Remove Sign-in with another account link from Azure AD login

Marina Gurevich 51 Reputation points
2020-12-11T14:35:03.107+00:00

Hello,

We have a hybrid application that first asks users to enter their email address; then, based on whether their email domain supports the Federated Authentication feature, we direct them to the Azure AD B2C login. If it doesn't, we ask them for their internal application username and password stored in the database. We are not using the B2C "local accounts" feature, only external IdPs. Currently we only support Azure AD as an external IdP, but we are planning to introduce others. Since we only support one IdP per customer, we are using direct sign-in and passing the user's email as login_hint and their email domain as domain_hint in the MSAL.js call. The domain_hint is then mapped in custom policies to their Azure AD tenant sign-in user flow. So users are not presented with the B2C screen, but are taken directly to the external IdP login.

The issue is that even though we prefill the email on the Azure AD login page based on the login_hint parameter, users can still pick the "Choose Another account" option and then enter an email that doesn't match the one entered at the first email prompt in our application. Is there a way to disable the option of choosing another account via custom policies?
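As an added example (not code from the original post or from Microsoft), the flow the question describes written out in JavaScript: the app takes the email, decides from the domain whether to send the user to B2C with loginHint/domainHint (MSAL.js request properties that become the login_hint and domain_hint query parameters) or to its own username/password form, and then, after the redirect completes, checks that the identity the IdP actually authenticated matches the email the user typed. The federated-domain table, the domain_hint values and the sample id-token claims are constructed placeholders; the MSAL.js instance is injected so the helpers can be exercised without a browser.

```javascript
// Added example, not the original poster's code. The federation table and
// domain_hint values below are constructed placeholders, not real tenants.
const FEDERATED_DOMAINS = {
  "contoso.com": { domainHint: "contoso.com" },
  "fabrikam.com": { domainHint: "fabrikam.com" },
};

// Extract and lower-case the domain part of an email address.
// Returns null for anything that does not look like user@domain.
function emailDomain(email) {
  if (typeof email !== "string") return null;
  const trimmed = email.trim();
  const at = trimmed.lastIndexOf("@");
  if (at <= 0 || at === trimmed.length - 1) return null;
  const domain = trimmed.slice(at + 1).toLowerCase();
  if (/\s/.test(domain)) return null;
  return domain;
}

// Decide which sign-in path to use for this email. Returns either
//   { mode: "federated", request: <MSAL.js redirect request> }
//   { mode: "local" }   -> fall back to the app's own username/password form
function planSignIn(email, scopes = ["openid", "offline_access"]) {
  const domain = emailDomain(email);
  if (domain === null) throw new Error("invalid email address");
  const entry = FEDERATED_DOMAINS[domain];
  if (!entry) return { mode: "local" };
  return {
    mode: "federated",
    request: {
      scopes,
      loginHint: email.trim(),      // sent to B2C as login_hint
      domainHint: entry.domainHint, // sent to B2C as domain_hint; the policy maps it to the IdP
    },
  };
}

// Start the redirect with an MSAL.js PublicClientApplication (injected so this
// can be tested without the library). Returns the chosen mode.
async function startSignIn(msalInstance, email) {
  const plan = planSignIn(email);
  if (plan.mode === "federated") {
    await msalInstance.loginRedirect(plan.request);
  }
  return plan.mode;
}

// After the redirect returns, confirm the authenticated identity is the one
// the user typed. login_hint only prefills the IdP's form; a user who chooses
// another account can still sign in as someone else, so the returned claims
// must be compared against the original email before the session is trusted.
function accountMatchesEmail(expectedEmail, idTokenClaims) {
  const expected = expectedEmail.trim().toLowerCase();
  const candidates = [
    idTokenClaims.email,
    idTokenClaims.preferred_username,
    idTokenClaims.upn,
    ...(Array.isArray(idTokenClaims.emails) ? idTokenClaims.emails : []),
  ]
    .filter((v) => typeof v === "string")
    .map((v) => v.toLowerCase());
  return candidates.includes(expected);
}
```

The post-login check is the part worth keeping even once the IdP-side option is suppressed: the application has already made an authorization decision (which IdP, which customer) from the typed email, so it should refuse a token whose email, preferred_username or upn claim names a different user rather than assume the hint was honoured.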


Accepted answer
  1. AmanpreetSingh-MSFT 55,411 Reputation points
    2020-12-11T15:42:10.263+00:00

    Hello @Marina Gurevich, welcome to the Q&A platform and thanks for your query.

    For this purpose, along with the login_hint parameter, you need to pass the hsu=1 parameter as well.

    In your custom policy, you can update the technical profile for the Azure AD tenant added as an external IdP with the input claim below to pass this parameter.

    <!-- Goes in the OpenIdConnect technical profile for the Azure AD identity provider;
         input claims are sent as query string parameters on the authorization request.
         "hsu" must also be declared as a ClaimType in the policy's ClaimsSchema. -->
    <InputClaims>
      <InputClaim ClaimTypeReferenceId="hsu" DefaultValue="1" />
    </InputClaims>
    

    Note: the hsu parameter works together with the login_hint parameter. Using hsu without login_hint will result in the error: AADSTS900144: The request body must contain the following parameter: 'login_hint'.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

