Currently the plugin requires the user to enter their credentials every time, defeating the purpose of SSO. This behavior can be configured easily enough using the 'prompt' argument in the original authentication link.

https://learn.microsoft.com/en-us/entra/identity-platform/msal-js-prompt-behavior

Not including the 'prompt' argument at all is functionally equivalent to 'prompt=login'. For backwards compatibility with existing installs, this should be set as the default.

For most installations, 'prompt=select_account' is the best fit.

Without changing various assumptions in the plugin, limiting the options to 'login' and 'select_account' seems to make the most sense.

The other options are 'none', which would require error handling if the user isn't already logged in, 'consent' prompting for app consent adds a layer of complexity handled elsewhere, and 'create' sends the user to a create Entra ID account flow that is also out of scope.