Configure the 'Stay signed in?' prompt for Azure AD accounts

Keep me signed in (KMSI) displays a Stay signed in? prompt after a user successfully signs in. If a user answers Yes to this prompt, the keep me signed in service gives them a persistent refresh token. For federated tenants, the prompt will show after the user successfully authenticates with the federated identity service.

The following diagram shows the user sign-in flow for a managed tenant and federated tenant and the new keep me signed in prompt. This flow contains smart logic so that the Stay signed in? option won't be displayed if the machine learning system detects a high-risk sign-in or a sign-in from a shared device.

Diagram showing the user sign-in flow for a managed vs. federated tenant

Note

Configuring the keep me signed in option requires you to use Azure Active Directory (Azure AD) Premium 1, Premium 2, or Basic editions, or to have a Microsoft 365 license. For more information about licensing and editions, see Sign up for Azure AD Premium.

Azure AD Premium and Basic editions are available for customers in China using the worldwide instance of Azure AD. Azure AD Premium and Basic editions aren't currently supported in the Azure service operated by 21Vianet in China. For more information, talk to us using the Azure AD Forum.

Configure KMSI

  1. Sign in to the Azure portal using a Global administrator account for the directory.

  2. Select Azure Active Directory, select Company branding, and then select Configure.

  3. In the Advanced settings section, find the Show option to remain signed in setting.

    This setting lets you choose whether your users remain signed in to Azure AD until they explicitly sign out.

    • If you choose No, the Stay signed in? option is hidden after the user successfully signs in and the user must sign in each time the browser is closed and reopened.
    • If you choose Yes, the Stay signed in? option is shown to the user.

    Screenshot shows the Show option to remain signed in setting

Troubleshoot sign-in issues

If a user doesn't act on the Stay signed in? prompt, as shown in the following diagram, but abandons the sign-in attempt, you'll see a sign-in log entry that indicates the interrupt.

Screenshot of the Stay signed in? prompt

The sign-in error details, highlighted in the example log entry, are as follows.

  • Sign in error code: 50140
  • Failure reason: This error occurred due to "Keep me signed in" interrupt when the user was signing in.

Example sign-in log entry with the keep me signed in interrupt

You can stop users from seeing the interrupt by setting the Show option to remain signed in setting to No in the advanced branding settings. This disables the KMSI prompt for all users in your Azure AD directory.

You can also use the persistent browser session controls in conditional access to prevent users from seeing the KMSI prompt. This option lets you disable the KMSI prompt for a select group of users (such as the global administrators) without affecting sign-in behavior for the remaining users in the directory. For more information, see User sign-in frequency.
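The following script is an added example, not part of this article or of any Microsoft tooling, showing how to use the error code above when triaging exported sign-in log entries: records with error code 50140 are KMSI interrupts rather than credential failures, so they should be kept out of failed-sign-in alerting, and counting them per user shows whether the prompt is getting in the way for everyone (disable it tenant-wide) or for a small group (target them with a persistent browser session control). The sample records are constructed for this example; their field names follow the shape of Microsoft Graph signIn records (`userPrincipalName`, `status.errorCode`, `status.failureReason`), and the `interrupt_threshold` parameter is an assumption of this example, not a setting in Azure AD.

```python
"""Triage Azure AD sign-in log entries for 'Keep me signed in' (KMSI) interrupts.

Entries with error code 50140 are not credential failures: the user abandoned
the 'Stay signed in?' prompt. Separating them from real failures keeps that
noise out of failed-sign-in alerting and shows which users hit the prompt
often enough to justify a persistent browser session policy for their group.
"""
from collections import Counter

# Error code Azure AD writes when a user abandons the 'Stay signed in?' prompt.
KMSI_INTERRUPT_CODE = 50140

# Constructed sample records, not data from any real tenant. Field names follow
# the Microsoft Graph signIn shape; every value here is invented for this example.
KMSI_REASON = 'This error occurred due to "Keep me signed in" interrupt when the user was signing in.'
SAMPLE_SIGNIN_LOG = [
    {"createdDateTime": "2023-01-10T08:01:12Z", "userPrincipalName": "alice@contoso.example",
     "status": {"errorCode": 0, "failureReason": "Other."}},
    {"createdDateTime": "2023-01-10T08:02:40Z", "userPrincipalName": "bob@contoso.example",
     "status": {"errorCode": 50140, "failureReason": KMSI_REASON}},
    {"createdDateTime": "2023-01-10T08:03:05Z", "userPrincipalName": "bob@contoso.example",
     "status": {"errorCode": 50140, "failureReason": KMSI_REASON}},
    {"createdDateTime": "2023-01-10T08:04:51Z", "userPrincipalName": "bob@contoso.example",
     "status": {"errorCode": 0, "failureReason": "Other."}},
    # 50126 is Azure AD's invalid username/password code; used here only as a
    # contrast to the KMSI interrupt, with a constructed user and timestamp.
    {"createdDateTime": "2023-01-10T08:05:17Z", "userPrincipalName": "carol@contoso.example",
     "status": {"errorCode": 50126,
                "failureReason": "Error validating credentials due to invalid username or password."}},
    {"createdDateTime": "2023-01-10T08:06:02Z", "userPrincipalName": "dave@contoso.example",
     "status": {"errorCode": 50140, "failureReason": KMSI_REASON}},
]


def classify(entry):
    """Return 'success', 'kmsi_interrupt' or 'failure' for one sign-in record."""
    code = entry.get("status", {}).get("errorCode", 0)
    if code == 0:
        return "success"
    if code == KMSI_INTERRUPT_CODE:
        return "kmsi_interrupt"
    return "failure"


def triage(entries, interrupt_threshold=2):
    """Summarise a batch of sign-in records.

    Returns per-outcome counts, the real failures (what a failed-sign-in alert
    should look at), interrupt counts per user, and the users who abandoned the
    KMSI prompt at least `interrupt_threshold` times (candidates for a
    persistent browser session control scoped to their group).
    """
    outcomes = Counter()
    real_failures = []
    interrupts_per_user = Counter()
    for entry in entries:
        outcome = classify(entry)
        outcomes[outcome] += 1
        if outcome == "failure":
            real_failures.append(entry)
        elif outcome == "kmsi_interrupt":
            interrupts_per_user[entry["userPrincipalName"]] += 1
    frequently_interrupted = sorted(
        upn for upn, n in interrupts_per_user.items() if n >= interrupt_threshold
    )
    return {
        "outcomes": dict(outcomes),
        "real_failures": real_failures,
        "interrupts_per_user": dict(interrupts_per_user),
        "frequently_interrupted": frequently_interrupted,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_SIGNIN_LOG)
    print("Outcomes:", summary["outcomes"])
    print("Real failures to investigate:",
          [(e["userPrincipalName"], e["status"]["errorCode"]) for e in summary["real_failures"]])
    print("Users repeatedly abandoning the KMSI prompt:", summary["frequently_interrupted"])
```

On the constructed data, only carol's entry is a genuine failure; bob's two interrupts mark him as a candidate for a scoped persistent browser session policy, while dave's single interrupt is below the threshold and needs no action.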

To ensure that the KMSI prompt is shown only when it can benefit the user, the KMSI prompt is intentionally not shown in the following scenarios:

  • User is signed in via seamless SSO and integrated Windows authentication (IWA)
  • User is signed in via Active Directory Federation Services and IWA
  • User is a guest in the tenant
  • User's risk score is high
  • Sign-in occurs during user or admin consent flow
  • Persistent browser session control is configured in a conditional access policy

Next steps

Learn about other settings that affect sign-in session timeout: