Microsoft Teams for the web will respect Microsoft Entra “Keep Me Signed In” (KMSI) settings

🚨 The Signal: Microsoft Teams web will now respect Microsoft Entra 'Keep Me Signed In' (KMSI) settings. This improves security by clearing sessions on unmanaged devices if users don't explicitly choose to stay signed in, reducing unauthorized access risk.

The Impact

All users accessing Teams via web are affected, reducing the risk of unauthorized access on shared or unmanaged devices.

  • Unmanaged device users: Reduced risk of unauthorized access if they don't select KMSI.
  • Shared device users: Enhanced security by requiring re-authentication if KMSI is not chosen.
  • Security teams: Improved session control and reduced attack surface for web-based Teams.
  • Compliance teams: Better alignment with session management and authentication security policies.

The Action

  1. Review existing Microsoft Entra KMSI configurations via Entra admin center > Identity > Users > User settings > Manage user feature settings.
  2. Assess Conditional Access policies that suppress KMSI prompts or enforce session controls via Entra admin center > Protection > Conditional Access > Policies.
  3. Communicate KMSI behavior changes to end-users, especially those on shared or unmanaged devices.
  4. Verify session persistence behavior in a test environment post-rollout (late July 2026).

Domain: Entra · Impact: medium · Workload: Teams · Essential Eight: Multi-Factor Authentication · ISM: ISM-0109, ISM-0123, ISM-0140, ISM-0974, ISM-1173, ISM-1228, ISM-1401, ISM-1504, ISM-1505, ISM-1679, ISM-1680, ISM-1681, ISM-1682, ISM-1683, ISM-1815, ISM-1819, ISM-1872, ISM-1873, ISM-1874, ISM-1892, ISM-1893, ISM-1894, ISM-1906, ISM-1907