diff --git a/src/routes/oauth/config.ts b/src/routes/oauth/config.ts
index e9c00d6f..57bd086d 100644
--- a/src/routes/oauth/config.ts
+++ b/src/routes/oauth/config.ts
@@ -91,6 +91,9 @@ export const PROVIDERS_CONFIG: Record<
 client_id: process.env.AUTH_PROVIDER_AZUREAD_CLIENT_ID,
 client_secret: process.env.AUTH_PROVIDER_AZUREAD_CLIENT_SECRET,
 authorize_url: `${azureBaseUrl}/[subdomain]/oauth2/authorize`,
+ custom_params: {
+ prompt: 'select_account',
+ },
 access_url: `${azureBaseUrl}/[subdomain]/oauth2/token`,
 profile_url: `${azureBaseUrl}/[subdomain]/openid/userinfo`,
 subdomain: process.env.AUTH_PROVIDER_AZUREAD_TENANT || 'common',
diff --git a/src/routes/oauth/index.ts b/src/routes/oauth/index.ts
index c22d2257..d6e76beb 100644
--- a/src/routes/oauth/index.ts
+++ b/src/routes/oauth/index.ts
@@ -334,6 +334,7 @@ export const oauthProviders = Router()
 const userInput = await transformOauthProfile(profile, options);
 user = await insertUser({
 ...userInput,
+ disabled: ENV.AUTH_DISABLE_NEW_USERS,
 userProviders: {
 data: [
 {
@@ -349,6 +350,10 @@ export const oauthProviders = Router()
 }
 
 if (user) {
+ if (user.disabled) {
+ return sendError(res, 'disabled-user', { redirectTo }, true);
+ }
+
 const { refreshToken } = await getNewRefreshToken(user.id);
 // * redirect back user to app url
 return res.redirect(generateRedirectUrl(redirectTo, { refreshToken }));
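Review bot: `disabled: ENV.AUTH_DISABLE_NEW_USERS` in the `insertUser` call of src/routes/oauth/index.ts only gates sign-ups correctly if that value is a real boolean. `ENV` is defined outside this diff, so confirm it parses the variable rather than passing the raw string through, since a raw `'false'` is truthy and the stored flag would then not match the operator's setting. Keeping the key after `...userInput` is the right order, because nothing derived from the provider profile can override it; a comment such as `// keep after the spread: provider-derived input must never control disabled` would protect that ordering. The surrounding handler starts and ends outside the hunk.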
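Review bot: The new `if (user.disabled)` guard ahead of `getNewRefreshToken` in src/routes/oauth/index.ts fails open when the field is absent. If the lookup that fills `user` for an already-registered account (outside this hunk) does not select `disabled`, the value is `undefined` and a disabled account still receives a refresh token. Confirm that every path assigning `user` returns the field, or compare strictly with `if (user.disabled !== false) {` so a missing value is treated as disabled. Logging the rejected sign-in with the user id would also make attempts against disabled accounts visible to whoever monitors authentication. The handler body continues outside the hunk.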