Bypass the Azure AD SSO “choose an account” prompt and automatically login cookie stored user?

Benjamin 21 Reputation points
2021-03-11T15:16:36.093+00:00

Hello AzureAD Team,

we have configured our enterprise web application to be protected by Azure AD SSO. It works great. The first time the user navigates to the enterprise web application page, they are redirected to the https://login.microsoft.com login page and prompted to enter their username@mathieu.company .com and then they are authenticated using the Windows credentials through Kerberos (or at least I think it's Kerberos. It doesn't require a password). They are now signed into our enterprise web application.

Now the user closes their browser, which closes the session with our enterprise application, then opens it again.

They go back to the enterprise web application page. It redirects to https://login.microsoft.com, and this time it remembers who they are, because it has the username@mathieu.company .com in the "Choose an account" dialog. But it didn't automatically sign them in, making for a very unfriendly user experience.

I've read many similar questions on the internet (Like: https://social.msdn.microsoft.com/Forums/en-US/f9e7c013-fbdc-4bbb-9e9c-22bf187f6c79/bypass-the-azure-ad-sso-choose-an-account-prompt-and-automatically-login-cookie-stored-user?forum=WindowsAzureAD ) and the common answer is to enable Auto-acceleration.
Unfortunately, Auto-acceleration is not recommended by Microsoft.
My question is, is there another and secure way to get rid of the "Choose an account" dialog?

Thanks in advance for the answers!

Best regards

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

Accepted answer
  1. AmanpreetSingh-MSFT 56,306 Reputation points
    2021-03-16T08:53:31.907+00:00

    Hi @Benjamin · Thank you for reaching out.

    The “choose an account” prompt can be bypassed by using the OAuth parameters HSU=1 and Login_Hint. Please refer to the document below to see how an application can send the Login_Hint parameter in the authentication request:

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

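The request the accepted answer describes, as an added example that is not part of the original thread or Microsoft's own code: it builds a v2.0 authorize URL carrying `login_hint`, and afterwards checks which account actually signed in, because the hint does not bind the session to that user. `TENANT_ID`, `CLIENT_ID`, the redirect URI and the function names are placeholders chosen for illustration; `HSU=1` is left out because the thread does not show how it is sent, and `prompt=select_account` is the endpoint's standard value for forcing the account picker.

```javascript
// Added example. Function names are hypothetical; tenant, client id and
// redirect URI values passed in are placeholders supplied by the caller.
const AUTHORITY = "https://login.microsoftonline.com";

// Build an authorization-code request for the v2.0 authorize endpoint.
// `state` and `nonce` must be fresh random values created by the caller
// and kept in the user's session so the response can be matched to it.
function buildAuthorizeUrl({ tenant, clientId, redirectUri, state, nonce, loginHint, prompt }) {
  if (!state || !nonce) throw new Error("state and nonce are required");
  const url = new URL(`${AUTHORITY}/${encodeURIComponent(tenant)}/oauth2/v2.0/authorize`);
  const q = url.searchParams;
  q.set("client_id", clientId);
  q.set("response_type", "code");
  q.set("redirect_uri", redirectUri);
  q.set("response_mode", "query");
  q.set("scope", "openid profile");
  q.set("state", state);
  q.set("nonce", nonce);
  if (loginHint) {
    // The hint usually comes from a cookie or query string, so accept only
    // something shaped like user@domain before forwarding it.
    if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(loginHint)) throw new Error("login_hint is not a UPN");
    q.set("login_hint", loginHint);
  }
  if (prompt) {
    const allowed = ["login", "none", "consent", "select_account"];
    if (!allowed.includes(prompt)) throw new Error("unknown prompt value");
    q.set("prompt", prompt);
  }
  return url.toString();
}

// login_hint is only a hint: the user can still sign in with another account.
// Compare it with the claims of the ID token *after* its signature, issuer,
// audience and nonce have been validated. Use this for session consistency
// only; authorization decisions belong on immutable claims such as oid/sub.
function signedInAsHinted(idTokenClaims, loginHint) {
  const actual = String(idTokenClaims.preferred_username || "").toLowerCase();
  return actual !== "" && actual === String(loginHint).toLowerCase();
}
```
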

1 additional answer

  1. Sreedhar K 1 Reputation point
    2021-12-22T11:10:02.153+00:00

    Hello amanpreeth,

    I would like your help. I am using Capacitor JS to wrap my React app and convert it into a mobile app. While using SSO from the web, I am getting the choose account prompt, but while using the same from mobile, it is logging in directly. I have multiple apps which have different logins. When trying to use app B, the browser is trying to log in with app A's credentials. This is the URL I am using: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize". How can I get the choose account prompt on mobile? Please help.
