Get M365 Devices to Stay Logged in with Conditional Access

M365 Devices to Stay Logged in

Sometimes you need to get M365 devices to stay logged in with Conditional Access. I can give you an example. Say you have a dedicated multiuser device that is enrolled in Intune but can’t use MFA.

You need to get that device to stay logged in. Having it logged out would not be good since you might have to tell the user (one of many) what the password is to log back in. A password that could be easily shared. Not the best for security.

Use Conditional Access for Device to Stay Logged in

One way that could help is to use Conditional Access. It allows you to target the users and devices that have multiuser access and allow them to stay logged in. If you are worried about security in this setup, you can add another Conditional Access policy to enhance security.

More importantly, for this article, we are going to configure browser persistence.

What is Browser Persistence

A persistent browser session allows the end user to remain signed in after closing and reopening their browser window. The default configuration for browser session persistence allows the end user on a personal device to choose whether to persist the session by showing a “Stay signed in?” prompt after successful authentication.

This is helpful for the multiuser devices we mentioned above, which need to stay logged in as long as possible.

Configure Conditional Access for Device to Stay Logged in

1. Go to Conditional Access in Microsoft Entra and click the “plus sign” to add a new policy.

2. Add the users / groups you want to include in this policy.

3. Under Target resources, choose All cloud apps.


4. Choose Persistent browser session, choose Always persistent from the dropdown menu, and click Select.


5. Run the policy in “Report-only” and click Create.


It is good to run the policy in report-only mode and make sure it operates as expected before you enable the policy.
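The same policy expressed as a Microsoft Graph `conditionalAccessPolicy` body (the JSON accepted by `POST /identity/conditionalAccess/policies`), with a small check that an always-persistent policy stays scoped to the shared-device group. This is an added example, not part of the original article; the function names, display name and group ID are constructed placeholders.

```python
import json

def build_policy(group_ids, name="Shared devices - persistent browser session"):
    """Graph conditionalAccessPolicy body mirroring steps 2-5 above (name is a placeholder)."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced",            # step 5: report-only
        "conditions": {
            "clientAppTypes": ["all"],
            "users": {"includeGroups": list(group_ids)},          # step 2: target group(s)
            "applications": {"includeApplications": ["All"]},     # step 3: all cloud apps
        },
        "sessionControls": {
            "persistentBrowser": {"isEnabled": True, "mode": "always"}  # step 4
        },
    }

def audit_policy(policy):
    """Return findings for a policy that sets an always-persistent browser session."""
    findings = []
    pb = (policy.get("sessionControls") or {}).get("persistentBrowser") or {}
    if not (pb.get("isEnabled") and pb.get("mode") == "always"):
        return findings  # not an always-persistent policy, nothing to check
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    if "All" in (users.get("includeUsers") or []):
        findings.append("scope: applies to All users, not only the shared-device group")
    if not (users.get("includeGroups") or users.get("includeUsers")):
        findings.append("scope: no users or groups included")
    if (apps.get("includeApplications") or []) != ["All"]:
        findings.append("apps: persistent browser session expects All cloud apps")
    return findings

if __name__ == "__main__":
    # Constructed placeholder group ID; replace with the shared-device group's object ID.
    policy = build_policy(["00000000-0000-0000-0000-000000000000"])
    print(json.dumps(policy, indent=2))
    print("findings:", audit_policy(policy) or "none")
```

`audit_policy` also works on policies exported from the tenant, since it reads the same fields Graph returns.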

This policy should help to keep those devices logged in as long as possible. In my next article, I will show you a way you can get the above-mentioned devices logged in after they eventually log out, but the user will not have to be told the password! I will show you in my next article how to sign them in without letting the user know the password.


I am an IT professional with over twenty years of experience in the field. I have supported thousands of users over the years. The organizations I have worked for range in size from one person to hundreds of people. I have performed support from Help Desk, Network / Cloud Administration, Network Support, Application Support, Implementation and Security.
