Microsoft Entra Application didn't ask Pick an account page for 2 different tenants

Question

Microsoft Entra Application didn't ask Pick an account page for 2 different tenants

Pa Le 45

Hi,

I have 2 different applications which register to 2 different Microsoft Entra SSO, eg App A register to tenant A and App B register to tenant B.

The issue is when I try to login to both application with same browser then the 2nd login application didn't ask for "Pick an account" page and it straight away login. Can I check how should I prevent this?

Below is the details step:

Step 1: login to app A using, Entra SSO, tenant A.

Step 2: login to app B in the same browser in Step 1, using Entra SSO, tenant B. ( here, it didn't ask "Pick an account").

Rukmini 30,115 Reputation points Microsoft External Staff Moderator

2026-03-09T22:09:28.7266667+00:00
Hey Pa Le, it sounds like what you’re seeing is just Azure AD’s SSO session in action—once you’ve signed in to tenant A, that session carries over to tenant B (even if it’s a different directory), so you don’t get prompted again. To force the “Pick an account” (or even a fresh sign-in), you can leverage the OIDC prompt parameter in your auth requests.

Here are a couple of approaches:

Use prompt=select_account • In your OAuth2/OpenID Connect authorize URL, add &prompt=select_account. Example: https://login.microsoftonline.com/{tenantB}/oauth2/v2.0/authorize? client_id={clientId}& response_type=code& redirect_uri={redirectUri}& scope=openid%20profile& prompt=select_account • If you’re using MSAL.js (or another MSAL), pass it in the login options:
const loginRequest = { scopes: ["openid", "profile"], prompt: "select_account" }; msalInstance.loginRedirect(loginRequest);

Use prompt=login (if you want to force full re-authentication) Replacing select_account with login will require the user to re-enter credentials.

Clear the session cookie If you prefer not to use prompt parameters, you can end the existing session first by redirecting users to the Azure AD sign-out endpoint (https://login.microsoftonline.com/{tenant}/oauth2/v2.0/logout) before kicking off the second login. That effectively wipes out the SSO cookie so they’ll be prompted again.

Hope that clarifies things! Let me know if you need examples for your specific platform/SDK.

Note: This content was drafted with the help of an AI system. Please verify the information before relying on it for decision-making.
Rukmini 30,115 Reputation points Microsoft External Staff Moderator

2026-03-10T18:03:59.28+00:00

Hello Pa Le

Following up to see if the above provided information was helpful. If you have any further queries do let us know.

1 answer

Your answer

Rukmini 30,115 Reputation points Microsoft External Staff Moderator

2026-03-09T22:09:28.7266667+00:00

Hey Pa Le, it sounds like what you’re seeing is just Azure AD’s SSO session in action—once you’ve signed in to tenant A, that session carries over to tenant B (even if it’s a different directory), so you don’t get prompted again. To force the “Pick an account” (or even a fresh sign-in), you can leverage the OIDC prompt parameter in your auth requests.

Here are a couple of approaches:

Use prompt=select_account • In your OAuth2/OpenID Connect authorize URL, add &prompt=select_account. Example: https://login.microsoftonline.com/{tenantB}/oauth2/v2.0/authorize? client_id={clientId}& response_type=code& redirect_uri={redirectUri}& scope=openid%20profile& prompt=select_account • If you’re using MSAL.js (or another MSAL), pass it in the login options:
const loginRequest = { scopes: ["openid", "profile"], prompt: "select_account" }; msalInstance.loginRedirect(loginRequest);

Use prompt=login (if you want to force full re-authentication) Replacing select_account with login will require the user to re-enter credentials.

Clear the session cookie If you prefer not to use prompt parameters, you can end the existing session first by redirecting users to the Azure AD sign-out endpoint (https://login.microsoftonline.com/{tenant}/oauth2/v2.0/logout) before kicking off the second login. That effectively wipes out the SSO cookie so they’ll be prompted again.

Hope that clarifies things! Let me know if you need examples for your specific platform/SDK.

Note: This content was drafted with the help of an AI system. Please verify the information before relying on it for decision-making.
Rukmini 30,115 Reputation points Microsoft External Staff Moderator

2026-03-10T18:03:59.28+00:00

Hello Pa Le

Following up to see if the above provided information was helpful. If you have any further queries do let us know.

Answer 1

Hello @Pa Le,

When using Microsoft Entra SSO with multiple applications, such as App A and App B registered to different tenants, the behavior you are experiencing is due to how session cookies are managed in the browser. When you log in to App A, a session cookie is set for tenant A. If you then attempt to log in to App B, the session cookie for tenant A may still be valid, allowing you to bypass the ‘Pick an account’ prompt if the session is recognized as valid for tenant B.

When you log into multiple applications using Microsoft Entra SSO in the same browser, the session cookies set by the first application can allow for automatic sign-in to the second application without prompting for account selection. This happens because MSAL.js relies on session cookies to provide single sign-on (SSO) capabilities between different applications. If the user has multiple accounts, they should typically be prompted to pick an account, but this may not happen if the session cookie from the first application is still valid for the second application. To manage this, you can use the ssoSilent method with a login_hint or sid to specify which account to use, thus ensuring that the correct session is recognized and prompting the user to select an account if necessary

SSO between browser tabs for the same app

If this answers your query, do click Accept Answer and Up-Vote for the same. And, if you have any further query do let us know.

Pa Le 45 Reputation points

2026-03-05T03:55:01.3433333+00:00

Hi Sunoj,

I don't understand how to use ssoSilent method. In my case, user haven't login yet so, what value to pass in for login_hint or sid ?
Rukmini 30,115 Reputation points Microsoft External Staff Moderator

2026-03-12T19:21:48.44+00:00

Hello Pa Le

With Microsoft Entra ID , this is expected behavior. The browser retains an authentication session cookie after logging into App A. The “Pick an account” page is skipped when you launch App B since Entra recognizes the current session and does SSO.

To resolve the error, *Include prompt=select_account in the authentication request to force the account selection screen.

Example:

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?...&prompt=select_account

If using MSAL:

msalInstance.loginRedirect({ scopes: ["openid","profile"], prompt: "select_account" });

Note: ssoSilent is not required in this situation and is only used for quiet authentication when a user session already exists.

Let me know if any further queries - feel free to reach out!

Share via

Microsoft Entra Application didn't ask Pick an account page for 2 different tenants

1 answer

Your answer