-
Notifications
You must be signed in to change notification settings - Fork 286
/
how-to-manage-stay-signed-in-prompt.yml
93 lines (68 loc) · 5.6 KB
/
how-to-manage-stay-signed-in-prompt.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
### YamlMime:HowTo
---
metadata:
title: Manage the 'Stay signed in' prompt in Microsoft Entra ID
description: Learn how the 'Stay signed in' prompt for Microsoft Entra users works and how to configure it in Microsoft Entra ID.
author: shlipsey3
ms.author: sarahlipsey
manager: amycolannino
ms.reviewer: almars
ms.date: 01/16/2024
ms.service: entra
ms.subservice: fundamentals
ms.topic: how-to
ms.custom:
- ge-structured-content-pilot
# Customer intent: As an IT admin, I want to know how to configure the 'Stay signed in' prompt for Microsoft Entra users, so their sign-in experience is not interrupted unnecessarily.
title: |
Manage the 'Stay signed in?' prompt
introduction: |
The **Stay signed in?** prompt appears after a user successfully signs in. This process is known as **Keep me signed in (KMSI)** and was previously part of the [customize branding](how-to-customize-branding.md) process.
This article covers how the KMSI process works, how to enable it for customers, and how to troubleshoot KMSI issues.
prerequisites:
summary: |
Configuring the 'keep me signed in' (KMSI) option requires one of the following licenses:
- Microsoft Entra ID P1 or P2
- Office 365 (for Office apps)
- Microsoft 365
You must have the **Global Administrator** role to enable the 'Stay signed in?' prompt.
## How does it work?
If a user answers **Yes** to the **'Stay signed in?'** prompt, a persistent authentication cookie is issued. The cookie must be stored in session for KMSI to work. KMSI doesn't work with locally stored cookies. If KMSI isn't enabled, a non-persistent cookie is issued and lasts for 24 hours or until the browser is closed.
The following diagram shows the user sign-in flow for a managed tenant and federated tenant using the KMSI in prompt. This flow contains smart logic so that the **Stay signed in?** option isn't displayed if the machine learning system detects a high-risk sign-in or a sign-in from a shared device. For federated tenants, the prompt will show after the user successfully authenticates with the federated identity service.
Some features of SharePoint Online and Office 2010 depend on users being able to choose to remain signed in. If you uncheck the **Show option to remain signed in** option, your users might see other unexpected prompts during the sign-in process.
:::image type="content" source="media/how-to-manage-stay-signed-in-prompt/kmsi-workflow.png" alt-text="Diagram showing the user sign-in flow for a managed vs. federated tenant.":::
procedureSection:
- title: |
Enable the 'Stay signed in?' prompt
summary: |
[!INCLUDE [portal update](../includes/portal-update.md)]
The KMSI setting is managed in **User settings**.
steps:
- |
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](~/identity/role-based-access-control/permissions-reference.md#global-administrator).
- |
Browse to **Identity** > **Users** > **User settings**.
:::image type="content" source="media/how-to-manage-stay-signed-in-prompt/user-settings-page.png" alt-text="Screenshot of the User settings page in Microsoft Entra ID.":::
- |
Set the **Show keep user signed in** toggle to **Yes**.
:::image type="content" source="media/how-to-manage-stay-signed-in-prompt/show-keep-user-signed-in.png" alt-text="Screenshot of the Show keep user signed in prompt." lightbox="media/how-to-manage-stay-signed-in-prompt/show-keep-user-signed-in-expanded.png":::
## Troubleshoot 'Stay signed in?' issues
If a user doesn't act on the **Stay signed in?** prompt but abandons the sign-in attempt, a sign-in log entry appears in the Microsoft Entra sign-in logs. The prompt the user sees is called an "interrupt."
:::image type="content" source="media/how-to-manage-stay-signed-in-prompt/kmsi-stay-signed-in-prompt.png" alt-text="Screenshot of the Sample Stay signed in? prompt.":::
Details about the sign-in error are found in the **Sign-in logs**. Select the impacted user from the list and locate the following details in the **Basic info** section.
- **Sign in error code**: 50140
- **Failure reason**: This error occurred due to "Keep me signed in" interrupt when the user was signing in.
You can stop users from seeing the interrupt by setting the **Show option to remain signed in** setting to **No** in the user settings. This setting disables the KMSI prompt for all users in your directory.
You also can use the [persistent browser session controls in Conditional Access](~/identity/conditional-access/howto-conditional-access-session-lifetime.md) to prevent users from seeing the KMSI prompt. This option allows you to disable the KMSI prompt for a select group of users without affecting sign-in behavior for everyone else in the directory.
To ensure that the KMSI prompt is shown only when it can benefit the user, the KMSI prompt is intentionally not shown in the following scenarios:
- User is signed in via seamless SSO and integrated Windows authentication (IWA)
- User is signed in via Active Directory Federation Services and IWA
- User is a guest in the tenant
- User's risk score is high
- Sign-in occurs during user or admin consent flow
- Persistent browser session control is configured in a Conditional Access policy
relatedContent:
- text: Learn how to customize branding for sign-in experiences
url: how-to-customize-branding.md
- text: Manage user settings in Microsoft Entra ID
url: how-to-manage-user-profile-info.yml