Hey,
You don’t need to expose your app to the internet. Simply add the domain to the list that the user will be redirected to for authentication (authorization/login endpoint from your IdP).
I have no experience with these Microsoft services, so I don’t know the domain.
I suspect it’s *.microsoftonline.com or login.microsoftonline.com.
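As an added illustration (not part of the post above, and not code from any Microsoft or IdP library), the following shows how such a redirect-domain allowlist can be enforced so that a wildcard entry like `*.microsoftonline.com` matches only real subdomains and not look-alike hosts. The allowlist contents, the `is_allowed_redirect` function and the `https`-only rule are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist mirroring the two candidate domains named in the post.
ALLOWED_REDIRECT_HOSTS = ["*.microsoftonline.com", "login.microsoftonline.com"]


def host_matches(host: str, pattern: str) -> bool:
    """Match a hostname against one allowlist entry.

    A pattern of the form "*.example.com" matches any host that ends in
    ".example.com" and has at least one label in front of it. The leading dot
    in the suffix is what stops "evil-example.com" from matching, and the
    length check stops the bare apex "example.com" from matching a wildcard.
    """
    host = host.lower().rstrip(".")      # normalise case and a trailing FQDN dot
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]              # "*.example.com" -> ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_allowed_redirect(url: str, allowlist=ALLOWED_REDIRECT_HOSTS) -> bool:
    """Return True only if the URL is https and its host is on the allowlist.

    urlsplit().hostname already strips userinfo and port, so a URL such as
    "https://login.microsoftonline.com@evil.example/" is checked against
    "evil.example", not against the decoy in front of the "@".
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    return any(host_matches(parts.hostname, p) for p in allowlist)


if __name__ == "__main__":
    # Constructed sample redirect targets exercising the edge cases above.
    samples = [
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",  # allowed
        "https://evil-microsoftonline.com/",                                # look-alike, denied
        "https://login.microsoftonline.com.evil.example/",                  # suffix trick, denied
        "http://login.microsoftonline.com/",                                # plaintext, denied
        "https://login.microsoftonline.com@evil.example/",                  # userinfo trick, denied
    ]
    for url in samples:
        print("ALLOW" if is_allowed_redirect(url) else "DENY ", url)
```

The important design choice is matching on the parsed hostname rather than doing a substring search over the raw URL string; the latter would let a decoy of the allowed domain anywhere in the URL pass the check.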