This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 88%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMG%3C/text%3E%3C/svg%3E)
Hello,
We have a hybrid application that is first asking users to enter their email address, then based on whether their email domain supports the Federated Authentication feature we direct them to Azure AD B2C login. If it doesn't we ask them for their internal application username and password stored in the database. We are not using B2C "local accounts" feature, only external IDPs. Currently we only support Azure AD as external IDP, but we are planning to introduce others. Since we only support one IDP per customer we are using direct-sign-in and passing user's email as login_hint and their email domain as domain_hint in MSAL.js call. Domain_hint is then mapped in custom policies to their Azure AD tenant sign-in user flow. So users are not presented by the B2C screen, but are taken directly to the external IDP login.
We want to support SSO and are using "tenant" scope, so that if user signs out of our app they are not signed out of their respective Azure AD and can still use it with other applications.
The issue is that if a user workstation is shared by multiple employees, which is a very likely scenario with our customers, if one user logs out of their application and then 2nd user tries to login, although I can see their tokens deleted from local storage, they are still able to sign-in with previous user token, without even being presented with a login prompt.
Is there a setting in MSAL.js or custom policies that would prevent that? I tried using prompt: 'login', but it didn't help, and then I read that it's not supported for external IDP providers in B2C.
Any suggestion would be welcome.
Hi, we are looking into your issue and will update you shortly!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 66%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMG%3C/text%3E%3C/svg%3E)
If that helps to narrow it down the issue is only happening with our corporate AAD connected to B2C and not with a basic test one connected to the same B2C with exactly the same settings.
Is there any setting on the AAD level that could affect it?
Hi @Marina Gurevich , sorry for the delay! I'm sending this to the product team to help get you a detailed solution. We should have an answer soon.
Best,
James
Hi James,
Any updates? I can imagine that other people who share the same browser for multiple users will run into this issue also.
Marina
As a workaround I added <InputClaim ClaimTypeReferenceId="prompt" DefaultValue="{OIDC:prompt}" AlwaysUseDefaultValue="true" /> to AAD Claims Provider in Custom Policies and then added prompt: 'login' to MSAL.js request when login_hint (user email) changes.
<InputClaims>
<!-- Add the login hint value to the sign-in names claim type -->
<InputClaim ClaimTypeReferenceId="email" PartnerClaimType="login_hint" DefaultValue="{OIDC:LoginHint}" />
<InputClaim ClaimTypeReferenceId="hsu" PartnerClaimType="hsu" DefaultValue="1" AlwaysUseDefaultValue="true" />
<InputClaim ClaimTypeReferenceId="prompt" DefaultValue="{OIDC:prompt}" AlwaysUseDefaultValue="true" />
</InputClaims>
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(115.19999999999999, 85%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAP%3C/text%3E%3C/svg%3E)
@James Hamil : Do you have any update on the above issue? We are also running into the same issue for a couple of our apps used at a location where employees are bound to share the workstations.
@Marina Gurevich : Did the workaround posted by you here resolve the issue for your team?
We did end up using it, although the users need to enter their login credentials each time.
You can try adding logic to check if the email is different from the previous one and only then pass the prompt:login parameter. Try saving previous login in the browser local storage or something like that.