How to allow users to access Kibana on Elastic Cloud on Azure?

I deployed: Elastic Cloud (Elasticsearch managed service)

Now I need to allow users from my Azure tenant to access Kibana using their Azure AD credentials, so I want to do something like what is described here: SAML based Single Sign-On with Elasticsearch and Azure Active Directory | Elastic Blog

But it seems like the Enterprise App that was created automatically does not allow me to create any manifest or to be managed at all...

I'm getting this:
"The single sign-on configuration is not available for this application in the Enterprise applications experience. Elastic Cloud (Managed Service) is a multi-tenant application and the application is owned by another tenant."

Please advise how I can allow users from my tenant to access Kibana without creating a separate Elastic account for each person.

Hey @idelix, welcome to the discussion boards!

I'm not terribly familiar with the Azure marketplace, but we do have instructions for connecting Elastic Cloud to Azure AD via OpenID Connect: Set up OpenID Connect with Azure, Google, or Okta | Elasticsearch Service Documentation | Elastic.

It sounds like the error message you're getting is from Azure, so these instructions may or may not be helpful. If not, I think your best bet would be to reach out to your support contact via support.elastic.co for further assistance.

Thank you, I got this to work; I had to make some changes to the original:

In the Elasticsearch settings I had to remove this bit:
claim_patterns.principal: "^([^@]+)@<domain_name>\.tld$"

And in the role mapping I removed the firstname.surname filter.

So now all users from my tenant can log in and become superuser. I wonder if anyone knows how to only allow one specific Azure group?
Ideally I would add users to this group in Azure and they would be mapped to roles in Kibana.
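
An added example (not part of the thread or of Elastic's documentation) showing the open role mapping described in the last post next to a group-restricted one, written for the Kibana Dev Tools console. The realm name `oidc-realm-name`, the mapping name `oidc_kibana`, the `<group-object-id>` placeholder and the choice of the built-in `kibana_admin` role are assumptions, as is an Azure app registration configured to emit a `groups` claim in the ID token.

```console
# Added example. Placeholders: oidc-realm-name, oidc_kibana, <group-object-id>.
# Assumed realm user setting, next to the other claims.* lines, so that the
# ID token's "groups" claim is available to role mapping rules:
#   xpack.security.authc.realms.oidc.oidc-realm-name.claims.groups: "groups"

# Open form, as described in the post above: only the realm is checked, so
# every user the tenant authenticates is granted superuser.
PUT /_security/role_mapping/oidc_kibana
{
  "enabled": true,
  "roles": [ "superuser" ],
  "rules": { "field": { "realm.name": "oidc-realm-name" } }
}

# Restricted form: the user must come from the realm AND carry the object ID
# of the chosen Azure AD group in the groups claim. Reusing the same mapping
# name replaces the open rule; role mappings are additive, so an open mapping
# left in place under another name would still grant superuser to everyone.
PUT /_security/role_mapping/oidc_kibana
{
  "enabled": true,
  "roles": [ "kibana_admin" ],
  "rules": {
    "all": [
      { "field": { "realm.name": "oidc-realm-name" } },
      { "field": { "groups": "<group-object-id>" } }
    ]
  }
}

# Check which mappings exist after the change.
GET /_security/role_mapping
```

Users outside the group can still authenticate against the realm, but without a matching mapping they receive no roles.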