Remove Sign-in with another account link from Azure AD login

Marina Gurevich 51 Reputation points


We have a hybrid application that is first asking users to enter their email address, then based on whether their email domain supports the Federated Authentication feature we direct them to Azure AD B2C login. If it doesn't we ask them for their internal application username and password stored in the database. We are not using B2C "local accounts" feature, only external IDPs. Currently we only support Azure AD as external IDP, but we are planning to introduce others. Since we only support one IDP per customer we are using direct-sign-in and passing user's email as login_hint and their email domain as domain_hint in MSAL.js call. Domain_hint is then mapped in custom policies to their Azure AD tenant sign-in user flow. So users are not presented by the B2C screen, but are taken directly to the external IDP login.

The issue is that even though we prefill the email on the Azure AD based on the login_hint parameter, users can still pick Choose Another account option and then enter the email that doesn't match the 1st email prompt in our application screen. Is there a way to disable the option of choosing another account via custom policies?

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
13,559 questions
Azure Active Directory External Identities
No comments
{count} votes

Accepted answer
  1. AmanpreetSingh-MSFT 55,411 Reputation points

    Hello @Marina Gurevich · Welcome to Q&A platform and thanks for your query.

    For this purpose, along with login_hint parameter, you need to pass hsu=1 parameter as well.

    In your custom policy, you can update the technical profile for the Azure AD added as external IDP with below input claim to pass this parameter.

          <InputClaim ClaimTypeReferenceId="hsu" DefaultValue="1" />  

    Note: hsu parameter works with login_hint parameter. Using hsu parameter without login_hint will result in error: AADSTS900144: The request body must contain the following parameter: 'login_hint'.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

0 additional answers

Sort by: Most helpful