We have 20+ tenants to manage and need to control account access more rationally. To do this in other situations, we have implemented AzureAD SAML/SSO. That way, at offboarding, the account goes dead (and we don’t have to hunt for it in each and every tenant).
I cannot figure out how to outsource authentication for my tenant administrators’ accounts to AzureAD SAML. I can set up Enterprise AzureAD as an IdP for an app if I so choose. But I can’t provision an administrator account and then have them authenticate through my SAML IdP.
I am positive that if I were to provision an admin for multiple tenants who also has a GSuite/Google account or a Microsoft Live (or a GitHub, or a LinkedIn) account, that admin would be able to authenticate with one of those services. But what about AzureAD/365? How do I apply it to all of the tenants managed under my contract?