Once THE feature is armed, note the APP URI is set by default. You must go get the client secret, by configuring the directory.
We configured ours, using the apps panel of our directory tenant:
To get the client secret, remember to “enable for external access”. We also selected single sign on WITH directory read access – even thought our particualr AAD tenant is set to proxy to our own ADFS-like websso IDP.