User should be prompted to sign into the application when they close and reopen a window

Sarah 161 Reputation points
2021-12-01T15:03:59.283+00:00

We have our application registered in our organization Azure AD. When we use our application and close the browser window (without signing out), users are not prompted to sign in again to access the application in a different window. Whereas if I configure my private Azure AD 'tenant ID' and 'client ID' in the same application, I am asked to sign in every time I open a new window to access the application (even if I haven't signed out when I last used the application).

I am wondering if this could be related to an organization Azure AD setting like KMSI (keep me signed in) or something of that sort. Because we use single sign-on and won't be asked to enter a password every time, we just choose the account and sign in. But this application doesn't prompt us to choose the account either. Of course, the first time it prompts, but if we don't sign out manually, the above scenario happens.

I expect the organization account to act the same as my private account. Users should be prompted to sign in when they open a new window, and signed out when they close the window (even if they don't sign out manually). May I know how this could be achieved? Thank you.


Accepted answer
  1. AmanpreetSingh-MSFT 56,336 Reputation points
    2021-12-02T09:25:56.58+00:00

    Hi @Sarah, thank you for reaching out.

    This could happen when your device is registered/joined/hybrid joined to your organization's Azure AD, in which case a PRT (Primary Refresh Token) is issued to the device. The PRT is then used to provide a seamless single sign-on experience by automatically signing in with the account used to log in to the device. Also, as you mentioned, this could be due to KMSI (keep me signed in), which issues persistent cookies to users that are stored on disk.

    In your test tenant, being asked to sign in every time a new window is opened to access the application could be because the above-mentioned settings are not configured.

    To require users in your organization's directory to supply credentials every time they access the application, without un-registering/disjoining the device or disabling KMSI (as that may affect other applications), you need to update your application code to include the prompt=login parameter in the authentication request. This is an OAuth parameter that forces interactive authentication regardless of whether a valid PRT and/or cookies are present.

    Read more: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow


    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
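As an added illustration of the accepted answer (example code written for this page, not code from Microsoft or from the asker's application), the following builds a Microsoft identity platform v2.0 authorization-code request that carries prompt=login, so Azure AD ignores any existing PRT or KMSI cookie and forces an interactive sign-in. The tenant ID, client ID, redirect URI and state value are constructed placeholders; the helper names (build_authorize_url, validate_callback and so on) are this example's own. A PKCE code challenge and a state check on the redirect are included because a public client should send both on every authorization request, not only when forcing re-authentication.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Microsoft identity platform v2.0 authority (from the linked docs).
AUTHORITY = "https://login.microsoftonline.com"


def make_code_verifier() -> str:
    """Random PKCE code_verifier (43-128 unreserved chars, per RFC 7636)."""
    return secrets.token_urlsafe(64)  # 86 URL-safe characters


def pkce_challenge(code_verifier: str) -> str:
    """S256 code_challenge: base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(tenant_id: str, client_id: str, redirect_uri: str,
                        scopes: list, state: str, code_verifier: str,
                        force_login: bool = True) -> str:
    """Return the /oauth2/v2.0/authorize URL for the auth-code flow.

    With force_login=True the request carries prompt=login, which makes
    Azure AD ask for credentials even when a device PRT or a KMSI
    persistent cookie would otherwise sign the user in silently.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,                       # bound to the session, checked on return
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    if force_login:
        params["prompt"] = "login"
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize?{urlencode(params)}"


def authorize_params(url: str) -> dict:
    """Decode the query string of an authorize URL into a flat dict (for inspection)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def validate_callback(query: dict, expected_state: str) -> str:
    """Check the redirect back to the app and return the authorization code.

    The state value must equal the one stored in the user's session when the
    request was built; a mismatch indicates a forged or replayed callback.
    """
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error']}")
    if not secrets.compare_digest(query.get("state", ""), expected_state):
        raise ValueError("state mismatch: callback not tied to this session")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"]


if __name__ == "__main__":
    # Constructed placeholder values; substitute the app registration's own.
    tenant = "00000000-0000-0000-0000-000000000000"
    client = "11111111-1111-1111-1111-111111111111"
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    url = build_authorize_url(tenant, client, "https://localhost/callback",
                              ["openid", "profile", "User.Read"], state, verifier)
    print(url)
    print("prompt =", authorize_params(url).get("prompt"))
```

Store `state` and the code verifier in the server-side session before redirecting; on the callback, pass the decoded query to validate_callback and then exchange the code at the token endpoint together with the same code_verifier.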


1 additional answer

  1. Siddharth Goyal 1 Reputation point
    2022-02-18T13:27:08.317+00:00

    Thanks for the explanation.

    We have a similar use case; however, we want this prompt login screen to always open in the same tab from where it is triggered in our application. The current behaviour is that when we configure this link on the button of our app, it always opens in a new tab of the browser.
    Is there a way where we restrict this to always open in the same tab?

    This is quite urgent and quick response on this would be really appreciated!

    Thanks!
