Microsoft changes account sign-in system to keep users logged in automatically

Microsoft is implementing a significant change to its account authentication system starting February 2025. Under the new system, users stay signed in across sessions unless they sign out explicitly.
To better understand the change, it is necessary to look at how Microsoft currently handles sign-ins. When you sign in to a Microsoft account in a web browser, a "stay signed in" prompt is displayed after you provide your username, password, and the optional two-factor authentication verification.
When you decline, you stay signed in for the session only. When you accept it, you stay signed in even across sessions. This prompt is going away starting in February.

Here are the details:
- The change affects all Microsoft services, including Outlook, OneDrive, Microsoft 365, and other services and products that support login.
- A new global sign out option is available.
Security implications
While the change may look minor at first glance, it may have serious consequences on shared or public computer systems.
Here, it is necessary to sign out explicitly, as the next user may access the Microsoft account and linked services otherwise.
One way around this is to use a browser's private browsing mode on shared or public computer systems. Sign-ins and any other activity are only kept for the browsing session. Once you close the browser, all data, including Microsoft account data, is no longer available.
On the sign-in page, Microsoft even suggests using private browsing on devices that you do not own.
The best option remains to avoid signing in to any service on computers or devices that you do not have full control over.
The Global sign out option

Microsoft customers who forget to sign out on systems that others have access to may trigger a global sign out to force a sign out on all systems.
Here is how that works:
- Open this Microsoft support page.
- Select the "sign in" button on the page. A new page opens that asks you to sign in, if you have not already.
- Scroll down on the additional security options webpage until you get to the sign out everywhere section.
- Activate the sign out everywhere link.
- Confirm the prompt by selecting "sign out".
Microsoft notes that this may take up to 24 hours. In other words, there is a 24-hour window in which others may still access Microsoft account related services on other devices.
Closing Words
The change impacts mostly Microsoft customers who sign in to their accounts on public or shared devices. Others may also be impacted, but to a lesser degree.
What is your take on the change? How do you handle sign ins on the Web? Feel free to leave a comment down below.


I have used Microsoft products for decades, but I am starting to dislike their push to decide how I use my PC, from what browser I should use to how I should sign into Windows. Even when I should install an upgrade. I don’t even like Windows 11 that much as an operating system…
Does Microsoft use cookies to determine if users are signed in or not? If so, simply deleting them which I’ve configured Firefox to do when I close it should cause users to be signed out automatically.
Same with Brave.
The warning message is visible and in red right now. It won’t be long until it is de-emphasized & removed altogether. Because Microsoft is the worst company in the world.
I am deleting my Microsoft account
Ya know, I’m really beginning to hate computing at home. Between Nosey Google and Ultra Nosey M$.. it’s just depressing. And since M$ bought GitHub… their crap is all over Linux now.
Again, it’s seriously depressing.
Hell, try finding a digital picture viewer for your flash drive that doesn’t hook up to WiFi. They are out there, but they are not promoted at all. In fact, the sellers have bought in enough to warn you not to buy a non Wifi viewer.
Clean out the cookies and you’re also signed out, along with less spying by big brother.
If you delete cookies in Edge, you are automatically signed BACK into MS related sites (Bing for example).
Sometimes you wonder what they’re smoking!
More privacy invading crap from Microsoft. Someone signing into Outlook to check their emails should not then automatically be signed into Bing, or other Microsoft Advertising properties.
From a security perspective, this change is pure idiocy. If you want to limit access to accounts, personal or sensitive information, you sign in, do what you need to do, then sign out.
This process should be automatic as well, with sign-in credentials only having a limited lifespan regardless of whether the authentication mechanism is JWT, OAuth tokens or Kerberos tickets. The shorter the window, the lower the attack surface.
Keeping sign-in credentials active across sessions significantly increases the threat surface area and only makes sense if you want to actively track user behaviour.
One more reason I am glad to leave the Microsoft ecosystem completely.
Who needs to plant cookies when MS now will blatantly steal whatever is on your device.
Presumably you can continue using a local account to sign in with over which Microsoft has no control, or are they saying that local accounts can’t be used anymore?
Well, the popup was useless, people wouldn’t read it and still accept it anyways.
Honestly it is better the little message they have now “You’ll stay signed in unless you use private browsing or explicitly sign out.”, at least it is red and if people are signing in a new account, they will see it.
It would be good if sites prompted something when they detect you are in normal mode though, because the whole concept of needing a completely different ‘private window’ to stay out of trouble like this is just weird; the browser should have features to do that in normal windows, without too much setup.