
How to use OIDC without SSO?

manus-9231 20 Reputation points
2025-04-16T14:09:45.0333333+00:00

We are developing a single-tenant, intranet-only SCADA web app, hosted on-premises at each of our customers.

Most of our customer users will use shared computers to sign in to the app with OpenID Connect (OIDC) and Microsoft Entra ID.

Is there a way to sign in solely to our app without signing in to the rest of apps provided by Microsoft Entra ID? In other words, is there a way to bypass Single sign-on (SSO)?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Answer accepted by question author

Raja Pothuraju 47,420 Reputation points Microsoft External Staff Moderator
2025-04-17T19:14:13.4066667+00:00

Hello @manus-9231,

Based on your description, I understand that you've configured an application in Azure using the OIDC protocol for user authentication via Microsoft Entra ID as the identity provider. However, your goal is to ensure that the user session does not extend to other Microsoft 365 or Entra apps (such as the Entra Admin Center), even if the user provides valid credentials.

By default, Microsoft Entra ID acts as a Single Sign-On (SSO) provider. When a user signs in through the Entra login page, they receive a Primary Refresh Token (PRT) or browser-based SSO cookies, which allow seamless access to other applications within the same tenant.

As a result, when a user signs in to your app using Entra ID via OIDC, they may also gain access to Microsoft 365, the Entra Admin Portal, the Azure Portal, and any other Entra-integrated apps. This happens because the SSO session cookie is present in the browser.

Additionally, you want users to be prompted for credentials every time they access your application.

To enforce this behavior, you can use the prompt=login parameter in your OIDC authentication request. This parameter forces users to enter their credentials again, bypassing any existing SSO sessions—even if they are already signed into another Entra ID app.

Your end goal is to allow users to sign in only to your web application (https://myapp.test-env-1.example.com/) and prevent access to any other Microsoft first-party or third-party applications.

While you cannot entirely prevent users from signing in to other apps, you can restrict their access using Conditional Access policies.

To achieve your objective of blocking access to all applications except your web app: create a Conditional Access policy that blocks access to all cloud apps and excludes your web application.

This way, users will be denied access to everything except your specified web app. Since Conditional Access policies work at the resource (application) level, it's important to test this policy with a single user first to ensure your app is still accessible as expected.

Keep in mind that the effectiveness of this approach depends on how your application is registered and recognized as a resource in Entra ID.

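As an added illustration (not code from this answer or from Microsoft), the following shows how an app can put `prompt=login` into its OIDC authorization request and then check, from the returned ID token, that an interactive sign-in actually took place rather than an existing browser SSO session being reused. It assumes the ID token signature has already been validated by your OIDC library, that the `auth_time` claim is present (in Entra ID this is an optional claim that must be enabled on the app registration), and uses placeholder tenant, client id and redirect values.

```python
import base64
import hashlib
from urllib.parse import urlencode

# Placeholders: substitute your own tenant id, client id and redirect URI.
TENANT = "TENANT_ID_PLACEHOLDER"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
REDIRECT_URI = "https://myapp.test-env-1.example.com/signin-oidc"


def build_authorize_url(tenant, client_id, redirect_uri, state, nonce, code_verifier):
    """Build the Entra ID v2.0 authorization request with prompt=login and PKCE."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    code_challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "state": state,                 # CSRF protection, bound to the browser session
        "nonce": nonce,                 # echoed back in the ID token, bound to this request
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "prompt": "login",              # force re-entry of credentials, ignore existing SSO session
    }
    base = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?"
    return base + urlencode(params)


def fresh_login_ok(id_token_claims, expected_nonce, request_started_at, max_age_s=300):
    """Accept the sign-in only if the nonce matches and auth_time shows an
    interactive authentication that happened after we issued the request
    (an auth_time earlier than the request means an old session was reused)."""
    if id_token_claims.get("nonce") != expected_nonce:
        return False
    auth_time = id_token_claims.get("auth_time")
    if not isinstance(auth_time, int):
        return False  # claim missing or malformed: do not assume a fresh login
    return request_started_at <= auth_time <= request_started_at + max_age_s


if __name__ == "__main__":
    url = build_authorize_url(TENANT, CLIENT_ID, REDIRECT_URI,
                              state="constructed-state", nonce="constructed-nonce",
                              code_verifier="x" * 43)
    print(url)
```

The `auth_time` check is what tells you whether `prompt=login` was honoured; `prompt=login` alone only asks the identity provider to re-authenticate, it does not prove to your app that it happened.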


1 additional answer

Andy David - MVP 160.2K Reputation points MVP Volunteer Moderator
2025-04-16T14:31:33.63+00:00

They can certainly log on directly to the app and have it redirect them back to Azure for authentication and not log on to any other Microsoft app, but I'm not sure what you mean by "Bypass SSO".

End users can go here and access the app:

https://myapps.microsoft.com/
