Certain Azure policies may not work when a domain hint is configured in the SSO setup.
Introduction
In this article we explain how the domain hint works and how to configure it in the Workspace.
Domain hint explained
The regular OAuth flow is as follows:
In the normal flow, the federated domain check is done after the user fills in the UPN. In the configuration with a domain hint, the federated domain is already preconfigured by the admin in Workspace. In this way, the SSO reply URL will have the value of the federated domain included.
The domain hint option provides a hint about the environment or domain that the user should use to sign in. The value of the domain_hint is a registered domain for the environment. If the environment is federated to an on-premises directory, Microsoft Entra ID (previously Azure AD) redirects to the specified environment federation server.
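As an added illustration (not code from this product or from Microsoft), the Python sketch below builds a Microsoft identity platform authorization request with and without domain_hint and reads the hint back from a sign-in URL, which is useful when checking what an SSO setup actually sends. The tenant, client ID, redirect URI and domain are constructed placeholders, and the function names are hypothetical.

```python
import re
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Microsoft identity platform v2.0 authorize endpoint.
AUTHORIZE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"

# Conservative check for a bare DNS name: at least two labels, no scheme, no "@".
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

def normalize_domain_hint(value):
    """Return the lower-cased domain, or raise ValueError when the value is
    not a bare domain (for example a UPN or a full URL pasted by mistake)."""
    hint = value.strip().lower()
    if not _DOMAIN_RE.match(hint):
        raise ValueError(f"not a bare domain name: {value!r}")
    return hint

def build_authorize_url(tenant, client_id, redirect_uri, domain_hint=None):
    """Build the authorization request; domain_hint is added only when set."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": "openid profile email",
        "state": secrets.token_urlsafe(16),   # CSRF protection for the callback
        "nonce": secrets.token_urlsafe(16),   # binds the ID token to this request
    }
    if domain_hint is not None:
        params["domain_hint"] = normalize_domain_hint(domain_hint)
    return AUTHORIZE.format(tenant=tenant) + "?" + urlencode(params)

def extract_domain_hint(url):
    """Return the domain_hint carried by a sign-in URL, or None if absent."""
    values = parse_qs(urlsplit(url).query).get("domain_hint", [])
    return values[0] if values else None

if __name__ == "__main__":
    # Constructed sample values, not taken from any real tenant.
    args = ("organizations", "00000000-0000-0000-0000-000000000000",
            "https://workspace.example/sso/callback")
    for hint in (None, "contoso.com"):
        url = build_authorize_url(*args, domain_hint=hint)
        print(f"hint={extract_domain_hint(url)!r}\n  {url}")
```

Running extract_domain_hint over a sign-in URL captured from the browser shows whether the hint is being sent, which is the first thing to confirm when a policy behaves differently with the domain hint configured.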
Set a domain hint
As an admin, go to the Workspace Settings and select Single sign-on. Make sure the manual setup is selected. Here you can set a domain hint (don't forget to click on Done to save it).