The SSO process in Bezala is quite straightforward:
1. Log in using the preferred SSO option.
   In most cases the SSO will work right away. Otherwise the SSO process will let you know if you need to whitelist Bezala in your AD.
2. Turn on the "Enforce SSO authentication" setting in the company settings: https://app.bezala.com/#settings/company
   If you have users whom you would like to allow to sign in using email and password, you can override the SSO enforcement by turning off the "Enforce SSO authentication" setting in their profile (requires the Manager user role).
Bezala uses the Microsoft identity platform and the OAuth 2.0 authorization code flow. It is an open API through which we ask Microsoft (Azure AD) who the user trying to authenticate is. The user then goes through the organization's normal Microsoft login process (including 2FA if it is enabled at the organization level). Based on the information retrieved, we let the user into the correct environment. When the MS SSO is enabled, we can disable other authentication methods for that company.
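The authorization code flow described above, sketched from the relying application's side as an added example (not Bezala's code): it builds the Microsoft identity platform authorization request, then checks the callback before preparing the token request. The client ID, redirect URI, session dictionary and the use of PKCE are assumptions made for illustration, and no network call is made.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Microsoft identity platform v2.0 endpoints for work/school accounts.
AUTHORITY = "https://login.microsoftonline.com/organizations/oauth2/v2.0"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"      # placeholder app registration
REDIRECT_URI = "https://app.example.com/auth/callback"  # hypothetical redirect URI

def begin_login():
    """Return (authorize_url, session) for one login attempt."""
    state = secrets.token_urlsafe(32)      # binds the callback to this browser session
    verifier = secrets.token_urlsafe(64)   # PKCE secret, kept server-side
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    query = urlencode({
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": "openid profile email",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })
    return f"{AUTHORITY}/authorize?{query}", {"state": state, "code_verifier": verifier}

def finish_login(callback_url, session):
    """Validate the redirect from Microsoft and return the token request body."""
    params = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if "error" in params:                  # e.g. the tenant has not approved the app
        raise PermissionError(params["error"])
    expected = session.get("state", "")
    received = params.get("state", "")
    # Reject callbacks not started by this session (login CSRF, code injection).
    if not expected or not hmac.compare_digest(received.encode(), expected.encode()):
        raise PermissionError("state mismatch")
    if "code" not in params:
        raise PermissionError("missing authorization code")
    # Body to POST to f"{AUTHORITY}/token"; the ID token in the response
    # identifies the user and tenant.
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": params["code"],
        "redirect_uri": REDIRECT_URI,
        "code_verifier": session["code_verifier"],
    }
```

The authorization code is single-use and only proves that Microsoft authenticated someone; the application should take the user's identity from the validated ID token returned by the token endpoint, not from anything in the callback URL.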