Here's a note on the implementation, and also details on how the App Registration needs to be configured in Azure.
Implementation
Each directory in Azure AD has a unique tenant ID, and users and apps belong to a tenant. To let users from a particular directory log in, the tenant ID has to appear in the OAuth authorization and token URLs. We have added a new config option for the tenant ID, and the OAuth URLs in provider/azure.php are built from it.
If no tenant ID is configured, the URLs fall back to the "common" endpoint. Note that "common" is a multi-tenant alias rather than a tenant ID: it lets accounts from any Azure AD tenant authenticate, so an application that should only accept users from one organisation must either set the tenant ID or check the tid claim of the returned token itself.
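Added example, not the project's provider/azure.php and not Socialite's API: plain PHP functions that build the tenant-aware authorize/token URLs with the "common" fallback, reject malformed tenant values so a bad config value cannot alter the URL path, and check a token's tid claim. Assumptions: the v1 endpoint paths under /oauth2/ (the v2 endpoint adds /v2.0/), the function names are illustrative, and the id_token's signature has already been verified before its claims reach tenantIsAllowed(). The sample tenant and claims at the bottom are constructed values.

```php
<?php
declare(strict_types=1);

// Stand-alone sketch (not the project's code) of tenant-aware Azure AD URL construction
// and of the tenant check an application relying on the "common" endpoint needs.
// Assumed: v1 endpoint paths (/oauth2/authorize, /oauth2/token); the caller has already
// verified the id_token signature before passing its claims to tenantIsAllowed().

const AZURE_LOGIN_BASE = 'https://login.microsoftonline.com/';
const GUID_PATTERN = '/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i';
// Verified domain form, e.g. contoso.onmicrosoft.com: labels of [a-z0-9-], at least one dot.
const DOMAIN_PATTERN = '/^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$/i';

function isGuid(string $value): bool
{
    return preg_match(GUID_PATTERN, $value) === 1;
}

// Returns the path segment to use: the configured tenant (GUID or verified domain) or the
// "common" alias when nothing is configured. Anything else is rejected rather than
// interpolated into the URL.
function normalizeTenant(?string $tenant): string
{
    $tenant = trim((string) $tenant);
    if ($tenant === '') {
        return 'common'; // multi-tenant alias: accounts from ANY Azure AD tenant may sign in
    }
    if (!isGuid($tenant) && preg_match(DOMAIN_PATTERN, $tenant) !== 1) {
        throw new InvalidArgumentException("Invalid Azure tenant identifier: {$tenant}");
    }
    return $tenant;
}

function azureAuthorizeUrl(?string $tenant): string
{
    return AZURE_LOGIN_BASE . normalizeTenant($tenant) . '/oauth2/authorize';
}

function azureTokenUrl(?string $tenant): string
{
    return AZURE_LOGIN_BASE . normalizeTenant($tenant) . '/oauth2/token';
}

// Decides whether a (signature-verified) token's tid claim is acceptable.
//  - tenant pinned as a GUID: tid must equal it (defence in depth, the endpoint already restricts it)
//  - tenant pinned as a domain name, or "common": tid must be on the explicit allow-list,
//    because a domain name cannot be compared to a tid and "common" restricts nothing.
function tenantIsAllowed(array $claims, ?string $configuredTenant, array $allowedTenantIds = []): bool
{
    $tid = $claims['tid'] ?? null;
    if (!is_string($tid) || !isGuid($tid)) {
        return false;
    }
    $tenant = normalizeTenant($configuredTenant);
    if (isGuid($tenant)) {
        return strcasecmp($tid, $tenant) === 0;
    }
    $allowed = array_map('strtolower', $allowedTenantIds);
    return in_array(strtolower($tid), $allowed, true);
}

// Constructed sample values (not real tenants or tokens).
$pinnedTenant = '11111111-2222-3333-4444-555555555555';
$otherTenant  = '99999999-0000-0000-0000-000000000000';

echo azureAuthorizeUrl($pinnedTenant), "\n";
echo azureTokenUrl(null), "\n";
var_dump(tenantIsAllowed(['tid' => $pinnedTenant], $pinnedTenant));
var_dump(tenantIsAllowed(['tid' => $otherTenant], $pinnedTenant));
var_dump(tenantIsAllowed(['tid' => $otherTenant], null));
var_dump(tenantIsAllowed(['tid' => $otherTenant], null, [$otherTenant]));
```

The point of the last two calls is the one the fallback hides: with no tenant configured, a token from any tenant is accepted unless the application keeps its own allow-list, so leaving the tenant ID unset is a deliberate multi-tenant decision, not a harmless default.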
Azure AD Config
A new App Registration needs to be created, with the following settings made in this app:
- In API Permissions, add the User.Read, profile and email (delegated) permissions.
- On the same screen, click the "Grant admin consent for <Directory>" button: due to an Azure quirk, if users are left to consent to these permissions themselves, the token request fails with an error.