@Brian
Thank you for your post and I apologize for the delayed response!
I understand that you're trying to create a Conditional Access Policy where users working off-site aren't given the Stay signed in prompt. To hopefully resolve your issue or point you in the right direction, I'll share my findings below.
Findings:
As a note, when it comes to managing the Stay signed in prompt, this can be controlled for your entire tenant under User Settings. However, in your specific situation you should be able to use the persistent browser session controls in Conditional Access to prevent users from seeing the KMSI prompt. This option allows you to disable the KMSI prompt for a select group of users without affecting sign-in behavior for everyone else in the directory.
Note: I wasn't able to test this out within my tenant, but you should be able to use the below example to help give you an idea of how to create your CA Policy.
For more info - Persistence of browsing sessions
- Sign in to the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.
- Browse to Azure Active Directory > Security > Conditional Access.
- Select New policy.
- Give your policy a name.
- Fill in your required conditions, for example:
  - Users -> Include: All / Exclude: Emergency access account(s)
  - Cloud apps or actions -> All cloud apps (Persistent browser session only works correctly when "All cloud apps" is selected)
  - Conditions -> Include: Any location / Exclude: (All/Selected) Trusted Locations
  - Session -> Persistent browser session
I hope this helps!
If you're still having issues with your Conditional Access Policy, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
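As an added example (not part of the original answer, and not Microsoft's own code), the same policy expressed as a Microsoft Graph conditionalAccessPolicy request body, plus a small lint that checks the "All cloud apps" caveat and the trusted-location exclusion from the steps above. The break-glass account id is a constructed placeholder, and the policy defaults to report-only state so its effect can be reviewed in sign-in logs before enforcement.

```python
import json

# Constructed placeholder, not a real object id: the break-glass account to exclude.
BREAK_GLASS_ACCOUNT_ID = "00000000-0000-0000-0000-000000000000"


def build_kmsi_policy(display_name, exclude_user_ids, mode="never",
                      state="enabledForReportingButNotEnforced"):
    """Graph conditionalAccessPolicy body mirroring the steps in the answer:
    all users minus break-glass accounts, all cloud apps, any location except
    trusted ones, and a persistent browser session control. Defaults to
    report-only so the effect can be checked in sign-in logs before enforcing."""
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_user_ids)},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
        },
        # "never": sessions from untrusted networks are not persisted; "always" keeps
        # the session instead. Either mode suppresses the Stay signed in (KMSI) prompt.
        "sessionControls": {"persistentBrowser": {"isEnabled": True, "mode": mode}},
    }


def lint_kmsi_policy(policy):
    """Return a list of problems with a persistent-browser CA policy, or [] if clean."""
    problems = []
    conds = policy.get("conditions", {})
    pb = policy.get("sessionControls", {}).get("persistentBrowser") or {}
    if not pb.get("isEnabled"):
        problems.append("persistentBrowser session control is not enabled")
    elif pb.get("mode") not in ("always", "never"):
        problems.append("persistentBrowser mode must be 'always' or 'never'")
    # The caveat from the answer: the control only works with "All cloud apps".
    if conds.get("applications", {}).get("includeApplications") != ["All"]:
        problems.append("persistent browser session requires includeApplications == ['All']")
    if not conds.get("users", {}).get("excludeUsers"):
        problems.append("no emergency access account excluded")
    locs = conds.get("locations", {})
    if locs.get("includeLocations") != ["All"] or not locs.get("excludeLocations"):
        problems.append("include all locations and exclude trusted ones so on-site users are unaffected")
    return problems


if __name__ == "__main__":
    policy = build_kmsi_policy("Off-site: no KMSI prompt", [BREAK_GLASS_ACCOUNT_ID])
    print(json.dumps(policy, indent=2))
    print("lint:", lint_kmsi_policy(policy) or "ok")
```

The printed body can be posted to the Graph conditional access policies endpoint once the lint returns no findings; switch `state` to `enabled` only after the report-only results look right.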