Microsoft Tech Community

The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

Community Manager

We're excited to announce that the general availability rollout of the new Azure AD sign-in and “Keep me signed in” experiences has started! These experiences should reach all users globally by the end of the week. Users who go to our sign-in page will start to see the new experiences by default, but a link allowing users to go back to the old experiences will be available until early December to give you some extra time to make the transition.

 

We'd like to take this opportunity to acknowledge the delays we have had with these features and thank you all for your patience. When we released these experiences in preview, we received a lot of great feedback from you and it was pretty clear we needed to take a little extra time to ensure the new experiences worked well with all the scenarios Azure AD sign-in is used for.

 

[Image: Slide1.PNG]

 

Read about it in the Enterprise Mobility & Security blog.

Hi Joe,

can you please clarify what you're trying to achieve? Is this an issue that has occurred with the new sign-in experience or is this just new functionality you want enabled?
Hi Unnie, you can configure ADFS to pass the Persistent SSO (PSSO) claim so that Azure AD will automatically drop persistent cookies. That should get you what you need. You can find more information about PSSO here: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-single-sign-on-setti...
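As an added example (not code from the thread or from Microsoft's documentation), this is how the PSSO claim rule referred to above could be added with the AD FS PowerShell cmdlets on AD FS for Windows Server 2012 R2 or later. It assumes the Azure AD relying party trust is named "Microsoft Office 365 Identity Platform" and that the claim type Azure AD expects is http://schemas.microsoft.com/2014/03/psso; both should be verified against the linked AD FS single sign-on settings article before use. As noted later in the thread, AD FS 2.0 on Windows Server 2008 R2 does not support this claim.

```powershell
# Added example, not from the original post. Assumptions (verify in your farm):
#  - the Azure AD / Office 365 relying party trust is named as below
#  - the PSSO claim type is http://schemas.microsoft.com/2014/03/psso
$rpName = "Microsoft Office 365 Identity Platform"

# Turn on persistent SSO farm-wide; lifetime is in minutes (7 days here).
Set-AdfsProperties -EnablePersistentSso $true -PersistentSsoLifetimeMins 10080

# Read the existing issuance transform rules so the new rule is appended,
# not written over the rules that already issue UPN/ImmutableID etc.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$existingRules = $rp.IssuanceTransformRules

# Pass-through rule: forward the PSSO claim AD FS produced for the session
# (set when the user accepted persistent SSO at the AD FS sign-in page).
$pssoRule = @'
@RuleName = "Pass through PSSO claim to Azure AD"
c:[Type == "http://schemas.microsoft.com/2014/03/psso"]
 => issue(claim = c);
'@

# Only append if no PSSO rule is present yet, so the script is safe to re-run.
if ($existingRules -notmatch "2014/03/psso") {
    $newRules = $existingRules + "`r`n" + $pssoRule
    Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $newRules
}

# Check the result: the PSSO rule should now be listed with the other rules.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

Run from an elevated PowerShell session on a federation server. After the change, a user who accepts persistent sign-in at AD FS should receive a persistent cookie from Azure AD without the "Stay signed in?" prompt; a Fiddler trace of the sign-in is the quickest way to confirm the claim is actually being sent.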

Hi,

At one of my customers I have exactly the same problem as Srikanth Komirishetty. Every time the browser is closed and reopened, the account picker window is shown.

Hi Johannes, can you please private message me your email address and I'll reach out to you to get more information.

Hi @Vasil Michev, Thank you for the response. The old sign in page has "keep me signed in" check box that helps the user not be prompted to pick account or see login prompt the next time they re-launch the browser and access SharePoint site. The new UI has no such option any more.

 

The new ADFS version on Windows 2012 seems to have an option to create custom claim rules to issue PSSO claims that avoids "pick an account" prompt as shared by @Kelvin Xia.

 

As you recommended, I researched and I was able to create a smart link which does the same job as the "keep me signed in" check box. The user has to browse this link once; interestingly it won't even prompt for the UPN (password not required as we are SSO), and the process sets the persistent cookie on the machine and he/she never needs to pick an account going forward.

 

The question I have now is: our organization would like to enable PSSO but we are on ADFS 2.0 and Windows 2008 R2. The article at this link describes how to configure ADFS to issue PSSO claims, but I am not sure if this applies to Windows 2008 R2.

I don't think so, it will most likely not recognize the claim.

We use SAML SSO with several vendors using ADFS as our IdP. Our ADFS server is under a different domain so we have a Claims Provider Trust set up with our AAD. We have an issue with the new sign-in experience. When a user initially signs in they get presented with the "Stay signed in?" prompt. If they say Yes a persistent cookie is set and things work like they should. However, if they were to go back to the IdP-initiated sign-on page and log out for whatever reason, when they go to sign in again they won't get the "Stay signed in?" prompt, so it just sets a session cookie that is terminated if they close their browser. If they choose to go back to the old sign-in experience the "Keep me signed in" checkbox will be there so they once again can set a persistent cookie. Is this a known issue? Is there a fix for this?

Hi Andy, yes, this is a known issue where if the user first says "Yes" to the prompt, then explicitly signs out, they would not see the prompt again on subsequent sign-ins for 3 days.

This is something we're looking into fixing.

We utilise WebDAV to map SharePoint Online drives for all of our 365 clients, and the new sign-in has a critical flaw. After the initial sign-in using IE the option to stay signed in is not presented, meaning that the mapped WebDAV drives do not reconnect. Returning to the old sign-in and ticking "Keep me signed in" still works fine, however. If we log in to an InPrivate browser the stay signed in option returns; however this is no good to us as it will not map a drive this way. Resetting IE also returns the stay signed in prompt, however again this disappears after the initial sign-in.

We're also not seeing it after the initial sign in, meaning that mapped drives no longer work. Very unhelpful.
Hi Greg, we just checked in a tweak to the prompt logic that should make the prompt show up a lot more consistently. Please look for it to release in a week or so.

I have Office 365 MFA enabled. When the "Keep me signed in" experience rolled out in December I saw it. I clicked on Keep me signed in and did not require authentication when I logged into Office 365 from any browser.

 

At some point in early January, I believe this changed. Now when I log in I get taken straight to my organization's login page, enter my credentials and I'm in. I have to log into Office 365 from my browser every day. The experience is the same across all my devices. I have not seen the "Keep me signed in" feature since.

 

Help please?!

 

 

Try clearing browser cookies and signing in again. Let me know if you see the "Keep me signed in" prompt then.

Hi Kelvin,

 

This did not work. I get taken to my organization's SSO page, get prompted for the MFA accept prompt and then go straight to Office 365.

When you say "accept prompt" what prompt do you refer to?

I mean accept the push notification to my smartphone from MFA.

Hi Kelvin,

 

I would really appreciate some insight into this issue, we'd really like to communicate to our users about this change.

Can you please send me a fiddler trace of your login via private message?

Can you please send me instructions on how to run the Fiddler trace.

Please send me a private message with your email address and I'll send instructions via email. It'll be a lot easier that way.