This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 1%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDR%3C/text%3E%3C/svg%3E)
Hi,
We are observing an issue related to the oauth screen. If a user happens to double click or do additional clicks on the microsoft account microsoft generates multiple triggers. There triggers causes multiple callback being triggered making our applications invalidate the request preventing login.
Is there a way to prevent this behaviour. Since the oauth screen is handled by outlook what can be done here.
Using classic Outlook for Windows in business environments
The additional clicks are done on the microsoft screen and it is generating triggers. How a ui change work in this case since the control is gone to microsoft.
Is there a way to prevent microsoft from showing this account and force the user to enter the username and password everytime. In this case double clicks wont be a problem
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 11%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETD%3C/text%3E%3C/svg%3E)
Hi @Dumbre, Rohit
Once the flow reaches Microsoft's account picker screen, as shown in your screenshot, the interface is fully controlled by Microsoft. At that point, any changes to your own UI such as disabling a button can only help prevent duplicate submissions before the redirect.
If you want to bypass the "Choose an account" screen and ensure users always re-enter their credentials, Microsoft supports a query parameter that can help. By adding prompt=login to your OAuth request, you instruct the Microsoft identity platform to ignore existing sessions and require the user to enter their username and password every time. This eliminates the risk of accidental extra clicks on the account picker screen.
Here is an example of how your authorization request might look:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id={client_id}
&response_type=code
&redirect_uri={redirect_uri}
&response_mode=query
&scope={scopes}
&state={state}
&prompt=login
This approach ensures that the user is taken directly to the login form, avoiding the account picker screen entirely.
You can find more details in the Microsoft identity platform and OAuth 2.0 authorization code flow - Microsoft identity platform | M….
Hope this helps clarify things. Let me know if you run into any other issues or need further guidance.
Hi @Dumbre, Rohit
May I know if you have got any chance to check my answer? If you need further assistance, feel free to let me know. Thank you!
Thanks after discussing further this experience kind of degrades the user performance as they now how to enter the password.
Users should be able to directly login by clicking on the account
Hi @Dumbre, Rohit
Thank you for your update.
I understand that requiring users to enter their password each time may affect their experience. I’m glad to hear that you have considered the best approach for your organization. If you have any further questions or need additional assistance, please feel free to post back. It’s always a pleasure to help.
Hi @Dumbre, Rohit
Thank you for posting your question in the Microsoft Q&A forum.
This is a common challenge many developers face when integrating OAuth flows. While the login and consent screens are managed by Microsoft and can't be directly modified to debounce or block extra clicks, there are several effective strategies you can implement on your end to protect your application against multiple callback issues:
-Disable the login button immediately after the first click.
A simple UI change helps prevent users from unintentionally triggering multiple login attempts, which can lead to duplicate requests and session confusion.
-Validate the login session on your server.
Accept only the first valid callback. Your backend should track each login attempt using a unique session identifier or timestamp. Once a callback is successfully processed, mark it as consumed (e.g., loginProcessed = true) and gracefully ignore any subsequent callbacks with the same state or code.
Generate and store a unique state parameter for each login attempt. This ensures that each authentication flow is traceable and prevents replay attacks or accidental reprocessing.
Please refer to Pass custom state in authentication requests (MSAL.js) | Azure Docs
-Use Microsoft Authentication Libraries (MSAL) with proper redirect handling.
Microsoft Authentication Libraries support passing custom state parameters and managing redirects effectively. You can read more at Authentication configuration options - Microsoft Authentication Library for JavaScript | Microsoft …
-If your app supports it, consider switching to popup login, which can help avoid full-page reloads and reduce the likelihood of duplicate submissions.
I hope these suggestions help you build a more resilient authentication flow.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.