Microsoft Security | Microsoft Entra | Microsoft Entra External ID
Managing external identities to enable secure access for partners, customers, and other non-employees
Keep Me Sign In doesn't work after 24 hours for custom policy in Azure ADB2C.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(156.8, 72%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPK%3C/text%3E%3C/svg%3E)
Purnendu Kumar
0
Reputation points
@AmanpreetSingh-MSFT : Hi AmanPreetSingh. We are using Keep Me Sign (KMSI) feature for duration of 90 days, in our SPA using AzureADb2C . Initially, KMSI worked good and users were not forced to sign in after 24 hours . But lately , we added a cookiebot feature where a user can Allow or Deny cookies and preferences , and if a user selects "Deny" option in cookiebot, the users of forced to Sign In again after 24 hours. Snapshot of our custom policy.
Snapshot of cookie "x-ms-cpim-sso:*" which is a session cookies.
Can you help us to dig deep into this issue and resolve it ? Thanks!
Microsoft Security | Microsoft Entra | Microsoft Entra External ID
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 7.000000000000001%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC3%3C/text%3E%3C/svg%3E)
Carolyne-3676 1,131 Reputation points2026-03-18T16:33:23.8133333+00:00 Typically, when users select “Deny” in Cookiebot, it likely blocks or deletes Azure AD B2C essential authentication cookies, specifically the
x-ms-cpim-sso:{Id}cookie, which is the persistent SSO cookie required for KMSI. Once this cookie is treated as non‑essential or third‑party and removed, Azure AD B2C falls back to the default 24‑hour non‑persistent session, forcing reauthentication [learn.microsoft.com], [learn.microsoft.com]To resolve this issue,configure Cookiebot to always allow Azure AD B2C cookies as “Strictly Necessary” (do not gate them behind consent), and ensure no script deletes cookies from
b2clogin.com / branded domain; KMSI only works if the persistentx-ms-cpim-sso:{Id}cookie is preserved regardless of user consent choice
Sign in to comment
Sign in to answer