Azure SSO
Allow users to log in to Destinet, Exposer or DSignage using the Azure SSO solution.
Security considerations
- The SSO solution uses delegated permissions.
- API access is controlled by the Azure app's API permissions:
  - Directory.AccessAsUser.All - Allows the app to have the same access to information in the directory as the signed-in user.
  - User.Read - Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.
  - User.ReadBasic.All - Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address, open extensions and photo. Also allows the app to read the full profile of the signed-in user.
  - Group.Read.All - Allows the app to read the list of Azure/Microsoft 365 groups.
- The solution has read-only access to Azure AD.
- The App keys are stored encrypted.
- Users are stored encrypted.
- Organizations can remove access at any time by removing the Azure App.
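
One way to check that the consent actually granted in a tenant matches the delegated scopes listed above (an added example, not Destinet's own code). It assumes the oauth2PermissionGrant and appRoleAssignment records for the app's service principal have been exported from Microsoft Graph as JSON; the function name, result keys and sample records are constructed for illustration.

```python
# Added example: audit exported Microsoft Graph consent records against
# the four delegated scopes this page documents.
DOCUMENTED_SCOPES = frozenset({
    "Directory.AccessAsUser.All",
    "User.Read",
    "User.ReadBasic.All",
    "Group.Read.All",
})


def audit_consent(permission_grants, app_role_assignments=()):
    """Compare consent records for one service principal with the documented scopes.

    permission_grants: oauth2PermissionGrant objects (delegated consent).
    app_role_assignments: appRoleAssignment objects (application permissions).
    """
    granted = set()
    for grant in permission_grants:
        # 'scope' is a space-separated string of delegated permission names.
        granted.update(grant.get("scope", "").split())
    extra = sorted(granted - DOCUMENTED_SCOPES)      # consented but not documented
    missing = sorted(DOCUMENTED_SCOPES - granted)    # documented but not consented
    # Any app role assignment is app-only access, which "delegated permissions" excludes.
    app_only = sorted(a.get("appRoleId", "<unknown>") for a in app_role_assignments)
    return {
        "extra": extra,
        "missing": missing,
        "app_only": app_only,
        "matches_documentation": not (extra or missing or app_only),
    }


# Constructed sample records (IDs are placeholders, not real tenant data).
SAMPLE_OK = [{"clientId": "sp-placeholder", "consentType": "AllPrincipals",
              "scope": "User.Read User.ReadBasic.All Group.Read.All "
                       "Directory.AccessAsUser.All"}]
SAMPLE_DRIFT = [{"clientId": "sp-placeholder", "consentType": "AllPrincipals",
                 "scope": "User.Read Group.ReadWrite.All"}]

if __name__ == "__main__":
    print(audit_consent(SAMPLE_OK))
    print(audit_consent(SAMPLE_DRIFT))
```

An entry under `extra` or `app_only` means the app holds more than this page describes and the consent should be reviewed before the integration is used.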
Setup instructions
The first step is to set up an Azure API App:
The second step is to add the Application ID, Tenant ID and Application Key/Client secret to the Destinet/Exposer/DSignage login section.
Afterwards, your partner will set up a custom login page on your solution, to which unauthorized users are redirected to log in.