Federated login using Microsoft Entra ID as IdP, but only for pre-approved customers?

We want to allow users to log in with Microsoft Entra ID, but ONLY if they come from one of the tenants we trust.

What we've tried: Following https://zitadel.com/docs/guides/integrate/identity-providers/azure-ad-oidc allows end users for one specific Entra ID tenant to log in. That's better than nothing, but it means we'd have an Entra ID login button for each tenant. That would be awkward, can Zitadel do better than that?

More details: We want to provide a generic "Log in with Entra ID" button on the login UI in Zitadel. That'll ship the user to Entra ID where they do the actual login. Coming back to Zitadel, we then want to make sure the tenant they belong to is one we have a commercial relationship with (an allow-list, basically). After that we want to grab the list of roles we are allowed to see from Entra ID and include those in the access token.

Keywords I'm told are related include using Microsoft Entra ID as external IdP, with Zitadel as Relying Party / OIDC client.

Any documentation you can point me in the direction of?

ZITADEL Docs

Open the Microsoft Identity Provider Template