Configure the 'Stay signed in?' prompt for Azure AD accounts

Keep me signed in (KMSI) displays a Stay signed in? prompt after a user successfully signs in. If a user answers Yes to this prompt, the keep me signed in service gives them a persistent refresh token. For federated tenants, the prompt is shown after the user successfully authenticates with the federated identity service.

The following diagram shows the user sign-in flow for a managed tenant and a federated tenant, including the new keep me signed in prompt. This flow contains smart logic so that the Stay signed in? option is not displayed if the machine learning system detects a high-risk sign-in or a sign-in from a shared device.

Diagram showing the user sign-in flow for managed and federated tenants

Note

Configuring the keep me signed in option requires you to use the Azure Active Directory (Azure AD) Premium 1, Premium 2, or Basic editions, or to have a Microsoft 365 license. For more information about licensing and editions, see Sign up for Azure AD Premium.

Azure AD Premium and Basic editions are available for customers in China using the worldwide instance of Azure AD. Azure AD Premium and Basic editions aren't currently supported in the Azure service operated by 21Vianet in China. For more information, talk to us using the Azure AD Forum.

Configure KMSI

  1. Sign in to the Azure portal using a Global administrator account for the directory.

  2. Select Azure Active Directory, select Company branding, and then select Configure.

  3. In the Advanced settings section, find the Show option to remain signed in setting.

    This setting lets you choose whether your users remain signed in to Azure AD until they explicitly sign out.

    • If you choose No, the Stay signed in? option is hidden after the user successfully signs in, and the user must sign in each time the browser is closed and reopened.
    • If you choose Yes, the Stay signed in? option is shown to the user.

    Screenshot showing the Show option to remain signed in setting

Troubleshoot sign-in issues

If a user doesn't act on the Stay signed in? prompt, as shown in the following diagram, but abandons the sign-in attempt, you'll see a sign-in log entry that indicates the interrupt.

Screenshot showing the Stay signed in? prompt

Details about the sign-in error are as follows and are highlighted in the example.

  • Sign in error code: 50140
  • Failure reason: This error occurred due to "Keep me signed in" interrupt when the user was signing in.

Example sign-in log entry containing the "Keep me signed in" interrupt information
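The log entry described above is easy to misread as a credential failure when sign-in logs are fed into alerting. The following Python script is an added example (not part of the original article and not Microsoft code) that separates KMSI interrupts (error code 50140) from genuine failed sign-ins and counts which users hit the prompt most often. The sample log entries are constructed for this example; the field layout (createdDateTime, userPrincipalName, status.errorCode, status.failureReason) is assumed to mirror an Azure AD sign-in log export, and the only other error code used, 50126 (invalid username or password), is a well-known Azure AD sign-in error.

```python
import json
from collections import Counter

# Constructed sample export of Azure AD sign-in log entries (values are made up).
# Field names are assumed to follow the sign-in log JSON shape.
SAMPLE_SIGN_IN_LOGS = json.dumps([
    {"createdDateTime": "2023-05-01T08:00:00Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Office 365", "status": {"errorCode": 0, "failureReason": None}},
    {"createdDateTime": "2023-05-01T08:05:00Z", "userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Azure Portal",
     "status": {"errorCode": 50140,
                "failureReason": "This error occurred due to \"Keep me signed in\" interrupt when the user was signing in."}},
    {"createdDateTime": "2023-05-01T08:06:00Z", "userPrincipalName": "carol@contoso.example",
     "appDisplayName": "Office 365",
     "status": {"errorCode": 50126, "failureReason": "Invalid username or password."}},
    {"createdDateTime": "2023-05-01T09:10:00Z", "userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Azure Portal",
     "status": {"errorCode": 50140,
                "failureReason": "This error occurred due to \"Keep me signed in\" interrupt when the user was signing in."}},
    {"createdDateTime": "2023-05-01T09:15:00Z", "userPrincipalName": "dave@contoso.example",
     "appDisplayName": "Office 365", "status": {"errorCode": 0, "failureReason": None}},
])

# Error code Azure AD records when the user abandons the "Stay signed in?" prompt.
KMSI_INTERRUPT_CODE = 50140


def parse_sign_in_logs(raw: str) -> list:
    """Parse a JSON array of sign-in log entries into a list of dicts."""
    entries = json.loads(raw)
    if not isinstance(entries, list):
        raise ValueError("expected a JSON array of sign-in entries")
    return entries


def error_code(entry: dict) -> int:
    """Return the numeric error code of an entry (0 means success)."""
    return int(entry.get("status", {}).get("errorCode") or 0)


def is_kmsi_interrupt(entry: dict) -> bool:
    """True when the entry records an abandoned KMSI prompt, not a bad credential."""
    return error_code(entry) == KMSI_INTERRUPT_CODE


def find_kmsi_interrupts(entries: list) -> list:
    """All entries that are KMSI interrupts."""
    return [e for e in entries if is_kmsi_interrupt(e)]


def genuine_failures(entries: list) -> list:
    """Failed sign-ins that are NOT KMSI interrupts: these are the ones worth alerting on."""
    return [e for e in entries if error_code(e) != 0 and not is_kmsi_interrupt(e)]


def interrupts_by_user(entries: list) -> dict:
    """Count KMSI interrupts per user; repeat offenders are candidates for the
    conditional access persistent-browser-session control instead of a tenant-wide change."""
    return dict(Counter(e["userPrincipalName"] for e in find_kmsi_interrupts(entries)))


if __name__ == "__main__":
    logs = parse_sign_in_logs(SAMPLE_SIGN_IN_LOGS)
    print("KMSI interrupts:", len(find_kmsi_interrupts(logs)))
    print("Genuine failures:", [e["userPrincipalName"] for e in genuine_failures(logs)])
    print("Interrupts by user:", interrupts_by_user(logs))
```

Run against a real export, the interesting output is the per-user count: if a handful of users keep abandoning the prompt, the conditional access option described below lets you turn the prompt off for just those users rather than for the whole directory.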

You can stop users from seeing the interrupt by setting the Show option to remain signed in setting to No in the advanced branding settings. This disables the KMSI prompt for all users in your Azure AD directory.

You can also use the persistent browser session control in conditional access to prevent users from seeing the KMSI prompt. This option lets you disable the KMSI prompt for a selected group of users (such as the global administrators) without affecting sign-in behavior for the remaining users in the directory.

To ensure that the KMSI prompt is shown only when it can benefit the user, the KMSI prompt is intentionally not shown in the following scenarios:

  • User is signed in via seamless SSO and Integrated Windows Authentication (IWA)
  • User is signed in via Active Directory Federation Services and IWA
  • User is a guest in the tenant
  • User's risk score is high
  • Sign-in occurs during a user or admin consent flow
  • Persistent browser session control is configured in a conditional access policy

Next steps

Learn about other settings that affect sign-in session timeout: