Manage the 'Stay signed in?' prompt

Configuring the 'keep me signed in' (KMSI) option requires one of the following licenses:

• Microsoft Entra ID Free
• Office 365 (for Office apps)
• Microsoft 365

You must have the Global Administrator role to enable the 'Stay signed in?' prompt.

How does it work?

If a user answers Yes to the 'Stay signed in?' prompt, a persistent authentication cookie is set. The cookie must be stored in session for KMSI to work. KMSI doesn't work with locally stored cookies. If KMSI isn't enabled, a non-persistent cookie is issued and lasts for 24 hours or until the browser is closed.

The following diagram shows the user sign-in flow for a managed tenant and federated tenant using the KMSI prompt. If the user is presented with the Stay signed in? prompt and they select 'Yes', the persistent cookie is set.

Special considerations

• The 'Don't show this again' checkbox functions separately from the 'Stay signed in?' flow.
• This experience might not be applicable depending on the authentication requirements configured for your tenant. Some Conditional Access policies and authentication configurations prevent the 'Keep me signed in' flow from being displayed.
• The flow contains smart logic so that the Stay signed in? option isn't displayed if the machine learning system detects a high-risk sign-in or a sign-in from a shared device. This scenario is reflected in the diagram, where the 'Keep me signed in' option is removed.
• For federated tenants, the prompt shows after the user successfully authenticates with the federated identity service.
• Some features of SharePoint Online and Office 2010 depend on users being able to choose to remain signed in. If you uncheck the Show option to remain signed in option, your users might see other unexpected prompts during the sign-in process.

The KMSI setting is managed in User settings.

1. Sign in to the Microsoft Entra admin center as a Global Administrator.

2. Browse to Identity > Users > User settings.

   

3. Set the Show keep user signed in toggle to Yes.

   

   Troubleshoot 'Stay signed in?' issues

   If a user doesn't act on the Stay signed in? prompt but abandons the sign-in attempt, a sign-in log entry appears in the Microsoft Entra sign-in logs. The prompt the user sees is called an "interrupt."

   

   Details about the sign-in error are found in the Sign-in logs. Select the impacted user from the list and locate the following details in the Basic info section.

   • Sign in error code: 50140
   • Failure reason: This error occurred due to "Keep me signed in" interrupt when the user was signing in.

   You can stop users from seeing the interrupt by setting the Show option to remain signed in setting to No in the user settings. This setting disables the KMSI prompt for all users in your directory.

   You also can use the persistent browser session controls in Conditional Access to prevent users from seeing the KMSI prompt. This option allows you to disable the KMSI prompt for a select group of users without affecting sign-in behavior for everyone else in the directory.

   To ensure that the KMSI prompt is shown only when it can benefit the user, the KMSI prompt is intentionally not shown in the following scenarios:

   • User is signed in via seamless SSO and integrated Windows authentication (IWA)
   • User is signed in via Active Directory Federation Services and IWA
   • User is a guest in the tenant
   • User's risk score is high
   • Sign-in occurs during user or admin consent flow
   • Persistent browser session control is configured in a Conditional Access policy