Multi-Tenancy Single Sign-on with Microsoft Entra

Hi Folks, we are using Elastic Cloud, and would like to set up Single Sign-on using Microsoft Entra, with the addition of using multiple (any) Microsoft Azure tenants. I would like to achieve this without needing to register Entra applications on each tenant.

I can use Set up SAML with Microsoft Entra ID | Elastic to get this working for our tenant, but have not been able to convert it to work multi-tenant.

Our Entra App Registration is configured for multi-tenant, yet I haven't quite figured out the elasticsearch.yml config to get this working.

Here is our elasticsearch.yml

xpack:
  security:
    authc:
      realms:
        saml:
          kibana-realm:
            order: 2
            attributes.principal: "nameid"
            attributes.groups: "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
            idp.metadata.path: "https://login.microsoftonline.com/common/federationmetadata/2007-06/federationmetadata.xml?appid=<our app ID>"
            idp.entity_id: "https://sts.windows.net/<our tenant ID>"
            sp.entity_id: "https://<our proxied URL>/"
            sp.acs: "https://<our proxied URL>/api/security/saml/callback"
            sp.logout: "https://<our proxied URL>/logout"

You will note in idp.metadata.path I swapped our tenant id for common. I also tried organizations.

I also note that the URL recommended by the guide for attributes.groups does not resolve properly.

Current error message when trying to log in is:

Error: [security_exception
	Root causes:
		security_exception: Cannot get role descriptors [type/name={urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor] because the metadata [location=https://login.microsoftonline.com/common/federationmetadata/2007-06/federationmetadata.xml?appid=<our app ID>] for SAML entity [id=https://sts.windows.net/<our tenant ID>] could not be resolved]: Cannot get role descriptors [type/name={urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor] because the metadata [location=https://login.microsoftonline.com/common/federationmetadata/2007-06/federationmetadata.xml?appid=XXXXX] for SAML entity [id=https://sts.windows.net/<our tenant ID>] could not be resolved
    at login_form_LoginForm.loginWithSelector (https://<our proxied URL>/8aa0b59da12c/bundles/plugin/security/1.0.0/security.chunk.6.js:3:29606)

Any help would be much appreciated. Happy to send logs, but currently none are showing on the cloud 'Logs and Metrics' page.
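The error above ("metadata ... for SAML entity [id=...] could not be resolved") is the relying party failing to find, inside the downloaded metadata document, an EntityDescriptor whose entityID exactly equals the configured idp.entity_id and which carries an IDPSSODescriptor. The script below is an added example (not part of this post, the Elastic guide, or Elasticsearch itself) that performs that same lookup offline against constructed metadata, so the check can be run before the realm is wired up. The tenant IDs, endpoints and XML are constructed placeholders, not real tenants; the one assumption baked in is that a mismatch can be as small as a trailing slash, so the near-miss report calls that out. In my understanding a SAML realm trusts a single issuer entityID and each Entra tenant is its own issuer, which is why the aggregate case below is modelled as one EntityDescriptor per tenant rather than one tenant-agnostic entry.

```python
"""Check whether a SAML realm's idp.entity_id resolves inside IdP metadata.

Added example: mimics the relying party's lookup (find the EntityDescriptor
whose entityID equals the configured idp.entity_id and confirm it carries an
IDPSSODescriptor). All metadata below is constructed for the example; the
tenant IDs and endpoints are placeholders, not real tenants.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}

# Constructed single-tenant metadata, shaped like a tenant-specific document.
TENANT_A = "11111111-1111-1111-1111-111111111111"
SINGLE_TENANT_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="{MD_NS}" entityID="https://sts.windows.net/{TENANT_A}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT_A}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Constructed aggregate: two tenants wrapped in an EntitiesDescriptor, the
# shape a relying party needs if it is to trust several issuers from one file.
TENANT_B = "22222222-2222-2222-2222-222222222222"
AGGREGATE_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntitiesDescriptor xmlns="{MD_NS}">
  <EntityDescriptor entityID="https://sts.windows.net/{TENANT_A}/">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://login.microsoftonline.com/{TENANT_A}/saml2"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sts.windows.net/{TENANT_B}/">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://login.microsoftonline.com/{TENANT_B}/saml2"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
"""


def list_entities(metadata_xml):
    """Return [(entityID, has_idp_role)] for every EntityDescriptor in the document."""
    root = ET.fromstring(metadata_xml)
    if root.tag == f"{{{MD_NS}}}EntityDescriptor":
        descriptors = [root]
    else:  # EntitiesDescriptor container, possibly nested
        descriptors = root.findall(".//md:EntityDescriptor", NS)
    return [
        (ed.get("entityID"), ed.find("md:IDPSSODescriptor", NS) is not None)
        for ed in descriptors
    ]


def resolve_idp(metadata_xml, configured_entity_id):
    """Mimic the relying party's lookup: exact entityID match plus an IdP role."""
    entities = list_entities(metadata_xml)
    for entity_id, has_idp in entities:
        if entity_id == configured_entity_id:
            return "ok" if has_idp else "entity found but it has no IDPSSODescriptor"
    # Not found: report the most likely near-miss so the operator can fix the config.
    for entity_id, _ in entities:
        if entity_id.rstrip("/") == configured_entity_id.rstrip("/"):
            return f"mismatch: metadata entityID is {entity_id} (trailing slash differs)"
    return "mismatch: configured entityID not in metadata; present: " + ", ".join(
        e for e, _ in entities
    )


if __name__ == "__main__":
    # Usage: run the same lookup the realm performs, against each candidate config.
    print(resolve_idp(SINGLE_TENANT_METADATA, f"https://sts.windows.net/{TENANT_A}/"))
    print(resolve_idp(SINGLE_TENANT_METADATA, f"https://sts.windows.net/{TENANT_A}"))
    print(resolve_idp(AGGREGATE_METADATA, f"https://sts.windows.net/{TENANT_B}/"))
    print(resolve_idp(AGGREGATE_METADATA, "https://sts.windows.net/unknown-tenant/"))
```

To use it against real metadata, read the document the idp.metadata.path URL returns into a string and pass it with the idp.entity_id from elasticsearch.yml; an "ok" means the realm will at least find its issuer, while a "mismatch" line shows which entityIDs the document actually advertises and whether a slash is the only difference.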
