Using Microsoft IdP via OIDC, allowing any issuer

Hi folks! I’m looking for a way to allow any users with a Microsoft account (so either consumer accounts, or an account on any Azure AD instance) to log in. I don’t want to have to do actual AD integrations with all of our customers who use it, since we’re dealing with government organizations and the like and that’d just never get done.

I’ve already tried two different approaches. One was the “vanilla” Microsoft connector, which wouldn’t cut it since it only works for “consumer” Microsoft accounts as far as I can tell.

My other approach was a custom OIDC connector (with config values as in this MS doc, with the common tenant value). The problem is that if I use the common tenant in my configs (so use URLs that look like https://login.microsoftonline.com/common/...), the issuer of the ID token will be either the “consumer” tenant or the tenant ID of an Azure AD. So while the OIDC connector nominally works, I’d have to set up a separate connector with different issuer configs for each of our customers’ Azure AD tenants, which is pretty clunky.

If I was doing this “manually”, I’d just check that the issuer starts with a https://login.microsoftonline.com/ and call it a day, since we don’t really care who the specific issuer is.

Any workarounds or suggestions?