Hi @Sarah • Thank you for reaching out.
This could happen when your device is registered/joined/hybrid joined to your organization's Azure AD, in which case a PRT (Primary Refresh Token) is issued to the device. The PRT is then used to provide a seamless single sign-on experience by automatically signing in with the account used to log in to the device. Also, as you mentioned, this could be due to KMSI (keep me signed in), which issues persistent cookies to users that are stored on disk.
In your test tenant, being asked to sign in every time a new window is opened to access the application could be because the above-mentioned settings are not configured.
To require users in your organization's directory to supply credentials every time they access the application without un-registering/disjoining or disabling KMSI (as it may affect other applications), you need to update your application code to include the prompt=login parameter in the authentication request. This is an OAuth parameter that forces interactive authentication regardless of whether a valid PRT and/or cookies are present.
Read more: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
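
Added example, not part of the answer above and not Microsoft's code: a Python sketch that builds the v2.0 authorization-code request with prompt=login (plus state and PKCE), and a check that a given authorize URL really carries the parameter. The tenant, client ID and redirect URI are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORITY = "https://login.microsoftonline.com"

# Constructed placeholder values (assumptions, not taken from the thread).
TENANT = "contoso.onmicrosoft.com"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://localhost:5000/callback"


def new_pkce_pair():
    """Return (code_verifier, code_challenge) using the S256 method."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside the 43-128 range
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(tenant, client_id, redirect_uri, scopes, force_login=True):
    """Build the /authorize URL; returns (url, state, code_verifier).

    The caller keeps state and code_verifier in the server-side session:
    state is compared on the callback, code_verifier goes to /token.
    """
    verifier, challenge = new_pkce_pair()
    state = secrets.token_urlsafe(32)
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    if force_login:
        # Ask for interactive sign-in even if a PRT or KMSI cookie exists.
        params["prompt"] = "login"
    url = f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"
    return url, state, verifier


def forces_interactive_login(url):
    """True only if the URL carries exactly one prompt value and it is 'login'."""
    return parse_qs(urlsplit(url).query).get("prompt") == ["login"]
```

The check function can be run in a test suite against the URL your application actually emits, so a later refactor that drops the parameter is caught before release.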