Forum Discussion
EricStarker
Nov 15, 2017 (Former Employee)
The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!
We're excited to announce that the general availability rollout of the new Azure AD sign-in and “Keep me signed in” experiences has started! These experiences should reach all users globally by the e...
Kelvin Xia
Feb 21, 2018 (Former Employee)
Hi everyone,
Our recommendation to bypass the additional "Pick an account" prompt and redirect automatically to on-prem IdPs (e.g. ADFS) for auth is to enable SharePoint auto-acceleration: https://support.office.com/en-us/article/enable-or-disable-auto-acceleration-for-your-sharepoint-online-tenancy-74985ebf-39e1-4c59-a74a-dcdfd678ef83
Please take note of the callout about how this might not work if you have users external to your organization (guest users) accessing your SharePoint site.
If SharePoint auto-acceleration does not work for your environment, you can consider setting up ADFS to return the Persistent SSO claim with every sign-in. That will cause Azure AD to drop a persistent token, which will bypass the "Pick an account" screen.
VasilMichev
Feb 22, 2018 (MVP)
Kelvin Xia, I think the last few complaints are about the WebDAV/mapped drives experience. Previously, we were able to make this persistent by making sure the "LoginOptions" parameter is passed via the smart links used. In the new experience, this seems to no longer be the case, thus the sessions expire more often and break the user experience.
Jeroen Lammens
Feb 23, 2018 (Brass Contributor)
Indeed, the KMSI screen does not show up after authentication against ADFS for our internal users. As a result, WebDAV/mapped drives are just not working anymore.
While I can understand this is legacy tech, it should still be supported until a replacement solution is delivered. I'm thinking along the lines of OneDrive Files On-Demand with the possibility to keep the synced files only in the cloud and not have them synced locally whenever one is opened (we don't have the storage for this / don't want to support this scenario).
Kelvin Xia
Feb 23, 2018 (Former Employee)
To support SharePoint mapped drives with ADFS, we recommend setting up PSSO, which will result in the same logic as a user manually checking the old KMSI checkbox.
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-single-sign-on-settings#enable-psso-for-office-365-users-to-access-sharepoint-online
Marc Debold
Feb 26, 2018 (Copper Contributor)
Kelvin Xia wrote:
To support SharePoint mapped drives with ADFS, we recommend setting up PSSO, which will result in the same logic as a user manually checking the old KMSI checkbox.
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-single-sign-on-settings#enable-psso-for-office-365-users-to-access-sharepoint-online
That claim did not work for me and my customers (tried it with two different setups), but MS support supplied the following claim rule, which works just perfectly:
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"] => issue(Type = "http://schemas.microsoft.com/2014/03/psso", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
Using this rule gets rid of the username prompt "Pick an account". For my customer that is the solution to the problem.
Kelvin Xia: I'd be pleased to keep on working on the "Pick an account" prompt to get it working as designed.
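As an added example (not from the thread, and not Microsoft's documented procedure), the PowerShell below, run in an elevated session on the primary ADFS server, appends the claim rule Marc posted to the issuance transform rules of the Office 365 relying party trust, but only if no existing rule already issues the psso claim, so re-running it is safe. The relying party display name is assumed to be the default "Microsoft Office 365 Identity Platform"; confirm it with Get-AdfsRelyingPartyTrust before running.

```powershell
# Added example: idempotently add the PSSO-for-intranet claim rule from the thread
# to the Office 365 relying party trust. $RpName is an assumption: adjust it to
# match the output of  Get-AdfsRelyingPartyTrust | Select-Object Name
$RpName   = 'Microsoft Office 365 Identity Platform'
$PssoType = 'http://schemas.microsoft.com/2014/03/psso'
$IcnType  = 'http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork'

# The rule from the thread: copy the insidecorporatenetwork claim into a psso claim,
# so only sign-ins ADFS classified as coming from the corporate network get PSSO.
$PssoRule = @"
@RuleName = "Issue PSSO for intranet sign-ins"
c:[Type == "$IcnType"]
 => issue(Type = "$PssoType", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
"@

$rp = Get-AdfsRelyingPartyTrust -Name $RpName
if (-not $rp) { throw "Relying party trust '$RpName' not found" }

$existing = [string]$rp.IssuanceTransformRules
if ($existing -match [regex]::Escape($PssoType)) {
    Write-Host "A rule on '$RpName' already issues $PssoType; no change made."
} else {
    # Keep every current rule and append the new one as its own rule block.
    $updated = $existing.TrimEnd() + "`r`n`r`n" + $PssoRule
    Set-AdfsRelyingPartyTrust -TargetName $RpName -IssuanceTransformRules $updated
    Write-Host "Added PSSO rule to '$RpName'."
}

# Verify: list the rule names now configured on the trust.
(Get-AdfsRelyingPartyTrust -Name $RpName).IssuanceTransformRules -split "`r?`n" |
    Where-Object { $_ -like '@RuleName*' }
```

Because the rule is conditioned on the insidecorporatenetwork claim, it only issues PSSO for sign-ins ADFS treats as intranet; users coming through the extranet path still get the non-persistent behaviour, which keeps persistent tokens off unmanaged networks.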