Azure AD/Office 365 with managed identity, no ADFS, and Chrome


Not sure if I can describe this but here goes!

Remember: no ADFS, using managed identity and using MFA.


So we have Chrome users that, when they are on-prem with a domain-joined device, do not get the option to select "keep me signed in" (KMSI). Oddly enough, if they are on a less trusted device like a kiosk somewhere, they get the prompt and can KMSI. Seems strange to me. We've added "remember my device" (RMD) for the Chrome users for now, but I don't like doing that. Also, doing RMD messes up the modern app clients, since they are forced to re-auth once the RMD time expires.

What am I doing wrong?


Hopefully this makes sense.

thanks

4 Replies

@Kelvin Xia might be able to help here.

Hey Tony,


The "Stay signed in?" prompt does not show when any sort of SSO is set up. In your case, it might be either Browser SSO (if the managed Azure AD account is added to Windows) or Seamless SSO. We don't show the prompt in SSO cases, as throwing a prompt breaks the promise of SSO.


If the kiosk devices do not have SSO enabled (which I assume is the case, since they are shared), we'll show the "Stay signed in?" prompt on login, but will suppress that prompt if we detect that more than one account has been used in the browser.


If you want to completely disable the prompt, use the 'Show option to remain signed in' setting in Company Branding:

https://docs.microsoft.com/en-us/azure/active-directory/customize-branding

So this all goes back to true SSO vs. managed identity: which would you choose if you have many third-party RPs/SPs? Currently we use both Azure AD and ADFS to handle this, and we use the entire O365 suite with AAD Connect. Seems like ADFS checks more boxes than AAD Connect and would enable true SSO, correct? So confused.

We also use published applications which utilize managed service identities (MSI), which I think are not compatible with ADFS, correct?