Need Keep Me Signed In Back in 365


#1

Our use case is a bit odd but here we go:
We use a script called OneDriveMapper in Citrix to map users’ OneDrives to a virtual drive which minimizes redundant caching of files. OneDriveMapper makes use of session tokens stored in IE to authenticate to 365 - not a problem with Duo as we bypass MFA while in Citrix.

The problem we’ve come across is that some users are no longer prompted with “Keep Me Signed In” on the 365 login page, meaning the token is not generated; thus, as user passwords are expiring, so are the tokens, breaking the drive mapping.

Is it possible to bring back KMSI? We do not federate on-premises so the usual ADFS config change to turn on KMSI won’t work.


#2

Are you using the Duo custom control for Azure AD conditional access? I don’t believe that the Duo control itself has any effect on Azure’s KMSI functionality. Have you tried playing with Azure’s token lifetimes? https://docs.microsoft.com/en-us/azure/active-directory/active-directory-configurable-token-lifetimes
https://blogs.technet.microsoft.com/enterprisemobility/2017/08/31/changes-to-the-token-lifetime-defaults-in-azure-ad/