The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

We're excited to announce that the general availability rollout of the new Azure AD sign-in (https://cloudblogs.microsoft.com/enterprisemobility/2017/08/02/the-new-azure-ad-signin-experience-is-now-in-public-preview/) and “Keep me signed in” (https://cloudblogs.microsoft.com/enterprisemobility/2017/09/19/fewer-login-prompts-the-new-keep-me-signed-in-experience-for-azure-ad-is-in-preview/) experiences has started! These experiences should reach all users globally by the end of the week. Users who go to our sign-in page will start to see the new experiences by default, but a link allowing users to go back to the old experiences will be available until early December to give you some extra time to make the transition.

We'd like to take this opportunity to acknowledge the delays we have had with these features and thank you all for your patience. When we released these experiences in preview, we received a lot of great feedback from you and it was pretty clear we needed to take a little extra time to ensure the new experiences worked well with all the scenarios Azure AD sign-in is used for.

Read about it in the Enterprise Mobility & Security blog (https://cloudblogs.microsoft.com/enterprisemobility/2017/11/15/the-new-azure-ad-sign-in-and-keep-me-signed-in-experiences-rolling-out-now/).

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

@HarishMenda

To make the psso claim work with my non-ADFS IdP, I had to add a claim named psso with name format http://schemas.microsoft.com/2014/03, and set it to a value of "yes".

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

What is the parameter you added, to make this change at tenant app level rather than global company branding level?

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

@Michael Kostuch

Did you get a permanent solution for this?

And could you please let us know the steps to get this change done at tenant app level from Microsoft.

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

@Michael Kostuch

Did you get any permanent solution for this? Meanwhile could you please explain the process of turning this off at tenant app level.

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

> @Daniel Park wrote:
> @Marc Debold does this new claim rule replace both the insidecorporatenetwork claim and the psso claim or is it in addition to them?

I can't really remember (should have blogged it, darn!), but I suppose, it was a replacement, as it issues the PSSO when inside network condition is met.

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

@Marc Debold does this new claim rule replace both the insidecorporatenetwork claim and the psso claim or is it in addition to them?

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

Sorry I'm a little late to the party, but I just didn't have time back when the thread started and I kind of forgot about it. But now that I've read through all the 3 pages I'm chiming in with my issues:
Our SSO with Chrome and IE worked fine somewhere last year. Probably due to these changes it stopped working flawlessly, but not completely.
My setup consisted of configured Trusted Zones, ADFS on 2012R2 (I remember doing something to get this working for Chrome on ADFS 2 years ago), MFA exemption for onPrem IP Range, AAD-Connect and some URL tricks, like using the WHR parameter (https://login.microsoftonline.com/?whr=mycustomdomain.com)

Then it stopped working flawlessly, and degraded to having to click the pre-populated UPN and getting automatically signed in again after every browser closure.

I believe to have improved the experience, by dropping the WHR parameter, after which the users only had to click the pre-populated UPN about once a day.
This is also my current status, as far as I remember. I've noticed that when I leave my computer running over night (no standby) and return in the morning, I'm signed out of office.com or other pages. There is a sign in button on that office.com sign out portal and when I click it, I'm automatically signed in again after a few redirects without further input. A negative side effect of all this is, that on the first browser open any additional Sharepoint sites are not opened automatically, since the first site hasn't fully authenticated yet.

SSO seems to work with no issues on my home computer (Mac/Safari) where I get all the KMSI and MFA prompts and I stay signed for multiple weeks.

By reading through everything here I'll start digging into the ADFS configuration (and this article https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-single-sign-on-settings), but I'll appreciate any shortcuts you guys have to offer :)

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

From your description, it doesn't sound like PSSO is set up correctly, or it could be due to an interaction with some external site settings (as you pointed out).

I'm not familiar with how SharePoint handles internal vs external sites. I would recommend that you contact Office 365 or SharePoint support to help you with that. They would be the best resource to help you here.

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

Hi Kelvin,

Following on from my former posts it seems now that the biggest issue now is the number of times internal users are prompted for authentication whilst accessing a site within our tenant that is shared externally.

On sites that are not shared externally the experience is that you can access a site, authenticate and then close and reopen the browser several times without being authenticated again. (no KMSI option it just works)

But for sites that are shared externally every time the browser is closed the user needs to choose the "account pick" screen when re-accessing the site.

So two questions:

1. Are the settings handled differently for externally shared sites rather than sites with only internal user access?

2. Is there another option other than enabling PSSO (if this even works) as we have security concerns about issuing a PSSO token..

Thanks

Andy

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

To be accurate: Sending the PSSO claim will suppress the KMSI prompt (since it's not needed as PSSO essentially says "Yes" to that question), and drops a persistent Azure AD token in your browser. SPO will use that persistent token.

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

To make sure I understand, sending the PSSO claim should suppress the "Keep Me Logged In" question from SharePoint Online and drop the persistent SPO cookies in my browser automatically, correct? MS Support seems stymied for the moment on this one.

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

Azure AD does respect the PSSO claim even when it comes from a source besides ADFS. So, it should work in your case. I would recommend that you contact Microsoft support to take a look at what's going on.

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

I'm having a slightly different issue. We don't use ADFS for our IdP, (we use PingFederate instead), and I've configured it to pass "true" for both the psso and insidecorporatenetwork claims when a user authenticates through our SSO. While I can see the SamlAttributes appear in the conversation with Azure, it doesn't seem to affect anything: I still get prompted for "keep me signed in" if I clear my cookies first, and no persistent cookies are ever dropped on my computer. Does Microsoft have any guidance for those of us not using ADFS but still wanting those persistent cookies placed? We also have users that claim the KMSI prompt never appears, so having the SSO system do it for them is ideal.

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

Setting up this option seems to have resolved our issues. To be confirmed over the next week, but initial testing on premise, with Seamless SSO enabled, on W10 in Chrome, Firefox, IE and Edge looks positive.

If anyone needs the instructions to enable "Allow users to remember multi-factor authentication on devices they trust" they are here: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-whats-next#remember-multi-factor-authentication-for-trusted-devices.

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

Hi Marc, We're trying it out. Many thanks!

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

Hi Marco,

sorry for the delay. I had to sync with the Seamless SSO team to understand what's going on.

The correct way to ensure the user isn't always prompted with MFA when Seamless SSO is set up is for the user to check the "Don't ask me again for <X> days" checkbox on the MFA screen. This suppresses MFA for the duration called out. Note that <X> can be configured on MFA.

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

Hi Kelvin,

We didn't "train" the users directly, they just found that by clicking the KMSI check box they needed to log in less so they just did it. Even with the new experience whilst the option was available to revert to the old experience they did that. Now that option has disappeared they cannot do it (without visiting the old portal directly). The users are indicating that the Office 2010 HRD popup only started occurring recently but they cannot be 100% sure, as it may have been occurring since the new signin experience rollout but probably they have noticed more as they can no longer set the KMSI option to suppress it.

Thanks

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

> @Jeroen Lammens wrote:
> @Marc Debold
>
> We are facing the same problem. External users get the KMSI dialog, internal users do not (both after authentication against ADFS). As a result SharePoint Online WebDAV is not working anymore. Have you found a solution to this?

Right, and I found a solution (together with MS support). Use the claim rule provided in this answer (https://techcommunity.microsoft.com/t5/Azure-Active-Directory/The-new-Azure-AD-sign-in-and-Keep-me-signed-in-experiences/m-p/165285/highlight/true#M1386), that worked for me very well. Still I cannot say, if that helps with your WebDAV problem. But would be worth a try, as it doesn't break anything.

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

One more question - With the old login page, if your users did *not* check the KMSI option, were they also prompted to click on their username each time? Did you train all your users to always check the KMSI option on the old login experience?

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

Hi Kelvin,

Yes, the pick account screen is appearing; this started showing in the last 2 weeks or so according to the users. The main issue is this appears each time an office 2010 user opens an office document from SPO. A workaround is to visit the old login page and check the KMSI option but this is far from ideal. When opening a document the pick an account screen appears, if users click the page they are authenticated to ADFS and the document opens, but this occurs each time a document is opened. There is no issue with office 2016 but we have thousands of office 2010 users who are not updated to 2016 yet.

Thanks

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

Hi Andy, a quick clarification - are you reporting that the "Pick an account" screen is showing up for you now but it didn't before? If so, when did it start showing?

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

This new rule has worked for us so far! Thanks.

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

> @Kelvin Xia wrote:
> To support SharePoint mapped drives with ADFS, we recommend setting up PSSO which will result in the same logic as a user manually checking the old KMSI checkbox.
> https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-single-sign-on-settings#enable-psso-for-office-365-users-to-access-sharepoint-online

That claim did not work for me and my customers (tried it with two different setups), but MS support supplied the following claim rule, that works just perfectly:

    c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"]
     => issue(Type = "http://schemas.microsoft.com/2014/03/psso", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

Using this rule gets rid of the username prompt "Pick an account". For my customer that is the solution to the problem.

@Kelvin Xia: I'd be pleased to keep on working on the "Pick an account" prompt to get it working as designed.

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

> @Kelvin Xia wrote:
> Hi Marc,
>
> Is the screen where your user has to click on a username the "Pick an account" screen?
>
> I believe that what you're seeing is caused by a different change in our code. Can you please send me a Fiddler trace of a user running through the scenario you mentioned and seeing the "Pick an account" prompt? Please DM me the trace so we can look into it.
>
> Thanks,
> Kelvin

Hi Kelvin,

yes, it is the "Pick an account" screen, that is displayed. I'll send the trace asap.

Marc

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

Hi Kelvin,

What is the recommendation where SPO acceleration is not an option e.g. due to large numbers of heavily utilised externally shared sites. In this scenario internal users will still get the "username" prompt (required to support the external users authentication flow to their IDP). Presumably as there is a "flag" set on the site to say it is externally shared and therefore should not support honour the accelerated redirect to ADFS.

And in addition where persistent SSO is not an option due to the
0security%20risks%20e.g.%20Persistent%20cookie%20coupled%20with%20insidecorporatenetwork%20claims%20result%20in%20users%20being%20issued%20a%20persistent%20cookie%20that%20can%20then%20be%20used%20when%20they%20travel%20off%20the%20corporate%20network.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIdeally%20it%20would%26nbsp%3Bseem%20better%20and%20easier%20if%20the%20accelerated%20feature%20differentiated%20between%20the%20corporate%20users%20(based%20on%20UPN%20suffix%3F%3F)%20%26nbsp%3Band%20redirected%20the%20authentication%20to%20ADFS%20but%20allowed%20the%20redirection%20to%20the%20login.microsoftonline.com%20for%20the%20external%20users.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAny%20pointers%20on%20a%20supported%20solution%20or%20indication%20on%20when%20a%20fix%20for%20externally%20shared%20sites%20might%20become%20available%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-165097%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-165097%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F12882%22%20target%3D%22_blank%22%3E%40Daniel%20Billington%3C%2FA%3E%26nbsp%3B-%20we%20have%20exactly%20this%20issue%20since%20we%20enabled%20Azure%20MFA.%20Did%20you%20find%20any%20solution%20yet%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70095%22%20target%3D%22_blank%22%3E%40Kelvin%20Xia%3C%2FA%3E%26nbsp%3Bthis%20is%20really%20a%20big%20annoyance%20for%20anyone%20using%20Seamless%20SSO%20and%20MFA.%20The%20KMSI%20dialogue%20does%20not%20show%20up%20if%20Seamless%20SSO%20ist%20enabled%2C%20which%20results%20in%20repeated%20MFA%20requests%2
0every%20time%26nbsp%3Bthe%20browser%20is%20restarted.%26nbsp%3BOnce%20we%20disable%20Seamless%20SSO%20on%20the%20client%20side%20(Browser%20Intranet%20Zone)%2C%20users%26nbsp%3Bsee%20the%20KMSI%20and%20are%20able%20to%20stay%20signed%20in...%20no%20unnecessary%20MFA%20requests%20anymore.%20We%20still%20want%20to%20use%20both%3A%20Seamless%20SSO%20and%20MFA%2C%20but%20at%20the%20current%20state%20this%20is%20not%20possible.%26nbsp%3BWhats%20the%20best%20practice%20if%20we%20want%20to%20combine%20both%20methods%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EEDIT%3A%20we%20are%20not%20using%20AD%20FS%2C%20instead%20we%20are%20relying%20on%20Azure%20AD%20Connect.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-164006%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-164006%22%20slang%3D%22en-US%22%3EHi%20Marc%2C%3CBR%20%2F%3E%3CBR%20%2F%3EIs%20the%20screen%20where%20your%20user%20has%20to%20click%20on%20a%20username%20the%20%22Pick%20an%20account%22%20screen%3F%3CBR%20%2F%3E%3CBR%20%2F%3EI%20believe%20that%20what%20you're%20seeing%20is%20caused%20by%20a%20different%20change%20in%20our%20code.%20Can%20you%20please%20send%20me%20a%20Fiddler%20trace%20of%20a%20user%20running%20through%20the%20scenario%20you%20mentioned%20and%20seeing%20the%20%22Pick%20an%20account%22%20prompt%3F%20Please%20DM%20me%20the%20trace%20so%20we%20can%20look%20into%20it.Thanks%2CKelvin%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-164002%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-164002%22%20slang%3D%22en-US%22%3ETo%20support%20SharePoint%20mapped%20drives%20with%20ADFS%2C%20we%20recommend%20setting%20up%20PSSO%20which%20will%20result%20in%20the%20same%20logi
c%20as%20a%20user%20manually%20checking%20the%20old%20KMSI%20checkbox.%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fidentity%2Fad-fs%2Foperations%2Fad-fs-single-sign-on-settings%23enable-psso-for-office-365-users-to-access-sharepoint-online%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fidentity%2Fad-fs%2Foperations%2Fad-fs-single-sign-on-settings%23enable-psso-for-office-365-users-to-access-sharepoint-online%3C%2FA%3E%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-163677%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-163677%22%20slang%3D%22en-US%22%3EIndeed%2C%20the%20KMSI%20screen%20does%20not%20show%20up%20after%20authentication%20against%20ADFS%20for%20our%20internal%20users.%20As%20a%20result%2C%20WebDAV%2Fmapped%20drives%20are%20just%20not%20working%20anymore.%20%3CBR%20%2F%3E%3CBR%20%2F%3EWhile%20I%20can%20understand%20this%20is%20legacy%20tech%2C%20it%20should%20still%20be%20supported%20until%20a%20replacement%20solution%20is%20delivered.%20I'm%20thinking%20along%20the%20lines%20of%20the%20OneDrive%20files-on-demand%20with%20the%20possibility%20to%20keep%20the%20synced%20files%20only%20in%20the%20cloud%20and%20not%20have%20them%20synced%20locally%20whenever%20one%20is%20opened%20(we%20don't%20have%20the%20storage%20for%20this%20%2F%20don't%20want%20to%20support%2
0this%20scenario).%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-162735%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-162735%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70095%22%20target%3D%22_blank%22%3E%40Kelvin%20Xia%3C%2FA%3E%26nbsp%3BI%20think%20the%20last%20few%20complaints%20are%20about%20the%20WebDAV%2Fmapped%20drives%20experience.%20Previously%2C%20we%20were%20able%20to%20make%20this%20persistent%20by%20making%20sure%20the%20%22LoginOptions%22%20parameter%20is%20passed%20via%20the%20smart%20links%20used.%20In%20the%20new%20experience%2C%20this%20seems%20to%20no%20longer%20be%20the%20case%2C%20thus%20the%20session%20expire%20more%20often%20and%20break%20the%20user%20experience.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-162621%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-162621%22%20slang%3D%22en-US%22%3EHi%20everyone%2C%3CBR%20%2F%3E%3CBR%20%2F%3Eour%20recommendation%20to%20bypass%20the%20additional%20%22Pick%20an%20account%22%20prompt%20and%20redirect%20automatically%20to%20on-prem%20IdPs%20(eg.%20ADFS)%20for%20auth%20is%20to%20enable%20SharePoint%20auto-acceleration%3A%20%3CA%20href%3D%22https%3A%2F%2Fsupport.office.com%2Fen-us%2Farticle%2Fenable-or-disable-auto-acceleration-for-your-sharepoint-online-tenancy-74985ebf-39e1-4c59-a74a-dcdfd678ef83%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener
%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.office.com%2Fen-us%2Farticle%2Fenable-or-disable-auto-acceleration-for-your-sharepoint-online-tenancy-74985ebf-39e1-4c59-a74a-dcdfd678ef83%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EPlease%20take%20note%20of%20the%20call%20out%20on%20how%20this%20might%20not%20work%20if%20you%20have%20users%20that%20are%20external%20to%20your%20organization%20(guest%20users)%20access%20your%20SharePoint%20site.%3CBR%20%2F%3E%3CBR%20%2F%3EIf%20SharePoint%20auto-acceleration%20does%20not%20work%20for%20your%20environment%2C%20you%20can%20consider%20setting%20up%20ADFS%20to%20return%20the%20Persistent%20SSO%20claim%20with%20every%20sign%20in.%20That%20will%20cause%20Azure%20AD%20to%20drop%20a%20persistent%20token%20which%20will%20bypass%20the%20%22Pick%20an%20account%22%20screen.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-162606%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-162606%22%20slang%3D%22en-US%22%3E%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F75442%22%20target%3D%22_blank%22%3E%40Jeroen%20Lammens%3C%2FA%3E%20wrote%3A%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F116476%22%20target%3D%22_blank%22%3E%40Marc%20Debold%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EWe%20are%20facing%20the%20same%20problem.%20External%20users%20get%20the%20KMSI%20dialog%2C%20internal%20users%20do%20not%20(both%20after%20authentication%20against%20ADFS).%20As%20a%20result%20SharePoint%20Online%20WebDAV%20is%20not%20working%20anymore.%20Have%20you%20found%20a%20solution%20to%20this%3F%3CHR%20%2F
%3E%3C%2FBLOCKQUOTE%3E%0A%3CP%3EWe%20have%20opened%20a%20MS%20call%20and%20we%20are%20currently%20working%20on%20it.%20Until%20now%2C%20we%20have%20made%20no%20progress%20as%20MS%20(or%20at%20least%20the%20technician%20dealing%20with%20the%20ticket)%20claims%20this%20to%20be%20the%20way%20it%20is%20intended%20to%20work.%3C%2FP%3E%0A%3CP%3EI'll%20report%20back%20as%20soon%20as%20I%20got%20news.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-162437%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-162437%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20experiencing%20this%20issue%20as%20well.%26nbsp%3B%20Has%20there%20been%20any%20resolution%20identified%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-162288%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-162288%22%20slang%3D%22en-US%22%3E%3CP%3EOur%20organization%20is%20experiencing%20the%20same%20problems.%20We%20use%20ADFS%20for%20authentication.%20KMSI%20dialog%20is%20shown%20externally%2C%20but%20not%20internally.%20SPO%20WebDAV%20doesn't%20work%20anymore%20and%20users%20have%20to%20choose%20their%20UPN%20every%20time%20they%20launch%20the%20browser.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-162263%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-162263%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F116476%22%20target%3D%22_blank%22%3E%40Marc%20Debold%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EWe%20are%20facing%20the%20same%20prob
lem.%20%20External%20users%20get%20the%20KMSI%20dialog%2C%20internal%20users%20do%20not%20(both%20after%20authentication%20against%20ADFS).%20As%20a%20result%20SharePoint%20Online%20WebDAV%20is%20not%20working%20anymore.%20Have%20you%20found%20a%20solution%20to%20this%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-160384%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-160384%22%20slang%3D%22en-US%22%3E%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70095%22%20target%3D%22_blank%22%3E%40Kelvin%20Xia%3C%2FA%3E%20wrote%3A%3CBR%20%2F%3EMay%20I%20know%20why%20you%20want%20to%20see%20the%20prompt%20even%20when%20SSO%20happens%3F%20By%20definition%2C%20when%20SSO'ed%20your%20user%20should%20just%20always%20automatically%20sign%20in%20without%20any%20interactive%20prompts.%20So%2C%20asking%20the%20user%20if%20they%20want%20to%20remain%20signed%20in%20doesn't%20really%20mean%20anything%20when%20SSO%20happens.%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%0A%3CP%3EThat's%20almost%20right%2C%20but%3A%20For%20SSO%20to%20work%2C%20you%20need%20to%20provide%20the%20username%20%2F%20email%20address%20%2F%20UPN%20(which%20may%20be%20saved%2C%20but%20has%20to%20be%20confirmed%20by%20clicking%20it)%26nbsp%3B%3CSTRONG%3Ebefore%3C%2FSTRONG%3E%20SSO%20kicks%20in.%20This%20is%20the%20issue%20in%20our%20case.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EImagine%20the%20following%20(real-world)%20scenario%3A%20Customer%20is%20using%20a%20SharePoint%20Online%20document%20library%20to%20store%20attachments%20for%20his%20Navision%20users.%20So%20when%20clicking%20on%20a%20link%20in%20Navision%20to%20open%20such%20an%20attachment%20(mostly%20PDF%20documents)%2C%20you%20would%20expect%20your%20PDF%20viewer%20to%20open.%20In%20the%20current%20situation%2C%20yo
ur%20browser%20opens%20asking%20for%20your%20login%20(which%20perhaps%20was%20saved%20before)%2C%20you%20confirm%20it%2C%20SSO%20happens%20and%20the%20PDF%20opens.%20After%20doing%20whatever%20with%20the%20document%2C%20the%20user%20closes%20the%20PDF%20and%20the%20browser%20window.%20After%20that%2C%20he%20clicks%20the%20next%20link%20in%20Navision%20and%20the%20same%20happens%20...%20browser%2C%20confirm%20username%2C%20SSO%2C%20PDF.%20Only%20by%20leaving%20open%20the%20browser%20(as%20a%20workaround)%2C%20the%20annoying%20clicking%20and%20waiting%20can%20be%20bypassed.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20behavior%20most%20likely%20applies%20to%20any%20SharePoint%20related%20content%20storage%20...%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBy%20using%20the%20persistent%20session%20token%2C%20a%20true%20SSO%20experience%20(as%20seen%20in%20the%20old%20version)%20could%20be%20setup%26nbsp%3B%3CSTRONG%3Eagain%3C%2FSTRONG%3E.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-160329%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-160329%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70095%22%20target%3D%22_blank%22%3E%40Kelvin%20Xia%3C%2FA%3E%20wrote%3A%3CBR%20%2F%3EMay%20I%20know%20why%20you%20want%20to%20see%20the%20prompt%20even%20when%20SSO%20happens%3F%20By%20definition%2C%20when%20SSO'ed%20your%20user%20should%20just%20always%20automatically%20sign%20in%20without%20any%20interactive%20prompts.%20So%2C%20asking%20the%20user%20if%20they%20want%20to%20remain%20signed%20in%20doesn't%20really%20mean%20anything%20when%20SSO%20happens.%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%0A%3CP%3EThere%20is%20one%20case%20where%20it%20would%20be%20really%20u
seful%20to%20have%20KMSI%20available%20when%20using%20SSO%20and%20that%20is%20when%20Azure%20MFA%20is%20enabled%2C%20to%20allow%20to%20remain%20signed%20in%20without%20getting%20prompted%20for%20the%20MFA%20code%20each%20time%20the%20browser%20is%20launched.%20When%20outside%20the%20LAN%20the%20KMSI%20appears%20(since%20then%20SSO%20is%20not%20active)%2C%20so%20no%20reason%20not%20to%20show%20KMSI%20when%20on%20the%20LAN.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIs%20there%20any%20thought%20to%20allow%20this%3F%20Thanks%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-153841%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-153841%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3Eo%20my%20team%20and%20I%20sat%20down%20in%20a%20room%20to%20compare%20our%26nbsp%3Bdifferent%20experiences.%20We%20found%20that%20each%20browser%26nbsp%3Bhas%20settings%20that%20delete%20cookies%26nbsp%3B%20In%20Chrome%20I%20had%20this%20setting%20%22%3C%2FSPAN%3E%3CSPAN%3EKeep%20local%20data%20only%20until%20you%20quit%20your%20browser%22%20turned%20on.%20When%20I%20turned%20this%20off%20I%20was%20presented%20with%20the%20%22Stay%20Signed%20In%22%20option%20and%20was%20able%20to%20stay%20logged%20in%20once%20I%20had%20authenticated%20and%20verified%20with%20MFA.%20I%20have%20not%20had%20to%20reauthenticate.%20This%20is%20a%20per%20browser%20setting.%20Each%20browser%20has%20different%20settings%20of%20course.%26nbsp%3B%20We%20think%20Macs%20have%20a%20privacy%20setting%20Website%20Tracking%20Prevent%20cross-site-tracking%20and%20if%20this%20is%20checked%20this%20will%20prevent%20the%20Stay%20Signed%20in%20feature%20to%20work.%20I%20haven't%20confirmed%20yet%20but%20will%20update%20this%20post%20once%20we%20do.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub
-153293%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-153293%22%20slang%3D%22en-US%22%3E%3CP%3EJust%20spent%20about%20a%20day%20figuring%20out%20the%20same%20%22keep%20me%20signed%20in%22%20issue%2C%20as%20discussed%20here.%20The%20problem%20seems%20to%20be%20related%20to%20ADFS%20and%20WIA.%20I%20can%20provide%20some%20details%20on%20my%20customers%20setup%20and%20how%20to%20reproduce%20the%20problem%20(got%20a%20workaround%2C%20too)%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20have%20a%20federated%20O365%20domain%2C%20ADFS%20on%20prem%20for%20authentication%20and%20WIA%20%2F%20IE%20trusted%20zones%20setup%20internally%2C%20so%20that%20no%20logon%20prompt%20used%20to%20display%20when%20accessing%20O365%20resources%20(tested%20access%20to%20OneDrive%20in%20browser).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EInternal%20behavior%3A%3C%2FSTRONG%3E%20With%20the%20new%20login%20experience%2C%20user%20name%20needs%20to%20be%20provided%2C%20redirect%20to%20ADFS%20and%20automatic%20logon%20succeed%2C%20then%20you%20are%20returned%20to%20your%20desired%20destination%20in%20your%20browser%20--%26gt%3B%20No%20prompt%20for%20%22keep%20me%20signed%20in%22.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EExternal%20behavior%3A%3C%2FSTRONG%3E%20User%20name%20needs%20to%20be%20provided%2C%20redirect%20to%20ADFS%20shows%20ADFS%20login%20page.%20Password%20must%20be%20entered%20there%2C%20redirect%20to%20MS%20happens%20(eventually%20MFA%20thereafter)%2C%20then%20%22keep%20me%20signed%20in%22%20appears%2C%20can%20be%20set%20and%20works%20correctly.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhat%20I%20already%20did%3A%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3ERemoved%20the%20corresponding%20WIA%20agents%20from%20ADFS%20config%20to%20have%20the%20ADFS%20login%20page%20experience%20from%20i
nternal%20clients.%20KMSI%20dialog%20from%20MS%20is%26nbsp%3B%3CSTRONG%3Enot%3C%2FSTRONG%3E%20displayed.%3C%2FLI%3E%0A%3CLI%3EEnabled%20KMSI%20in%20ADFS%20properties%20and%20added%20claim%20rules%20to%20pass%20through%20PSSO%20claim.%20Now%20on%20the%20ADFS%20website%2C%20there%20is%20a%20keep%20me%20signed%20in%20checkbox%2C%20which%20does%20place%20a%20permanent%20cookie%2C%20so%20that%20subsequent%20logins%20(after%20closing%20and%20reopening%20the%20browser)%20are%26nbsp%3B%3CSTRONG%3Enot%20required%3C%2FSTRONG%3E.%20The%20KMSI%20dialog%20from%20MS%20is%26nbsp%3B%3CSTRONG%3Enot%26nbsp%3B%3C%2FSTRONG%3Edisplayed.%20%3CSTRONG%3EThis%20is%20my%20current%20workaround%2C%20but%20not%20the%20desired%20state.%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3EI%20think%2C%20the%20problem%20is%20the%20combination%20of%20ADFS%20and%20WIA-enabled%20authentication%20from%20inside%20the%20coorp%20network.%20The%20exactly%20same%20setup%20works%20as%20expected%20from%20external%20locations%2C%20but%20not%20from%20internal%20ones.%20This%20used%20to%20work%20in%20the%20%22old%20style%22.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20would%20gladly%20help%20getting%20this%20thing%20done%2C%20if%20you%20need%20more%20input.%20Just%20get%20in%20touch%20with%20me.%20Already%20checked%20this%20issue%20with%20a%20second%20setup%2C%20same%20behavior%20there%20...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-153102%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-153102%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20have%20one%20user%20who%20is%20having%20an%20issue%20of%20%22looping.%22%26nbsp%3B%20They%20sign%20into%20SharePoint%20via%20the%20SSO%20and%20then%20the%20page%20refreshes%20and%20says%20%22you%20are%20already%20signed%20in%22%20and%20just%20keeps
%20spinning%20like%20it%20is%20trying%20to%20load%20the%20page.%26nbsp%3B%20However%2C%20it%20never%20moves%20past%20the%20log%20in%20page.%26nbsp%3B%20The%20only%20way%20we%20can%20move%20past%20is%20to%20log%20in%20again%20as%20another%20user.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-152594%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-152594%22%20slang%3D%22en-US%22%3E%3CP%3ETrying%20to%20understand%20exact%20implications%20of%20hiding%20the%20KMSI%20option.%26nbsp%3B%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fcustomize-branding%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EThis%20link%3C%2FA%3E%20states%2C%20%22Some%20features%20of%20SharePoint%20Online%20and%20Office%202010%20depend%20on%20users%20being%20able%20to%20choose%20to%20remain%20signed%20in.%20If%20you%20set%20this%20option%20to%20No%2C%20your%20users%20may%20see%20additional%20and%20unexpected%20prompts%20to%20sign-in.%22%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIs%20there%20a%20list%20of%20the%20features%2Ffunctionality%20that%20may%20be%20impacted%20when%20hiding%20this%20option%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-148991%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BO
DY%20id%3D%22lingo-body-148991%22%20slang%3D%22en-US%22%3EPlease%20send%20me%20a%20private%20message%20with%20your%20email%20address%20and%20I'll%20send%20instructions%20via%20email.%20It'll%20be%20a%20lot%20easier%20that%20way.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-148974%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-148974%22%20slang%3D%22en-US%22%3E%3CP%3ECan%20you%20please%20send%20me%20instructions%20on%20how%20to%20run%20the%20Fiddler%20trace.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-148967%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-148967%22%20slang%3D%22en-US%22%3ECan%20you%20please%20send%20me%20a%20fiddler%20trace%20of%20your%20login%20via%20private%20message%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-148937%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-148937%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Kelvin%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20would%20really%20appreciate%20some%20insight%20into%20this%20issue%2C%20we'd%20really%20like%20to%20communicate%20to%20our%20users%20about%20this%20change.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-148078%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-148078%22%20slang%3D%22en-US%22%3E%3CP%3EI%20mean%20accept%20the%20push%20notification%20to%20my%20smartphone%20from%20MFA.%3C%2FP%3E%3C%2FLINGO-B
ODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-148047%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-148047%22%20slang%3D%22en-US%22%3EWhen%20you%20say%20%22accept%20prompt%22%20what%20prompt%20do%20you%20refer%20to%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-148046%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-148046%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Kelvin%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20did%20not%20work.%20I%20get%20taken%20to%20my%20organizations%20SSO%20page%2C%20get%20prompted%20for%20MFA%20accept%20prompt%26nbsp%3Band%20then%20go%20straight%20to%20Office%20365.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-148036%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-148036%22%20slang%3D%22en-US%22%3ETry%20clearing%20browser%20cookies%20and%20signing%20in%20again.%20Let%20me%20know%20if%20you%20see%20the%20%22Keep%20me%20signed%20in%22%20prompt%20then.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-148033%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-148033%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20Office%20365%20MFA%20enabled.%20When%20the%20%22Keep%20me%20signed%20in%22%20experience%20rolled%20out%20in%20December%20I%20saw%20it.%20I%20clicked%20on%20Keep%20me%20signed%20in%20did%20not%20require%20authentication%20when%20I%20logged%20into%20Office%20365%20from%20any%20bro
wser.

At some point in early January, I believe this changed. Now when I log in I get taken straight to my organization's login page, enter my credentials and I'm in. I have to log into Office 365 from my browser every day. The experience is the same across all my devices. I have not seen the "Keep me signed in" feature since.

Help please?!

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

Hi Greg, we just checked in a tweak to the prompt logic that should make the prompt show up a lot more consistently. Please look for it to release in a week or so.

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

We're also not seeing it after the initial sign in, meaning that mapped drives no longer work. Very unhelpful.

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

We utilise WebDAV to map SharePoint Online drives for all of our 365 clients, and the new sign in has a critical flaw. After the initial sign in using IE the option to stay signed in is not presented, meaning that the mapped WebDAV drives do not reconnect. Returning to the old sign in and ticking the "Keep me signed in" still works fine however. If we log in to an InPrivate browser the stay signed in option returns, however this is no good to us as it will not map a drive this way. Resetting IE also returns the stay signed in prompt, however again this disappears after the initial sign in.

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

Hi Andy, yes, this is a known issue where if the user first says "Yes" to the prompt, then explicitly signs out, they would not see the prompt again on subsequent sign ins for 3 days.

This is something we're looking into fixing.

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

We use SAML SSO with several vendors using ADFS as our IdP. Our ADFS server is under a different domain so we have a Claims Provider Trust set up with our AAD. We have an issue with the new sign-in experience. When a user initially signs in they get presented with the "Stay signed in?" prompt. If they say Yes a persistent cookie is set and things work like they should. However, if they were to go back to the IdP initiated signon page and log out for whatever reason, when they go to sign in again they won't get the "Stay signed in?" prompt so it just sets a session cookie that is terminated if they close their browser. If they choose to go back to the old sign-in experience the "Keep me signed in" checkbox will be there so they once again can set a persistent cookie. Is this a known issue? Is there a fix for this?

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

I don't think so, it will most likely not recognize the claim.

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

Current set up

We have a SharePoint Online site with auto acceleration enabled. Our Azure AD is federated with on-premise ADFS. We have seamless SSO working in IE where the user does not need to type any username or password.

Problem statement:

By default, when the user logs in through IE, only a session cookie is generated, so when the user closes the browser and reopens it the user is authenticated again. Also, the new KMSI (Keep me signed in) screen is not displayed to the user during the login experience in IE, so there is no way for the user to generate a persistent cookie which works across multiple sessions. In Chrome, the user can see the KMSI screen and hence persistent cookies can be generated.

Questions:

Is there a way by which a global admin can configure such that all users by default get persistent cookies instead of a session cookie, so that they don’t even need to click “yes” in the KMSI screen?

I saw the blog below where it says to create a custom claim rule in ADFS to issue the Persistent SSO claim. But again, the last line of the blog says “As of right now, AAD does not support SAML based use of the Persistent Single Sign On Claim / SAML attribute.” So, is this blog relevant now?

https://blogs.technet.microsoft.com/sposupport/2017/09/16/cookie-persistence-in-sharepoint-online/

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

@Srikanth Komirishetty do you happen to be using Smart links? Even with the old experience, without smart links configured you have to enter/select the UPN before federation happens. But you can construct "smart links" (basically a URL with an added parameter for the domain) to bypass this process and have you log in automatically. Perhaps those are not working with the new experience?

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

Kelvin,

The reason I ask is, we get this window every single time when we close the browser. I need not enter my password but I have to click on my account (I have to pick every single time I close the browser). If I switch to the old sign in experience, I can check the box to keep me signed in and it will never ask me to pick the account. As the old sign in page is going away, we need to provide our users a way to avoid picking the account each and every time they re-open the browser. The only way I saw is with the prompt and that is why I'm reaching you to see if we can enable that prompt on SSO.

[Image: Pick an account.PNG]

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

@Kelvin Xia what exactly does the "shared machine" logic cover? I stopped receiving the KMSI prompt on my personal PC, which is pretty much the most secure machine I use (even added as trusted IP), and since I'm not using any form of SSO for said account, that only leaves the "shared machine" scenario? On the same machine, another user from the same tenant is getting the KMSI prompt...

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

May I know why you want to see the prompt even when SSO happens? By definition, when SSO'ed your user should just always automatically sign in without any interactive prompts. So, asking the user if they want to remain signed in doesn't really mean anything when SSO happens.

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

Hi Kelvin,

We have SSO set up and based on your statement, Microsoft has added logic not to show the prompt.

Is there a way we can show this prompt with SSO enabled? To your previous question, we have not set up ADFS to pass the PSSO claim for SharePoint.

Appreciate your help.

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

Hi Paul,

This new KMSI experience is completely rolled out now for a few weeks. We added some logic to hide the prompt if we detect that the login session is risky, if it's a shared machine or if SSO is set up. Can you please try logging in on an in-private/incognito browser and see if the prompt shows?

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

Hi Jason,

are you still seeing issues? If you are, can you please DM me your email address and I'll contact you to get more information to troubleshoot the problem.

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

We don't use ADFS but we have AD Connect, is there any reason why we are not seeing the new KMSI experience? It is very hard to keep users informed IF we rely on the roll out dates suggested by Microsoft.

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

Bernd,

We are seeing this issue as well when we try to map a user's OneDrive. Have you found a fix yet?

Jason

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

Thanks for that detail Kelvin. But I need to request yet another documentation update here - the only place I've seen the PSSO claim detailed so far is the claims rules added by AAD Connect. As some organizations might not be using AAD Connect (or at least not managing the AD FS farm with it), can you please post a detailed article on how the claim should look and so on?

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

The fix is rolled out already. To clarify what I was saying, if your ADFS is set to pass the PSSO claim, we will not show the prompt.

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

Hi Bernd,

sorry for the delay in replying here. Can you please DM me so I can get more details from you? Thanks.

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

Hi Kelvin, thank you for the quick response. It's still the issue for us. Should we perform any steps to speed up the change to our tenant?

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

Is your ADFS set up to send the PSSO claim, or do you have Windows SSO set up? If it is, we're automatically dropping the persistent auth cookie (which the "Stay signed-in" prompt does when the user selects "Yes"). We had a few bugs a few weeks ago when we did not do that, which could explain the difference in behavior you're seeing now vs then.

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

Sorry about that. We pushed out a fix for that mid-last week. It should work now.

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

Does anyone have issues with the "Stay Signed-in" prompt that shows after successful authentication with ADFS? Our tenant is not presenting the prompt (as described here https://cloudblogs.microsoft.com/enterprisemobility/2017/09/19/fewer-login-prompts-the-new-keep-me-signed-in-experience-for-azure-ad-is-in-preview/ ) as it did a couple of weeks ago. The option to keep the user signed in has been enabled in our Company Branding settings. Any thoughts?

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

We are seeing unexpected behavior when we choose "don't show me this again" and click No.

Every time we log in again it gives the prompt again.

Shouldn't "don't show me..." respect a yes or no answer and go away?

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

Am I the only one not seeing the KMSI at all now? Cloud account, no federation. I tried deleting cookies, private sessions and different browsers, I don't ever see KMSI now. I thought the changes are supposed to only affect federated scenarios?

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

Hi @Kelvin Xia,

I did some additional tests on the SSO experience. When I delete my cookies and open a mapped SharePoint WebDAV connection I cannot load it, which is expected (cookie is removed). When I open the SharePoint tenant URL I get logged in through SSO and most of the time the magical cookie is created. When the cookie is created I'm able to open the WebDAV connection. For other users (same permission etc.) they get a sign in screen where they need to enter their username. Then they are redirected to the homepage but they are not able to open the WebDAV connection.

@Eddy Verbeemen please correct me if I'm wrong :)

@Vasil Michev a few years ago we used the smartlinks to enforce the 'keep me signed in'. At a certain moment this was no longer working and we went back to the default login where we could choose to 'keep me signed in'.
It seems that there is a difference between SSO where a prompt is shown for a username and no prompt is shown...
Cheers
Bernd

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

The KMSI setting in Company Branding doesn't allow that. You might want to look up Conditional Access which might get you what you want.

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

@Bernd Verhofstadt Just curious, are you using smart links and passing the LoginOptions parameter?

@Kelvin, that's one of the use cases I warned you about - mapped drives rely on this functionality, and the LoginOptions parameter was a nice and easy way to handle this in federated setups.

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

Hi Bernd,

how did "Keep me signed in" work for your users before? If you had SSO turned on they wouldn't have seen the login screen nor the "Keep me signed in" checkbox in the old experience.

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

We had Microsoft turn ours off at the tenant level until a better plan could be put in place. The problem with Company branding is:

1.) It's a global setting.
2.) It can affect SharePoint Online users and Office 2010 users (and we had just moved over 30K SharePoint sites to SharePoint Online, so I didn't want to interrupt their experience for my experience with Power BI to work).
3.) Even as a global admin, we could not delete the company branding. The delete button would not highlight and we verified our permissions. We could turn it on or off for KMSI, but we could not delete company branding.
4.) We found the KMSI box "Don't ask me again" doesn't work either. It only stays for the session, so to the user they think they should never have to see it again.
5.) We were told we could add a parameter to the Web app to turn this off in the code, so we are pursuing this now as our permanent solution, but for now our customers can function again with KMSI.

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

Hi,

Many of our users have set a site, library or folder as favorites in File Explorer which connects through WebDAV(?) to SharePoint. As we are using SSO, users don't get the option 'keep me signed in' anymore. This causes a permission denied when opening the folder or library in File Explorer -> no cookie is saved. Is there a workaround to have the cookie or 'Keep me signed in' back?

Thanks
Bernd

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

Hi,

while I do see some benefit in the KMSI feature for regular users, I would prefer to have privileged admin accounts be prompted for MFA login in their browser profiles every time.

How can I achieve this without turning the feature off for everyone?

Regards,
Karsten

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

Let me see what I can do :)

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

@Kelvin I see your point, but if we had proper documentation on what's supported and not and how the different flows work, I'm sure that would decrease the number of escalations :)

Smart links are still required for a true, seamless SSO experience in some cases, and there is definitely demand for such from the enterprise customers. If you can publish some guidelines and recommendations, I think it will benefit all sides.

Anyway, I'll stop with the offtopic :)

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

That makes me feel better.

May I suggest stating that in more places? Like the announcements, relevant blog posts, or other places that admins will see before they start to flip out?

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

Hi Matt, we have a best-effort algorithm that prevents the new "Stay signed in" dialog from showing if we detect that the login is happening on a shared machine.

It essentially looks to see if a different account than what is currently being used to log in was used on the machine in the last 3 days. If so, we won't show the dialog. We also use our adaptive protection logic to hide the dialog if we detect that the login is risky. Note that this logic is subject to change as we iterate on the logic to increase confidence that we only show this dialog on personal devices.

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

Hi Michael, you can turn this off by setting "Show option to remain signed in" in Company Branding to "No". Here's the help article for that: https://docs.microsoft.com/en-us/azure/active-directory/customize-branding

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

We want this turned off, anyone know how?

Re: The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

We are using Power BI with a Web app and this web app is embedded reports in Salesforce. As soon as this was implemented, we started getting these dialog boxes, so the reports would not come through. How can we turn these off so they have a smoother experience? Currently Salesforce won't allow that dialog at all, so they get blank pages as a result of this. If they go through the web app directly in a url, and answer the dialo
g%2C%20the%20dashboard%20reports%20render%20fine.%26nbsp%3B%20But%20this%20dialog%20caused%20our%20field%20to%20lose%20a%20week's%20worth%20of%20work%20so%20far.%26nbsp%3B%20I%20finally%20found%20this%20so%20I%20am%20hoping%20someone%20can%20tell%20me%20how%20to%20turn%20it%20off...for%20good%3F%26nbsp%3B%20We%20have%20a%20critical%20case%20open%20with%20MSFT%20right%20now%20as%20a%20result.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-129153%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-129153%22%20slang%3D%22en-US%22%3E%3CP%3EOkay%2C%20but%20what%20if%20that%20is%20entirely%20undesirable%20behavior%20in%20half%20of%20your%20use%20cases%3F%26nbsp%3B%20When%20my%20users%20are%20on%20their%20personal%20computers%2C%20this%20is%20a%20good%20thing.%26nbsp%3B%20When%20they%20are%20using%20one%20of%20our%20many%20shared%20workstations%2C%20the%20last%20thing%20I%20want%20is%20for%20them%20to%20be%20encouraged%20to%20%22Stay%20signed%20in%22.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHow%20do%20I%20prevent%20it%20from%20being%20offered%20on%20office%20computers%20without%20preventing%20it%20on%20their%20personal%20devices%3F%26nbsp%3B%20Most%2C%20though%20not%20all%2C%20of%20our%20offices%20are%20AD%20joined%2C%20so%20if%20there's%20a%20GPO%20I%20can%20push%20out%20please%20indicate%20that%20in%20some%20way.%3C%2FP%3E%3CP%3EIf%20the%20classic%20login%20screen%20can%20be%20%3CEM%3Epermanently%3C%2FEM%3E%20forced%20per-domain%20(per%20tenant%20may%20not%20work%20for%20our%20parent%20company)%2C%20that%20would%20also%20be%20acceptable.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBecause%20as%20it%20stands%2C%20this%20is%20a%20horrible%20idea.%26nbsp%3B%20I'm%20going%20to%20have%20realtors%20reading%20each%20other's%20emails%20after%20we%20told%20them%20we%20were%20setting
%20them%20up%20with%20MFA%20to%20keep%20anyone%20else%20from%20getting%20into%20their%20email.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-129139%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-129139%22%20slang%3D%22en-US%22%3EThat's%20because%20we%20don't%20officially%20support%20them%20%3A).%20%3CBR%20%2F%3E%3CBR%20%2F%3EWe've%20seen%20multiple%20issues%20and%20escalations%20caused%20by%20customers%20creating%20links%20that%20jump%20straight%20into%20the%20middle%20of%20our%20flows%20in%20a%20way%20that%20they%20weren't%20designed%20for.%20That%20makes%20things%20very%20fragile%20as%20those%20customizations%20break%20when%20we%20push%20new%20features%20or%20updates.%20%3CBR%20%2F%3E%3CBR%20%2F%3EI'll%20take%20an%20action%20to%20see%20if%20we%20can%20get%20out%20an%20official%20message%20regarding%20use%20of%20smartlinks.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-129123%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-129123%22%20slang%3D%22en-US%22%3EYes%2C%20that%20might%20have%20been%20caused%20by%20Chrome%20SSO.%20Everything%20we%20do%20in%20the%20new%20sign%20in%20experience%20and%20stay%20signed%20in%20experience%20are%20cookie-based%2C%20and%20cookies%20are%20not%20shared%20across%20regular%20and%20in-private%20sessions.%3CBR%20%2F%3E%3CBR%20%2F%3ERegarding%20the%20other%20two%20issues%20you%20reported%3A%3CBR%20%2F%3E1.%20Translation%20issue%20-%20thanks%20for%20reporting%20this.%20I'll%20work%20with%20our%20localization%20team%20to%20get%20that%20fixed.%3CBR%20%2F%3E2.%20Checkbox%20-%20the%20checkbox%20is%20essentially%20a%20no-op%20when%20you%20say%20Yes%20since%20saying%
20Yes%20means%20that%20you%20won't%20have%20to%20interactively%20sign%20in%20again%20in%20the%20future.%20It%20only%20applies%20when%20you%20say%20No%20so%20we%20don't%20nag%20you.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-129035%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-129035%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3BI%20tried%20Chrome%2C%20we%20are%20federated%20and%20are%20using%20WIA%20indeed.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20have%20now%20removed%20SSO%26nbsp%3Bfor%20Chrome%20in%20our%20ADFS.%20It%20is%26nbsp%3Bprobably%20not%20related%20to%20the%20new%20sign-in%2C%20Chrome%20was%20added%20as%20SSO%20browser%20to%20our%20ADFS%20a%20few%20days%20ago.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128956%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128956%22%20slang%3D%22en-US%22%3E%3CP%3E%40Kelvin%2C%20I'm%20not%20a%20programmer%20so%20I%20will%20trust%20you%20on%20the%20Private%20session%20thingy%2C%20although%20I've%20seen%20some%20JS%20samples%20that%20supposedly%20to%20just%20that.%20In%20all%20fairness%2C%20the%20previous%20experience%20wasn't%20detecting%20private%20sessions%20either.%20It's%20just%20that%20the%20KMSI%20is%20a%20separate%20step%20now%2C%20thus%20more%20visible%2C%20and%20can%20be%20a%20bit%20irritating%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnd%20on%20a%20related%20topic%2C%20can%20you%20folks%20please%20publish%20an%20official%20statement%20on%20
what's%20supported%20in%20terms%20of%20smartlinks%20now%3F%20Just%20the%20other%20day%20you%20published%20an%20article%20mentioning%2046%25%20of%20all%20auths%20are%20AD%20FS%2C%20and%20I'm%20certain%20many%20of%20these%20do%20take%20advantage%20of%20smart%20links.%20Yet%2C%20there%20is%20zero%20documentation%20on%20them%20from%20Microsoft.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128946%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128946%22%20slang%3D%22en-US%22%3E%3CP%3EWhat%20browser%20are%20using%20Bart%3F%20What%20you%20are%20describing%20in%20scenario%203%20shouldn't%20be%20happening%2C%20unless%20maybe%20in%20federated%20environment%20with%20WIA%20autologin.%26nbsp%3BKelvin%20can%20correct%20me%20here.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128945%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128945%22%20slang%3D%22en-US%22%3E%3CP%3EThree%20remarks%20on%20the%20new%20experience%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.%20Spelling%20mistake%20(in%20Dutch%20translation%2C%20a%20period%26nbsp%3Bin%20the%20middle%20of%20a%20sentence)%3C%2FP%3E%3CP%3E2.%20The%20checkbox%20in%20the%20KMSI%20dialog%20is%20confusing%20(don't%20show%20this%20again).%20Does%20it%20make%20me%20stay%20logged%20in%20even%20longer%20when%20I%20select%20Yes%20and%26nbsp%3Bthick%20the%20checbox%3F%3C%2FP%3E%3CP%3E3.%20When%20I%20choose%20%22Yes%22%20in%26nbsp%3Bmy%20regular%20browser%26nbsp%3Bsession%2C%20open%20a%20private%20session%2C%20enter%20a%20different%20account%20in%20the%20private%20session.%26nbsp%3BI%20get%20logged%20in%20with%20the%20account%20of%20the%20regular%20session%20anyway%2C%20no%20matter%20the%20account%
20I%20filled%20in.%20Is%20this%20by%20design%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBart%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20371px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F24352i058D2A2CA961CDE1%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22kmsi.png%22%20title%3D%22kmsi.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128830%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128830%22%20slang%3D%22en-US%22%3EIt's%20actually%20more%20than%20the%20KMSI%20checkbox%20-%20doing%20a%20full%20page%20redirect%20when%20a%20user%20doesn't%20expect%20it%20causes%20usability%20issues.%20It's%20also%20not%20a%20standard%20interaction%20model%20anywhere%20on%20the%20web%2C%20causing%20user%20confusion%20and%20frustration.%20%3CBR%20%2F%3E%3CBR%20%2F%3EYou%20are%20correct%2C%20showing%20KMSI%20in%20private%20sessions%20doesn't%20really%20do%20very%20much.%20However%2C%20there's%20no%20deterministic%20way%20for%20us%20to%20determine%20that%20we're%20in%20a%20private%20browser%20session.%3CBR%20%2F%3E%3CBR%20%2F%3ERegarding%20LoginOptions%2C%20I%20believe%20we%20have%20discussed%20this%20before.%20We%20don't%20officially%20support%20the%20use%20of%20LoginOptions%20-%20it's%20an%20internal%20parameter%20used%20to%20pass%20information%20across%20our%20pages.%20We%20did%20not%20change%20how%20it%20is%20used%20with%20the%20new%20experiences%2C%20though%20we%20cannot%20guarantee%20that%20it%20won't%20happen%20in%20a%20future%20change.%20%3A)%3C%2Fimg%3E%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128756%22%20slang%3D%22en-US%22
%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128756%22%20slang%3D%22en-US%22%3E%3CP%3EKelvin%2C%20correct%20me%20if%20I'm%20wrong%2C%20but%20most%20of%20the%20complaint%20about%20the%20auto-redirect%20with%20just%20filling%20in%20the%20UPN%20were%20because%20it%20didn't%20allow%20users%20to%20select%20the%20KSMI%20checkbox.%20Now%20that%20that's%20a%20separate%20step%2C%20this%20issue%20no%20longer%20applies%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOn%20the%20Private%20session%20thingy%2C%20does%20KMSI%20even%20work%20with%20Private%20sessions%3F%20It%20writes%20a%20cookie%2C%20no%3F%20Which%20is%20*not*%20saved%20if%2Fwhen%20I'm%20using%20a%20Private%20session.%20So%20displaying%20the%20KMSI%20step%20is%20pointless%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnd%20one%20other%20thing%20comes%20to%20mind%20after%20seeing%20the%20comments%20made%20by%20other%20folks%20here%20-%20are%20you%20guys%20respecting%20the%20%22LoginOptions%22%20parameter%20for%20federated%20logins%2Fsmart%20links%3F%20The%20idea%20being%20that%20it%20automatically%20ticked%20the%20KMSI%20checkbox%20in%20the%20old%20experience...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128677%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128677%22%20slang%3D%22en-US%22%3EHey%20Vasil%2C%3CBR%20%2F%3E%3CBR%20%2F%3EThanks%20for%20the%20feedback.%3CBR%20%2F%3E%3CBR%20%2F%3EFor%20%231%3A%20This%20is%20by%20design%20in%20the%20new%20experience.%20We%20had%20a%20lot%20of%20strong%20feedback%20about%20the%20old%20design%20where%20we%20initiated%20the%20redirect%20when%20focus%20was%20lost%20on%20the%20username%20field.%20Most%20users%20thought%20that%20it%20was%20unexpected%20and%20jarring%20and%
20did%20not%20give%20them%20the%20opportunity%20to%20go%20back%20and%20correct%20typos.%20We%20decided%20to%20wait%20to%20redirect%20only%20after%20the%20user%20clicks%20the%20Next%20button.%20This%20experience%20is%20consistent%20with%20almost%20all%20other%20identity%20systems.%3CBR%20%2F%3E%3CBR%20%2F%3E%232%3A%20Can%20you%20help%20me%20understand%20your%20scenario%20where%20you%20don't%20want%20KMSI%20to%20show%20up%20in%20private%20sessions%20and%20why%3F%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128666%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128666%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20also%20experiencing%20this%20issue%20where%20the%20KMSI%20dialog%20is%20being%20displayed%20for%20all%20of%20our%20internal%20ADFS%20sign%20ins%20when%20previously%20it%20was%20automatic.%20For%20now%2C%20we%20have%20disabled%20the%20feature.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20there%20is%20a%20fix%20for%20this%2C%20please%20let%20me%20know.%20Thank%20you.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128447%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128447%22%20slang%3D%22en-US%22%3E%3CP%3EMicrosoft%20support%20answered%20it%20for%20me.%20Turn%20it%20off%20in%20Company%20branding%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fcloudblogs.microsoft.com%2Fenterprisemobility%2F2017%2F09%2F19%2Ffewer-login-prompts-the-new-keep-me-signed-in-experience-for-azure-ad-is-in-preview%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20nor
eferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fcloudblogs.microsoft.com%2Fenterprisemobility%2F2017%2F09%2F19%2Ffewer-login-prompts-the-new-keep-me-signed-in-experience-for-azure-ad-is-in-preview%2F%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128410%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128410%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%20we%20are%20using%20a%20Federated%20domain%20With%20local%20ADFS.%20Before%20this%20change%2C%20single%20signon%20worked%20without%20any%20questions%20when%20we%20are%20logged%20into%20the%20local%20domain.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENow%2C%20after%20this%20New%20%22experience%22%2C%20Our%20users%20must%20click%20on%20a%20Choice%20on%20the%20keep%20me%20logged%20in%20or%20not%20page.%20This%20is%20an%20anucence%20for%20Our%20users.%20We%20use%20Azure%20AD%20for%20authentication%20to%20Our%20intranet%20in%20the%20cloud.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20a%20setting%20on%20an%20Application%20or%20Azure%20AD%20Directory%2C%20or%20a%20URL%20parameter%20or%20similar%20that%20can%20be%20used%20to%20disable%20this%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128398%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128398%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70095%22%20target%3D%22_blank%22%3E%40Kelvin%20Xi
a%3C%2FA%3E%26nbsp%3Btwo%20minor%20issues%20still%20remain%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1)%20When%20using%20federated%20account%2C%20I%20have%20to%20press%20the%20Next%20button%20in%20order%20to%20be%20taken%20to%20the%20AD%20FS%20login%20page.%20In%20the%20previous%20experience%20this%20was%20automatic%2C%20simply%20pressing%20Tab%20for%20example%20did%20the%20trick.%3C%2FP%3E%3CP%3E2)%20Why%20am%20I%20being%20prompted%20for%20the%26nbsp%3BKMSI%20experience%20when%20using%20Private%20sessions%3F%20Maybe%20you%20should%20implement%20a%20check%20for%20this%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128306%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128306%22%20slang%3D%22en-US%22%3EHey%20Jeremy%2C%20the%20web%20theme%20can%20be%20found%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FMicrosoft%2FadfsWebCustomization%2Ftree%2Fmaster%2FcenteredUi%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2FMicrosoft%2FadfsWebCustomization%2Ftree%2Fmaster%2FcenteredUi%3C%2FA%3E%20%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128275%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128275%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommun
ity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F41707%22%20target%3D%22_blank%22%3E%40Eric%20Starker%3C%2FA%3E%26nbsp%3BDo%20you%20have%20any%20information%20on%20the%20ADFS%20web%20theme%20to%20allow%20on-premises%20ADFS%20look%20and%20feel%20to%20match%20the%20new%20sign%20in%20experience%3F%26nbsp%3B%20We%20saw%20some%20information%20during%20the%20original%20preview%20announcement%20that%20this%20would%20be%20coming%20but%20are%20unable%20to%20find%20any%20info.%26nbsp%3B%20We%20have%20our%20TAM%20also%20checking%20for%20information%20but%20thought%20I'd%20check%20here%20as%20well.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3C%2FX%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-138940%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-138940%22%20slang%3D%22en-US%22%3EHi%20Srikanth%2C%20I'll%20reach%20out%20to%20you%20via%20DM%20to%20get%20more%20information%20so%20we%20can%20look%20into%20this.%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-138943%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-138943%22%20slang%3D%22en-US%22%3EHi%20Unnie%2C%20thanks%20for%20the%20breakdown.%20%3CBR%20%2F%3E%3CBR%20%2F%3EWhat%20are%20you%20trying%20to%20achieve%20with%20persistent%20cookies%3F%20If%20you%20have%20seamless%20SSO%20set%20up%2C%20every%20time%20your%20user%20goes%20to%20the%20Sharepoint%20site%20they%20will%20SSO%20automatically%2C%20which%20makes%20the%20need%20for%20a%20persistent%20cookie%20unnecessary.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-138947%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%
3CLINGO-BODY%20id%3D%22lingo-body-138947%22%20slang%3D%22en-US%22%3EHey%20Vasil%2C%20the%20shared%20machine%20logic%20essentially%20stops%20showing%20the%20KMSI%20prompt%20if%20a%20different%20account%20has%20been%20used%20on%20the%20same%20browser.%20That%20logic%20will%20reset%20(and%20KMSI%20will%20show%20again)%20if%20you%20clear%20browser%20cookies%2C%20or%20if%20you%20continue%20to%20only%20sign%20in%20with%20that%20one%20account%20for%20a%20few%20days.%20%3CBR%20%2F%3E%3CBR%20%2F%3EFor%20the%20other%20user%20that's%20getting%20the%20prompt%2C%20are%20you%20using%20the%20same%20browser%3F%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-138978%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-138978%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20Kelvin.%20I%20did%20clear%20cookies%2C%20but%20that%20doesn't%20seem%20to%20had%20any%20effect.%20And%20if%20it's%20cookie%20based%2C%20doesn't%20explain%20why%20I%20don't%20see%20the%20prompt%20in%20Private%20session%20or%20when%20using%20other%20browsers%20on%20the%20same%20machine%3F%20Is%20there%20perhaps%20any%20%22server-side%22%20component%20to%20it%3F%20Same%20machine%2C%20same%20browsers%2C%20same%20O365%20tenant%26nbsp%3B-%20one%20user%20gets%20the%20prompt%20in%20Private%20session%2C%20the%20other%20one%20does%20not.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-139003%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-139003%22%20slang%3D%22en-US%22%3EIt's%20the%20performance%20.%20Our%20home%20page%20for%20IE%20is%20SPO%20based%20intranet%20and%20it%20loads%20slowly%20because%20of%20the%20authentication%20hops%20from%20the%20site%20--%26gt%3B%20Microsoft%20login%20--%26gt%
3B%20on-prem%20ADFS%20and%20then%20the%20journey%20back.%20The%20user%20can%20see%20the%20urls%20changing%20and%20it%20takes%20a%20good%208-10%20secs%20every%20time%20the%20browser%20is%20opened.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-139663%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-139663%22%20slang%3D%22en-US%22%3EThanks%20for%20verifying.%20We%20also%20take%20into%20account%20a%20risk%20score%20provided%20by%20our%20Identity%20mechanisms.%20We've%20had%20isolated%20reports%20that%20it%20is%20kicking%20in%20a%20tad%20bit%20too%20aggressively%2C%20but%20we%20don't%20have%20confirmation%20yet.%20%3CBR%20%2F%3E%3CBR%20%2F%3ECan%20you%20please%20DM%20me%20the%20following%3A%3CBR%20%2F%3E1.%20UPN%20of%20the%20account%20you%20used%20where%20KMSI%20doesn't%20show%20and%20also%20the%20one%20where%20KMSI%20does%20show.%3CBR%20%2F%3E2.%20Co-relation%20id%20of%20the%20request%20when%20logging%20in%20on%20the%20account%20where%20KMSI%20doesn't%20show.%20You%20can%20get%20this%20by%20clicking%20on%20the%20three%20dots%20at%20the%20bottom%20right%20corner%20of%20the%20page%20when%20you're%20on%20the%20password%20screen.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-139665%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-139665%22%20slang%3D%22en-US%22%3EThanks%20for%20the%20details.%20We're%20going%20to%20take%20a%20look%20into%20this%20early%20next%20year%20once%20the%20team%20gets%20back%20into%20the%20office%20after%20the%20holidays.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-140338%22%20slang%3D%22en-US%22%3ERE%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now
!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-140338%22%20slang%3D%22en-US%22%3EHi%2C%20MS%20admin%20for%20years%2C%20new%20here.%20Just%20saw%20this%2C%20perhaps%20it%20can%20help%20us.%20Our%20call%20to%20Microsoft%20(before%20this%20change)%20had%20no%20immediate%20fix.%20Our%208k%2B%20users%20to%20o365%2FSPO%20need%20access%20to%20SP%20sites.%20We%20would%20like%20to%20use%20this%20...%22Keep%20me%20singed%20in%22%20for%20most%20users.%20Others%20with%20Generic%20IDs%20which%20would%20only%20prompt%20for%20a%20password%20to%20get%20to%20secure%20content%20on%20SPO%20sites.%20Is%20this%20possible%20to%20do%20both%3F%20Details%20would%20be%20golden!!!%20Thanks%2C%20Joe%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-140833%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-140833%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20experiencing%20the%20same%20as%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%2C%20no%20KMSI%20prompt%20after%20successful%20sign-in%20in%20IE11%20or%20Chrome.%20And%20every%20time%20browser%20is%20started%20a%20sign-in%20prompt%20(password)%20is%20shown.%20Also%20sign-in%20prompt%20is%20shown%20every%20time%20I%20open%20locally%20installed%20Outlook%20client.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-141011%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-141011%22%20slang%3D%22en-US%22%3EHi%20Teemu%2C%3CBR%20%2F%3E%3CBR%20%2F%3Ewould%20you%20mind%20private%20messaging%20me%20your%20email%20address%3F%20I'll%20need%20some%20additional%20info%20(eg.%20traces)%20to%20investigate%20this.%
3CBR%20%2F%3E%3CBR%20%2F%3EThanks%2C%3CBR%20%2F%3EKelvin%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-141013%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-141013%22%20slang%3D%22en-US%22%3EHi%20Joe%2C%3CBR%20%2F%3E%3CBR%20%2F%3Ecan%20you%20please%20clarify%20what%20you're%20trying%20to%20achieve%3F%20Is%20this%20an%20issue%20that%20has%20occurred%20with%20the%20new%20sign-in%20experience%20or%20is%20this%20just%20new%20functionality%20you%20want%20enabled%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-141069%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-141069%22%20slang%3D%22en-US%22%3EHi%20Unnie%2C%20you%20can%20configure%20ADFS%20to%20pass%20the%20Persistent%20SSO%20(PSSO)%20claim%20so%20that%20Azure%20AD%20will%20automatically%20drop%20persistent%20cookies.%20That%20should%20get%20you%20what%20you%20need.%20You%20can%20find%20more%20information%20about%20PSSO%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fidentity%2Fad-fs%2Foperations%2Fad-fs-single-sign-on-settings%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fidentity%2Fad-fs%2Foperations%2Fad-fs-single-sign-on-settings%3C%2FA%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-141130%22%20slang%3D%22en-US%22%3ERe%3A%20The%20new%20Azure%20AD%20sign-in%20and%20%E2%80%9CKeep%20me%20signed%20in%E2%80%9D%20experiences%20rolling%20out%20now!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-141130%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%0A%3CP%3Eat%20o
Hi Srikanth, I'll reach out to you via DM to get more information so we can look into this.
Hi Unnie, thanks for the breakdown.

What are you trying to achieve with persistent cookies? If you have seamless SSO set up, every time your user goes to the Sharepoint site they will SSO automatically, which makes the need for a persistent cookie unnecessary.
Hey Vasil, the shared machine logic essentially stops showing the KMSI prompt if a different account has been used on the same browser. That logic will reset (and KMSI will show again) if you clear browser cookies, or if you continue to only sign in with that one account for a few days.

For the other user that's getting the prompt, are you using the same browser?

Thanks Kelvin. I did clear cookies, but that doesn't seem to have had any effect. And if it's cookie based, doesn't explain why I don't see the prompt in Private session or when using other browsers on the same machine? Is there perhaps any "server-side" component to it? Same machine, same browsers, same O365 tenant - one user gets the prompt in Private session, the other one does not.

It's the performance. Our home page for IE is SPO based intranet and it loads slowly because of the authentication hops from the site --> Microsoft login --> on-prem ADFS and then the journey back. The user can see the URLs changing and it takes a good 8-10 secs every time the browser is opened.
Thanks for verifying. We also take into account a risk score provided by our Identity mechanisms. We've had isolated reports that it is kicking in a tad bit too aggressively, but we don't have confirmation yet.

Can you please DM me the following:
1. UPN of the account you used where KMSI doesn't show and also the one where KMSI does show.
2. Correlation ID of the request when logging in on the account where KMSI doesn't show. You can get this by clicking on the three dots at the bottom right corner of the page when you're on the password screen.
Thanks for the details. We're going to take a look into this early next year once the team gets back into the office after the holidays.
Hi, MS admin for years, new here. Just saw this, perhaps it can help us. Our call to Microsoft (before this change) had no immediate fix. Our 8k+ users to o365/SPO need access to SP sites. We would like to use this ..."Keep me signed in" for most users. Others with Generic IDs which would only prompt for a password to get to secure content on SPO sites. Is this possible to do both? Details would be golden!!! Thanks, Joe

We are experiencing the same as @Vasil Michev, no KMSI prompt after successful sign-in in IE11 or Chrome. And every time browser is started a sign-in prompt (password) is shown. Also sign-in prompt is shown every time I open locally installed Outlook client.

Hi Teemu,

would you mind private messaging me your email address? I'll need some additional info (eg. traces) to investigate this.

Thanks,
Kelvin
Hi Joe,

can you please clarify what you're trying to achieve? Is this an issue that has occurred with the new sign-in experience or is this just new functionality you want enabled?
Hi Unnie, you can configure ADFS to pass the Persistent SSO (PSSO) claim so that Azure AD will automatically drop persistent cookies. That should get you what you need. You can find more information about PSSO here: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-single-sign-on-setti...

Hi,

at one of my customers I have exactly the same problem as Srikanth Komirishetty. Every time the browser is closed and reopened the Account Picking window is showing.

Hi Johannes, can you please private message me your email address and I'll reach out to you to get more information.

Hi @Vasil Michev, Thank you for the response. The old sign in page has "keep me signed in" check box that helps the user not be prompted to pick account or see login prompt the next time they re-launch the browser and access SharePoint site. The new UI has no such option any more.

 

The new ADFS version on Windows 2012 seems to have an option to create custom claim rules to issue PSSO claims that avoids "pick an account" prompt as shared by @Kelvin Xia.

 

As you recommended, I researched and I was able to create a SMART link which does the same job as "keep me signed in" check box. The user has to browse this link once, interestingly it won't even prompt for UPN (password not required as we are SSO) and process sets the persistent cookie on the machine and he/she never needs to pick account going forward.

 

The question I have now is, Our organization would like to enable PSSO but we are on ADFS 2.0 and Windows 2008 R2. The article on this link describes how to configure ADFS to issue PSSO claims but not sure if this applies to Windows 2008 R2.

I don't think so, it will most likely not recognize the claim.

We use SAML SSO with several vendors using ADFS as our iDp. Our ADFS server is under a different domain so we have a Claims Provider Trust setup with our AAD. We have an issue with the new sign-in experience. When a user initially signs in they get presented with the "Stay signed in?" prompt. If they say Yes a persistent cookie is set and things work like they should. However, if they were to go back to the iDp initiated signon page and log out for whatever reason, when they go to sign-in again they won't get the "Stay signed in?" prompt so it just sets a session cookie that is terminated if they close their browser. If they choose to go back to the old sign-in experience the "Keep me signed in" checkbox will be there so they once again can set a persistent cookie. Is this a known issue? Is there a fix for this?

Hi Andy, yes, this is a known issue where if the user first says "Yes" to the prompt, then explicitly signs out, they would not see the prompt again on subsequent sign ins for 3 days.

This is something we're looking into fixing.

We utilise WebDAV to map SharePoint Online drives for all of our 365 clients, and the new sign in has a critical flaw. After the initial sign in using IE the option to stay signed in is not presented, meaning that the mapped WebDAV drives do not reconnect. Returning to the old sign in and ticking the "Keep me signed in" still works fine however. If we log in to an InPrivate browser the stay signed in option returns, however this is no good to us as it will not map a drive this way. Resetting IE also returns the stay signed in prompt, however again this disappears after the initial sign in.

We're also not seeing it after the initial sign in, meaning that mapped drives no longer work. Very unhelpful.
Hi Greg, we just checked in a tweak to the prompt logic that should make the prompt show up a lot more consistently. Please look for it to release in a week or so.

I have Office 365 MFA enabled. When the "Keep me signed in" experience rolled out in December I saw it. I clicked on "Keep me signed in" and did not require authentication when I logged into Office 365 from any browser.

 

At some point in early January, I believe this changed. Now when I log in I get taken straight to my organization's login page, enter my credentials and I'm in. I have to log into Office 365 from my browser every day. The experience is the same across all my devices. I have not seen the "Keep me signed in" feature since.

 

Help please?!

 

 

Try clearing browser cookies and signing in again. Let me know if you see the "Keep me signed in" prompt then.

Hi Kelvin,

 

This did not work. I get taken to my organization's SSO page, get prompted for MFA accept prompt and then go straight to Office 365.

When you say "accept prompt" what prompt do you refer to?

I mean accept the push notification to my smartphone from MFA.

Hi Kelvin,

 

I would really appreciate some insight into this issue, we'd really like to communicate to our users about this change.

Can you please send me a fiddler trace of your login via private message?

Can you please send me instructions on how to run the Fiddler trace?

Please send me a private message with your email address and I'll send instructions via email. It'll be a lot easier that way.

Trying to understand exact implications of hiding the KMSI option. This link states, "Some features of SharePoint Online and Office 2010 depend on users being able to choose to remain signed in. If you set this option to No, your users may see additional and unexpected prompts to sign-in."

 

Is there a list of the features/functionality that may be impacted when hiding this option?

Hello,

 

I have one user who is having an issue of "looping." They sign into SharePoint via the SSO and then the page refreshes and says "you are already signed in" and just keeps spinning like it is trying to load the page. However, it never moves past the log in page. The only way we can move past is to log in again as another user.

Just spent about a day figuring out the same "keep me signed in" issue, as discussed here. The problem seems to be related to ADFS and WIA. I can provide some details on my customer's setup and how to reproduce the problem (got a workaround, too):

 

We have a federated O365 domain, ADFS on prem for authentication and WIA / IE trusted zones setup internally, so that no logon prompt used to display when accessing O365 resources (tested access to OneDrive in browser).

 

Internal behavior: With the new login experience, user name needs to be provided, redirect to ADFS and automatic logon succeed, then you are returned to your desired destination in your browser --> No prompt for "keep me signed in".

 

External behavior: User name needs to be provided, redirect to ADFS shows ADFS login page. Password must be entered there, redirect to MS happens (eventually MFA thereafter), then "keep me signed in" appears, can be set and works correctly.

 

What I already did:

  1. Removed the corresponding WIA agents from ADFS config to have the ADFS login page experience from internal clients. KMSI dialog from MS is not displayed.
  2. Enabled KMSI in ADFS properties and added claim rules to pass through PSSO claim. Now on the ADFS website, there is a keep me signed in checkbox, which does place a permanent cookie, so that subsequent logins (after closing and reopening the browser) are not required. The KMSI dialog from MS is not displayed. This is my current workaround, but not the desired state.

I think the problem is the combination of ADFS and WIA-enabled authentication from inside the corp network. The exact same setup works as expected from external locations, but not from internal ones. This used to work in the "old style".

 

I would gladly help getting this thing done, if you need more input. Just get in touch with me. Already checked this issue with a second setup, same behavior there ...

So my team and I sat down in a room to compare our different experiences. We found that each browser has settings that delete cookies. In Chrome I had this setting "Keep local data only until you quit your browser" turned on. When I turned this off I was presented with the "Stay Signed In" option and was able to stay logged in once I had authenticated and verified with MFA. I have not had to reauthenticate. This is a per browser setting. Each browser has different settings of course. We think Macs have a privacy setting Website Tracking Prevent cross-site-tracking and if this is checked this will prevent the Stay Signed in feature from working. I haven't confirmed yet but will update this post once we do.

 


@Kelvin Xia wrote:
May I know why you want to see the prompt even when SSO happens? By definition, when SSO'ed your user should just always automatically sign in without any interactive prompts. So, asking the user if they want to remain signed in doesn't really mean anything when SSO happens.

There is one case where it would be really useful to have KMSI available when using SSO and that is when Azure MFA is enabled, to allow to remain signed in without getting prompted for the MFA code each time the browser is launched. When outside the LAN the KMSI appears (since then SSO is not active), so no reason not to show KMSI when on the LAN.

 

Is there any thought to allow this? Thanks

 


@Kelvin Xia wrote:
May I know why you want to see the prompt even when SSO happens? By definition, when SSO'ed your user should just always automatically sign in without any interactive prompts. So, asking the user if they want to remain signed in doesn't really mean anything when SSO happens.

That's almost right, but: For SSO to work, you need to provide the username / email address / UPN (which may be saved, but has to be confirmed by clicking it) before SSO kicks in. This is the issue in our case.

 

Imagine the following (real-world) scenario: Customer is using a SharePoint Online document library to store attachments for his Navision users. So when clicking on a link in Navision to open such an attachment (mostly PDF documents), you would expect your PDF viewer to open. In the current situation, your browser opens asking for your login (which perhaps was saved before), you confirm it, SSO happens and the PDF opens. After doing whatever with the document, the user closes the PDF and the browser window. After that, he clicks the next link in Navision and the same happens ... browser, confirm username, SSO, PDF. Only by leaving open the browser (as a workaround), the annoying clicking and waiting can be bypassed.

 

This behavior most likely applies to any SharePoint related content storage ...

 

By using the persistent session token, a true SSO experience (as seen in the old version) could be setup again.

@Marc Debold

We are facing the same problem. External users get the KMSI dialog, internal users do not (both after authentication against ADFS). As a result SharePoint Online WebDAV is not working anymore. Have you found a solution to this?

Our organization is experiencing the same problems. We use ADFS for authentication. KMSI dialog is shown externally, but not internally. SPO WebDAV doesn't work anymore and users have to choose their UPN every time they launch the browser.

We are experiencing this issue as well.  Has there been any resolution identified?


@Jeroen Lammens wrote:
@Marc Debold

We are facing the same problem. External users get the KMSI dialog, internal users do not (both after authentication against ADFS). As a result SharePoint Online WebDAV is not working anymore. Have you found a solution to this?

We have opened a MS call and we are currently working on it. Until now, we have made no progress as MS (or at least the technician dealing with the ticket) claims this to be the way it is intended to work.

I'll report back as soon as I got news.

Hi everyone,

our recommendation to bypass the additional "Pick an account" prompt and redirect automatically to on-prem IdPs (eg. ADFS) for auth is to enable SharePoint auto-acceleration: https://support.office.com/en-us/article/enable-or-disable-auto-acceleration-for-your-sharepoint-onl...

Please take note of the call out on how this might not work if you have users that are external to your organization (guest users) access your SharePoint site.

If SharePoint auto-acceleration does not work for your environment, you can consider setting up ADFS to return the Persistent SSO claim with every sign in. That will cause Azure AD to drop a persistent token which will bypass the "Pick an account" screen.

@Kelvin Xia I think the last few complaints are about the WebDAV/mapped drives experience. Previously, we were able to make this persistent by making sure the "LoginOptions" parameter is passed via the smart links used. In the new experience, this seems to no longer be the case, thus the session expire more often and break the user experience.

Indeed, the KMSI screen does not show up after authentication against ADFS for our internal users. As a result, WebDAV/mapped drives are just not working anymore.

While I can understand this is legacy tech, it should still be supported until a replacement solution is delivered. I'm thinking along the lines of the OneDrive files-on-demand with the possibility to keep the synced files only in the cloud and not have them synced locally whenever one is opened (we don't have the storage for this / don't want to support this scenario).
To support SharePoint mapped drives with ADFS, we recommend setting up PSSO which will result in the same logic as a user manually checking the old KMSI checkbox.
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-single-sign-on-setti...
Hi Marc,

Is the screen where your user has to click on a username the "Pick an account" screen?

I believe that what you're seeing is caused by a different change in our code. Can you please send me a Fiddler trace of a user running through the scenario you mentioned and seeing the "Pick an account" prompt? Please DM me the trace so we can look into it.

Thanks,
Kelvin

Hi @Daniel Billington - we have exactly this issue since we enabled Azure MFA. Did you find any solution yet?

 

@Kelvin Xia this is really a big annoyance for anyone using Seamless SSO and MFA. The KMSI dialogue does not show up if Seamless SSO is enabled, which results in repeated MFA requests every time the browser is restarted. Once we disable Seamless SSO on the client side (Browser Intranet Zone), users see the KMSI and are able to stay signed in... no unnecessary MFA requests anymore. We still want to use both: Seamless SSO and MFA, but at the current state this is not possible. What's the best practice if we want to combine both methods?

 

EDIT: we are not using AD FS, instead we are relying on Azure AD Connect.

Hi Kelvin,

 

What is the recommendation where SPO acceleration is not an option e.g. due to large numbers of heavily utilised externally shared sites. In this scenario internal users will still get the "username" prompt (required to support the external users authentication flow to their IDP). Presumably as there is a "flag" set on the site to say it is externally shared and therefore should not support honour the accelerated redirect to ADFS.

 

And in addition where persistent SSO is not an option due to the security risks e.g. Persistent cookie coupled with insidecorporatenetwork claims result in users being issued a persistent cookie that can then be used when they travel off the corporate network.

 

Ideally it would seem better and easier if the accelerated feature differentiated between the corporate users (based on UPN suffix??)  and redirected the authentication to ADFS but allowed the redirection to the login.microsoftonline.com for the external users.

 

Any pointers on a supported solution or indication on when a fix for externally shared sites might become available?

 

Thanks


@Kelvin Xia wrote:
Hi Marc,

Is the screen where your user has to click on a username the "Pick an account" screen?

I believe that what you're seeing is caused by a different change in our code. Can you please send me a Fiddler trace of a user running through the scenario you mentioned and seeing the "Pick an account" prompt? Please DM me the trace so we can look into it.

Thanks,
Kelvin

Hi Kelvin,

yes, it is the "Pick an account" screen, that is displayed. I'll send the trace asap.

 

Marc


@Kelvin Xia wrote:
To support SharePoint mapped drives with ADFS, we recommend setting up PSSO which will result in the same logic as a user manually checking the old KMSI checkbox.
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-single-sign-on-setti...

That claim did not work for me and my customers (tried it with two different setups), but MS support supplied the following claim rule, that works just perfectly:

 

c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"]
 => issue(Type = "http://schemas.microsoft.com/2014/03/psso", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

Using this rule gets rid of the username prompt "Pick an account". For my customer that is the solution to the problem.

 

@Kelvin Xia: I'd be pleased to keep on working on the "Pick an account" prompt to get it working as designed.

This new rule has worked for us so far! Thanks.
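
Much of the thread above turns on whether a sign-in left a persistent cookie or only a session cookie that is gone when the browser closes. As an added example (not code from any poster or from Microsoft), this Python script reads a HAR export of a sign-in trace and reports, per host, whether each cookie was set as session, persistent or deleted; the hosts, cookie names and values in the sample are constructed placeholders, and it assumes the trace was exported in HAR format.

```python
import json
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Constructed sample trace: hosts, cookie names and values are placeholders.
SAMPLE_HAR = json.loads(r"""
{"log": {"entries": [
  {"startedDateTime": "2018-01-10T09:15:02.000Z",
   "request": {"url": "https://login.example.test/kmsi"},
   "response": {"headers": [
     {"name": "Set-Cookie", "value": "sso_session=abc; Path=/; Secure; HttpOnly"},
     {"name": "Set-Cookie", "value": "sso_persistent=def; Expires=Mon, 09 Apr 2018 09:15:02 GMT; Path=/; Secure"}]}},
  {"startedDateTime": "2018-01-10T09:15:04.000Z",
   "request": {"url": "https://sts.example.test/adfs/ls/"},
   "response": {"headers": [
     {"name": "set-cookie", "value": "sts_auth=ghi; Path=/adfs; Secure\nsts_old=; Max-Age=0; Path=/adfs"}]}}
]}}
""")


def classify_set_cookie(header, now):
    """Return (name, kind) for one Set-Cookie value received at `now` (aware UTC)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    lifetime = None  # seconds the browser keeps the cookie; None means session
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        try:
            lifetime = int(attrs["max-age"])
        except ValueError:
            pass  # malformed Max-Age is ignored, Expires may still apply
    if lifetime is None and "expires" in attrs:
        try:
            exp = parsedate_to_datetime(attrs["expires"])
            if exp.tzinfo is None:
                exp = exp.replace(tzinfo=timezone.utc)
            lifetime = (exp - now).total_seconds()
        except (TypeError, ValueError):
            pass  # unparseable date: treated as if the attribute were absent
    if lifetime is None:
        return name, "session"
    return name, "persistent" if lifetime > 0 else "deleted"


def cookies_by_host(har):
    """Map host -> {cookie name: last observed kind} across the whole trace."""
    result = {}
    for entry in har["log"]["entries"]:
        now = datetime.fromisoformat(entry["startedDateTime"].replace("Z", "+00:00"))
        if now.tzinfo is None:
            now = now.replace(tzinfo=timezone.utc)
        host = urlsplit(entry["request"]["url"]).hostname
        for hdr in entry["response"]["headers"]:
            if hdr["name"].lower() != "set-cookie":
                continue
            # Some exporters join several Set-Cookie headers with newlines.
            for line in hdr["value"].split("\n"):
                if line.strip():
                    name, kind = classify_set_cookie(line, now)
                    result.setdefault(host, {})[name] = kind
    return result


if __name__ == "__main__":
    for host, cookies in cookies_by_host(SAMPLE_HAR).items():
        for name, kind in cookies.items():
            print(f"{host:25} {name:18} {kind}")
```

A real trace contains live authentication cookies, so handle the export as you would a credential and share it only over a private channel.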
