By default, when you sign out of Azure Active Directory from an OpenID Connect/OAuth2 application, you will be prompted to select the user account to sign out of, even when there is only one account to choose from.

To work around this behavior, there are 3 requirements:

Step (1): Add the optional claim for the login_hint

Add the login_hint optional claim to the id token in the App Registration blade

For more information about adding optional claims:

Step (2): Ensure the “openid” and “profile” OpenID Connect scopes are in the original sign-in request

When the sign-in request is sent, make sure both “openid” and “profile” are listed in the scope parameter. For example:

When the id_token is returned, it will contain the login_hint claim, which will look similar to:


Step (3): Logout request

When sending the logout request, pass a logout_hint parameter whose value is the login_hint claim:…
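The three steps above, worked through end to end as an added example (this is not code from the original post, and it is not MSAL.js): it checks that the sign-in scope contains openid and profile, reads the login_hint claim out of the id_token that came back, and builds the end-session request with logout_hint set from it. The end-session endpoint, the redirect URI, the client id and the sample id_token payload are constructed values; the login_hint value Azure AD issues is an opaque string, so the one used here is only a placeholder.

```javascript
// Added example, not code from the original post. Assumed/constructed values:
// the end-session endpoint, the redirect URI, the client id and the sample
// id_token payload. It shows what MSAL.js does for you: read the login_hint
// claim out of the id_token obtained at sign-in and pass it as logout_hint.

function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(str) {
  // JWT segments are unpadded base64url; restore standard base64 first.
  const b64 = str.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Step 2 check: the sign-in request must ask for both openid and profile,
// otherwise Azure AD will not include the login_hint claim in the id_token.
function hasRequiredScopes(scope) {
  const requested = new Set(scope.split(/\s+/).filter(Boolean));
  return requested.has('openid') && requested.has('profile');
}

// Read claims from the id_token. No signature check here: the token was
// issued to this app at sign-in and is used only to pick a hint, never to
// make an authorization decision.
function getIdTokenClaims(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('id_token is not a compact JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Step 3: build the end-session request. logout_hint is only added when the
// login_hint claim is present, i.e. when Steps 1 and 2 were done; without it
// Azure AD falls back to showing the account picker.
function buildLogoutUrl({ endSessionEndpoint, idToken, postLogoutRedirectUri }) {
  const claims = getIdTokenClaims(idToken);
  const url = new URL(endSessionEndpoint);
  url.searchParams.set('id_token_hint', idToken);
  if (postLogoutRedirectUri) {
    url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  }
  if (typeof claims.login_hint === 'string' && claims.login_hint.length > 0) {
    url.searchParams.set('logout_hint', claims.login_hint);
  }
  return { url: url.toString(), hasLogoutHint: url.searchParams.has('logout_hint') };
}

// Constructed sample id_token (placeholder signature) for running this offline.
function makeSampleIdToken(payload) {
  const header = base64UrlEncode({ alg: 'RS256', typ: 'JWT' });
  return `${header}.${base64UrlEncode(payload)}.constructed-signature`;
}

// Usage with constructed values.
const signInScope = 'openid profile User.Read';
const sampleToken = makeSampleIdToken({
  aud: '00000000-0000-0000-0000-000000000000', // constructed client id
  sub: 'constructed-subject',
  login_hint: 'O.constructed-opaque-login-hint', // real values are opaque strings
});
const result = buildLogoutUrl({
  endSessionEndpoint: 'https://login.microsoftonline.com/common/oauth2/v2.0/logout',
  idToken: sampleToken,
  postLogoutRedirectUri: 'https://localhost:5001/signout-callback-oidc',
});
console.log('scopes ok:', hasRequiredScopes(signInScope));
console.log('logout_hint sent:', result.hasLogoutHint);
console.log(result.url);
```

If hasLogoutHint comes back false in your own app, the id_token simply did not carry login_hint, which points back at Step 1 (optional claim not configured) or Step 2 (profile scope not requested) rather than at the logout code.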

More Information

When using MSAL.js, the code will look like this (MSAL.js automatically sends logout_hint when you send an EndSessionRequest that includes the account and the account's ID token claims contain login_hint):

logout() {
    const account = this.authService.instance.getAllAccounts()[0];
    // MSAL reads login_hint from this account's ID token claims and sends it as logout_hint.
    const logoutRequest: EndSessionRequest = {
      account: account
    };
    this.authService.logoutRedirect(logoutRequest);
}
When using Microsoft Identity Web or ASP.NET (Core) OpenIdConnect authentication, copy the login_hint claim from the signed-in principal onto the outgoing sign-out message:

services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
  // Custom code here.
  options.Events.OnRedirectToIdentityProviderForSignOut = (context) =>
  {
    // The login_hint claim is only present if the optional claim was added (Step 1)
    // and the "openid" and "profile" scopes were requested (Step 2).
    var login_hint = context.HttpContext.User.Claims.Where(c => c.Type == "login_hint").FirstOrDefault();

    if (login_hint != null)
    {
      context.ProtocolMessage.SetParameter("logout_hint", login_hint.Value);
    }

    return Task.FromResult(true);
  };
});

