Hi @Pedro Cabral ,
Thanks for reaching out.
As you mentioned that error you are getting is expected as users from another tenant cannot access the application in another tenant.
The browser will automatically use the current session's credentials when trying to sign into a new tenant, rather than prompting the user to select a different account.
To get the list of accounts to pick, you need to force the browser by adding prompt="select_account" to OpenID/OAuth2 request to get the option to "Pick another account".
Regarding the issue of being able to change password locally and still have access to the application, it is a security concern that local authentication can override Azure AD authentication. To mitigate this, you can consider disabling the ability to change password locally or implementing a mechanism that synchronizes the local password with the Azure AD password.
Hope this will help.
Please remember to "Accept Answer" if answer helped you.