I have two identical enabled applications defined in FusionAuth, each representing a separate web application hosted on my local machine. I have also created two applications on an Azure AD tenant and connected my FusionAuth applications to them via two SAML v2 identity providers I have created in FusionAuth. I have created one user on the Azure AD tenant and only added that user to one of the applications.
I can launch the web application which the Azure AD user has access to and log into the application with it. Now when I try the other web application in the same browser, what happens is that it logs into the application without even going to a login page. What I am expecting is for the second application to reject the login, as the Azure AD user does not have access to it.
What do I need to do to achieve the desired behaviour?
Posts made by mr.sahand
- Fusion auth single sign on issue
- RE: Fusion Auth integration with Azure AD SAML: the SAML response returns user id as the NameID instead of the user email
@mark-robustelli, thanks. The issue, though, was that my web app was sending the NameID format as persistent; after removing it the issue was resolved.
- Fusion Auth integration with Azure AD SAML: the SAML response returns user id as the NameID instead of the user email
I created an application in FusionAuth that uses SAML internally, but it also uses an Azure AD created as a FusionAuth identity provider. The SAML NameID is defined as the user email in the actual Azure AD (it is the newest Azure AD, which I believe Microsoft has renamed to Entra ID), which is configured as SAML. However, when I test the integration, the NameID returned to my web application is "id", which turned out to be the user id created by FusionAuth. I was expecting the SAML response to return the user's email. I also changed the NameID format to email in both Azure AD and the FusionAuth IdP. Why does FusionAuth return the FusionAuth user.id as part of the SAML response to my web application?
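Both threads above come down to what a web application (the SAML service provider) must verify on its own side after an identity provider with an existing SSO session hands it an assertion. An SSO session proves who the browser user is; it says nothing about whether that user may use this particular application, and the NameID it carries must be in the format the application expects. The following is an added example, not code from the forum poster, FusionAuth, or Azure AD: a minimal service-provider-side gate that checks the assertion's Audience against the application's own entity ID, checks that the NameID is in the email format, and then checks a per-application registration table. The entity IDs, the registration table and the assertions are constructed for illustration; signature verification is assumed to have happened before this point.

```python
"""Service-provider-side checks on a SAML assertion received via SSO.

Added example (not the poster's code and not FusionAuth's implementation).
All entity IDs, users and assertions below are constructed for illustration.
Signature and validity-window checks are assumed to have been done already.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Hypothetical entity IDs of the two local web applications.
APP_A = "https://app-a.example.test/saml"
APP_B = "https://app-b.example.test/saml"

# Hypothetical per-application registration table: the identity provider
# authenticates the user, but each application decides who may use it.
REGISTRATIONS = {
    APP_A: {"alice@example.com"},
    APP_B: set(),  # alice is authenticated at the IdP but not registered here
}


def make_assertion(name_id, audience, name_id_format=EMAIL_FORMAT):
    """Build a constructed, unsigned assertion like one an IdP would issue
    from an already-established SSO session."""
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed">
  <saml:Subject>
    <saml:NameID Format="{name_id_format}">{name_id}</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Extract the NameID, its Format attribute and all Audience values."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    audiences = [
        a.text.strip()
        for a in root.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    ]
    return {
        "name_id": name_id.text.strip(),
        "format": name_id.get("Format"),
        "audiences": audiences,
    }


def authorize(xml_text, my_entity_id, registrations=REGISTRATIONS):
    """Return ("allow", name_id) or ("deny", reason).

    Three independent checks, in order:
    1. the assertion is addressed to this application (Audience);
    2. the NameID is in the format this application expects (email);
    3. the authenticated subject is registered for this application.
    An SSO session at the IdP satisfies none of these by itself.
    """
    a = parse_assertion(xml_text)
    if my_entity_id not in a["audiences"]:
        return ("deny", "audience mismatch: assertion not addressed to this application")
    if a["format"] != EMAIL_FORMAT:
        return ("deny", f"unexpected NameID format {a['format']}")
    if a["name_id"] not in registrations.get(my_entity_id, set()):
        return ("deny", f"{a['name_id']} authenticated but not registered for this application")
    return ("allow", a["name_id"])


if __name__ == "__main__":
    # alice is registered for app A: allowed.
    print(authorize(make_assertion("alice@example.com", APP_A), APP_A))
    # Same SSO user, assertion issued for app B, app B has no registration: denied.
    print(authorize(make_assertion("alice@example.com", APP_B), APP_B))
    # Assertion for app A presented to app B: denied on audience.
    print(authorize(make_assertion("alice@example.com", APP_A), APP_B))
    # Persistent-format NameID carrying an opaque id instead of the email: denied.
    print(authorize(make_assertion("0f1e-user-id", APP_A, PERSISTENT_FORMAT), APP_A))
```

The registration check is the part that produces the rejection the first post expects: the browser's SSO session at the identity provider lets the second application skip the login page, so the decision to refuse the unassigned user has to be made from the application's own registration data, not from the fact that a valid assertion arrived. The format check mirrors the second thread: an application that expects an email NameID should reject one sent in the persistent format rather than silently using the opaque id.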