RP sites cooperating with Azure AD (the “new ACS”)


Completing a web forms project that signs users in with an organizational id (proxied to our STS by the IDP-proxying element of Office's Azure AD service).

Note the “common” IDP endpoint. Note the realm name (tuned to our verified domain). Note the client id and password, presumably for OAuth refresh token handling.

Note that, having “assigned” our app to a “management point”, the web form shows the user's view. And note how, unlike traditional SSO, there is a signup for organizations wanting to be one of the n IDPs that support their user base's access to this “managed application”.


We can guess that this “management point” Azure AD, and its graph entities in particular, is what governs which IDPs (also on Azure AD/Office) can sign up.
