Issue with logout_hint not suppressing account selection prompt

Krishna Amal 20 Reputation points
2025-04-02T05:19:54.7433333+00:00

A request is made to log out from the application using the logout_hint parameter, but an account selection prompt still appears. The logout request format used is as follows:

https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/logout?id_token_hint={id_token}&post_logout_redirect_uri={redirect_uri}&logout_hint=user@example.com

Despite including logout_hint, the account selection prompt is still displayed. What could be the reason for this behavior?

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

Accepted answer
  1. Rukmini 1,421 Reputation points Microsoft External Staff
    2025-04-04T06:23:38.5533333+00:00

    Hello @Krishna Amal,

    I understand that you are trying to log out from the application using the logout_hint parameter without any prompt, that is, promptless logout.

    The issue you are facing is because you are passing logout_hint as a UPN.

    Note: You need to pass the login_hint value in logout_hint. Don't use UPNs or phone numbers as the value of the logout_hint parameter. Refer to this Microsoft document: OpenID Connect (OIDC) on the Microsoft identity platform | Azure Docs

    When I passed a UPN as the logout_hint in the request, I got the prompt.

    Hence, to resolve the issue, configure login_hint as an optional claim for the ID token in the Microsoft Entra ID application.

    Make sure to pass the openid and profile scopes in the request.

    I used the below endpoint to authorize/sign-in the user:

    https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
    &client_id=ClientID
    &response_type=code
    &redirect_uri=https://jwt.ms
    &response_mode=query
    &scope=User.Read openid offline_access profile
    &state=12345

    Generated tokens using the below parameters:

    https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
    client_id: ClientID
    grant_type: authorization_code
    scope: User.Read openid offline_access profile
    redirect_uri: RedirectURL
    code: xxx
    client_secret: Secret

    Decode the ID token and you will find login_hint.

    Make use of the below request to log out from the Microsoft Entra ID application without a prompt:

    https://login.microsoftonline.com/TenantID/oauth2/v2.0/logout?id_token_hint=IDTOKEN&post_logout_redirect_uri=REDIRECTURL&logout_hint=LoginHintValueFromIDToken

    The user logged out successfully without any account selection prompt.

    And you will be redirected to the redirect URL page without any prompt to select an account to log out. Hope this helps!

    If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.
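
The logout step from the accepted answer as a Python sketch; this is an added example, not code from the answer or from Microsoft. The function names, the `@` check used to spot a UPN, and the sample token and its claim values are assumptions constructed for illustration.

```python
import base64
import json
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_id_token(claims: dict) -> str:
    """Constructed, unsigned stand-in for a real ID token (offline demo only)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.constructed-signature"

def id_token_claims(id_token: str) -> dict:
    """Read the JWT payload. No signature check here: the app is assumed to have
    validated the token at sign-in, and the value is only echoed back to Entra."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def build_logout_url(tenant_id, id_token, post_logout_redirect_uri, logout_hint=None):
    claims = id_token_claims(id_token)
    # Default to the opaque login_hint optional claim, as the answer recommends.
    hint = logout_hint if logout_hint is not None else claims.get("login_hint")
    if not hint:
        raise ValueError("no login_hint claim: add it as an optional claim "
                         "and request the openid and profile scopes")
    # Heuristic (assumption of this example): a value containing '@', or equal to
    # preferred_username, is a UPN, which is the mistake in the question.
    if "@" in hint or hint == claims.get("preferred_username"):
        raise ValueError("logout_hint looks like a UPN; use the login_hint claim")
    query = urlencode({
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "logout_hint": hint,
    })
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/logout?{query}"

if __name__ == "__main__":
    token = make_sample_id_token({                      # constructed sample claims
        "preferred_username": "user@example.com",
        "login_hint": "O.constructed-opaque-login-hint",
    })
    print(build_logout_url("TenantID", token, "https://jwt.ms"))
```

Failing early when the claim is missing surfaces the optional-claim or scope misconfiguration in the application instead of as an unexpected account picker at sign-out.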

