How to block stay signed on off site

Brian 0 Reputation points
2023-06-01T07:52:18.65+00:00

Hello Everyone,

I'm trying to add conditional access rule so if my co workers are off site they will not have the option to stay signed in.

If we are on site they can stayed signed in.

I have already added our own subnet as safe/trusted location but i get stuck at the conditional access part.

Hopefully someone can give me some info.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,454 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Carlos Solís Salazar 17,771 Reputation points MVP
    2023-06-01T13:03:21.6333333+00:00

    Thank you for asking this question on the Microsoft Q&A Platform.

    I understand that you need to create a conditional access policy by location, correct?

    Create a Conditional Access policy

    More info: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-location

    Hope this helps!


    Accept Answer and Upvote, if any of the above helped, this thread can help others in the community looking for remediation for similar issues.

    NOTE: To answer you as quickly as possible, please mention me in your reply.


  2. JamesTran-MSFT 36,531 Reputation points Microsoft Employee
    2023-06-07T19:23:47.38+00:00

    @Brian

    Thank you for your post and I apologize for the delayed response!

    I understand that you're trying to create a Conditional Access Policy where users working off-site aren't given the Stay signed in prompt. To hopefully resolve your issue or point you in the right direction, I'll share my findings below.


    Findings:
    As a note, when it comes to managing the Stay signed in Prompt, this can be controlled for your entire tenant under User Settings. However, in your specific situation you should be able to use the persistent browser session controls in Conditional Access to prevent users from seeing the KMSI prompt. This option allows you to disable the KMSI prompt for a select group of users without affecting sign-in behavior for everyone else in the directory.

    Note: I wasn't able to test this out within my tenant, but you should be able to use the below example to help give you an idea of how to create your CA Policy.

    For more info - Persistence of browsing sessions

    1. Sign into the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.

    Browse to Azure Active Directory > Security > Conditional Access.

    Select New policy.

    1. Give your policy a name.
    2. Fill in your required conditions, for example:
    3. Users -> Include: All / Exclude: Emergency access account(s)
    4. Cloud apps or actions -> All cloud apps (Persistent browser session only works correctly when "All cloud apps" are selected)
    5. Conditions -> Include: Any location / Exclude: (All/Selected) Trusted Locations
    6. Session -> Persistent browser session

    User's image

    Additional Links:

    I hope this helps!

    If you're still having issues with your Conditional Access Policy, please let me know. Thank you for your time and patience throughout this issue.


    If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.