Step 2. Set up Single Sign-On
Workspace 365/Office 365 administrators can enable Single Sign-On (SSO) for their Workspace 365 environment, which reduces the number of login steps for Workspace 365 users. The recommended setup for Single Sign-On is OAuth2.
OAuth2 is an open standard for authorization, commonly used to let internet users log in to third-party websites with their Microsoft, Google, Facebook, etc. accounts without exposing their password. Generally, OAuth2 provides clients with "secure delegated access" to server resources on behalf of a resource owner.
With OAuth2 configured in Workspace 365, you can sign in to Workspace 365 via your current federation and use multi-factor authentication (MFA), also called two-factor authentication (2FA).
To set up Single Sign-On automatically, choose "Automatic setup". Workspace 365 will create an Azure AD application with the permissions you grant. By default, SharePoint and Exchange are checked. Additionally, you can choose to add Power BI permissions to the application.
Be aware that these permissions are only granted for the administrator in this tenant.
You have to grant them for all users. If you do not "Grant Permissions", you will receive the following error while trying to log in to the Workspace: "Need admin approval".
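To confirm that consent covers all users and not only the administrator, the application's delegated permission grants can be compared by consent type. The Python below is an added example, not Workspace 365 or Microsoft code; it assumes the grants were exported from the Microsoft Graph oauth2PermissionGrants collection, and every ID and scope in the sample is a constructed placeholder, not the set Workspace 365 actually requests.

```python
import json

CLIENT_SP = "sp-workspace365-placeholder"  # hypothetical service principal object id

# Constructed sample shaped like a Graph oauth2PermissionGrants listing.
SAMPLE_GRANTS = json.loads("""
[
 {"clientId": "sp-workspace365-placeholder", "consentType": "AllPrincipals",
  "principalId": null, "resourceId": "sp-sharepoint-placeholder",
  "scope": "AllSites.Read"},
 {"clientId": "sp-workspace365-placeholder", "consentType": "Principal",
  "principalId": "user-admin-placeholder", "resourceId": "sp-sharepoint-placeholder",
  "scope": "AllSites.Read MyFiles.Read"},
 {"clientId": "sp-workspace365-placeholder", "consentType": "Principal",
  "principalId": "user-admin-placeholder", "resourceId": "sp-exchange-placeholder",
  "scope": " EWS.AccessAsUser.All"},
 {"clientId": "sp-other-app-placeholder", "consentType": "Principal",
  "principalId": "user-admin-placeholder", "resourceId": "sp-exchange-placeholder",
  "scope": "Mail.Read"}
]
""")


def consent_gaps(grants, client_sp_id):
    """Map resourceId -> {scope: [principalIds]} for scopes that only
    individual users have consented to (no tenant-wide grant covers them)."""
    tenant_wide, per_user = {}, {}
    for g in grants:
        if g.get("clientId") != client_sp_id:
            continue  # grant belongs to a different application
        scopes = (g.get("scope") or "").split()  # space-separated list
        rid = g["resourceId"]
        if g.get("consentType") == "AllPrincipals":
            tenant_wide.setdefault(rid, set()).update(scopes)
        elif g.get("consentType") == "Principal":
            for s in scopes:
                per_user.setdefault(rid, {}).setdefault(s, set()).add(g["principalId"])
    gaps = {}
    for rid, by_scope in per_user.items():
        missing = {s: sorted(p) for s, p in by_scope.items()
                   if s not in tenant_wide.get(rid, set())}
        if missing:
            gaps[rid] = missing
    return gaps


if __name__ == "__main__":
    for rid, missing in consent_gaps(SAMPLE_GRANTS, CLIENT_SP).items():
        for scope, users in missing.items():
            print(f"{rid}: {scope} consented only for {', '.join(users)}")
```

An empty result means every scope the application holds is covered by a tenant-wide grant; any entry names a scope for which other users would still hit "Need admin approval".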