The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!

Hi, 

Many of our users have set a site, library or folder as favorites in File Explorer which connects through webdav(?) to SharePoint. As we are using SSO, users don't get the option 'keep me signed in' anymore. This causes a permission denied when opening the folder or library in file explorer -> no cookie is saved. Is there a workaround to have the cookie or 'Keep me signed in' back? 

Thanks

Bernd

We utilise WebDAV to map SharePoint Online drives for all of our 365 clients, and the new sign in has a  critical flaw. After the initial sign in using IE the option to stay signed in is not presented, meaning that the mapped WebDAV drives do not reconnect. Returning to the old sign in and ticking the "Keep me signed in" still works fine however. If we log in to an inprivate browser the stay signed in option returns, however this is no good to us as it will not map a drive this way. Resetting IE also returns the 

stay signed in prompt, however again this disappears after the initial sign in.

Just spent about a day figuring out the same "keep me signed in" issue, as discussed here. The problem seems to be related to ADFS and WIA. I can provide some details on my customers setup and how to reproduce the problem (got a workaround, too):

We have a federated O365 domain, ADFS on prem for authentication and WIA / IE trusted zones setup internally, so that no logon prompt used to display when accessing O365 resources (tested access to OneDrive in browser).

Internal behavior: With the new login experience, user name needs to be provided, redirect to ADFS and automatic logon succeed, then you are returned to your desired destination in your browser --> No prompt for "keep me signed in".

External behavior: User name needs to be provided, redirect to ADFS shows ADFS login page. Password must be entered there, redirect to MS happens (eventually MFA thereafter), then "keep me signed in" appears, can be set and works correctly.

What I already did:

1. Removed the corresponding WIA agents from ADFS config to have the ADFS login page experience from internal clients. KMSI dialog from MS is not displayed.
2. Enabled KMSI in ADFS properties and added claim rules to pass through PSSO claim. Now on the ADFS website, there is a keep me signed in checkbox, which does place a permanent cookie, so that subsequent logins (after closing and reopening the browser) are not required. The KMSI dialog from MS is not displayed. This is my current workaround, but not the desired state.

I think, the problem is the combination of ADFS and WIA-enabled authentication from inside the coorp network. The exactly same setup works as expected from external locations, but not from internal ones. This used to work in the "old style".

I would gladly help getting this thing done, if you need more input. Just get in touch with me. Already checked this issue with a second setup, same behavior there ...

Hi, we are using a Federated domain With local ADFS. Before this change, single signon worked without any questions when we are logged into the local domain.

Now, after this New "experience", Our users must click on a Choice on the keep me logged in or not page. This is an anucence for Our users. We use Azure AD for authentication to Our intranet in the cloud.

Is there a setting on an Application or Azure AD Directory, or a URL parameter or similar that can be used to disable this?

Hi,

while I do see some benefit on the KMSI feature for regular users, I would prefer to have privileged admin accounts be prompted for MFA Login in their browser profiles every time.

How can I achieve this without turning the feature off for everyone?

Regards,

Karsten

Current set up

We have SharePoint Online site with auto acceleration enabled. Our Azure AD is federated with on-premise ADFS. We have seamless SSO working in IE where user does not need to type any username password.

Problem statement:

By default, when the user logins in thru IE, only Session cookie is generated, so when the user closes the browser and reopens the user is authenticated again. Also, the new KMSI (Keep me signed In) screen is not displayed to the user during the login experience in IE, so there is no way for user to generate persistent cookie which works across multiple sessions. In chrome, user can see the KMSI screen and hence persistent cookies can be generated.

Questions:

 Is there a way by which global admin can configure such that all users by default gets persistent cookies instead of session cookie, so that they don’t even need to click “yes” in KMSI screen?

I saw below blog where it says to create custom claim rule in ADFS to issue Persistent SSO claim. But again, the last line of the blog says “As of right now, AAD does not support SAML based use of the Persistent Single Sign On Claim / SAML attribute.” So, is this blog relevant now?

https://blogs.technet.microsoft.com/sposupport/2017/09/16/cookie-persistence-in-sharepoint-online/   

I have Office 365 MFA enabled. When the "Keep me signed in" experience rolled out in December I saw it. I clicked on Keep me signed in did not require authentication when I logged into Office 365 from any browser.

At some point in early January, I believe this changed. Now when I log in I get taken straight to my organization's login page, enter my credentials and I'm in. I have to log into Office 365 from my browser every day. The experience is the same across all my devices. I have not seen the "Keep me signed in" feature since.

Help please?!

Trying to understand exact implications of hiding the KMSI option.  This link states, "Some features of SharePoint Online and Office 2010 depend on users being able to choose to remain signed in. If you set this option to No, your users may see additional and unexpected prompts to sign-in." 

Is there a list of the features/functionality that may be impacted when hiding this option?

EricStarker Do you have any information on the ADFS web theme to allow on-premises ADFS look and feel to match the new sign in experience?  We saw some information during the original preview announcement that this would be coming but are unable to find any info.  We have our TAM also checking for information but thought I'd check here as well.

Okay, but what if that is entirely undesirable behavior in half of your use cases?  When my users are on their personal computers, this is a good thing.  When they are using one of our many shared workstations, the last thing I want is for them to be encouraged to "Stay signed in".  

How do I prevent it from being offered on office computers without preventing it on their personal devices?  Most, though not all, of our offices are AD joined, so if there's a GPO I can push out please indicate that in some way.

If the classic login screen can be permanently forced per-domain (per tenant may not work for our parent company), that would also be acceptable. 

Because as it stands, this is a horrible idea.  I'm going to have realtors reading each other's emails after we told them we were setting them up with MFA to keep anyone else from getting into their email.