A Guide to Disable ‘Stay Signed In’ Prompt in Microsoft 365
The ‘Stay signed in?’ option reduces the number of times users are prompted to sign into Microsoft 365 services. This prompt was previously the ‘Keep me signed in’ (KMSI) checkbox, part of Microsoft 365 company branding.
This convenience especially benefits users of services like SharePoint Online, which has no dedicated desktop client. However, accepting this option on a public computer and then closing the browser without signing out poses a significant security risk 😱. In that case, the next person using the browser can access the user’s account.
In this blog, we will explore how administrators can disable the ‘Stay signed in?’ prompt through the Microsoft Entra admin center to mitigate this risk.
The ‘Stay signed in?’ prompt appears after the successful authentication of the user’s first sign-in with a particular browser profile. The same prompt also appears for users who successfully authenticate with the federated identity service.
When a user selects ‘Yes’ in the ‘Stay signed in?’ prompt, a persistent authentication cookie gets stored in their browser. This cookie allows access to M365 services without requiring users to re-enter credentials or undergo multi-factor authentication each time they start a new browser session.
If the user selects ‘No’ in the prompt, a non-persistent cookie is issued, allowing password entry to be skipped for 24 hours or until the user closes their browser.
Managing the ‘Keep me signed in’ prompt requires Global administrator rights and a Microsoft Entra ID P1 or P2 license for your tenant. By default, the ‘Show keep user signed in?’ option is enabled.
Note that even if users don’t respond to the ‘Stay signed in?’ prompt after authentication, Microsoft Entra’s sign-in logs still record every attempted login. The prompt itself is technically referred to as an “interrupt”.
To stop users from seeing this interrupt, you need to disable the ‘Stay signed in?’ prompt or configure browser session control for the users.
Follow the simple steps described here to disable the appearance of the KMSI prompt via the Microsoft Entra admin center.
- Go to the Microsoft Entra admin center and navigate to the Identity tab.
- Then, head to the Users tab and select the User settings option.
- There, set the Show keep user signed in toggle to No and click Save. Conversely, if the KMSI prompt is already disabled and you want to enable it for the entire organization, set the Show keep user signed in toggle to Yes.
Warning:
- Certain functionalities in SharePoint Online and Office 2010 rely on users staying signed in. In that case, if you choose to hide this option, users might encounter extra and unexpected sign-in prompts.
- After you disable the ‘Stay signed in?’ prompt in Office 365, users who have already accepted the ‘Keep me signed in’ option won’t be signed out. To ensure immediate logout for users who are still signed in from previous sessions, initiate a force sign-out and revoke their access.
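The force sign-out mentioned above can be scripted with Microsoft Graph PowerShell. The following is an added example, not code from the original post; it assumes the Microsoft.Graph SDK is installed and that the admin running it can consent to the User.RevokeSessions.All permission. The user principal names are constructed sample values.

```powershell
# Added example (not from the original post): revoke sessions for users who
# accepted 'Keep me signed in' before the prompt was disabled.
# Assumes the Microsoft.Graph PowerShell SDK and the User.RevokeSessions.All
# permission; the UPNs below are constructed sample values.
Connect-MgGraph -Scopes "User.RevokeSessions.All"

$users = @(
    "alex@contoso.example",     # constructed sample value
    "jordan@contoso.example"    # constructed sample value
)

foreach ($upn in $users) {
    try {
        # Revoke-MgUserSignInSession invalidates every refresh token and
        # browser session cookie issued to the user. Access tokens that an
        # application already holds stay valid until they expire (normally up
        # to an hour), so web sessions end on the next token refresh, not
        # at the instant this call returns.
        Revoke-MgUserSignInSession -UserId $upn -ErrorAction Stop | Out-Null
        Write-Output "Sessions revoked for $upn"
    }
    catch {
        Write-Warning "Revocation failed for ${upn}: $($_.Exception.Message)"
    }
}
```

Run it once after flipping the toggle, then confirm in the sign-in logs that the affected users authenticate afresh on their next browser session.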
Configuring persistent browser sessions through the Conditional Access policy allows users to remain signed in or signed out upon browser restart. This feature enables admins to deactivate the KMSI prompt for specific users or groups (such as for administrators), without impacting the sign-in experience for other users.
To keep the users signed in or signed out after a browser session, just follow the steps stated here:
- Navigate to Protection -> Conditional Access in the Microsoft Entra admin center.
- Click on the Create new policy option.
- Provide a meaningful name for the policy in the Name text box.
- After that, select the users or groups based on your requirements.
- Next, choose All cloud apps for the Target resources.
- In the Session control, check the Persistent browser session box and choose the required option from the drop-down.
  - Always persistent: Selected users will remain signed in even if the browser is closed.
  - Never persistent: Selected users will be signed out after closing the browser (a new sign-in is required for the next session).
- Then, click on Select.
- Turn On the policy and finally, click on the Create button.
Note: If you select Never persistent, it overrides persistent SSO claims from the federated authentication services. It also prevents SSO on mobile devices between applications and the user’s mobile browser.
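The same policy can be created through Microsoft Graph PowerShell, which is useful when the policy must be reproducible across tenants. The following is an added example, not the post’s own code; it assumes the Microsoft.Graph SDK is installed, that the admin can consent to Policy.ReadWrite.ConditionalAccess, and that the group id, excluded user id and policy name are placeholders you replace. It also goes slightly beyond the portal steps: it defaults to report-only mode and excludes a break-glass account, both of which are common safeguards when rolling out session controls.

```powershell
# Added example (not from the original post): create a persistent browser
# session Conditional Access policy with Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph SDK and Policy.ReadWrite.ConditionalAccess;
# all ids and the display name below are constructed placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

function New-PersistentBrowserSessionPolicy {
    param(
        [Parameter(Mandatory)] [string]   $DisplayName,
        [Parameter(Mandatory)] [string[]] $IncludeGroupIds,
        [string[]] $ExcludeUserIds = @(),                 # e.g. break-glass accounts
        [ValidateSet("always", "never")] [string] $Mode = "never",
        [switch]   $Enforce                               # default is report-only
    )

    # Report-only mode records in the sign-in logs who the policy would affect
    # without signing anyone out; switch to -Enforce once the log looks right.
    $state = if ($Enforce) { "enabled" } else { "enabledForReportingButNotEnforced" }

    $body = @{
        displayName     = $DisplayName
        state           = $state
        conditions      = @{
            users        = @{
                includeGroups = $IncludeGroupIds
                excludeUsers  = $ExcludeUserIds
            }
            applications = @{ includeApplications = @("All") }   # 'All cloud apps'
        }
        sessionControls = @{
            persistentBrowser = @{
                isEnabled = $true
                mode      = $Mode     # 'always' or 'never', as in the drop-down
            }
        }
    }

    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Sign members of a hypothetical admins group out whenever the browser closes.
# The excluded id stands for a break-glass account so an over-broad policy
# cannot lock the tenant's emergency access out.
New-PersistentBrowserSessionPolicy `
    -DisplayName     "Never persistent browser session - admins" `
    -IncludeGroupIds @("00000000-0000-0000-0000-000000000001") `
    -ExcludeUserIds  @("00000000-0000-0000-0000-0000000000ff") `
    -Mode            never
```

Pass `-Mode always` together with the tenant-wide KMSI toggle turned off to implement the first tip below; pass `-Mode never` with the toggle left on to implement the second. Because the session control is the only control in the policy, no grant control is needed.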
In the following scenarios, the ‘Keep me signed in’ prompt doesn’t show along with the authentication even if it is enabled in your organization:
- If the user who is signing in is a guest in your M365 tenant.
- When the user’s risk score is high.
- When the user is signed in using Active Directory Federation Services (AD FS) and Integrated Windows Authentication (IWA).
- When the user is signed in via the Single sign-on (SSO) and Integrated Windows Authentication (IWA).
- During a sign-in that occurs in the context of a user or admin consent flow.
- When persistent browser session control is configured within a Conditional Access policy.
- If the machine learning system identifies sign-in from a shared device.
- If you want to suppress the sign-in prompts for your entire organization and only allow some users to remain signed in, turn off the Azure AD ‘Stay signed in?’ prompt. Then, use the persistent browser session policy with the Always persistent session option.
- If you want to have the sign-in prompt enabled for your entire organization and want to disable it for selected users alone, leave the KMSI in Azure AD as it is. Then, use the persistent browser session policy with the Never persistent session option to sign out the users immediately after closing the browser.
- To eliminate the security risk that the KMSI option in Microsoft 365 creates on public computers, you can configure device-based Conditional Access policies. This prevents users from signing in from unknown devices.
- Even if users select ‘Yes’ on the ‘Keep me signed in’ prompt, it won’t work for users in the following scenarios: if the idle session timeout for M365 web apps is enabled or if the Entra portal session timeout is enforced.
Emphasizing the balance between user convenience and account security, this blog helps you configure or remove the ‘Stay signed in?’ prompt. The guide also addresses managing the ‘Stay signed in?’ prompt using the persistent browser session controls through Conditional Access. Stay tuned for a holistic understanding of seamless and secure usage of Microsoft 365 services.