Merge pull request #232596 from MicrosoftDocs/main

Publish to Live Wednesday 4AM PST, 03/29

Author: PMEds28

.openpublishing.redirection.azure-monitor.json

@@ -5812,6 +5812,16 @@
             "redirect_url": "/azure/azure-monitor/app/opentelemetry-enable",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/azure-monitor/logs/logicapp-flow-connector.md",
+            "redirect_url": "/azure/connectors/connectors-azure-monitor-logs",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/app/automate-with-logic-apps.md",
+            "redirect_url": "/azure/connectors/connectors-azure-application-insights",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/azure-monitor/insights/solutions.md",
             "redirect_url": "/previous-versions/azure/azure-monitor/insights/solutions",

articles/active-directory/authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md

@@ -6,7 +6,7 @@ services: multi-factor-authentication
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 01/29/2023
+ms.date: 03/28/2023
 
 ms.author: justinha
 author: justinha
@@ -62,13 +62,13 @@ Devices joined to Azure AD using Azure AD Join or Hybrid Azure AD Join receive a
 
 ### Show option to remain signed-in
 
-When a user selects **Yes** on the *Stay signed in?* option during sign-in, a persistent cookie is set on the browser. This persistent cookie remembers both first and second factor, and it applies only for authentication requests in the browser.
+When a user selects **Yes** on the *Stay signed in?* prompt option during sign-in, a persistent cookie is set on the browser. This persistent cookie remembers both first and second factor, and it applies only for authentication requests in the browser.
 
 ![Screenshot of example prompt to remain signed in](./media/concepts-azure-multi-factor-authentication-prompts-session-lifetime/stay-signed-in-prompt.png)
 
 If you have an Azure AD Premium 1 license, we recommend using Conditional Access policy for *Persistent browser session*. This policy overwrites the *Stay signed in?* setting and provides an improved user experience. If you don't have an Azure AD Premium 1 license, we recommend enabling the stay signed in setting for your users.
 
-For more information on configuring the option to let users remain signed-in, see [Customize your Azure AD sign-in page](../fundamentals/active-directory-users-profile-azure-portal.md#learn-about-the-stay-signed-in-prompt).
+For more information on configuring the option to let users remain signed-in, see [How to manage the 'Stay signed in?' prompt](../fundamentals/how-to-manage-stay-signed-in-prompt.md).
 
 ### Remember Multi-Factor Authentication  
 

articles/active-directory/develop/msal-net-client-assertions.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 03/18/2021
+ms.date: 03/29/2023
 ms.author: dmwendia
 ms.reviewer: saeeda, jmprieur
 ms.custom: "devx-track-csharp, aaddev"
@@ -149,7 +149,7 @@ static string GetSignedClientAssertion(X509Certificate2 certificate, string tena
 
 ### Alternative method
 
-You also have the option of using [Microsoft.IdentityModel.JsonWebTokens](https://www.nuget.org/packages/Microsoft.IdentityModel.JsonWebTokens/) to create the assertion for you. The code will be a more elegant as shown in the example below:
+You also have the option of using [Microsoft.IdentityModel.JsonWebTokens](https://www.nuget.org/packages/Microsoft.IdentityModel.JsonWebTokens/) to create the assertion for you. The code will be more elegant as shown in the example below:
 
 ```csharp
         string GetSignedClientAssertionAlt(X509Certificate2 certificate)

articles/active-directory/fundamentals/how-to-customize-branding.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: fundamentals
 ms.topic: how-to
-ms.date: 03/24/2023
+ms.date: 03/28/2023
 ms.author: sarahlipsey
 ms.reviewer: almars
 ms.custom: "it-pro, seodec18, fasttrack-edit"
@@ -22,9 +22,10 @@ When users authenticate into your corporate intranet or web-based applications,
 
 The default sign-in experience is the global look and feel that applies across all sign-ins to your tenant. Before you customize any settings, the default Microsoft branding appears in your sign-in pages. You can customize this default experience with a custom background image and/or color, favicon, layout, header, and footer. You can also upload a custom CSS.
 
+The updated experience for adding company branding covered in this article is available as an Azure AD preview feature. To opt in and explore the new experience, go to **Azure AD** > **Preview features** and enable the **Enhanced Company Branding** feature. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+
 > [!NOTE]
-> Instructions for the legacy company branding customization process can be found in the **[Customize branding](customize-branding.md)** article.<br><br>The updated experience for adding company branding covered in this article is available as an Azure AD preview feature. To opt in and explore the new experience, go to **Azure AD** > **Preview features** and enable the **Enhanced Company Branding** feature. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
->
+> Instructions for the legacy company branding customization process can be found in the **[Customize branding](customize-branding.md)** article. Instructions for how to manage the **'Stay signed in prompt?'** can be found in the **[Manage the 'Stay signed in?' prompt](how-to-manage-stay-signed-in-prompt.md)** article.
 
 ## License requirements
 
@@ -80,9 +81,7 @@ In the following examples replace the contoso.com with your own tenant name, or
 - Self-service password reset `https://passwordreset.microsoftonline.com/?whr=contoso.com`
 
 > [!NOTE]
-> The settings to manage the 'Stay signed in?' prompt can now be found in the User settings area of Azure AD. Go to **Azure AD** > **Users** > **User settings**.
-<br><br>
-For more information on the 'Stay signed in?' prompt, see [How to manage user profile information](how-to-manage-user-profile-info.md#learn-about-the-stay-signed-in-prompt).
+> To manage the settings of the 'Stay signed in?' prompt, go to **Azure AD** > **Users** > **User settings**.
 
 ## How to navigate the company branding process
 
@@ -198,4 +197,4 @@ Azure AD supports right-to-left functionality for languages such as Arabic and H
 
 - [View the CSS template reference guide](reference-company-branding-css-template.md).
 - [Learn more about default user permissions in Azure AD](../fundamentals/users-default-permissions.md)
-- [Manage the 'stay signed in' prompt](how-to-manage-user-profile-info.md#learn-about-the-stay-signed-in-prompt)
+- [Manage the 'stay signed in' prompt](how-to-manage-stay-signed-in-prompt.md)

articles/active-directory/fundamentals/how-to-manage-stay-signed-in-prompt.md

@@ -0,0 +1,82 @@
+---
+title: Manage the 'Stay signed in' prompt - Azure AD - Microsoft Entra
+description: Instructions about how to set up the 'Stay signed in' prompt for Azure AD users.
+services: active-directory
+author: shlipsey3
+manager: amycolannino
+
+ms.service: active-directory
+ms.workload: identity
+ms.subservice: fundamentals
+ms.topic: how-to
+ms.date: 03/28/2023
+ms.author: sarahlipsey
+ms.reviewer: almars
+ms.custom: "it-pro"
+ms.collection: M365-identity-device-management
+---
+# Manage the 'Stay signed in?' prompt
+
+The **Stay signed in?** prompt appears after a user successfully signs in. This process is known as **Keep me signed in** (KMSI) and was previously part of the [customize branding](how-to-customize-branding.md) process.
+
+This article covers how the KMSI process works, how to enable it for customers, and how to troubleshoot KMSI issues.
+
+## How does it work? 
+
+If a user answers **Yes** to the **'Stay signed in?'** prompt, a persistent authentication cookie is issued. The cookie must be stored in session for KMSI to work. KMSI won't work with locally stored cookies. If KMSI isn't enabled, a non-persistent cookie is issued and lasts for 24 hours or until the browser is closed. 
+
+The following diagram shows the user sign-in flow for a managed tenant and federated tenant using the KMSI in prompt. This flow contains smart logic so that the **Stay signed in?** option won't be displayed if the machine learning system detects a high-risk sign-in or a sign-in from a shared device. For federated tenants, the prompt will show after the user successfully authenticates with the federated identity service.
+
+Some features of SharePoint Online and Office 2010 depend on users being able to choose to remain signed in. If you uncheck the **Show option to remain signed in** option, your users may see other unexpected prompts during the sign-in process.
+
+![Diagram showing the user sign-in flow for a managed vs. federated tenant.](media/how-to-manage-stay-signed-in-prompt/kmsi-workflow.png)
+
+## License and role requirements
+
+Configuring the 'keep me signed in' (KMSI) option requires one of the following licenses:
+
+- Azure AD Premium 1
+- Azure AD Premium 2
+- Office 365 (for Office apps)
+- Microsoft 365
+
+You must have the **Global Administrator** role to enable the 'Stay signed in?' prompt.
+
+## Enable the 'Stay signed in?' prompt
+
+The KMSI setting is managed in the **User settings** of Azure Active Directory (Azure AD).
+
+1. Sign in to the [Azure portal](https://portal.azure.com/).
+1. Go to **Azure Active Directory** > **Users** > **User settings**.
+1. Set the **Show keep user signed in** toggle to **Yes**.
+
+    ![Screenshot of the Show keep user signed in prompt.](media/how-to-manage-stay-signed-in-prompt/show-keep-user-signed-in.png)
+
+## Troubleshoot 'Stay signed in?' issues
+
+If a user doesn't act on the **Stay signed in?** prompt but abandons the sign-in attempt, a sign-in log entry appears in the Azure AD **Sign-ins** page. The prompt the user sees is called an "interrupt."
+
+![Sample 'Stay signed in?' prompt](media/how-to-manage-stay-signed-in-prompt/kmsi-stay-signed-in-prompt.png)
+
+Details about the sign-in error are found in the **Sign-in logs** in Azure AD. Select the impacted user from the list and locate the following details in the **Basic info** section.
+
+* **Sign in error code**: 50140
+* **Failure reason**: This error occurred due to "Keep me signed in" interrupt when the user was signing in.
+
+You can stop users from seeing the interrupt by setting the **Show option to remain signed in** setting to **No** in the user settings. This setting disables the KMSI prompt for all users in your Azure AD directory.
+
+You also can use the [persistent browser session controls in Conditional Access](../conditional-access/howto-conditional-access-session-lifetime.md) to prevent users from seeing the KMSI prompt. This option allows you to disable the KMSI prompt for a select group of users (such as the global administrators) without affecting sign-in behavior for everyone else in the directory.
+
+To ensure that the KMSI prompt is shown only when it can benefit the user, the KMSI prompt is intentionally not shown in the following scenarios:
+
+* User is signed in via seamless SSO and integrated Windows authentication (IWA)
+* User is signed in via Active Directory Federation Services and IWA
+* User is a guest in the tenant
+* User's risk score is high
+* Sign-in occurs during user or admin consent flow
+* Persistent browser session control is configured in a conditional access policy
+
+## Next steps
+
+- [Learn how to customize branding for sign-in experiences](how-to-customize-branding.md)
+- [Manage user settings in Azure AD](how-to-manage-user-profile-info.md)