This behavior is a result of session management at the identity provider level (Azure AD), not FusionAuth. When federating authentication to an external IdP, FusionAuth does not control how sessions are managed within that IdP—Azure AD determines session persistence and re-authentication policies.
Why This Happens:
When UserA logs out of your application, their Azure AD session remains active unless explicitly ended.
When UserB attempts to log in, Azure AD automatically reuses the existing session (UserA’s session) instead of prompting for new credentials.
Since FusionAuth relies on the identity assertion from Azure AD, it issues a token based on the session provided by Azure AD, resulting in UserA’s credentials being used.
How to Prevent This:
1. Ensure Proper Logout from Azure AD
When logging out a user, also log them out from Azure AD to end their IdP session. This is typically done by redirecting the user to Azure AD’s logout URL during the sign-out process.
Example for Microsoft Entra ID (formerly Azure AD):
https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri={your-app-logout-url}
This ensures that UserA is fully logged out before a new user attempts to sign in.
2. Disable "Keep Me Signed In"
Many IdPs, including Azure AD, offer a
"Keep me signed in" option. If the machine is shared, instruct users not to enable this option, as it maintains the session even after closing the browser.
3. Enforce Re-authentication
Some IdPs provide settings to force authentication on each login attempt.
In Azure AD, you can modify your SSO session policies to require fresh authentication after logout or in specific conditions (e.g., IP changes, new browser sessions).
If your application requires frequent user switching, consider enforcing authentication via the prompt=login parameter in the Azure AD authentication request:
https://login.microsoftonline.com/{tenant_id}/oauth2/authorize?prompt=login
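As an added example (not code from the original answer or from FusionAuth), the Python below builds the Entra ID logout redirect from step 1 and the prompt=login authorization request from step 3, and checks an outgoing request for that prompt. The application URLs, tenant id and client id are placeholders, and the post-logout allowlist is an assumption about how the app should guard that parameter.

```python
# Constructed example: Entra ID (Azure AD) logout and forced re-auth URLs
# for an app that federates through FusionAuth. Hosts and ids are placeholders.
from urllib.parse import urlencode, urlsplit, parse_qs

ENTRA_BASE = "https://login.microsoftonline.com"
# Where Entra ID may send the browser after logout. Checking this matters:
# if post_logout_redirect_uri is taken from the request, an unchecked value
# turns the logout flow into an open redirect.
ALLOWED_POST_LOGOUT = {"https://app.example.com/logged-out"}

def build_entra_logout_url(post_logout_redirect_uri, tenant="common"):
    """URL the app redirects to after its own logout so the IdP session ends too."""
    if post_logout_redirect_uri not in ALLOWED_POST_LOGOUT:
        raise ValueError("post_logout_redirect_uri is not allowlisted")
    query = urlencode({"post_logout_redirect_uri": post_logout_redirect_uri})
    return f"{ENTRA_BASE}/{tenant}/oauth2/logout?{query}"

def build_entra_authorize_url(tenant_id, client_id, redirect_uri, state, nonce,
                              force_login=True):
    """Authorization request; prompt=login tells Entra ID to ignore the browser's
    existing session and ask for credentials again (step 3 above)."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "state": state,
        "nonce": nonce,
    }
    if force_login:
        params["prompt"] = "login"
    return f"{ENTRA_BASE}/{tenant_id}/oauth2/authorize?{urlencode(params)}"

def requires_fresh_login(authorize_url):
    """Check an outgoing authorize URL. 'prompt' is a space-separated list,
    so 'prompt=select_account login' also forces re-authentication."""
    qs = parse_qs(urlsplit(authorize_url).query)
    prompts = " ".join(qs.get("prompt", [])).split()
    return "login" in prompts

def query_params(url):
    """Decode a URL's query string to a dict (first value per key) for checks."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
```

On a shared machine the logout redirect alone does nothing if the user closes the tab before it completes, so pairing it with prompt=login on the next sign-in covers both the clean and the abandoned logout.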
Summary
FusionAuth trusts the session response from Azure AD, so this issue must be resolved at the IdP level.
Logout must also happen at Azure AD, not just your application.
Session settings in Azure AD should be configured to ensure proper user switching.
For shared devices, instruct users not to use "Keep me signed in."
For more details, refer to Azure AD’s session management documentation or configure logout redirects properly within your FusionAuth setup.