Salt

Reputation: 330

MSAL skips password prompt and shows unwanted "Connected on Windows" accounts

Context: I'm building a .NET Framework 4.8 application where users must log in with an organizational account (Azure AD). The goal is to enforce authentication without showing other Microsoft accounts that have logged in before on the shared machine (it's based in a hospital, used by multiple laboratory assistants). I'm using MSAL for authentication.

Problem: When using .WithLoginHint(currentWindowsUser), the account selection screen is hidden, and MSAL attempts to log in automatically. However, it skips the password prompt even if reauthentication is required. This matches GitHub issue #4133, where WithLoginHint bypasses necessary UI interactions like password entry. This issue has been active since May 2023.

Without .WithLoginHint, the login prompt displays multiple "Connected on Windows" accounts (from Settings > Accounts > Email and Accounts). These accounts do not appear in WAM or the Registry, making them difficult to filter programmatically.

Desired Behavior:

  1. Users should only be able to authenticate with their Microsoft account (Azure AD).
  2. Other accounts (e.g., "Connected on Windows" accounts) should not be displayed.
  3. A password prompt should always appear, even if the user is already authenticated in Windows.

using System;
using System.Diagnostics;
using System.DirectoryServices.AccountManagement;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public async Task<AuthenticationResult> AcquireTokenInteractiveAsync()
{
    try
    {
        // Get the current Windows user (UPN)
        string currentWindowsUser;
        using (PrincipalContext context = new PrincipalContext(ContextType.Domain))
        {
            // UserPrincipal.Current resolves the logged-on domain user
            UserPrincipal user = UserPrincipal.Current;
            currentWindowsUser = user.UserPrincipalName; // e.g., "[email protected]"
        }

        // Configure the MSAL token request
        var oBuilder = m_oClientApp.AcquireTokenInteractive(scopes: new[] { "User.Read" })
            .WithPrompt(Prompt.Consent) // Shows unwanted accounts
            //.WithLoginHint(currentWindowsUser) // Skips password prompt
            .WithUseEmbeddedWebView(useEmbeddedWebView: true)
            .WithParentActivityOrWindow(parent: m_oGetParentWindowFunc)
            .WithExtraQueryParameters($"login_hint={currentWindowsUser}"); // Workaround for login hint, doesn't seem to work either.

        // Execute the token request
        AuthenticationResult oResult = await oBuilder.ExecuteAsync();
        return oResult;
    }
    catch (MsalClientException oEx) when (oEx.ErrorCode == "redirect_uri_mismatch")
    {
        // Redirect URI registered in the Azure Portal does not match the one MSAL uses
        Debug.WriteLine($"Redirect URI configuratie fout: {oEx.Message}");
        throw new AzureAuthenticationException("Redirect URI configuratie incorrect. Controleer Azure Portal instellingen.", oEx);
    }
    catch (Exception oEx)
    {
        // Any other interactive sign-in failure
        Debug.WriteLine($"Interactie authenticatie fout: {oEx.Message}");
        throw new AzureAuthenticationException("Interactie authenticatie mislukt. Controleer uw inloggegevens.", oEx);
    }
}

Observed Behavior:

Attempted Workarounds (Failed):

  1. var accounts = await m_oClientApp.GetAccountsAsync();
     foreach (var acc in accounts) await m_oClientApp.RemoveAsync(acc);
  2. .WithExtraQueryParameters($"login_hint={currentWindowsUser}");

  Result: No effect

Environment:

Upvotes: 0

Views: 23
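An added configuration example (not the asker's code) showing the MSAL.NET settings that map to the three desired behaviours: a single-tenant authority so only the hospital's Azure AD tenant can complete sign-in, Prompt.ForceLogin (sent to the identity provider as prompt=login) so credentials are requested even when a Windows or browser SSO session exists, and a post-sign-in check on the returned tenant and username so the application never trusts whatever the sign-in page happened to list. The client id, tenant id, redirect URI, scope and parent window handle are assumed placeholders.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example, not the asker's code. Assumed values: the app's client id,
// the hospital's Azure AD tenant id and the redirect URI registered for it.
public sealed class OrgOnlyAuthenticator
{
    private const string ClientId = "<client-id>";
    private const string TenantId = "<tenant-id>";
    private const string RedirectUri = "http://localhost";

    private readonly IPublicClientApplication _app;

    public OrgOnlyAuthenticator()
    {
        // A single-tenant authority (not "common" or "organizations") makes the
        // token endpoint reject accounts from any other tenant and personal
        // Microsoft accounts, regardless of what the sign-in page displays.
        _app = PublicClientApplicationBuilder.Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .WithRedirectUri(RedirectUri)
            .Build();
    }

    public async Task<AuthenticationResult> SignInAsync(string expectedUpn, IntPtr parentWindow)
    {
        AuthenticationResult result = await _app.AcquireTokenInteractive(new[] { "User.Read" })
            // prompt=login: the IdP must collect credentials again instead of
            // silently reusing the Windows/browser SSO session.
            .WithPrompt(Prompt.ForceLogin)
            // Pre-fill the username so no account picker is offered.
            .WithLoginHint(expectedUpn)
            .WithUseEmbeddedWebView(true)
            .WithParentActivityOrWindow(parentWindow)
            .ExecuteAsync();

        // Do not trust the UI: verify the identity that actually obtained the token.
        if (!string.Equals(result.TenantId, TenantId, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException($"Token issued by unexpected tenant {result.TenantId}.");
        if (!string.Equals(result.Account?.Username, expectedUpn, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException($"Signed in as {result.Account?.Username}, expected {expectedUpn}.");

        return result;
    }
}
```

If the embedded view still skips credential entry when a login hint is present (the behaviour described for issue #4133 above), the checks after ExecuteAsync at least guarantee that the token belongs to the expected tenant and user before the application proceeds.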

Answers (0)
