This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
The Stay signed in? prompt appears after a user successfully signs in. This process is known as Keep me signed in (KMSI) and was previously part of the customize branding process.
This article covers how the KMSI process works, how to enable it for customers, and how to troubleshoot KMSI issues.
Configuring the 'keep me signed in' (KMSI) option requires one of the following licenses:
You must have the Global Administrator role to enable the 'Stay signed in?' prompt.
If a user answers Yes to the 'Stay signed in?' prompt, a persistent authentication cookie is issued. The cookie must be stored in session for KMSI to work. KMSI doesn't work with locally stored cookies. If KMSI isn't enabled, a non-persistent cookie is issued and lasts for 24 hours or until the browser is closed.
The following diagram shows the user sign-in flow for a managed tenant and federated tenant using the KMSI in prompt. This flow contains smart logic so that the Stay signed in? option isn't displayed if the machine learning system detects a high-risk sign-in or a sign-in from a shared device. For federated tenants, the prompt will show after the user successfully authenticates with the federated identity service.
Some features of SharePoint Online and Office 2010 depend on users being able to choose to remain signed in. If you uncheck the Show option to remain signed in option, your users might see other unexpected prompts during the sign-in process.
Tip
Steps in this article might vary slightly based on the portal you start from.
The KMSI setting is managed in User settings.
Sign in to the Microsoft Entra admin center as a Global Administrator.
Browse to Identity > Users > User settings.
Set the Show keep user signed in toggle to Yes.
If a user doesn't act on the Stay signed in? prompt but abandons the sign-in attempt, a sign-in log entry appears in the Microsoft Entra sign-in logs. The prompt the user sees is called an "interrupt."
Details about the sign-in error are found in the Sign-in logs. Select the impacted user from the list and locate the following details in the Basic info section.
You can stop users from seeing the interrupt by setting the Show option to remain signed in setting to No in the user settings. This setting disables the KMSI prompt for all users in your directory.
You also can use the persistent browser session controls in Conditional Access to prevent users from seeing the KMSI prompt. This option allows you to disable the KMSI prompt for a select group of users without affecting sign-in behavior for everyone else in the directory.
To ensure that the KMSI prompt is shown only when it can benefit the user, the KMSI prompt is intentionally not shown in the following scenarios: