Inconsistent KMSI Behaviour with Third Party App


Hi there. I have an enterprise app which uses Entra single sign-on and have observed some inconsistent behaviour when signing into the app either on the company network or when signing in from home (off-network) which I can't account for. When signing in on the company network, the end user is prompted by KMSI, but when they are off-network they are not.

 

The app login behaviour is such that it asks for credentials every time the user wishes to log in. Compare that with other apps which use the persistent browser session to log in without challenge for credentials. KMSI is only displayed when on the company network. This is actually quite annoying, because staff have to interact with the prompt to no avail every time they log into the app, which is multiple times a day - I would go so far as to say that it is deeply undesirable behaviour - but I believe this is expected behaviour for an app which doesn't use the persistent cookie.

 

On the other hand, when accessing from home, a user is prompted for credentials only - KMSI does not appear. This is ideal from an end user point of view, and my aim is to replicate this behaviour within the company network too, once I understand the problem a bit better.

 

If I jump on the VPN, I'm challenged by KMSI again. This is true for both Windows and macOS.

 

First thing to say is that the option to show KMSI is turned on in Azure User Settings.

 

I didn't configure the enterprise app, but I do have access to the config, and it looks OK to my eyes. I certainly can't see anything in the config that governs how it behaves depending on whether it's being accessed from within or outside the company network, if that's even possible. As I said, the app does not seem to use the persistent browser session, and when clicking log out in the enterprise app I assume it destroys the persistent cookie (if it even creates it). This is supposition on my part, because I don't know how to check this, but based on that assumption I believe the on-network behaviour is 'correct' (albeit undesirable).

 

One thing we do have is a conditional access policy that applies only outside the company network. I'm aware that the 'persistent browser' setting might override the global 'show KMSI' setting - in our case this is set to 'yes', but I'm not sure if it's part of the issue because I don't believe the enterprise app makes use of the persistent browser session.

 

My question is - is the on-network behaviour expected in this scenario?

 

And secondly, how would I go about troubleshooting the off-network behaviour? I've checked the logs and can see that for every login attempt from within the company network there is a preceding log with status 'Interrupted', corresponding to the KMSI prompt. These are simply missing when logging in from home.

 

Regards,

Robert

 
0 Replies
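The comparison the post describes (on-network sign-ins preceded by an 'Interrupted' event, off-network sign-ins without one) can be pulled out of the Entra sign-in logs with the Microsoft Graph PowerShell SDK, and the same session can list which Conditional Access policies carry a persistent-browser session control. The script below is an added example and is not part of the original post or of any Microsoft documentation; `$AppName` and `$CorpPrefixes` are placeholders to be replaced with the enterprise app's display name and the egress ranges of the company network and VPN, and the mapping of the KMSI interrupt to error code 50140 (AADSTS50140) should be confirmed against the `FailureReason` text in your own tenant.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph.Reports and
# Microsoft.Graph.Identity.SignIns modules and an account holding the scopes below.
Import-Module Microsoft.Graph.Reports
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'Policy.Read.All' -NoWelcome

$AppName      = 'Contoso Payroll'               # placeholder: display name of the enterprise app
$CorpPrefixes = @('203.0.113.', '198.51.100.')  # placeholder: egress ranges of the company network / VPN
$Since        = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# 1. Pull the last week of interactive sign-ins for the app.
$signIns = Get-MgAuditLogSignIn -All -Filter "appDisplayName eq '$AppName' and createdDateTime ge $Since"

# 2. Tag each event as on- or off-network and flag the KMSI interrupt.
#    Assumption: Entra records the "Keep me signed in" interrupt as error code 50140 (AADSTS50140);
#    compare with $_.Status.FailureReason if your tenant shows something different.
$rows = $signIns | ForEach-Object {
    $ip = $_.IpAddress
    [pscustomobject]@{
        Time       = $_.CreatedDateTime
        User       = $_.UserPrincipalName
        Ip         = $ip
        Network    = if ($CorpPrefixes | Where-Object { $ip.StartsWith($_) }) { 'on-network' } else { 'off-network' }
        ErrorCode  = $_.Status.ErrorCode
        KmsiPrompt = ($_.Status.ErrorCode -eq 50140)
        CaStatus   = $_.ConditionalAccessStatus
        CaPolicies = ($_.AppliedConditionalAccessPolicies |
                        Where-Object Result -ne 'notApplied' |
                        ForEach-Object { "$($_.DisplayName)=$($_.Result)" }) -join '; '
    }
}

# 3. Summarise per network. If the post's observation holds, the on-network bucket contains
#    KMSI interrupts and the off-network bucket contains none but shows a CA policy applied.
$rows | Group-Object Network | ForEach-Object {
    [pscustomobject]@{
        Network     = $_.Name
        SignIns     = $_.Count
        KmsiPrompts = ($_.Group | Where-Object KmsiPrompt).Count
        CaApplied   = ($_.Group | Where-Object CaStatus -eq 'success').Count
    }
} | Format-Table -AutoSize

# Optional: the individual off-network events, to see which policy names were applied.
$rows | Where-Object Network -eq 'off-network' |
    Sort-Object Time -Descending | Select-Object -First 10 Time, User, Ip, ErrorCode, CaPolicies |
    Format-Table -AutoSize

# 4. List every CA policy that sets a persistent-browser session control, with its location scope.
#    A persistent-browser control (in either mode) suppresses the KMSI prompt for the sign-ins
#    the policy applies to; sign-ins the policy does not cover fall back to the tenant-wide
#    "Show option to remain signed in" setting.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.SessionControls.PersistentBrowser } |
    Select-Object DisplayName, State,
        @{ n = 'PersistentBrowser'; e = { $_.SessionControls.PersistentBrowser.Mode } },
        @{ n = 'IncludeLocations';  e = { $_.Conditions.Locations.IncludeLocations -join ',' } },
        @{ n = 'ExcludeLocations';  e = { $_.Conditions.Locations.ExcludeLocations -join ',' } } |
    Format-Table -AutoSize
```

Run it once while signed in from the company network and once from home, then compare the `KmsiPrompts` and `CaApplied` columns against the policy list from step 4: a policy scoped to off-network locations that sets `PersistentBrowser` is the usual reason the two locations differ.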