Merge pull request #232492 from shlipsey3/fundamentals-new-kmsi-032823

fundamentals-new-kmsi-032823

Author: JamesJBarnett

articles/active-directory/authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md

@@ -6,7 +6,7 @@ services: multi-factor-authentication
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 01/29/2023
+ms.date: 03/28/2023
 
 ms.author: justinha
 author: justinha
@@ -62,13 +62,13 @@ Devices joined to Azure AD using Azure AD Join or Hybrid Azure AD Join receive a
 
 ### Show option to remain signed-in
 
-When a user selects **Yes** on the *Stay signed in?* option during sign-in, a persistent cookie is set on the browser. This persistent cookie remembers both first and second factor, and it applies only for authentication requests in the browser.
+When a user selects **Yes** on the *Stay signed in?* prompt option during sign-in, a persistent cookie is set on the browser. This persistent cookie remembers both first and second factor, and it applies only for authentication requests in the browser.
 
 ![Screenshot of example prompt to remain signed in](./media/concepts-azure-multi-factor-authentication-prompts-session-lifetime/stay-signed-in-prompt.png)
 
 If you have an Azure AD Premium 1 license, we recommend using Conditional Access policy for *Persistent browser session*. This policy overwrites the *Stay signed in?* setting and provides an improved user experience. If you don't have an Azure AD Premium 1 license, we recommend enabling the stay signed in setting for your users.
 
-For more information on configuring the option to let users remain signed-in, see [Customize your Azure AD sign-in page](../fundamentals/active-directory-users-profile-azure-portal.md#learn-about-the-stay-signed-in-prompt).
+For more information on configuring the option to let users remain signed-in, see [How to manage the 'Stay signed in?' prompt](../fundamentals/how-to-manage-stay-signed-in-prompt.md).
 
 ### Remember Multi-Factor Authentication  
 

articles/active-directory/fundamentals/how-to-customize-branding.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: fundamentals
 ms.topic: how-to
-ms.date: 03/24/2023
+ms.date: 03/28/2023
 ms.author: sarahlipsey
 ms.reviewer: almars
 ms.custom: "it-pro, seodec18, fasttrack-edit"
@@ -22,9 +22,10 @@ When users authenticate into your corporate intranet or web-based applications,
 
 The default sign-in experience is the global look and feel that applies across all sign-ins to your tenant. Before you customize any settings, the default Microsoft branding appears in your sign-in pages. You can customize this default experience with a custom background image and/or color, favicon, layout, header, and footer. You can also upload a custom CSS.
 
+The updated experience for adding company branding covered in this article is available as an Azure AD preview feature. To opt in and explore the new experience, go to **Azure AD** > **Preview features** and enable the **Enhanced Company Branding** feature. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+
 > [!NOTE]
-> Instructions for the legacy company branding customization process can be found in the **[Customize branding](customize-branding.md)** article.<br><br>The updated experience for adding company branding covered in this article is available as an Azure AD preview feature. To opt in and explore the new experience, go to **Azure AD** > **Preview features** and enable the **Enhanced Company Branding** feature. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
->
+> Instructions for the legacy company branding customization process can be found in the **[Customize branding](customize-branding.md)** article. Instructions for how to manage the **'Stay signed in prompt?'** can be found in the **[Manage the 'Stay signed in?' prompt](how-to-manage-stay-signed-in-prompt.md)** article.
 
 ## License requirements
 
@@ -80,9 +81,7 @@ In the following examples replace the contoso.com with your own tenant name, or
 - Self-service password reset `https://passwordreset.microsoftonline.com/?whr=contoso.com`
 
 > [!NOTE]
-> The settings to manage the 'Stay signed in?' prompt can now be found in the User settings area of Azure AD. Go to **Azure AD** > **Users** > **User settings**.
-<br><br>
-For more information on the 'Stay signed in?' prompt, see [How to manage user profile information](how-to-manage-user-profile-info.md#learn-about-the-stay-signed-in-prompt).
+> To manage the settings of the 'Stay signed in?' prompt, go to **Azure AD** > **Users** > **User settings**.
 
 ## How to navigate the company branding process
 
@@ -198,4 +197,4 @@ Azure AD supports right-to-left functionality for languages such as Arabic and H
 
 - [View the CSS template reference guide](reference-company-branding-css-template.md).
 - [Learn more about default user permissions in Azure AD](../fundamentals/users-default-permissions.md)
-- [Manage the 'stay signed in' prompt](how-to-manage-user-profile-info.md#learn-about-the-stay-signed-in-prompt)
+- [Manage the 'stay signed in' prompt](how-to-manage-stay-signed-in-prompt.md)

articles/active-directory/fundamentals/how-to-manage-stay-signed-in-prompt.md

@@ -0,0 +1,82 @@
+---
+title: Manage the 'Stay signed in' prompt - Azure AD - Microsoft Entra
+description: Instructions about how to set up the 'Stay signed in' prompt for Azure AD users.
+services: active-directory
+author: shlipsey3
+manager: amycolannino
+
+ms.service: active-directory
+ms.workload: identity
+ms.subservice: fundamentals
+ms.topic: how-to
+ms.date: 03/28/2023
+ms.author: sarahlipsey
+ms.reviewer: almars
+ms.custom: "it-pro"
+ms.collection: M365-identity-device-management
+---
+# Manage the 'Stay signed in?' prompt
+
+The **Stay signed in?** prompt appears after a user successfully signs in. This process is known as **Keep me signed in** (KMSI) and was previously part of the [customize branding](how-to-customize-branding.md) process.
+
+This article covers how the KMSI process works, how to enable it for customers, and how to troubleshoot KMSI issues.
+
+## How does it work? 
+
+If a user answers **Yes** to the **'Stay signed in?'** prompt, a persistent authentication cookie is issued. The cookie must be stored in session for KMSI to work. KMSI won't work with locally stored cookies. If KMSI isn't enabled, a non-persistent cookie is issued and lasts for 24 hours or until the browser is closed. 
+
+The following diagram shows the user sign-in flow for a managed tenant and federated tenant using the KMSI in prompt. This flow contains smart logic so that the **Stay signed in?** option won't be displayed if the machine learning system detects a high-risk sign-in or a sign-in from a shared device. For federated tenants, the prompt will show after the user successfully authenticates with the federated identity service.
+
+Some features of SharePoint Online and Office 2010 depend on users being able to choose to remain signed in. If you uncheck the **Show option to remain signed in** option, your users may see other unexpected prompts during the sign-in process.
+
+![Diagram showing the user sign-in flow for a managed vs. federated tenant.](media/how-to-manage-stay-signed-in-prompt/kmsi-workflow.png)
+
+## License and role requirements
+
+Configuring the 'keep me signed in' (KMSI) option requires one of the following licenses:
+
+- Azure AD Premium 1
+- Azure AD Premium 2
+- Office 365 (for Office apps)
+- Microsoft 365
+
+You must have the **Global Administrator** role to enable the 'Stay signed in?' prompt.
+
+## Enable the 'Stay signed in?' prompt
+
+The KMSI setting is managed in the **User settings** of Azure Active Directory (Azure AD).
+
+1. Sign in to the [Azure portal](https://portal.azure.com/).
+1. Go to **Azure Active Directory** > **Users** > **User settings**.
+1. Set the **Show keep user signed in** toggle to **Yes**.
+
+    ![Screenshot of the Show keep user signed in prompt.](media/how-to-manage-stay-signed-in-prompt/show-keep-user-signed-in.png)
+
+## Troubleshoot 'Stay signed in?' issues
+
+If a user doesn't act on the **Stay signed in?** prompt but abandons the sign-in attempt, a sign-in log entry appears in the Azure AD **Sign-ins** page. The prompt the user sees is called an "interrupt."
+
+![Sample 'Stay signed in?' prompt](media/how-to-manage-stay-signed-in-prompt/kmsi-stay-signed-in-prompt.png)
+
+Details about the sign-in error are found in the **Sign-in logs** in Azure AD. Select the impacted user from the list and locate the following details in the **Basic info** section.
+
+* **Sign in error code**: 50140
+* **Failure reason**: This error occurred due to "Keep me signed in" interrupt when the user was signing in.
+
+You can stop users from seeing the interrupt by setting the **Show option to remain signed in** setting to **No** in the user settings. This setting disables the KMSI prompt for all users in your Azure AD directory.
+
+You also can use the [persistent browser session controls in Conditional Access](../conditional-access/howto-conditional-access-session-lifetime.md) to prevent users from seeing the KMSI prompt. This option allows you to disable the KMSI prompt for a select group of users (such as the global administrators) without affecting sign-in behavior for everyone else in the directory.
+
+To ensure that the KMSI prompt is shown only when it can benefit the user, the KMSI prompt is intentionally not shown in the following scenarios:
+
+* User is signed in via seamless SSO and integrated Windows authentication (IWA)
+* User is signed in via Active Directory Federation Services and IWA
+* User is a guest in the tenant
+* User's risk score is high
+* Sign-in occurs during user or admin consent flow
+* Persistent browser session control is configured in a conditional access policy
+
+## Next steps
+
+- [Learn how to customize branding for sign-in experiences](how-to-customize-branding.md)
+- [Manage user settings in Azure AD](how-to-manage-user-profile-info.md)

articles/active-directory/fundamentals/how-to-manage-user-profile-info.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: fundamentals
 ms.topic: how-to
-ms.date: 03/23/2023
+ms.date: 03/28/2023
 ms.author: sarahlipsey
 ms.reviewer: jeffsta
 ms.collection: M365-identity-device-management
@@ -29,7 +29,7 @@ When new users are created, only some details are added to their user profile. I
 
 1. There are two ways to edit user profile details. Either select **Edit properties** from the top of the page or select **Properties**.
 
-    ![Screenshot of the overview page for a selected user, with the edit options highlighted.](media/active-directory-users-profile-azure-portal/user-profile-overview.png)
+    ![Screenshot of the overview page for a selected user, with the edit options highlighted.](media/how-to-manage-user-profile-info/user-profile-overview.png)
 
 1. After making any changes, select the **Save** button. 
 
@@ -38,14 +38,14 @@ If you selected the **Edit properties option**:
    - To edit properties based on the category, select a category from the top of the page.
    - Select the **Save** button at the bottom of the page to save any changes.
 
-   ![Screenshot a selected user's details, with the detail categories and save button highlighted.](media/active-directory-users-profile-azure-portal/user-profile-properties-tabbed-view.png)
+   ![Screenshot a selected user's details, with the detail categories and save button highlighted.](media/how-to-manage-user-profile-info/user-profile-properties-tabbed-view.png)
 
 If you selected the **Properties tab option**:
    - The full list of properties appears for you to review.
    - To edit a property, select the pencil icon next to the category heading.
    - Select the **Save** button at the bottom of the page to save any changes.
 
-   ![Screenshot the Properties tab, with the edit options highlighted.](media/active-directory-users-profile-azure-portal/user-profile-properties-single-page-view.png)
+   ![Screenshot the Properties tab, with the edit options highlighted.](media/how-to-manage-user-profile-info/user-profile-properties-single-page-view.png)
 
 ### Profile categories
 There are six categories of profile details you may be able to edit. 
@@ -62,64 +62,41 @@ There are six categories of profile details you may be able to edit.
 
 - **On-premises:** Accounts synced from Windows Server Active Directory include other values not applicable to Azure AD accounts.
 
-    >[!Note]
-    >You must use Windows Server Active Directory to update the identity, contact info, or job info for users whose source of authority is Windows Server Active Directory. After you complete your update, you must wait for the next synchronization cycle to complete before you'll see the changes.
+> [!Note]
+> You must use Windows Server Active Directory to update the identity, contact info, or job info for users whose source of authority is Windows Server Active Directory. After you complete your update, you must wait for the next synchronization cycle to complete before you'll see the changes.
 
 ### Add or edit the profile picture
 On the user's overview page, select the camera icon in the lower-right corner of the user's thumbnail. If no image has been added, the user's initials appear here. This picture appears in Azure Active Directory and on the user's personal pages, such as the myapps.microsoft.com page. 
 
 All your changes are saved for the user.
 
->[!Note]
+> [!Note]
 > If you're having issues updating a user's profile picture, please ensure that your Office 365 Exchange Online Enterprise App is Enabled for users to sign in.
 
 ## Manage settings for all users
-In the **User settings** area of Azure AD, you can adjust several settings that affect all users, such as restricting access to the Azure AD administration portal, how external collaboration is managed, and providing users the option to connect their LinkedIn account. Some settings are managed in a separate area of Azure AD and linked from this page.
+In the **User settings** area of Azure AD, you can adjust several settings that affect all users. Some settings are managed in a separate area of Azure AD and linked from this page. These settings require the Global Administrator role.
 
-Go to **Azure AD** > **User settings**.
+Go to **Azure AD** > **User settings**. 
 
-### Learn about the 'Stay signed in?' prompt
+![Screenshot of the Azure AD user settings options.](media/how-to-manage-user-profile-info/user-settings-options.png)
 
-The **Stay signed in?** prompt appears after a user successfully signs in. This process is known as **Keep me signed in** (KMSI). If a user answers **Yes** to this prompt, a persistent authentication cookie is issued. The cookie must be stored in session for KMSI to work. KMSI won't work with locally stored cookies. If KMSI isn't enabled, a non-persistent cookie is issued and lasts for 24 hours or until the browser is closed.
+The following settings can be managed from Azure AD **User settings**.
 
-The following diagram shows the user sign-in flow for a managed tenant and federated tenant using the KMSI in prompt. This flow contains smart logic so that the **Stay signed in?** option won't be displayed if the machine learning system detects a high-risk sign-in or a sign-in from a shared device. For federated tenants, the prompt will show after the user successfully authenticates with the federated identity service.
-
-The KMSI setting is available in **User settings**. Some features of SharePoint Online and Office 2010 depend on users being able to choose to remain signed in. If you uncheck the **Show option to remain signed in** option, your users may see other unexpected prompts during the sign-in process.
-
-![Diagram showing the user sign-in flow for a managed vs. federated tenant](media/customize-branding/kmsi-workflow.png)
-
-Configuring the 'keep me signed in' (KMSI) option requires one of the following licenses:
-
-- Azure AD Premium 1
-- Azure AD Premium 2
-- Office 365 (for Office apps)
-- Microsoft 365
-
-#### Troubleshoot 'Stay signed in?' issues
-
-If a user doesn't act on the **Stay signed in?** prompt but abandons the sign-in attempt, a sign-in log entry appears in the Azure AD **Sign-ins** page. The prompt the user sees is called an "interrupt."
-
-![Sample 'Stay signed in?' prompt](media/customize-branding/kmsi-stay-signed-in-prompt.png)
-
-Details about the sign-in error are found in the **Sign-in logs** in Azure AD. Select the impacted user from the list and locate the following error code details in the **Basic info** section.
-
-* **Sign in error code**: 50140
-* **Failure reason**: This error occurred due to "Keep me signed in" interrupt when the user was signing in.
-
-You can stop users from seeing the interrupt by setting the **Show option to remain signed in** setting to **No** in the user settings. This setting disables the KMSI prompt for all users in your Azure AD directory.
-
-You also can use the [persistent browser session controls in Conditional Access](../conditional-access/howto-conditional-access-session-lifetime.md) to prevent users from seeing the KMSI prompt. This option allows you to disable the KMSI prompt for a select group of users (such as the global administrators) without affecting sign-in behavior for everyone else in the directory.
-
-To ensure that the KMSI prompt is shown only when it can benefit the user, the KMSI prompt is intentionally not shown in the following scenarios:
-
-* User is signed in via seamless SSO and integrated Windows authentication (IWA)
-* User is signed in via Active Directory Federation Services and IWA
-* User is a guest in the tenant
-* User's risk score is high
-* Sign-in occurs during user or admin consent flow
-* Persistent browser session control is configured in a conditional access policy
+- Manage how end users launch and view their applications
+- Allow users to register their own applications
+- [Prevent non-admins from creating their own tenants](users-default-permissions.md#restrict-member-users-default-permissions)
+- Restrict access to the Azure AD administration portal
+- [Allow users to connect their work or school account with LinkedIn](../enterprise-users/linkedin-user-consent.md)
+- [Enable the "Stay signed in?" prompt](how-to-manage-stay-signed-in-prompt.md)
+- Manage external collaboration settings
+    - [Guest user access](../enterprise-users/users-restrict-guest-permissions.md)
+    - [Guest invite setting](../external-identities/external-collaboration-settings-configure.md)
+    - [External user leave settings](../external-identities/self-service-sign-up-user-flow.md#enable-self-service-sign-up-for-your-tenant)
+    - Collaboration restrictions
+- Manage user feature settings
 
 ## Next steps
+
 - [Add or delete users](add-users-azure-active-directory.md)
 
 - [Assign roles to users](active-directory-users-assign-role-azure-portal.md)