open%20any%20additional%20Sharepoint%20sites%20are%20not%20opened%20automatically%2C%20since%20the%20first%20site%20hasn't%20fully%20authenticated%20yet.%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3ESSO%20seems%20wo%20work%20with%20no%20issues%20on%20my%20home%20computer%20(Mac%2FSafari)%20where%20I%20get%20all%20the%20KMSI%20and%20MFA%20prompts%20and%20I%20stay%20signed%20for%20multiple%20weeks.%3CBR%20%2F%3E%3CBR%20%2F%3EBy%20reading%20through%20everything%20here%20I'll%20start%20digging%20in%20into%20the%20ADFS%20configuration%20(and%20this%20article%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fidentity%2Fad-fs%2Foperations%2Fad-fs-single-sign-on-settings%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fidentity%2Fad-fs%2Foperations%2Fad-fs-single-sign-on-settings%3C%2FA%3E)%2C%20but%20I'll%20appreciate%20any%20shortcuts%20you%20guys%20have%20to%20offer%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-181795%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-181795%22%20slang%3D%22en-US%22%3EFrom%20your%20description%2C%20it%20doesn't%20sound%20like%20PSSO%20is%20set%20up%20correctly%2C%20or%20it%20could%20be%20due%20to%20an%20interaction%20with%20some%20external%20site%20settings%20(as%20you%20pointed%20out).%3CBR%20%2F%3E%3CBR%20%2F%3EI'm%20not%20familiar%20with%20how%20SharePoint%20handles%20internal%20vs%20external%20sites.%20I%20would%20recommend%20that%20you%20contact%20Office%20365%20or%20SharePoint%20support%20to%20help%20you%20with%20that.%20They%20would%20be%20the%20best%20resource%20to%20help%20you%20here.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-179783%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-179783%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Kelvin%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFollowing%20on%20from%20my%20former%20posts%20it%20seems%20now%20that%20the%20biggest%20issue%20now%26nbsp%3Bis%20the%20number%20of%20times%20internal%20users%20are%20prompted%20for%20authentication%20whilst%20accessing%20%26nbsp%3Ba%20site%20within%20our%20tenant%20that%20is%20shared%20externally.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOn%20sites%20that%20are%20not%20shared%26nbsp%3Bexternally%26nbsp%3Bthe%20experience%20is%20that%20you%20can%20access%20a%20site%20authenticate%20and%20then%20close%20and%20reopen%20the%20browser%20several%20times%20without%20being%20authenticated%20again.%20(no%20KMSI%20option%20it%20just%20works)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBut%20for%20sites%20that%20are%20shared%20externally%20every%20time%20the%20browser%20is%20closed%20the%20user%20needs%20to%20choose%20the%20%22account%20pick%22%20screen%20when%20re-accessing%20the%20site.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESo%20two%20questions%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E1.%20Are%20the%20settings%20handled%20differently%20for%20externally%20shared%20sites%20rather%20than%20sites%20with%20only%20internal%20user%20access%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E2.%20Is%20there%20another%20option%20other%20than%20enabling%20PSSO%20(if%20this%20even%20works)%20as%20we%20have%20security%20concerns%20about%20issuing%20a%20PSSO%20token..%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAndy%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-179076%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-179076%22%20slang%3D%22en-US%22%3ETo%20be%20accurate%3A%20Sending%20the%20PSSO%20claim%20will%20suppress%20the%20KMSI%20prompt%20(since%20it's%20not%20needed%20as%20PSSO%20essentially%20says%20%22Yes%22%20to%20that%20question)%2C%20and%20drops%20a%20persistent%20Azure%20AD%20token%20in%20your%20browser.%20SPO%20will%20use%20that%20persistent%20token.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-178865%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-178865%22%20slang%3D%22en-US%22%3ETo%20make%20sure%20I%20understand%2C%20sending%20the%20PSSO%20claim%20should%20suppress%20the%20%22Keep%20Me%20Logged%20In%22%20question%20from%20SharePoint%20Online%20and%20drop%20the%20persistent%20SPO%20cookies%20in%20my%20browser%20automatically%2C%20correct%3F%20MS%20Support%20seems%20stymied%20for%20the%20moment%20on%20this%20one.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-178604%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-178604%22%20slang%3D%22en-US%22%3EAzure%20AD%20does%20respect%20the%20PSSO%20claim%20even%20when%20it%20comes%20from%20a%20source%20besides%20ADFS.%20So%2C%20it%20should%20work%20in%20your%20case.%20I%20would%20recommend%20that%20you%20contact%20Microsoft%20support%20to%20take%20a%20look%20at%20what's%20going%20on.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-177403%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-177403%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20having%20a%20slightly%20different%20issue.%26nbsp%3B%20We%20don't%20use%20ADFS%20for%20our%20IdP%2C%20(we%20use%20PingFederate%20instead)%2C%20and%20I've%20configured%20it%20to%20pass%20%22true%22%20for%20both%20the%20psso%20and%20insidecorporatenetwork%20claims%20when%20a%20user%20authenticates%20through%20our%20SSO.%26nbsp%3B%20While%20I%20can%20see%20the%20SamlAttributes%20appear%20in%20the%20conversation%20with%20Azure%2C%20it%20doesn't%20seem%20to%20affect%20anything%3A%20I%20still%20get%20prompted%20for%20%22keep%20me%20signed%20in%22%20if%20I%20clear%20my%20cookies%20first%2C%20and%20no%20persistent%20cookies%20are%20ever%20dropped%20on%20my%20computer.%26nbsp%3B%20Does%20Microsoft%20have%20any%20guidance%20for%20those%20of%20us%20not%20using%20ADFS%20but%20still%20wanting%20those%20persistent%20cookies%20placed%3F%26nbsp%3B%20We%20also%20have%20users%20that%20claim%20the%20KMSI%26nbsp%3Bprompt%20never%20appears%2C%20so%20having%20the%20SSO%20system%20do%20it%20for%20them%20is%20ideal.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-167294%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-167294%22%20slang%3D%22en-US%22%3E%3CP%3ESetting%20up%20this%20option%20seems%20to%20have%20resolved%20our%20issues.%20To%20be%20confirmed%20over%20the%20next%20week%2C%20but%20initial%20testing%20on%20premise%2C%20with%20Seamless%20SSO%20enabled%2C%20on%20W10%20in%20Chrome%2C%20Firefox%2C%20IE%20and%20Edge%20looks%20positive.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20anyone%20needs%20the%20instructions%20to%20enable%26nbsp%3B%22Allow%20users%20to%20remember%20multi-factor%20authentication%20on%20devices%20they%20trust%22%20they%20are%20here%3A%20%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20tabindex%3D%22-1%22%20title%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fmulti-factor-authentication%2Fmulti-factor-authentication-whats-next%23remember-multi-factor-authentication-for-trusted-devices%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fmulti-factor-authentication%2Fmulti-factor-authentication-whats-next%23remember-multi-factor-authentication-for-trusted-devices%22%20target%3D%22_blank%22%20rel%3D%22noreferrer%20noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fmulti-factor-authentication%2Fmulti-factor-authentication-whats-next%23remember-multi-factor-authentication-for-trusted-devices%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-138416%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-138416%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F99582%22%20target%3D%22_blank%22%3E%40Srikanth%20Komirishetty%3C%2FA%3E%26nbsp%3Bdo%20you%20happen%20to%20be%20using%20Smart%20links%3F%20Even%20with%20the%20old%20experience%2C%20without%20smart%20links%20configured%20you%20have%20to%20enter%2Fselect%20the%20UPN%20before%20federation%20happens.%20But%20you%20can%20construct%20%22smart%20links%22%20(basically%20an%20URL%20with%20added%20parameter%20for%20the%20domain)%20to%20bypass%20this%20process%20and%20have%20you%20log%20in%20automatically.%20Perhaps%20those%20are%20not%20working%20with%20the%20new%20experience%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-138314%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-138314%22%20slang%3D%22en-US%22%3E%3CP%3EKelvin%2C%3C%2FP%3E%0A%3CP%3EThe%20reason%20I%20ask%20is%2C%26nbsp%3Bwe%20get%20this%20window%20every%20single%20time%20when%20we%20close%20the%20browser.%20I%20need%20not%20enter%20my%20password%20but%20I%20have%20to%20click%20on%20my%20account%20(I%20have%20to%20pick%20every%20single%20time%20I%20close%20the%20browser).%20If%20I%20switch%20to%20old%20sign%20in%20experience%2C%20I%20can%20check%20the%20box%20to%20keep%20me%20signed%20in%20and%20it%20will%20never%20ask%20me%20to%20pick%20the%20account.%20As%20the%20old%20sign%20in%20page%20is%20going%20away%2C%20we%20need%20to%20provide%20our%20users%20a%20way%20to%20avoid%20picking%20account%20each%20and%20every%20time%20the%20re-open%20the%20browser.%20The%20only%2C%20I%20saw%20is%20with%20the%20prompt%20and%20that%20is%20why%2C%20I'm%20reaching%20you%20to%20see%20if%20we%20can%20enable%20that%20prompt%20on%20SSO.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F25821i85C76C2100E7DC14%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22Pick%20an%20account.PNG%22%20title%3D%22Pick%20an%20account.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-138225%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-138225%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70095%22%20target%3D%22_blank%22%3E%40Kelvin%20Xia%3C%2FA%3E%26nbsp%3Bwhat%20exactly%20does%20the%20%22shared%20machine%22%20logic%20cover%3F%20I%20stopped%20receiving%20the%20KMSI%20prompt%20on%20my%20personal%20PC%2C%20which%20is%20pretty%20much%20the%20most%20secure%20machine%20I%20use%20(even%20added%20as%20trusted%20IP)%2C%20and%20since%20I'm%20not%20using%20any%20form%20of%20SSO%20for%20said%20account%2C%20that%20only%20leaves%20the%20%22shared%20machine%22%20scenario%3F%20On%20the%20same%20machine%2C%20another%20user%20from%20the%20same%20tenant%20is%20getting%20the%20KMSI%20prompt...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-138224%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-138224%22%20slang%3D%22en-US%22%3EMay%20I%20know%20why%20you%20want%20to%20see%20the%20prompt%20even%20when%20SSO%20happens%3F%20By%20definition%2C%20when%20SSO'ed%20your%20user%20should%20just%20always%20automatically%20sign%20in%20without%20any%20interactive%20prompts.%20So%2C%20asking%20the%20user%20if%20they%20want%20to%20remain%20signed%20in%20doesn't%20really%20mean%20anything%20when%20SSO%20happens.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-138142%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-138142%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Kelvin%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20have%20SSO%20set%20up%20and%20based%20on%20your%20statement%2C%20Microsoft%20has%20added%20logic%20not%20to%20show%20the%20prompt.%3C%2FP%3E%0A%3CP%3EIs%20there%20a%20way%20we%20can%20show%20this%20prompt%20with%20SSO%20enabled%3F%20To%20your%20previous%20question%2C%20we%20have%20not%20set%20up%20ADFS%20to%20pass%20PSSO%20Claim%20for%20SharePoint.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAppreciate%20your%20help.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-137426%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-137426%22%20slang%3D%22en-US%22%3EHi%20Paul%2C%3CBR%20%2F%3E%3CBR%20%2F%3EThis%20new%20KMSI%20experience%20is%20completely%20rolled%20out%20now%20for%20a%20few%20weeks.%20We%20added%20some%20logic%20to%20hide%20the%20prompt%20if%20we%20detect%20that%20the%20login%20session%20is%20risky%2C%20if%20it's%20a%20shared%20machine%20or%20if%20SSO%20is%20set%20up.%20Can%20you%20please%20try%20logging%20in%20on%20an%20in-private%2Fincognito%20browser%20and%20see%20if%20the%20prompt%20shows%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-137424%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-137424%22%20slang%3D%22en-US%22%3EHi%20Jason%2C%3CBR%20%2F%3E%3CBR%20%2F%3Eare%20you%20still%20seeing%20issues%2C%20if%20you%20are%2C%20can%20you%20please%20DM%20me%20your%20email%20address%20and%20I'll%20contact%20you%20to%20get%20more%20information%20to%20troubleshoot%20the%20problem.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-137287%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-137287%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20don't%26nbsp%3Buse%20ADFS%20but%20we%20have%20AD%20Connect%2C%20is%20there%20any%20reason%20why%20we%20are%20not%20seeing%20the%20new%20KMSI%20experience%3F%26nbsp%3B%20It%20is%20very%20hard%20to%20keep%20users%20informed%20IF%20we%20rely%20on%20the%20roll%20out%20dates%20suggested%20by%20Microsoft.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-133960%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-133960%22%20slang%3D%22en-US%22%3E%3CP%3EBernd%2C%3C%2FP%3E%0A%3CP%3EWe%20are%20seeing%20this%20issue%20as%20well%20when%20we%20try%20to%20map%20a%20users%20onedrive.%20%26nbsp%3BHave%20you%20found%20a%20fix%20yet%3F%3C%2FP%3E%0A%3CP%3EJason%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-133585%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-133585%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20for%20that%20detail%20Kelvin.%20But%20I%20need%20to%20request%20yet%20another%20documentation%20update%20here%26nbsp%3B-%20the%20only%20place%20I've%20seen%20the%20PSSO%20claim%20detailed%20so%20far%20is%20the%20claims%20rules%20added%20by%20AAD%20Connect.%20As%20some%20organizations%20might%20not%20be%20using%20AAD%20Connect%20(or%20at%20least%20not%20managing%20the%20AD%20FS%20farm%20with%20it)%2C%20can%20you%20please%20post%20a%20detailed%20article%20on%20how%20the%20claim%20should%20look%20like%20and%20so%20on%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-133515%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-133515%22%20slang%3D%22en-US%22%3EThe%20fix%20is%20rolled%20out%20already.%20To%20clarify%20what%20I%20was%20saying%2C%20if%20your%20ADFS%20is%20set%20to%20pass%20the%20PSSO%20claim%2C%20we%20will%20not%20show%20the%20prompt.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-133514%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-133514%22%20slang%3D%22en-US%22%3EHi%20Bernd%2C%3CBR%20%2F%3E%3CBR%20%2F%3Esorry%20for%20the%20delay%20in%20replying%20here.%20Can%20you%20please%20DM%20me%20so%20I%20can%20get%20more%20details%20from%20you%3F%20Thanks.%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-133513%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-133513%22%20slang%3D%22en-US%22%3EHi%20Kelvin%2C%20thank%20you%20for%20quick%20response.%20Its%20still%20the%20issue%20for%20us.%20Should%20we%20perform%20any%20steps%20to%20speed%20up%20the%20change%20to%20our%20tenant%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-133512%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-133512%22%20slang%3D%22en-US%22%3EIs%20your%20ADFS%20set%20up%20to%20send%20the%20PSSO%20claim%2C%20or%20do%20you%20have%20Windows%20SSO%20set%20up%3F%20If%20it%20is%2C%20we're%20automatically%20dropping%20the%20persistent%20auth%20cookie%20(which%20the%20%22Stay%20signed-in%22%20prompt%20does%20when%20the%20user%20selects%20%22Yes%22).%20We%20have%20a%20few%20bugs%20a%20few%20weeks%20ago%20when%20we%20did%20not%20do%20that%2C%20which%20could%20explain%20the%20difference%20in%20behavior%20you're%20seeing%20now%20vs%20then.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-133511%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-133511%22%20slang%3D%22en-US%22%3ESorry%20about%20that.%20We%20pushed%20out%20a%20fix%20for%20that%20mid-last%20week.%20It%20should%20work%20now.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-133484%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-133484%22%20slang%3D%22en-US%22%3EDoes%20anyone%20has%20issues%20with%20%22Stay%20Signed-in%22%20prompt%20that%20shows%20after%20successful%20authentication%20with%20ADFS%3F%20Our%20tenant%20is%20not%20presenting%20the%20prompt%20(as%20described%20here%20%3CA%20href%3D%22https%3A%2F%2Fcloudblogs.microsoft.com%2Fenterprisemobility%2F2017%2F09%2F19%2Ffewer-login-prompts-the-new-keep-me-signed-in-experience-for-azure-ad-is-in-preview%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fcloudblogs.microsoft.com%2Fenterprisemobility%2F2017%2F09%2F19%2Ffewer-login-prompts-the-new-keep-me-signed-in-experience-for-azure-ad-is-in-preview%2F%3C%2FA%3E%20)as%20it%20did%20couple%20of%20weeks%20ago.%20The%20option%20to%20keep%20the%20user%20signed%20in%20has%20been%20enabled%20in%20our%20Company%20Branding%20settings.%20Any%20thoughts%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-132067%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-132067%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20are%20seeing%20unexpected%20behavior%20when%20we%20choose%20%22don't%20show%20me%20this%20again%22%20and%20click%20No.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EEvery%20time%20we%20login%20again%20it%20gives%20the%20prompt%20again.%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EShouldn't%20%22don't%20show%20me...%22%20respect%20a%20yes%20or%20no%20answer%20and%20go%20away%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-131250%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-131250%22%20slang%3D%22en-US%22%3E%3CP%3EAm%20I%20the%20only%20one%20not%20seeing%20the%20KMSI%20at%20all%20now%3F%20Cloud%20account%2C%20no%20federation.%20I%20tried%20deleting%20cookies%2C%20private%20sessions%20and%20different%20browsers%2C%20I%20don't%20ever%20see%20KMSI%20now.%20I%20thought%20the%20changes%20are%20supposed%20to%20only%20effect%20federated%20scenarios%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-130322%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-130322%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70095%22%20target%3D%22_blank%22%3E%40Kelvin%20Xia%3C%2FA%3E%2C%3C%2FP%3E%0A%3CP%3EI%20did%20some%20additional%20tests%20on%20the%20SSO%20experience.%20When%20I%20delete%20my%20cookies%20and%20open%20a%20mapped%20sharepoint%20webdav%20connection%20I%20cannot%20load%20it%20which%20is%20expected%20(cookie%20is%20removed).%20When%20I%20open%20the%20sharepoint%20tenant%20url%20I%20get%20logged%20in%20through%20SSO%20and%20most%20of%20the%20time%20the%20magical%20cookie%20is%20created.%26nbsp%3BWhen%20the%20cookie%20is%20created%20I'm%26nbsp%3Bable%20to%20open%20the%20webdav%20connection.%20For%20other%20users%20(same%20permission%20etc)%20they%26nbsp%3Bget%20a%20sign%20in%20screen%20where%20they%20need%20to%20enter%20there%20username.%20then%20they%20are%20redirected%20to%20the%20homepage%20but%20they%20are%20not%20able%20to%20open%20the%20webdav%20connection.%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F9956%22%20target%3D%22_blank%22%3E%40Eddy%20Verbeemen%3C%2FA%3E%26nbsp%3Bplease%20correct%20me%20if%20I'm%20wrong%20%3A)%3C%2Fimg%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3Bfew%20years%20ago%20we%20used%20the%20smartlinks%20to%20enforce%20the%20'keep%20me%20signed%20in'.%20At%20a%20certain%20moment%20this%20was%20not%20longer%20working%20and%20we%20went%20back%20to%20the%20default%20login%20where%20we%20could%20choose%20to%20'keep%20me%20signed%20in'.%3CBR%20%2F%3EIt%20seems%20that%20there%20is%20a%20different%20between%20SSO%20where%20a%20prompt%20is%20shown%20for%20a%20username%20and%20no%20prompt%20is%20shown...%3CBR%20%2F%3ECheers%3CBR%20%2F%3EBernd%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-130258%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-130258%22%20slang%3D%22en-US%22%3EThe%20KMSI%20setting%20in%20Company%20Branding%20doesn't%20allow%20that.%20You%20might%20want%20to%20look%20up%20Conditional%20Access%20which%20might%20get%20you%20what%20you%20want.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-130250%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-130250%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F8293%22%20target%3D%22_blank%22%3E%40Bernd%20Verhofstadt%3C%2FA%3E%26nbsp%3BJust%20curious%2C%20are%20you%20using%20smart%20links%20and%20passing%20the%20LoginOptions%20parameter%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%40Kelvin%2C%20that's%20one%20of%20the%20use%20cases%20I%20warned%20you%20about%20-%20mapped%20drives%20rely%20on%20this%20functionality%2C%20and%20the%20LoginOptions%20parameter%20was%20a%20nice%20and%20easy%20way%20to%20handle%20this%20in%20federated%20setups.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-130249%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-130249%22%20slang%3D%22en-US%22%3EHi%20Bernd%2C%3CBR%20%2F%3E%3CBR%20%2F%3Ehow%20did%20%22Keep%20me%20signed%20in%22%20work%20for%20your%20users%20before%3F%20If%20you%20had%20SSO%20turned%20on%20they%20wouldn't%20have%20seen%20the%20login%20screen%20nor%20the%20%22Keep%20me%20signed%20in%22%20checkbox%20in%20the%20old%20experience.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-130193%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-130193%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20had%20Microsoft%20turn%20ours%20off%20at%20the%20tenant%20level%20until%20a%20better%20plan%20could%20be%20put%20in%20place.%26nbsp%3B%20The%20problem%20with%20Company%20branding%20is%3A%201.)%20It's%20a%20global%20setting%202.)%20It%20can%20affect%20Sharepoint%20Online%20users%20and%20Office%202010%20users%20(and%20we%20had%20just%20moved%20over%2030K%20sharepoint%20sites%20to%20Sharepoint%20Online%2C%20so%20I%20didn't%20want%20to%20interrupt%20their%20experience%20for%20my%20experience%20with%20Power%20BI%20to%20work%2C%203.)%20Even%20as%20a%20global%20admin%2C%20we%20could%20not%20delete%20the%20company%20branding.%20The%20delete%20button%20would%20not%20highlight%20and%20we%20verified%20our%20permissions.%26nbsp%3B%20We%20could%20turn%20it%20on%20or%20off%20for%20KMSI%2C%20but%20we%20could%20not%20delete%20company%20branding%204.)%20We%20found%20the%20KMSI%20box%20%22Don't%20ask%20me%20again%20doesn't%20work%22%20either.%26nbsp%3B%20It%20only%20stays%20for%20the%20session%2C%20so%20to%20the%20user%20they%20think%20they%20should%20never%20have%20to%20see%20it%20again.%205.)%20We%20were%20told%20we%20could%20add%20a%20parameter%20to%20the%20Web%20app%20to%20turn%20this%20off%20in%20the%20code%2C%20so%20we%20are%20pursuing%20this%20now%20as%20our%20permanent%20solution%2C%20but%20for%20now%20our%20customers%20can%20function%20again%20with%20KMSI.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-130161%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-130161%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMany%20of%20our%20users%20have%20set%20a%20site%2C%20library%20or%20folder%20as%20favorites%20in%20File%20Explorer%20which%20connects%20through%20webdav(%3F)%20to%20SharePoint.%20As%20we%20are%20using%20SSO%2C%20users%20don't%20get%20the%20option%20'keep%20me%20signed%20in'%20anymore.%20This%20causes%20a%20permission%20denied%20when%20opening%20the%20folder%20or%20library%20in%20file%20explorer%20-%26gt%3B%20no%20cookie%20is%20saved.%20Is%20there%20a%26nbsp%3Bworkaround%20to%20have%20the%20cookie%20or%20'Keep%20me%20signed%20in'%20back%3F%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%3C%2FP%3E%0A%3CP%3EBernd%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-130155%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-130155%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%0A%3CP%3Ewhile%20I%20do%20see%20some%20benefit%20on%20the%20KMSI%20feature%20for%20regular%20users%2C%20I%20would%20prefer%20to%20have%20privileged%20admin%20accounts%20be%20prompted%20for%20MFA%20Login%20in%20their%20browser%20profiles%20every%20time.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHow%20can%20I%20achieve%20this%20without%20turning%20the%20feature%20off%20for%20everyone%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERegards%2C%3C%2FP%3E%0A%3CP%3EKarsten%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-129550%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-129550%22%20slang%3D%22en-US%22%3E%3CP%3ELet%20me%20see%20what%20I%20can%20do%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-129445%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-129445%22%20slang%3D%22en-US%22%3E%3CP%3E%40Kelvin%20I%20see%20your%20point%2C%20but%20if%20we%20had%20proper%20documentation%20on%20what's%20supported%20and%20not%20and%20how%20the%20different%20flow%20works%2C%20I'm%20sure%20that%20would%20decrease%20the%20number%20of%20escalations%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESmart%20links%20are%20still%20required%20for%20true%2C%20seamless%20SSO%20experience%20in%20some%20cases%2C%20and%20there%20is%20definitely%20demand%20for%20such%20from%20the%20enterprise%20customers.%20If%20you%20can%20publish%20some%20guidelines%20and%20recommendations%2C%20I%20think%20it%20will%20benefit%20all%20sides.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnyway%2C%20I'll%20stop%20with%20the%20offtopic%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-129201%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-129201%22%20slang%3D%22en-US%22%3E%3CP%3EThat%20makes%20me%20feel%20better.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMay%20I%20suggest%20stating%20that%20in%20more%20places%3F%26nbsp%3B%20Like%20the%20announcements%2C%20relevant%20blog%20posts%2C%20or%20other%20places%20that%20admins%20will%20see%20before%20they%20start%20to%20flip%20out%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-129197%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-129197%22%20slang%3D%22en-US%22%3EHi%20Matt%2C%20we%20have%20a%20best-effort%20algorithm%20that%20prevents%20the%20new%20%22Stay%20signed%20in%22%20dialog%20from%20showing%20if%20we%20detect%20that%20the%20login%20is%20happening%20on%20a%20shared%20machine.%20%3CBR%20%2F%3E%3CBR%20%2F%3EIt%20essentially%20looks%20to%20see%20if%20a%20different%20account%20than%20what%20is%20currently%20being%20used%20to%20login%20was%20used%20on%20the%20machine%20in%20the%20last%203%20days.%20If%20so%2C%20we%20won't%20show%20the%20dialog.%20We%20also%20use%20our%20adaptive%20protection%20logic%20to%20hide%20the%20dialog%20if%20we%20detect%20that%20the%20login%20is%20risky.%20Note%20that%20this%20logic%20is%20subject%20to%20change%20as%20we%20iterate%20on%20the%20logic%20to%20increase%20confidence%20that%20we%20only%20show%20this%20dialog%20on%20personal%20devices.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-129190%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-129190%22%20slang%3D%22en-US%22%3EHi%20Michael%2C%20you%20can%20turn%20this%20off%20by%20setting%20%22Show%20option%20to%20remain%20signed%20in%22%20in%20Company%20Branding%20to%20%22No%22.%20Here's%20the%20help%20article%20for%20that%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fcustomize-branding%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fcustomize-branding%3C%2FA%3E%20%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-129169%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-129169%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20want%20this%20turned%20off%2C%20anyone%20know%20how%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-129163%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-129163%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20using%20Power%20BI%20with%20a%20Web%20app%20and%20this%20web%20app%20is%20embedded%20reports%20in%20Salesforce.%26nbsp%3B%20As%20soon%20as%20this%20was%20implemented%2C%20we%20started%20getting%20these%20dialog%20boxes%2C%20so%20the%20reports%20would%20not%20come%20through.%26nbsp%3B%20HOw%20can%20we%20turn%20these%20off%20so%20they%20have%20a%20smoother%20experience.%26nbsp%3B%20Currently%20Salesforce%20won't%20allow%20that%20dialog%20at%20all%2C%20so%20they%20get%20blank%20pages%20as%20a%20result%20of%20this.%26nbsp%3B%20If%20they%20go%20through%20the%20web%20app%20directly%20in%20a%20url%2C%20and%20answer%20the%20dialog%2C%20the%20dashboard%20reports%20render%20fine.%26nbsp%3B%20But%20this%20dialog%20caused%20our%20field%20to%20lose%20a%20week's%20worth%20of%20work%20so%20far.%26nbsp%3B%20I%20finally%20found%20this%20so%20I%20am%20hoping%20someone%20can%20tell%20me%20how%20to%20turn%20it%20off...for%20good%3F%26nbsp%3B%20We%20have%20a%20critical%20case%20open%20with%20MSFT%20right%20now%20as%20a%20result.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-129153%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-129153%22%20slang%3D%22en-US%22%3E%3CP%3EOkay%2C%20but%20what%20if%20that%20is%20entirely%20undesirable%20behavior%20in%20half%20of%20your%20use%20cases%3F%26nbsp%3B%20When%20my%20users%20are%20on%20their%20personal%20computers%2C%20this%20is%20a%20good%20thing.%26nbsp%3B%20When%20they%20are%20using%20one%20of%20our%20many%20shared%20workstations%2C%20the%20last%20thing%20I%20want%20is%20for%20them%20to%20be%20encouraged%20to%20%22Stay%20signed%20in%22.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHow%20do%20I%20prevent%20it%20from%20being%20offered%20on%20office%20computers%20without%20preventing%20it%20on%20their%20personal%20devices%3F%26nbsp%3B%20Most%2C%20though%20not%20all%2C%20of%20our%20offices%20are%20AD%20joined%2C%20so%20if%20there's%20a%20GPO%20I%20can%20push%20out%20please%20indicate%20that%20in%20some%20way.%3C%2FP%3E%3CP%3EIf%20the%20classic%20login%20screen%20can%20be%20%3CEM%3Epermanently%3C%2FEM%3E%20forced%20per-domain%20(per%20tenant%20may%20not%20work%20for%20our%20parent%20company)%2C%20that%20would%20also%20be%20acceptable.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBecause%20as%20it%20stands%2C%20this%20is%20a%20horrible%20idea.%26nbsp%3B%20I'm%20going%20to%20have%20realtors%20reading%20each%20other's%20emails%20after%20we%20told%20them%20we%20were%20setting%20them%20up%20with%20MFA%20to%20keep%20anyone%20else%20from%20getting%20into%20their%20email.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-129139%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-129139%22%20slang%3D%22en-US%22%3EThat's%20because%20we%20don't%20officially%20support%20them%20%3A).%20%3CBR%20%2F%3E%3CBR%20%2F%3EWe've%20seen%20multiple%20issues%20and%20escalations%20caused%20by%20customers%20creating%20links%20that%20jump%20straight%20into%20the%20middle%20of%20our%20flows%20in%20a%20way%20that%20they%20weren't%20designed%20for.%20That%20makes%20things%20very%20fragile%20as%20those%20customizations%20break%20when%20we%20push%20new%20features%20or%20updates.%20%3CBR%20%2F%3E%3CBR%20%2F%3EI'll%20take%20an%20action%20to%20see%20if%20we%20can%20get%20out%20an%20official%20message%20regarding%20use%20of%20smartlinks.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-129123%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-129123%22%20slang%3D%22en-US%22%3EYes%2C%20that%20might%20have%20been%20caused%20by%20Chrome%20SSO.%20Everything%20we%20do%20in%20the%20new%20sign%20in%20experience%20and%20stay%20signed%20in%20experience%20are%20cookie-based%2C%20and%20cookies%20are%20not%20shared%20across%20regular%20and%20in-private%20sessions.%3CBR%20%2F%3E%3CBR%20%2F%3ERegarding%20the%20other%20two%20issues%20you%20reported%3A%3CBR%20%2F%3E1.%20Translation%20issue%20-%20thanks%20for%20reporting%20this.%20I'll%20work%20with%20our%20localization%20team%20to%20get%20that%20fixed.%3CBR%20%2F%3E2.%20Checkbox%20-%20the%20checkbox%20is%20essentially%20a%20no-op%20when%20you%20say%20Yes%20since%20saying%20Yes%20means%20that%20you%20won't%20have%20to%20interactively%20sign%20in%20again%20in%20the%20future.%20It%20only%20applies%20when%20you%20say%20No%20so%20we%20don't%20nag%20you.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-129035%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-129035%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3BI%20tried%20Chrome%2C%20we%20are%20federated%20and%20are%20using%20WIA%20indeed.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20have%20now%20removed%20SSO%26nbsp%3Bfor%20Chrome%20in%20our%20ADFS.%20It%20is%26nbsp%3Bprobably%20not%20related%20to%20the%20new%20sign-in%2C%20Chrome%20was%20added%20as%20SSO%20browser%20to%20our%20ADFS%20a%20few%20days%20ago.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128956%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128956%22%20slang%3D%22en-US%22%3E%3CP%3E%40Kelvin%2C%20I'm%20not%20a%20programmer%20so%20I%20will%20trust%20you%20on%20the%20Private%20session%20thingy%2C%20although%20I've%20seen%20some%20JS%20samples%20that%20supposedly%20to%20just%20that.%20In%20all%20fairness%2C%20the%20previous%20experience%20wasn't%20detecting%20private%20sessions%20either.%20It's%20just%20that%20the%20KMSI%20is%20a%20separate%20step%20now%2C%20thus%20more%20visible%2C%20and%20can%20be%20a%20bit%20irritating%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnd%20on%20a%20related%20topic%2C%20can%20you%20folks%20please%20publish%20an%20official%20statement%20on%20what's%20supported%20in%20terms%20of%20smartlinks%20now%3F%20Just%20the%20other%20day%20you%20published%20an%20article%20mentioning%2046%25%20of%20all%20auths%20are%20AD%20FS%2C%20and%20I'm%20certain%20many%20of%20these%20do%20take%20advantage%20of%20smart%20links.%20Yet%2C%20there%20is%20zero%20documentation%20on%20them%20from%20Microsoft.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128946%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128946%22%20slang%3D%22en-US%22%3E%3CP%3EWhat%20browser%20are%20using%20Bart%3F%20What%20you%20are%20describing%20in%20scenario%203%20shouldn't%20be%20happening%2C%20unless%20maybe%20in%20federated%20environment%20with%20WIA%20autologin.%26nbsp%3BKelvin%20can%20correct%20me%20here.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128945%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128945%22%20slang%3D%22en-US%22%3E%3CP%3EThree%20remarks%20on%20the%20new%20experience%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.%20Spelling%20mistake%20(in%20Dutch%20translation%2C%20a%20period%26nbsp%3Bin%20the%20middle%20of%20a%20sentence)%3C%2FP%3E%3CP%3E2.%20The%20checkbox%20in%20the%20KMSI%20dialog%20is%20confusing%20(don't%20show%20this%20again).%20Does%20it%20make%20me%20stay%20logged%20in%20even%20longer%20when%20I%20select%20Yes%20and%26nbsp%3Bthick%20the%20checbox%3F%3C%2FP%3E%3CP%3E3.%20When%20I%20choose%20%22Yes%22%20in%26nbsp%3Bmy%20regular%20browser%26nbsp%3Bsession%2C%20open%20a%20private%20session%2C%20enter%20a%20different%20account%20in%20the%20private%20session.%26nbsp%3BI%20get%20logged%20in%20with%20the%20account%20of%20the%20regular%20session%20anyway%2C%20no%20matter%20the%20account%20I%20filled%20in.%20Is%20this%20by%20design%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBart%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20371px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F24352i058D2A2CA961CDE1%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22kmsi.png%22%20title%3D%22kmsi.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128830%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128830%22%20slang%3D%22en-US%22%3EIt's%20actually%20more%20than%20the%20KMSI%20checkbox%20-%20doing%20a%20full%20page%20redirect%20when%20a%20user%20doesn't%20expect%20it%20causes%20usability%20issues.%20It's%20also%20not%20a%20standard%20interaction%20model%20anywhere%20on%20the%20web%2C%20causing%20user%20confusion%20and%20frustration.%20%3CBR%20%2F%3E%3CBR%20%2F%3EYou%20are%20correct%2C%20showing%20KMSI%20in%20private%20sessions%20doesn't%20really%20do%20very%20much.%20However%2C%20there's%20no%20deterministic%20way%20for%20us%20to%20determine%20that%20we're%20in%20a%20private%20browser%20session.%3CBR%20%2F%3E%3CBR%20%2F%3ERegarding%20LoginOptions%2C%20I%20believe%20we%20have%20discussed%20this%20before.%20We%20don't%20officially%20support%20the%20use%20of%20LoginOptions%20-%20it's%20an%20internal%20parameter%20used%20to%20pass%20information%20across%20our%20pages.%20We%20did%20not%20change%20how%20it%20is%20used%20with%20the%20new%20experiences%2C%20though%20we%20cannot%20guarantee%20that%20it%20won't%20happen%20in%20a%20future%20change.%20%3A)%3C%2Fimg%3E%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128756%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128756%22%20slang%3D%22en-US%22%3E%3CP%3EKelvin%2C%20correct%20me%20if%20I'm%20wrong%2C%20but%20most%20of%20the%20complaint%20about%20the%20auto-redirect%20with%20just%20filling%20in%20the%20UPN%20were%20because%20it%20didn't%20allow%20users%20to%20select%20the%20KSMI%20checkbox.%20Now%20that%20that's%20a%20separate%20step%2C%20this%20issue%20no%20longer%20applies%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOn%20the%20Private%20session%20thingy%2C%20does%20KMSI%20even%20work%20with%20Private%20sessions%3F%20It%20writes%20a%20cookie%2C%20no%3F%20Which%20is%20*not*%20saved%20if%2Fwhen%20I'm%20using%20a%20Private%20session.%20So%20displaying%20the%20KMSI%20step%20is%20pointless%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnd%20one%20other%20thing%20comes%20to%20mind%20after%20seeing%20the%20comments%20made%20by%20other%20folks%20here%20-%20are%20you%20guys%20respecting%20the%20%22LoginOptions%22%20parameter%20for%20federated%20logins%2Fsmart%20links%3F%20The%20idea%20being%20that%20it%20automatically%20ticked%20the%20KMSI%20checkbox%20in%20the%20old%20experience...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128677%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128677%22%20slang%3D%22en-US%22%3EHey%20Vasil%2C%3CBR%20%2F%3E%3CBR%20%2F%3EThanks%20for%20the%20feedback.%3CBR%20%2F%3E%3CBR%20%2F%3EFor%20%231%3A%20This%20is%20by%20design%20in%20the%20new%20experience.%20We%20had%20a%20lot%20of%20strong%20feedback%20about%20the%20old%20design%20where%20we%20initiated%20the%20redirect%20when%20focus%20was%20lost%20on%20the%20username%20field.%20Most%20users%20thought%20that%20it%20was%20unexpected%20and%20jarring%20and%20did%20not%20give%20them%20the%20opportunity%20to%20go%20back%20and%20correct%20typos.%20We%20decided%20to%20wait%20to%20redirect%20only%20after%20the%20user%20clicks%20the%20Next%20button.%20This%20experience%20is%20consistent%20with%20almost%20all%20other%20identity%20systems.%3CBR%20%2F%3E%3CBR%20%2F%3E%232%3A%20Can%20you%20help%20me%20understand%20your%20scenario%20where%20you%20don't%20want%20KMSI%20to%20show%20up%20in%20private%20sessions%20and%20why%3F%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128666%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128666%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20also%20experiencing%20this%20issue%20where%20the%20KMSI%20dialog%20is%20being%20displayed%20for%20all%20of%20our%20internal%20ADFS%20sign%20ins%20when%20previously%20it%20was%20automatic.%20For%20now%2C%20we%20have%20disabled%20the%20feature.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20there%20is%20a%20fix%20for%20this%2C%20please%20let%20me%20know.%20Thank%20you.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128447%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128447%22%20slang%3D%22en-US%22%3E%3CP%3EMicrosoft%20support%20answered%20it%20for%20me.%20Turn%20it%20off%20in%20Company%20branding%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fcloudblogs.microsoft.com%2Fenterprisemobility%2F2017%2F09%2F19%2Ffewer-login-prompts-the-new-keep-me-signed-in-experience-for-azure-ad-is-in-preview%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fcloudblogs.microsoft.com%2Fenterprisemobility%2F2017%2F09%2F19%2Ffewer-login-prompts-the-new-keep-me-signed-in-experience-for-azure-ad-is-in-preview%2F%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128410%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128410%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%20we%20are%20using%20a%20Federated%20domain%20With%20local%20ADFS.%20Before%20this%20change%2C%20single%20signon%20worked%20without%20any%20questions%20when%20we%20are%20logged%20into%20the%20local%20domain.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENow%2C%20after%20this%20New%20%22experience%22%2C%20Our%20users%20must%20click%20on%20a%20Choice%20on%20the%20keep%20me%20logged%20in%20or%20not%20page.%20This%20is%20an%20anucence%20for%20Our%20users.%20We%20use%20Azure%20AD%20for%20authentication%20to%20Our%20intranet%20in%20the%20cloud.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20a%20setting%20on%20an%20Application%20or%20Azure%20AD%20Directory%2C%20or%20a%20URL%20parameter%20or%20similar%20that%20can%20be%20used%20to%20disable%20this%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128398%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128398%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70095%22%20target%3D%22_blank%22%3E%40Kelvin%20Xia%3C%2FA%3E%26nbsp%3Btwo%20minor%20issues%20still%20remain%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1)%20When%20using%20federated%20account%2C%20I%20have%20to%20press%20the%20Next%20button%20in%20order%20to%20be%20taken%20to%20the%20AD%20FS%20login%20page.%20In%20the%20previous%20experience%20this%20was%20automatic%2C%20simply%20pressing%20Tab%20for%20example%20did%20the%20trick.%3C%2FP%3E%3CP%3E2)%20Why%20am%20I%20being%20prompted%20for%20the%26nbsp%3BKMSI%20experience%20when%20using%20Private%20sessions%3F%20Maybe%20you%20should%20implement%20a%20check%20for%20this%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128306%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128306%22%20slang%3D%22en-US%22%3EHey%20Jeremy%2C%20the%20web%20theme%20can%20be%20found%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FMicrosoft%2FadfsWebCustomization%2Ftree%2Fmaster%2FcenteredUi%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2FMicrosoft%2FadfsWebCustomization%2Ftree%2Fmaster%2FcenteredUi%3C%2FA%3E%20%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128275%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128275%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F41707%22%20target%3D%22_blank%22%3E%40Eric%20Starker%3C%2FA%3E%26nbsp%3BDo%20you%20have%20any%20information%20on%20the%20ADFS%20web%20theme%20to%20allow%20on-premises%20ADFS%20look%20and%20feel%20to%20match%20the%20new%20sign%20in%20experience%3F%26nbsp%3B%20We%20saw%20some%20information%20during%20the%20original%20preview%20announcement%20that%20this%20would%20be%20coming%20but%20are%20unable%20to%20find%20any%20info.%26nbsp%3B%20We%20have%20our%20TAM%20also%20checking%20for%20information%20but%20thought%20I'd%20check%20here%20as%20well.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-138940%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-138940%22%20slang%3D%22en-US%22%3EHi%20Srikanth%2C%20I'll%20reach%20out%20to%20you%20via%20DM%20to%20get%20more%20information%20so%20we%20can%20look%20into%20this.%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-138943%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-138943%22%20slang%3D%22en-US%22%3EHi%20Unnie%2C%20thanks%20for%20the%20breakdown.%20%3CBR%20%2F%3E%3CBR%20%2F%3EWhat%20are%20you%20trying%20to%20achieve%20with%20persistent%20cookies%3F%20If%20you%20have%20seamless%20SSO%20set%20up%2C%20every%20time%20your%20user%20goes%20to%20the%20Sharepoint%20site%20they%20will%20SSO%20automatically%2C%20which%20makes%20the%20need%20for%20a%20persistent%20cookie%20unnecessary.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-138947%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-138947%22%20slang%3D%22en-US%22%3EHey%20Vasil%2C%20the%20shared%20machine%20logic%20essentially%20stops%20showing%20the%20KMSI%20prompt%20if%20a%20different%20account%20has%20been%20used%20on%20the%20same%20browser.%20That%20logic%20will%20reset%20(and%20KMSI%20will%20show%20again)%20if%20you%20clear%20browser%20cookies%2C%20or%20if%20you%20continue%20to%20only%20sign%20in%20with%20that%20one%20account%20for%20a%20few%20days.%20%3CBR%20%2F%3E%3CBR%20%2F%3EFor%20the%20other%20user%20that's%20getting%20the%20prompt%2C%20are%20you%20using%20the%20same%20browser%3F%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-138978%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-138978%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20Kelvin.%20I%20did%20clear%20cookies%2C%20but%20that%20doesn't%20seem%20to%20had%20any%20effect.%20And%20if%20it's%20cookie%20based%2C%20doesn't%20explain%20why%20I%20don't%20see%20the%20prompt%20in%20Private%20session%20or%20when%20using%20other%20browsers%20on%20the%20same%20machine%3F%20Is%20there%20perhaps%20any%20%22server-side%22%20component%20to%20it%3F%20Same%20machine%2C%20same%20browsers%2C%20same%20O365%20tenant%26nbsp%3B-%20one%20user%20gets%20the%20prompt%20in%20Private%20session%2C%20the%20other%20one%20does%20not.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-139003%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-139003%22%20slang%3D%22en-US%22%3EIt's%20the%20performance%20.%20Our%20home%20page%20for%20IE%20is%20SPO%20based%20intranet%20and%20it%20loads%20slowly%20because%20of%20the%20authentication%20hops%20from%20the%20site%20--%26gt%3B%20Microsoft%20login%20--%26gt%3B%20on-prem%20ADFS%20and%20then%20the%20journey%20back.%20The%20user%20can%20see%20the%20urls%20changing%20and%20it%20takes%20a%20good%208-10%20secs%20every%20time%20the%20browser%20is%20opened.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-139663%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-139663%22%20slang%3D%22en-US%22%3EThanks%20for%20verifying.%20We%20also%20take%20into%20account%20a%20risk%20score%20provided%20by%20our%20Identity%20mechanisms.%20We've%20had%20isolated%20reports%20that%20it%20is%20kicking%20in%20a%20tad%20bit%20too%20aggressively%2C%20but%20we%20don't%20have%20confirmation%20yet.%20%3CBR%20%2F%3E%3CBR%20%2F%3ECan%20you%20please%20DM%20me%20the%20following%3A%3CBR%20%2F%3E1.%20UPN%20of%20the%20account%20you%20used%20where%20KMSI%20doesn't%20show%20and%20also%20the%20one%20where%20KMSI%20does%20show.%3CBR%20%2F%3E2.%20Co-relation%20id%20of%20the%20request%20when%20logging%20in%20on%20the%20account%20where%20KMSI%20doesn't%20show.%20You%20can%20get%20this%20by%20clicking%20on%20the%20three%20dots%20at%20the%20bottom%20right%20corner%20of%20the%20page%20when%20you're%20on%20the%20password%20screen.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-139665%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-139665%22%20slang%3D%22en-US%22%3EThanks%20for%20the%20details.%20We're%20going%20to%20take%20a%20look%20into%20this%20early%20next%20year%20once%20the%20team%20gets%20back%20into%20the%20office%20after%20the%20holidays.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-140338%22%20slang%3D%22en-US%22%3ERE%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-140338%22%20slang%3D%22en-US%22%3EHi%2C%20MS%20admin%20for%20years%2C%20new%20here.%20Just%20saw%20this%2C%20perhaps%20it%20can%20help%20us.%20Our%20call%20to%20Microsoft%20(before%20this%20change)%20had%20no%20immediate%20fix.%20Our%208k%2B%20users%20to%20o365%2FSPO%20need%20access%20to%20SP%20sites.%20We%20would%20like%20to%20use%20this%20...%22Keep%20me%20singed%20in%22%20for%20most%20users.%20Others%20with%20Generic%20IDs%20which%20would%20only%20prompt%20for%20a%20password%20to%20get%20to%20secure%20content%20on%20SPO%20sites.%20Is%20this%20possible%20to%20do%20both%3F%20Details%20would%20be%20golden!!!%20Thanks%2C%20Joe%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-140833%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-140833%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20experiencing%20the%20same%20as%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%2C%20no%20KMSI%20prompt%20after%20successful%20sign-in%20in%20IE11%20or%20Chrome.%20And%20every%20time%20browser%20is%20started%20a%20sign-in%20prompt%20(password)%20is%20shown.%20Also%20sign-in%20prompt%20is%20shown%20every%20time%20I%20open%20locally%20installed%20Outlook%20client.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-141011%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-141011%22%20slang%3D%22en-US%22%3EHi%20Teemu%2C%3CBR%20%2F%3E%3CBR%20%2F%3Ewould%20you%20mind%20private%20messaging%20me%20your%20email%20address%3F%20I'll%20need%20some%20additional%20info%20(eg.%20traces)%20to%20investigate%20this.%3CBR%20%2F%3E%3CBR%20%2F%3EThanks%2C%3CBR%20%2F%3EKelvin%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-141013%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-141013%22%20slang%3D%22en-US%22%3EHi%20Joe%2C%3CBR%20%2F%3E%3CBR%20%2F%3Ecan%20you%20please%20clarify%20what%20you're%20trying%20to%20achieve%3F%20Is%20this%20an%20issue%20that%20has%20occurred%20with%20the%20new%20sign-in%20experience%20or%20is%20this%20just%20new%20functionality%20you%20want%20enabled%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-141069%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-141069%22%20slang%3D%22en-US%22%3EHi%20Unnie%2C%20you%20can%20configure%20ADFS%20to%20pass%20the%20Persistent%20SSO%20(PSSO)%20claim%20so%20that%20Azure%20AD%20will%20automatically%20drop%20persistent%20cookies.%20That%20should%20get%20you%20what%20you%20need.%20You%20can%20find%20more%20information%20about%20PSSO%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fidentity%2Fad-fs%2Foperations%2Fad-fs-single-sign-on-settings%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fidentity%2Fad-fs%2Foperations%2Fad-fs-single-sign-on-settings%3C%2FA%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-141130%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-141130%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%0A%3CP%3Eat%20one%20of%20my%20customers%20I%20have%20exactly%20the%20same%20problem%20like%20Srikanth%20Komirishetty.%20Every%20time%20the%20browser%20is%20closed%20and%20reopend%20the%20Account%20Picking%20window%20is%20showing.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-141364%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-141364%22%20slang%3D%22en-US%22%3EHi%20Johannes%2C%20can%20you%20please%20private%20message%20me%20your%20email%20address%20and%20I'll%20reach%20out%20to%20you%20to%20get%20more%20information.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-142147%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-142147%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%2C%20Thank%20you%20for%20the%20response.%20The%20old%20sign%20in%20page%20has%20%22keep%20me%20signed%20in%22%20check%20box%20that%20helps%20the%20user%20not%20be%20prompted%20to%20pick%20account%20or%20see%20login%20prompt%20the%20next%20time%20they%20re-launch%20the%20browser%20and%20access%20SharePoint%20site.%20The%20new%20UI%20has%20no%20such%20option%20any%20more.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20new%20ADFS%20version%20on%20Windows%202012%20seems%20to%20have%20an%20option%20to%20create%20custom%20claim%20rules%20to%20issue%20PSSO%20claims%20that%20avoids%20%22pick%20an%20account%22%20prompt%20as%20shared%20by%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70095%22%20target%3D%22_blank%22%3E%40Kelvin%20Xia%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAs%20you%20recommended%2C%20I%20researched%20and%26nbsp%3BI%20was%20able%20to%20create%20a%20SMART%20link%26nbsp%3Bwhich%20does%20the%20same%20job%20as%20%22keep%20me%20signed%20in%22%20check%20box.%20The%20user%20has%20to%20browse%20this%20link%20once%2C%20interestingly%20it%20won't%20even%20prompt%20for%20UPN%20(password%20not%26nbsp%3Brequired%20as%20we%20are%20SSO)%26nbsp%3Band%20process%20sets%20the%20persistent%20cookie%20on%20the%20machine%20and%20he%2Fshe%20never%20needs%20to%20pick%20account%20going%20forward.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20question%20I%20have%20now%20is%2C%20Our%20organization%20would%20like%20to%20enable%20PSSO%20but%20we%20are%20on%20ADFS%202.0%20and%20Windows%202008%20R2.%26nbsp%3BThe%20article%20on%20this%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fidentity%2Fad-fs%2Foperations%2Fad-fs-single-sign-on-settings%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Elink%3C%2FA%3E%26nbsp%3Bdescribes%20how%20to%20configure%20ADFS%20to%20issue%20PSSO%20claims%20but%20not%20sure%20if%20this%20applies%20to%20Windows%202008%20R2.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-142149%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-142149%22%20slang%3D%22en-US%22%3E%3CP%3EI%20don't%20think%20so%2C%20it%20will%20most%20likely%20not%20recognize%20the%20claim.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-142190%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-142190%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20use%26nbsp%3BSAML%20SSO%20with%20several%20vendors%20using%26nbsp%3BADFS%20as%20our%20iDp.%26nbsp%3BOur%20ADFS%20server%20is%20under%20a%20different%20domain%20so%20we%20have%20a%20Claims%20Provider%20Trust%20setup%20with%20our%20AAD.%26nbsp%3BWe%20have%20an%20issue%20with%20the%20new%20sign-in%20experience.%20When%20a%20user%20initially%20signs%20in%20they%20get%20presented%20with%20the%20%22Stay%20signed%20in%3F%22%20prompt.%20If%20they%20say%20Yes%20a%20persistent%20cookie%20is%20set%20and%20things%20work%20like%20they%20should.%20However%2C%20if%20they%20were%20to%20go%20back%20to%20the%20iDp%20initiated%20signon%20page%20and%20log%20out%20for%20whatever%20reason%2C%20when%20they%20go%20to%20sign-in%20again%20they%20won't%20get%20the%20%22Stay%20signed%20in%3F%22%20prompt%20so%20it%20just%20sets%20a%20session%20cookie%20that%20is%20terminated%20if%20they%20close%20their%20browser.%20If%26nbsp%3Bthey%20choose%20to%20go%20back%20to%20the%20old%20sign-in%20experience%20the%20%22Keep%20me%20signed%20in%22%20checkbox%20will%20be%20there%20so%20they%20once%20again%20can%20set%20a%20persistent%20cookie.%20Is%20this%20a%20known%20issue%3F%20Is%20there%20a%20fix%20for%20this%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-142741%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-142741%22%20slang%3D%22en-US%22%3EHi%20Andy%2C%20yes%2C%20this%20is%20a%20known%20issue%20where%20if%20the%20user%20first%20says%20%22Yes%22%20to%20the%20prompt%2C%20then%20explicitly%20signs%20out%2C%20they%20would%20not%20see%20the%20prompt%20again%20on%20subsequent%20sign%20ins%20for%203%20days.%3CBR%20%2F%3E%3CBR%20%2F%3EThis%20is%20something%20we're%20looking%20into%20fixing.%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-143450%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-143450%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20utilise%20WebDAV%20to%20map%20SharePoint%20Online%20drives%20for%20all%20of%20our%20365%20clients%2C%20and%20the%20new%20sign%20in%20has%20a%26nbsp%3B%20critical%20flaw.%20After%20the%20initial%20sign%20in%20using%20IE%20the%20option%20to%20stay%20signed%20in%20is%20not%20presented%2C%20meaning%20that%20the%20mapped%20WebDAV%20drives%20do%20not%20reconnect.%20Returning%20to%20the%20old%20sign%20in%20and%20ticking%20the%20%22Keep%20me%20signed%20in%22%20still%20works%20fine%20however.%20If%20we%20log%20in%20to%20an%20inprivate%20browser%20the%20stay%20signed%20in%20option%20returns%2C%20however%20this%20is%20no%20good%20to%20us%20as%20it%20will%20not%20map%20a%20drive%20this%20way.%20Resetting%20IE%20also%20returns%20the%26nbsp%3B%3C%2FP%3E%0A%3CP%3Estay%20signed%20in%20prompt%2C%20however%20again%20this%20disappears%20after%20the%20initial%20sign%20in.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-143454%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-143454%22%20slang%3D%22en-US%22%3EWe're%20also%20not%20seeing%20it%20after%20the%20initial%20sign%20in%2C%20meaning%20that%20mapped%20drives%20no%20longer%20work.%20Very%20unhelpful.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-144732%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-144732%22%20slang%3D%22en-US%22%3EHi%20Greg%2C%20we%20just%20checked%20in%20a%20tweak%20to%20the%20prompt%20logic%20that%20should%20make%20the%20prompt%20show%20up%20a%20lot%20more%20consistently.%20Please%20look%20for%20it%20to%20release%20in%20a%20week%20or%20so.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-148033%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-148033%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20Office%20365%20MFA%20enabled.%20When%20the%20%22Keep%20me%20signed%20in%22%20experience%20rolled%20out%20in%20December%20I%20saw%20it.%20I%20clicked%20on%20Keep%20me%20signed%20in%20did%20not%20require%20authentication%20when%20I%20logged%20into%20Office%20365%20from%20any%20browser.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAt%20some%20point%20in%20early%26nbsp%3BJanuary%2C%20I%20believe%20this%20changed.%20Now%20when%20I%20log%20in%20I%20get%20taken%20straight%20to%20my%20organization's%20login%20page%2C%20enter%20my%20credentials%20and%20I'm%20in.%20I%20have%20to%20log%20into%20Office%20365%20from%20my%20browser%20every%20day.%20The%20experience%20is%20the%20same%20across%20all%20my%20devices.%20I%20have%20not%20seen%20the%20%22Keep%20me%20signed%20in%22%20feature%20since.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHelp%20please%3F!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-148036%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-148036%22%20slang%3D%22en-US%22%3ETry%20clearing%20browser%20cookies%20and%20signing%20in%20again.%20Let%20me%20know%20if%20you%20see%20the%20%22Keep%20me%20signed%20in%22%20prompt%20then.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-148046%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-148046%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Kelvin%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20did%20not%20work.%20I%20get%20taken%20to%20my%20organizations%20SSO%20page%2C%20get%20prompted%20for%20MFA%20accept%20prompt%26nbsp%3Band%20then%20go%20straight%20to%20Office%20365.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-148047%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-148047%22%20slang%3D%22en-US%22%3EWhen%20you%20say%20%22accept%20prompt%22%20what%20prompt%20do%20you%20refer%20to%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-148078%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-148078%22%20slang%3D%22en-US%22%3E%3CP%3EI%20mean%20accept%20the%20push%20notification%20to%20my%20smartphone%20from%20MFA.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-148937%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-148937%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Kelvin%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20would%20really%20appreciate%20some%20insight%20into%20this%20issue%2C%20we'd%20really%20like%20to%20communicate%20to%20our%20users%20about%20this%20change.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-148967%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-148967%22%20slang%3D%22en-US%22%3ECan%20you%20please%20send%20me%20a%20fiddler%20trace%20of%20your%20login%20via%20private%20message%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-148974%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-148974%22%20slang%3D%22en-US%22%3E%3CP%3ECan%20you%20please%20send%20me%20instructions%20on%20how%20to%20run%20the%20Fiddler%20trace.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-148991%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-148991%22%20slang%3D%22en-US%22%3EPlease%20send%20me%20a%20private%20message%20with%20your%20email%20address%20and%20I'll%20send%20instructions%20via%20email.%20It'll%20be%20a%20lot%20easier%20that%20way.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-152594%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-152594%22%20slang%3D%22en-US%22%3E%3CP%3ETrying%20to%20understand%20exact%20implications%20of%20hiding%20the%20KMSI%20option.%26nbsp%3B%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fcustomize-branding%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EThis%20link%3C%2FA%3E%20states%2C%20%22Some%20features%20of%20SharePoint%20Online%20and%20Office%202010%20depend%20on%20users%20being%20able%20to%20choose%20to%20remain%20signed%20in.%20If%20you%20set%20this%20option%20to%20No%2C%20your%20users%20may%20see%20additional%20and%20unexpected%20prompts%20to%20sign-in.%22%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIs%20there%20a%20list%20of%20the%20features%2Ffunctionality%20that%20may%20be%20impacted%20when%20hiding%20this%20option%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-153102%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-153102%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20have%20one%20user%20who%20is%20having%20an%20issue%20of%20%22looping.%22%26nbsp%3B%20They%20sign%20into%20SharePoint%20via%20the%20SSO%20and%20then%20the%20page%20refreshes%20and%20says%20%22you%20are%20already%20signed%20in%22%20and%20just%20keeps%20spinning%20like%20it%20is%20trying%20to%20load%20the%20page.%26nbsp%3B%20However%2C%20it%20never%20moves%20past%20the%20log%20in%20page.%26nbsp%3B%20The%20only%20way%20we%20can%20move%20past%20is%20to%20log%20in%20again%20as%20another%20user.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-153293%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-153293%22%20slang%3D%22en-US%22%3E%3CP%3EJust%20spent%20about%20a%20day%20figuring%20out%20the%20same%20%22keep%20me%20signed%20in%22%20issue%2C%20as%20discussed%20here.%20The%20problem%20seems%20to%20be%20related%20to%20ADFS%20and%20WIA.%20I%20can%20provide%20some%20details%20on%20my%20customers%20setup%20and%20how%20to%20reproduce%20the%20problem%20(got%20a%20workaround%2C%20too)%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20have%20a%20federated%20O365%20domain%2C%20ADFS%20on%20prem%20for%20authentication%20and%20WIA%20%2F%20IE%20trusted%20zones%20setup%20internally%2C%20so%20that%20no%20logon%20prompt%20used%20to%20display%20when%20accessing%20O365%20resources%20(tested%20access%20to%20OneDrive%20in%20browser).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EInternal%20behavior%3A%3C%2FSTRONG%3E%20With%20the%20new%20login%20experience%2C%20user%20name%20needs%20to%20be%20provided%2C%20redirect%20to%20ADFS%20and%20automatic%20logon%20succeed%2C%20then%20you%20are%20returned%20to%20your%20desired%20destination%20in%20your%20browser%20--%26gt%3B%20No%20prompt%20for%20%22keep%20me%20signed%20in%22.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EExternal%20behavior%3A%3C%2FSTRONG%3E%20User%20name%20needs%20to%20be%20provided%2C%20redirect%20to%20ADFS%20shows%20ADFS%20login%20page.%20Password%20must%20be%20entered%20there%2C%20redirect%20to%20MS%20happens%20(eventually%20MFA%20thereafter)%2C%20then%20%22keep%20me%20signed%20in%22%20appears%2C%20can%20be%20set%20and%20works%20correctly.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhat%20I%20already%20did%3A%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3ERemoved%20the%20corresponding%20WIA%20agents%20from%20ADFS%20config%20to%20have%20the%20ADFS%20login%20page%20experience%20from%20internal%20clients.%20KMSI%20dialog%20from%20MS%20is%26nbsp%3B%3CSTRONG%3Enot%3C%2FSTRONG%3E%20displayed.%3C%2FLI%3E%0A%3CLI%3EEnabled%20KMSI%20in%20ADFS%20properties%20and%20added%20claim%20rules%20to%20pass%20through%20PSSO%20claim.%20Now%20on%20the%20ADFS%20website%2C%20there%20is%20a%20keep%20me%20signed%20in%20checkbox%2C%20which%20does%20place%20a%20permanent%20cookie%2C%20so%20that%20subsequent%20logins%20(after%20closing%20and%20reopening%20the%20browser)%20are%26nbsp%3B%3CSTRONG%3Enot%20required%3C%2FSTRONG%3E.%20The%20KMSI%20dialog%20from%20MS%20is%26nbsp%3B%3CSTRONG%3Enot%26nbsp%3B%3C%2FSTRONG%3Edisplayed.%20%3CSTRONG%3EThis%20is%20my%20current%20workaround%2C%20but%20not%20the%20desired%20state.%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3EI%20think%2C%20the%20problem%20is%20the%20combination%20of%20ADFS%20and%20WIA-enabled%20authentication%20from%20inside%20the%20coorp%20network.%20The%20exactly%20same%20setup%20works%20as%20expected%20from%20external%20locations%2C%20but%20not%20from%20internal%20ones.%20This%20used%20to%20work%20in%20the%20%22old%20style%22.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20would%20gladly%20help%20getting%20this%20thing%20done%2C%20if%20you%20need%20more%20input.%20Just%20get%20in%20touch%20with%20me.%20Already%20checked%20this%20issue%20with%20a%20second%20setup%2C%20same%20behavior%20there%20...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-153841%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-153841%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3Eo%20my%20team%20and%20I%20sat%20down%20in%20a%20room%20to%20compare%20our%26nbsp%3Bdifferent%20experiences.%20We%20found%20that%20each%20browser%26nbsp%3Bhas%20settings%20that%20delete%20cookies%26nbsp%3B%20In%20Chrome%20I%20had%20this%20setting%20%22%3C%2FSPAN%3E%3CSPAN%3EKeep%20local%20data%20only%20until%20you%20quit%20your%20browser%22%20turned%20on.%20When%20I%20turned%20this%20off%20I%20was%20presented%20with%20the%20%22Stay%20Signed%20In%22%20option%20and%20was%20able%20to%20stay%20logged%20in%20once%20I%20had%20authenticated%20and%20verified%20with%20MFA.%20I%20have%20not%20had%20to%20reauthenticate.%20This%20is%20a%20per%20browser%20setting.%20Each%20browser%20has%20different%20settings%20of%20course.%26nbsp%3B%20We%20think%20Macs%20have%20a%20privacy%20setting%20Website%20Tracking%20Prevent%20cross-site-tracking%20and%20if%20this%20is%20checked%20this%20will%20prevent%20the%20Stay%20Signed%20in%20feature%20to%20work.%20I%20haven't%20confirmed%20yet%20but%20will%20update%20this%20post%20once%20we%20do.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-160329%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-160329%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70095%22%20target%3D%22_blank%22%3E%40Kelvin%20Xia%3C%2FA%3E%20wrote%3A%3CBR%20%2F%3EMay%20I%20know%20why%20you%20want%20to%20see%20the%20prompt%20even%20when%20SSO%20happens%3F%20By%20definition%2C%20when%20SSO'ed%20your%20user%20should%20just%20always%20automatically%20sign%20in%20without%20any%20interactive%20prompts.%20So%2C%20asking%20the%20user%20if%20they%20want%20to%20remain%20signed%20in%20doesn't%20really%20mean%20anything%20when%20SSO%20happens.%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%0A%3CP%3EThere%20is%20one%20case%20where%20it%20would%20be%20really%20useful%20to%20have%20KMSI%20available%20when%20using%20SSO%20and%20that%20is%20when%20Azure%20MFA%20is%20enabled%2C%20to%20allow%20to%20remain%20signed%20in%20without%20getting%20prompted%20for%20the%20MFA%20code%20each%20time%20the%20browser%20is%20launched.%20When%20outside%20the%20LAN%20the%20KMSI%20appears%20(since%20then%20SSO%20is%20not%20active)%2C%20so%20no%20reason%20not%20to%20show%20KMSI%20when%20on%20the%20LAN.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIs%20there%20any%20thought%20to%20allow%20this%3F%20Thanks%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-160384%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-160384%22%20slang%3D%22en-US%22%3E%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70095%22%20target%3D%22_blank%22%3E%40Kelvin%20Xia%3C%2FA%3E%20wrote%3A%3CBR%20%2F%3EMay%20I%20know%20why%20you%20want%20to%20see%20the%20prompt%20even%20when%20SSO%20happens%3F%20By%20definition%2C%20when%20SSO'ed%20your%20user%20should%20just%20always%20automatically%20sign%20in%20without%20any%20interactive%20prompts.%20So%2C%20asking%20the%20user%20if%20they%20want%20to%20remain%20signed%20in%20doesn't%20really%20mean%20anything%20when%20SSO%20happens.%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%0A%3CP%3EThat's%20almost%20right%2C%20but%3A%20For%20SSO%20to%20work%2C%20you%20need%20to%20provide%20the%20username%20%2F%20email%20address%20%2F%20UPN%20(which%20may%20be%20saved%2C%20but%20has%20to%20be%20confirmed%20by%20clicking%20it)%26nbsp%3B%3CSTRONG%3Ebefore%3C%2FSTRONG%3E%20SSO%20kicks%20in.%20This%20is%20the%20issue%20in%20our%20case.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EImagine%20the%20following%20(real-world)%20scenario%3A%20Customer%20is%20using%20a%20SharePoint%20Online%20document%20library%20to%20store%20attachments%20for%20his%20Navision%20users.%20So%20when%20clicking%20on%20a%20link%20in%20Navision%20to%20open%20such%20an%20attachment%20(mostly%20PDF%20documents)%2C%20you%20would%20expect%20your%20PDF%20viewer%20to%20open.%20In%20the%20current%20situation%2C%20your%20browser%20opens%20asking%20for%20your%20login%20(which%20perhaps%20was%20saved%20before)%2C%20you%20confirm%20it%2C%20SSO%20happens%20and%20the%20PDF%20opens.%20After%20doing%20whatever%20with%20the%20document%2C%20the%20user%20closes%20the%20PDF%20and%20the%20browser%20window.%20After%20that%2C%20he%20clicks%20the%20next%20link%20in%20Navision%20and%20the%20same%20happens%20...%20browser%2C%20confirm%20username%2C%20SSO%2C%20PDF.%20Only%20by%20leaving%20open%20the%20browser%20(as%20a%20workaround)%2C%20the%20annoying%20clicking%20and%20waiting%20can%20be%20bypassed.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20behavior%20most%20likely%20applies%20to%20any%20SharePoint%20related%20content%20storage%20...%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBy%20using%20the%20persistent%20session%20token%2C%20a%20true%20SSO%20experience%20(as%20seen%20in%20the%20old%20version)%20could%20be%20setup%26nbsp%3B%3CSTRONG%3Eagain%3C%2FSTRONG%3E.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-162263%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-162263%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F116476%22%20target%3D%22_blank%22%3E%40Marc%20Debold%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EWe%20are%20facing%20the%20same%20problem.%20External%20users%20get%20the%20KMSI%20dialog%2C%20internal%20users%20do%20not%20(both%20after%20authentication%20against%20ADFS).%20As%20a%20result%20SharePoint%20Online%20WebDAV%20is%20not%20working%20anymore.%20Have%20you%20found%20a%20solution%20to%20this%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-162288%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-162288%22%20slang%3D%22en-US%22%3E%3CP%3EOur%20organization%20is%20experiencing%20the%20same%20problems.%20We%20use%20ADFS%20for%20authentication.%20KMSI%20dialog%20is%20shown%20externally%2C%20but%20not%20internally.%20SPO%20WebDAV%20doesn't%20work%20anymore%20and%20users%20have%20to%20choose%20their%20UPN%20every%20time%20they%20launch%20the%20browser.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-162437%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-162437%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20experiencing%20this%20issue%20as%20well.%26nbsp%3B%20Has%20there%20been%20any%20resolution%20identified%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-162606%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-162606%22%20slang%3D%22en-US%22%3E%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F75442%22%20target%3D%22_blank%22%3E%40Jeroen%20Lammens%3C%2FA%3E%20wrote%3A%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F116476%22%20target%3D%22_blank%22%3E%40Marc%20Debold%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EWe%20are%20facing%20the%20same%20problem.%20External%20users%20get%20the%20KMSI%20dialog%2C%20internal%20users%20do%20not%20(both%20after%20authentication%20against%20ADFS).%20As%20a%20result%20SharePoint%20Online%20WebDAV%20is%20not%20working%20anymore.%20Have%20you%20found%20a%20solution%20to%20this%3F%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%0A%3CP%3EWe%20have%20opened%20a%20MS%20call%20and%20we%20are%20currently%20working%20on%20it.%20Until%20now%2C%20we%20have%20made%20no%20progress%20as%20MS%20(or%20at%20least%20the%20technician%20dealing%20with%20the%20ticket)%20claims%20this%20to%20be%20the%20way%20it%20is%20intended%20to%20work.%3C%2FP%3E%0A%3CP%3EI'll%20report%20back%20as%20soon%20as%20I%20got%20news.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-162621%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-162621%22%20slang%3D%22en-US%22%3EHi%20everyone%2C%3CBR%20%2F%3E%3CBR%20%2F%3Eour%20recommendation%20to%20bypass%20the%20additional%20%22Pick%20an%20account%22%20prompt%20and%20redirect%20automatically%20to%20on-prem%20IdPs%20(eg.%20ADFS)%20for%20auth%20is%20to%20enable%20SharePoint%20auto-acceleration%3A%20%3CA%20href%3D%22https%3A%2F%2Fsupport.office.com%2Fen-us%2Farticle%2Fenable-or-disable-auto-acceleration-for-your-sharepoint-online-tenancy-74985ebf-39e1-4c59-a74a-dcdfd678ef83%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.office.com%2Fen-us%2Farticle%2Fenable-or-disable-auto-acceleration-for-your-sharepoint-online-tenancy-74985ebf-39e1-4c59-a74a-dcdfd678ef83%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EPlease%20take%20note%20of%20the%20call%20out%20on%20how%20this%20might%20not%20work%20if%20you%20have%20users%20that%20are%20external%20to%20your%20organization%20(guest%20users)%20access%20your%20SharePoint%20site.%3CBR%20%2F%3E%3CBR%20%2F%3EIf%20SharePoint%20auto-acceleration%20does%20not%20work%20for%20your%20environment%2C%20you%20can%20consider%20setting%20up%20ADFS%20to%20return%20the%20Persistent%20SSO%20claim%20with%20every%20sign%20in.%20That%20will%20cause%20Azure%20AD%20to%20drop%20a%20persistent%20token%20which%20will%20bypass%20the%20%22Pick%20an%20account%22%20screen.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-162735%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-162735%22%20slang%3D%22en-US%22%3E%3CP%3E-ERR%3AREF-NOT-FOUND-%40Kelvin%20Xia%26nbsp%3BI%20think%20the%20last%20few%20complaints%20are%20about%20the%20WebDAV%2Fmapped%20drives%20experience.%20Previously%2C%20we%20were%20able%20to%20make%20this%20persistent%20by%20making%20sure%20the%20%22LoginOptions%22%20parameter%20is%20passed%20via%20the%20smart%20links%20used.%20In%20the%20new%20experience%2C%20this%20seems%20to%20no%20longer%20be%20the%20case%2C%20thus%20the%20session%20expire%20more%20often%20and%20break%20the%20user%20experience.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-163677%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-163677%22%20slang%3D%22en-US%22%3EIndeed%2C%20the%20KMSI%20screen%20does%20not%20show%20up%20after%20authentication%20against%20ADFS%20for%20our%20internal%20users.%20As%20a%20result%2C%20WebDAV%2Fmapped%20drives%20are%20just%20not%20working%20anymore.%20%3CBR%20%2F%3E%3CBR%20%2F%3EWhile%20I%20can%20understand%20this%20is%20legacy%20tech%2C%20it%20should%20still%20be%20supported%20until%20a%20replacement%20solution%20is%20delivered.%20I'm%20thinking%20along%20the%20lines%20of%20the%20OneDrive%20files-on-demand%20with%20the%20possibility%20to%20keep%20the%20synced%20files%20only%20in%20the%20cloud%20and%20not%20have%20them%20synced%20locally%20whenever%20one%20is%20opened%20(we%20don't%20have%20the%20storage%20for%20this%20%2F%20don't%20want%20to%20support%20this%20scenario).%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-164002%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-164002%22%20slang%3D%22en-US%22%3ETo%20support%20SharePoint%20mapped%20drives%20with%20ADFS%2C%20we%20recommend%20setting%20up%20PSSO%20which%20will%20result%20in%20the%20same%20logic%20as%20a%20user%20manually%20checking%20the%20old%20KMSI%20checkbox.%3CBR%20%2F%3E-ERR%3AREF-NOT-FOUND-%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fidentity%2Fad-fs%2Foperations%2Fad-fs-single-sign-on-settings%23enable-psso-for-office-365-users-to-access-sharepoint-online%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fidentity%2Fad-fs%2Foperations%2Fad-fs-single-sign-on-settings%23enable-psso-for-office-365-users-to-access-sharepoint-online%3C%2FA%3E%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-164006%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-164006%22%20slang%3D%22en-US%22%3EHi%20Marc%2C%3CBR%20%2F%3E%3CBR%20%2F%3EIs%20the%20screen%20where%20your%20user%20has%20to%20click%20on%20a%20username%20the%20%22Pick%20an%20account%22%20screen%3F%3CBR%20%2F%3E%3CBR%20%2F%3EI%20believe%20that%20what%20you're%20seeing%20is%20caused%20by%20a%20different%20change%20in%20our%20code.%20Can%20you%20please%20send%20me%20a%20Fiddler%20trace%20of%20a%20user%20running%20through%20the%20scenario%20you%20mentioned%20and%20seeing%20the%20%22Pick%20an%20account%22%20prompt%3F%20Please%20DM%20me%20the%20trace%20so%20we%20can%20look%20into%20it.%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3EThanks%2C%3CBR%20%2F%3EKelvin%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-165097%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-165097%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B-ERR%3AREF-NOT-FOUND-%40Daniel%20Billington%26nbsp%3B-%20we%20have%20exactly%20this%20issue%20since%20we%20enabled%20Azure%20MFA.%20Did%20you%20find%20any%20solution%20yet%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E-ERR%3AREF-NOT-FOUND-%40Kelvin%20Xia%26nbsp%3Bthis%20is%20really%20a%20big%20annoyance%20for%20anyone%20using%20Seamless%20SSO%20and%20MFA.%20The%20KMSI%20dialogue%20does%20not%20show%20up%20if%20Seamless%20SSO%20ist%20enabled%2C%20which%20results%20in%20repeated%20MFA%20requests%20every%20time%26nbsp%3Bthe%20browser%20is%20restarted.%26nbsp%3BOnce%20we%20disable%20Seamless%20SSO%20on%20the%20client%20side%20(Browser%20Intranet%20Zone)%2C%20users%26nbsp%3Bsee%20the%20KMSI%20and%20are%20able%20to%20stay%20signed%20in...%20no%20unnecessary%20MFA%20requests%20anymore.%20We%20still%20want%20to%20use%20both%3A%20Seamless%20SSO%20and%20MFA%2C%20but%20at%20the%20current%20state%20this%20is%20not%20possible.%26nbsp%3BWhats%20the%20best%20practice%20if%20we%20want%20to%20combine%20both%20methods%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EEDIT%3A%20we%20are%20not%20using%20AD%20FS%2C%20instead%20we%20are%20relying%20on%20Azure%20AD%20Connect.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-165209%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-165209%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Kelvin%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhat%20is%20the%20recommendation%20where%20SPO%20acceleration%20is%20not%20an%20option%20e.g.%20due%20to%20large%20numbers%20of%20heavily%20utilised%20externally%20shared%20sites.%20In%20this%20scenario%20internal%20users%20will%20still%20get%20the%20%22username%22%20prompt%20(required%20to%20support%20the%20external%20users%20authentication%20flow%20to%20their%20IDP).%20Presumably%20as%20there%20is%20a%20%22flag%22%20set%20on%20the%20site%20to%20say%20it%20is%20externally%20shared%20and%20therefore%20should%20not%20support%20honour%20the%20accelerated%20redirect%20to%20ADFS.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAnd%20in%20addition%20where%20persistent%20SSO%20is%20not%20an%20option%20due%20to%20the%20security%20risks%20e.g.%20Persistent%20cookie%20coupled%20with%20insidecorporatenetwork%20claims%20result%20in%20users%20being%20issued%20a%20persistent%20cookie%20that%20can%20then%20be%20used%20when%20they%20travel%20off%20the%20corporate%20network.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIdeally%20it%20would%26nbsp%3Bseem%20better%20and%20easier%20if%20the%20accelerated%20feature%20differentiated%20between%20the%20corporate%20users%20(based%20on%20UPN%20suffix%3F%3F)%20%26nbsp%3Band%20redirected%20the%20authentication%20to%20ADFS%20but%20allowed%20the%20redirection%20to%20the%20login.microsoftonline.com%20for%20the%20external%20users.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAny%20pointers%20on%20a%20supported%20solution%20or%20indication%20on%20when%20a%20fix%20for%20externally%20shared%20sites%20might%20become%20available%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-165271%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-165271%22%20slang%3D%22en-US%22%3E%3CBLOCKQUOTE%3E%3CHR%20%2F%3E-ERR%3AREF-NOT-FOUND-%40Kelvin%20Xia%20wrote%3A%3CBR%20%2F%3EHi%20Marc%2C%3CBR%20%2F%3E%3CBR%20%2F%3EIs%20the%20screen%20where%20your%20user%20has%20to%20click%20on%20a%20username%20the%20%22Pick%20an%20account%22%20screen%3F%3CBR%20%2F%3E%3CBR%20%2F%3EI%20believe%20that%20what%20you're%20seeing%20is%20caused%20by%20a%20different%20change%20in%20our%20code.%20Can%20you%20please%20send%20me%20a%20Fiddler%20trace%20of%20a%20user%20running%20through%20the%20scenario%20you%20mentioned%20and%20seeing%20the%20%22Pick%20an%20account%22%20prompt%3F%20Please%20DM%20me%20the%20trace%20so%20we%20can%20look%20into%20it.%3CBR%20%2F%3E%3CBR%20%2F%3EThanks%2C%3CBR%20%2F%3EKelvin%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%0A%3CP%3EHi%20Kelvin%2C%3C%2FP%3E%0A%3CP%3Eyes%2C%20it%20is%20the%20%22Pick%20an%20account%22%20screen%2C%20that%20is%20displayed.%20I'll%20send%20the%20trace%20asap.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMarc%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-165285%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-165285%22%20slang%3D%22en-US%22%3E%3CBLOCKQUOTE%3E%3CHR%20%2F%3E-ERR%3AREF-NOT-FOUND-%40Kelvin%20Xia%20wrote%3A%3CBR%20%2F%3ETo%20support%20SharePoint%20mapped%20drives%20with%20ADFS%2C%20we%20recommend%20setting%20up%20PSSO%20which%20will%20result%20in%20the%20same%20logic%20as%20a%20user%20manually%20checking%20the%20old%20KMSI%20checkbox.%3CBR%20%2F%3E-ERR%3AREF-NOT-FOUND-%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fidentity%2Fad-fs%2Foperations%2Fad-fs-single-sign-on-settings%23enable-psso-for-office-365-users-to-access-sharepoint-online%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fidentity%2Fad-fs%2Foperations%2Fad-fs-single-sign-on-settings%23enable-psso-for-office-365-users-to-access-sharepoint-online%3C%2FA%3E%3CBR%20%2F%3E%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%0A%3CP%3EThat%20claim%20did%20not%20work%20for%20me%20and%20my%20customers%20(tried%20it%20with%20two%20different%20setups)%2C%20but%20MS%20support%20supplied%20the%20following%20claim%20rule%2C%20that%20works%20just%20perfectly%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3Ec%3A%5BType%20%3D%3D%20%22http%3A%2F%2Fschemas.microsoft.com%2Fws%2F2012%2F01%2Finsidecorporatenetwork%22%5D%0A%20%3D%26gt%3B%20issue(Type%20%3D%20%22http%3A%2F%2Fschemas.microsoft.com%2F2014%2F03%2Fpsso%22%2C%20Issuer%20%3D%20c.Issuer%2C%20OriginalIssuer%20%3D%20c.OriginalIssuer%2C%20Value%20%3D%20c.Value%2C%20ValueType%20%3D%20c.ValueType)%3B%0A%3C%2FPRE%3E%0A%3CP%3EUsing%20this%20rule%20gets%20rid%20of%20the%20username%20prompt%20%22Pick%20an%20account%22.%20For%20my%20customer%26nbsp%3B%3CSTRONG%3Ethat%20is%20the%20solution%20to%20the%20problem%3C%2FSTRONG%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E-ERR%3AREF-NOT-FOUND-%40Kelvin%20Xia%3A%20I'd%20be%20pleased%20to%20keep%20on%20working%20on%20the%20%22Pick%20an%20account%22%20prompt%20to%20get%20it%20working%20as%20designed.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-165441%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-165441%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20new%20rule%20has%20worked%20for%20us%20so%20far!%20Thanks.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-165511%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-165511%22%20slang%3D%22en-US%22%3EHi%20Andy%2C%20a%20quick%20clarification%20-%20are%20you%20reporting%20that%20the%20%22Pick%20an%20account%22%20screen%20is%20showing%20up%20for%20you%20now%20but%20it%20didn't%20before%3F%20If%20so%2C%20can%20when%20did%20it%20start%20showing%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-165627%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-165627%22%20slang%3D%22en-US%22%3EHi%20Kelvin%2C%3CBR%20%2F%3E%3CBR%20%2F%3EYes%20the%20pick%20account%20screen%20is%20appearing%20this%20started%20showing%20in%20the%20last%202%20weeks%20or%20so%20according%20to%20the%20users.%20The%20main%20issue%20is%20this%20appears%20each%20time%20an%20office%202010%20user%20opens%20an%20office%20document%20from%20SPO.%20A%20workaround%20is%20to%20visit%20the%20old%20login%20page%20and%20check%20the%20KMSI%20option%20but%20this%20is%20far%20from%20ideal.%20When%20opening%20a%20document%20the%20pick%20an%20account%20screen%20appears%2C%20if%20users%20click%20the%20page%20they%20are%20authenticated%20to%20ADFS%20and%20the%20document%20opens%2C%20but%20this%20occurs%20each%20time%20a%20document%20is%20opened.%20There%20is%20no%20issue%20with%20office%202016%20but%20we%20have%20thousands%20of%20office%202010%20users%20who%20are%20not%20updated%20to%202016%20yet.%3CBR%20%2F%3E%3CBR%20%2F%3EThanks%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-165891%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-165891%22%20slang%3D%22en-US%22%3EOne%20more%20question%20-%20With%20the%20old%20login%20page%2C%20if%20your%20users%20did%20*not*%20check%20the%20KMSI%20option%2C%20were%20they%20also%20prompted%20to%20click%20on%20their%20username%20each%20time%3F%20Did%20you%20train%20all%20your%20users%20to%20always%20check%20the%20KMSI%20option%20on%20the%20old%20login%20experience%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-166166%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-166166%22%20slang%3D%22en-US%22%3E%3CBLOCKQUOTE%3E%3CHR%20%2F%3E-ERR%3AREF-NOT-FOUND-%40Jeroen%20Lammens%20wrote%3A%3CBR%20%2F%3E-ERR%3AREF-NOT-FOUND-%40Marc%20Debold%3CBR%20%2F%3E%3CBR%20%2F%3EWe%20are%20facing%20the%20same%20problem.%20External%20users%20get%20the%20KMSI%20dialog%2C%20internal%20users%20do%20not%20(both%20after%20authentication%20against%20ADFS).%20As%20a%20result%20SharePoint%20Online%20WebDAV%20is%20not%20working%20anymore.%20Have%20you%20found%20a%20solution%20to%20this%3F%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%0A%3CP%3ERight%2C%20and%20I%20found%20a%20solution%20(together%20with%20MS%20support).%20Use%20the%20claim%20rule%20provided%20in%20-ERR%3AREF-NOT-FOUND-this%20answer%2C%20that%20worked%20for%20me%20very%20well.%20Still%20I%20cannot%20say%2C%20if%20that%20helps%20with%20your%20WebDAV%20problem.%20But%20would%20be%20worth%20a%20try%2C%20as%20it%20doesn't%20break%20anything.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-166740%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-166740%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Kelvin%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20didn't%20%22train%22%20the%20users%20directly%2C%20they%20just%20found%20that%20by%20clicking%20the%20KMSI%20check%20box%20they%20needed%20to%20log%20in%20less%20so%20they%20just%20did%20it.%20Even%20with%20the%20new%20experience%20whilst%20the%20option%20was%20available%20to%20revert%20to%20the%20old%20experience%20they%20did%20that.%20Now%20that%20option%20has%20disappeared%20they%20cannot%20do%20it%20(without%20visiting%20the%20old%20portal%20directly).%20The%20users%20are%20indicating%20that%20the%20Office%202010%26nbsp%3BHRD%20popup%26nbsp%3Bonly%20started%20occurring%20recently%20but%20they%20cannot%20be%20100%25%20sure%2C%26nbsp%3Bas%20it%20may%20have%20been%20occurring%20since%20the%20new%26nbsp%3Bsignin%20experience%20rollout%26nbsp%3Bbut%20probably%20they%20have%20noticed%20more%20as%20they%20can%20no%20longer%20can%20set%20the%20KMSI%20option%20to%20supress%20it.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-166997%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-166997%22%20slang%3D%22en-US%22%3EHi%20Marco%2C%3CBR%20%2F%3E%3CBR%20%2F%3Esorry%20for%20the%20delay.%20I%20had%20to%20sync%20with%20the%20Seamless%20SSO%20team%20to%20understand%20what's%20going%20on.%3CBR%20%2F%3E%3CBR%20%2F%3EThe%20correct%20way%20to%20ensure%20the%20user%20isn't%20always%20prompted%20with%20MFA%20when%20Seamless%20SSO%20is%20set%20up%20is%20for%20the%20user%20to%20check%20the%20%22Don't%20ask%20me%20again%20for%20%3CX%3E%20days%22%20checkbox%20on%20the%20MFA%20screen.%20This%20suppresses%20MFA%20for%20the%20duration%20called%20out.%20Note%20that%20%3CX%3E%20can%20be%20configured%20on%20MFA.%3CBR%20%2F%3E%3C%2FX%3E%3C%2FX%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-167106%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-167106%22%20slang%3D%22en-US%22%3EHi%20Marc%2C%20We're%20trying%20it%20out.%20Many%20thanks!%3C%2FLINGO-BODY%3E
Highlighted
Community Manager

We're excited to announce that the general availability rollout of the new Azure AD sign-in and “Keep me signed in” experiences has started! These experiences should reach all users globally by the end of the week. Users who go to our sign-in page will start to see the new experiences by default, but a link allowing users to go back to the old experiences will be available until early December to give you some extra time to make the transition.

 

We'd like to take this opportunity to acknowledge the delays we have had with these features and thank you all for your patience. When we released these experiences in preview, we received a lot of great feedback from you and it was pretty clear we needed to take a little extra time to ensure the new experiences worked well with all the scenarios Azure AD sign-in is used for.

 

Slide1.PNG

 

Read about it in the Enterprise Mobility & Security blog.

121 Replies
Highlighted
Hi Matt, we have a best-effort algorithm that prevents the new "Stay signed in" dialog from showing if we detect that the login is happening on a shared machine.

It essentially looks to see if a different account than what is currently being used to login was used on the machine in the last 3 days. If so, we won't show the dialog. We also use our adaptive protection logic to hide the dialog if we detect that the login is risky. Note that this logic is subject to change as we iterate on the logic to increase confidence that we only show this dialog on personal devices.
Highlighted

That makes me feel better.

 

May I suggest stating that in more places?  Like the announcements, relevant blog posts, or other places that admins will see before they start to flip out?

Highlighted

@Kelvin I see your point, but if we had proper documentation on what's supported and not and how the different flow works, I'm sure that would decrease the number of escalations :)

 

Smart links are still required for true, seamless SSO experience in some cases, and there is definitely demand for such from the enterprise customers. If you can publish some guidelines and recommendations, I think it will benefit all sides.

 

Anyway, I'll stop with the offtopic :)

Highlighted
Highlighted

Hi,

while I do see some benefit on the KMSI feature for regular users, I would prefer to have privileged admin accounts be prompted for MFA Login in their browser profiles every time.

 

How can I achieve this without turning the feature off for everyone?

 

Regards,

Karsten

Highlighted

Hi, 

Many of our users have set a site, library or folder as favorites in File Explorer which connects through webdav(?) to SharePoint. As we are using SSO, users don't get the option 'keep me signed in' anymore. This causes a permission denied when opening the folder or library in file explorer -> no cookie is saved. Is there a workaround to have the cookie or 'Keep me signed in' back? 

 

Thanks

Bernd

Highlighted

We had Microsoft turn ours off at the tenant level until a better plan could be put in place.  The problem with Company branding is: 1.) It's a global setting 2.) It can affect Sharepoint Online users and Office 2010 users (and we had just moved over 30K sharepoint sites to Sharepoint Online, so I didn't want to interrupt their experience for my experience with Power BI to work, 3.) Even as a global admin, we could not delete the company branding. The delete button would not highlight and we verified our permissions.  We could turn it on or off for KMSI, but we could not delete company branding 4.) We found the KMSI box "Don't ask me again doesn't work" either.  It only stays for the session, so to the user they think they should never have to see it again. 5.) We were told we could add a parameter to the Web app to turn this off in the code, so we are pursuing this now as our permanent solution, but for now our customers can function again with KMSI.

Highlighted
Hi Bernd,

how did "Keep me signed in" work for your users before? If you had SSO turned on they wouldn't have seen the login screen nor the "Keep me signed in" checkbox in the old experience.
Highlighted

@Bernd Verhofstadt Just curious, are you using smart links and passing the LoginOptions parameter?

 

@Kelvin, that's one of the use cases I warned you about - mapped drives rely on this functionality, and the LoginOptions parameter was a nice and easy way to handle this in federated setups.

Highlighted
The KMSI setting in Company Branding doesn't allow that. You might want to look up Conditional Access which might get you what you want.
Highlighted

Hi @Kelvin Xia,

I did some additional tests on the SSO experience. When I delete my cookies and open a mapped sharepoint webdav connection I cannot load it which is expected (cookie is removed). When I open the sharepoint tenant url I get logged in through SSO and most of the time the magical cookie is created. When the cookie is created I'm able to open the webdav connection. For other users (same permission etc) they get a sign in screen where they need to enter there username. then they are redirected to the homepage but they are not able to open the webdav connection.

@Eddy Verbeemen please correct me if I'm wrong :) 

@Vasil Michev few years ago we used the smartlinks to enforce the 'keep me signed in'. At a certain moment this was not longer working and we went back to the default login where we could choose to 'keep me signed in'.
It seems that there is a different between SSO where a prompt is shown for a username and no prompt is shown...
Cheers
Bernd

Highlighted

Am I the only one not seeing the KMSI at all now? Cloud account, no federation. I tried deleting cookies, private sessions and different browsers, I don't ever see KMSI now. I thought the changes are supposed to only effect federated scenarios?

Highlighted

 

We are seeing unexpected behavior when we choose "don't show me this again" and click No.

 

Every time we login again it gives the prompt again.


Shouldn't "don't show me..." respect a yes or no answer and go away?

Highlighted
Does anyone has issues with "Stay Signed-in" prompt that shows after successful authentication with ADFS? Our tenant is not presenting the prompt (as described here https://cloudblogs.microsoft.com/enterprisemobility/2017/09/19/fewer-login-prompts-the-new-keep-me-s... )as it did couple of weeks ago. The option to keep the user signed in has been enabled in our Company Branding settings. Any thoughts?
Highlighted
Sorry about that. We pushed out a fix for that mid-last week. It should work now.
Highlighted
Is your ADFS set up to send the PSSO claim, or do you have Windows SSO set up? If it is, we're automatically dropping the persistent auth cookie (which the "Stay signed-in" prompt does when the user selects "Yes"). We have a few bugs a few weeks ago when we did not do that, which could explain the difference in behavior you're seeing now vs then.
Highlighted
Hi Kelvin, thank you for quick response. Its still the issue for us. Should we perform any steps to speed up the change to our tenant?
Highlighted
Hi Bernd,

sorry for the delay in replying here. Can you please DM me so I can get more details from you? Thanks.
The fix is rolled out already. To clarify what I was saying, if your ADFS is set to pass the PSSO claim, we will not show the prompt.
Highlighted

Thanks for that detail Kelvin. But I need to request yet another documentation update here - the only place I've seen the PSSO claim detailed so far is the claims rules added by AAD Connect. As some organizations might not be using AAD Connect (or at least not managing the AD FS farm with it), can you please post a detailed article on how the claim should look like and so on?