OCS APIs should allow requests with an Access Token issued by my Identity Provider

A customer is building a Web application that needs to access both Microsoft APIs (secured using Azure Active Directory) and OCS APIs (secured using OCS Identity Server). In order for the customer to call both sets of APIs from their Web application, they currently need to authenticate the User with Azure Active Directory and perform a second authentication with OCS Identity Server. The Access Token issued by Azure Active Directory can be used to access Microsoft’s APIs and the Access Token issued by OCS Identity Server can be used to access OCS APIs, but not vice-versa. This means that the customer has to (a) perform 2 authentications of the User logging into their application (with potentially two login dialogs, though the two login dialogs can likely be worked around) and (b) maintain two sets of Access and Refresh Tokens, each with their own lifetimes. This is complex to build and maintain.   Instead, the customer would like to be able to configure their OCS Tenant to “trust” their Azure Active Directory Identity Provider. The intent would be to have their Web Application authenticate once only with their Azure Active Directory and have the Access Token issued by their Azure Active Directory be “directly accepted” by the OCS APIs. This would radically simplify the complexity of their application.