chore(docs): update azure-ad/entra setup docs

docs/docs/providers/azure-ad.md

@@ -45,7 +45,7 @@ AZURE_AD_CLIENT_SECRET=<copy generated client secret value here>
 AZURE_AD_TENANT_ID=<copy the tenant id here>
 ```
 
-That will default the tenant to use the `common` authorization endpoint. [For more details see here](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols#endpoints).
+That will default the tenant to use the `common` authorization endpoint. However, if you've configured your app as multi-tenant, users outside of your tenant will *only* be able to log in if you've configured them as external users within Azure. [For more details see here](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols#endpoints).
 
 :::note
 When you see `ResourceNotFound` error code while accessing an API, make sure to use the correct tenant ID. For instance, when the intended access is for a personal account, the tenant ID should not be provided.
@@ -71,3 +71,45 @@ providers: [
 ...
 
 ```
+
+### To allow users from any tenant access without adding them as "external users":
+
+- In https://portal.azure.com/ search for "Microsoft Entra ID", and select your organization.
+- Next, in the left menu expand the "Manage" accordion and then go to "App Registration" , and create a new one.
+- Pay close attention to "Who can use this application or access this API?"
+  - You'll want to select either all azure tenants (i.e., work and school accounts), or all azure tenants and public Microsoft accounts (Skype, Xbox, Outlook.com, etc.)
+- When asked for a redirection URL, select the platform type "Web" and use `https://yourapplication.com/api/auth/callback/azure-ad` or for development `http://localhost:3000/api/auth/callback/azure-ad`.
+- After your App Registration is created, under "Client Credential" create your Client secret.
+- Now copy your:
+  - Application (client) ID
+  - Client secret (value)
+
+In `.env.local` create the following entries:
+
+```
+AZURE_AD_CLIENT_ID=<copy Application (client) ID here>
+AZURE_AD_CLIENT_SECRET=<copy generated client secret value here>
+```
+
+That will default to use the `common` authorization endpoint. This means that users from tenants other than your own will be able to sign up and/or log in to your app, which is often the case if you're building a SaaS. [For more details see here](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols#endpoints).
+
+:::note
+Azure AD returns the profile picture in an ArrayBuffer, instead of just a URL to the image, so our provider converts it to a base64 encoded image string and returns that instead. See: https://docs.microsoft.com/en-us/graph/api/profilephoto-get?view=graph-rest-1.0#examples. The default image size is 48x48 to avoid [running out of space](https://next-auth.js.org/faq#:~:text=What%20are%20the%20disadvantages%20of%20JSON%20Web%20Tokens%3F) in case the session is saved as a JWT.
+:::
+
+In `pages/api/auth/[...nextauth].js` find or add the `AzureAD` entries:
+
+```js
+import AzureADProvider from "next-auth/providers/azure-ad";
+
+...
+providers: [
+  AzureADProvider({
+    clientId: process.env.AZURE_AD_CLIENT_ID,
+    clientSecret: process.env.AZURE_AD_CLIENT_SECRET,
+  }),
+]
+...
+
+```
+