Remove Sign-in with another account link from Azure AD login

Marina Gurevich 56 Reputation points
2020-12-11T14:35:03.107+00:00

Hello,

We have a hybrid application that first asks users to enter their email address, then, based on whether their email domain supports the Federated Authentication feature, we direct them to the Azure AD B2C login. If it doesn't, we ask them for their internal application username and password stored in the database. We are not using the B2C "local accounts" feature, only external IDPs. Currently we only support Azure AD as an external IDP, but we are planning to introduce others. Since we only support one IDP per customer, we are using direct sign-in and passing the user's email as login_hint and their email domain as domain_hint in the MSAL.js call. Domain_hint is then mapped in custom policies to their Azure AD tenant sign-in user flow. So users are not presented with the B2C screen, but are taken directly to the external IDP login.

The issue is that even though we prefill the email on the Azure AD page based on the login_hint parameter, users can still pick the "Choose another account" option and then enter an email that doesn't match the first email prompt in our application screen. Is there a way to disable the option of choosing another account via custom policies?


Accepted answer
  1. AmanpreetSingh-MSFT 56,301 Reputation points
    2020-12-11T15:42:10.263+00:00

    Hello @Marina Gurevich, welcome to the Q&A platform and thanks for your query.

    For this purpose, along with the login_hint parameter, you need to pass the hsu=1 parameter as well.

    In your custom policy, you can update the technical profile for the Azure AD added as an external IDP with the input claim below to pass this parameter.

    <InputClaims>
      <InputClaim ClaimTypeReferenceId="hsu" DefaultValue="1" />
    </InputClaims>

    Note: the hsu parameter works with the login_hint parameter. Using the hsu parameter without login_hint will result in the error: AADSTS900144: The request body must contain the following parameter: 'login_hint'.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
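As an added illustration, not part of the answer above or of any Microsoft sample: the request shape the question describes (an msal-browser `loginRedirect` request with `loginHint` and `domainHint` derived from the email the user typed) together with the check the application still needs, because hsu=1 only hides the link and the hint values are sent from the browser. The claim names used for the comparison (email, preferred_username, upn) are assumptions about the policy's output claims, and the sample token is constructed for the stand-alone run.

```javascript
// Added example (not from the original post). hsu=1 only hides the
// "Use another account" link; login_hint and domain_hint are sent from the
// browser, so the app must still confirm that the account Azure AD actually
// authenticated is the one the user typed on the email-first screen.

// Build the msal-browser loginRedirect() request from the entered email.
// Assumed: the email-first screen already validated basic email syntax.
function buildSignInRequest(enteredEmail, scopes) {
  const email = enteredEmail.trim().toLowerCase();
  const domain = email.substring(email.lastIndexOf("@") + 1);
  // The B2C custom policy maps domain_hint to the customer's tenant and
  // forwards login_hint (plus the hsu=1 input claim) to Azure AD.
  return { scopes, loginHint: email, domainHint: domain };
}

// Decode a JWT payload without verifying it. Signature validation happens in
// MSAL (or in the API); this only extracts claims for the comparison below.
function decodeJwtPayload(token) {
  const b64 = token.split(".")[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Identity Azure AD asserted for the user. Which claim carries the email is
// an assumption about the policy's output claims; check the common ones.
function assertedIdentity(claims) {
  const id = claims.email || claims.preferred_username || claims.upn;
  return typeof id === "string" ? id.trim().toLowerCase() : null;
}

// True only if the signed-in identity equals the email collected up front.
function signedInAsEntered(enteredEmail, idToken) {
  const expected = enteredEmail.trim().toLowerCase();
  const actual = assertedIdentity(decodeJwtPayload(idToken));
  return actual !== null && actual === expected;
}

// Constructed, unsigned sample token for a stand-alone run; a real id_token
// comes from the AuthenticationResult that MSAL returns after the redirect.
function sampleIdToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none" })}.${enc(claims)}.`;
}
```

If the comparison fails, sign the user out and return to the email-first screen rather than continuing with whichever account was selected.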

