Can we use the native SSO capability (no external plugins) and use Azure AD as the authentication provider? The workflow we’re looking for is similar to that of logging into any Office 365 app, i.e. it would simply redirect to the Microsoft authentication page as part of the sign-in when the session is not authenticated.
If not, I think the OpenID Connect Authentication Plugin could work, but it would be nice to have all the “sso overrides” features, e.g. the name and avatar from their account.
You will need to write a small web service that translates between the Azure AD protocol and the Discourse SSO protocol.
That is doable and it doesn’t need to be a Discourse plugin, so you can use whatever technology you want and host it wherever works best for you.
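The Discourse-facing half of such a bridge service, as an added example that is not part of the original posts or Discourse's own code: it verifies the signed `sso`/`sig` request Discourse sends and builds the signed redirect back. It assumes the Azure AD sign-in has already completed and its token has been validated elsewhere; the secret, the `claims` dictionary and its key names are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed shared secret; must match the SSO secret configured in Discourse.
SSO_SECRET = b"constructed-example-secret"


def sign_payload(payload: str) -> str:
    """Hex HMAC-SHA256 over the base64 payload, as the Discourse SSO protocol uses."""
    return hmac.new(SSO_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def parse_sso_request(sso: str, sig: str) -> dict:
    """Verify and decode the sso/sig pair Discourse sends to the bridge."""
    # Constant-time comparison on bytes; reject before decoding anything.
    if not hmac.compare_digest(sign_payload(sso).encode(), sig.encode()):
        raise ValueError("bad signature on SSO request")
    fields = parse_qs(base64.b64decode(sso).decode())
    if "nonce" not in fields or "return_sso_url" not in fields:
        raise ValueError("SSO request is missing nonce or return_sso_url")
    return {"nonce": fields["nonce"][0],
            "return_sso_url": fields["return_sso_url"][0]}


def build_sso_response(request: dict, claims: dict) -> str:
    """Map already-validated identity claims to a signed redirect URL."""
    # 'claims' is a hypothetical dict filled from the validated Azure AD token.
    if not claims.get("oid") or not claims.get("email"):
        raise ValueError("claims lack a stable id or email")
    params = {
        "nonce": request["nonce"],      # echo the nonce so Discourse can match it
        "external_id": claims["oid"],   # stable per-user identifier
        "email": claims["email"],
        "name": claims.get("name", ""),
    }
    if claims.get("avatar_url"):
        params["avatar_url"] = claims["avatar_url"]
    payload = base64.b64encode(urlencode(params).encode()).decode()
    query = urlencode({"sso": payload, "sig": sign_payload(payload)})
    return f"{request['return_sso_url']}?{query}"
```

The nonce is echoed unchanged so Discourse can tie the response to the login attempt it started, and the `name` and `avatar_url` fields are what the SSO override settings consume.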