Azure IDP User login via KC API without UI access

I have this use case and please help if this is possible to achieve:

=> I have configured the KC to connect to an external IDP Azure SSO
=> With the UI login it works perfectly, with the user automatically getting created on KC once successfully authenticated to Azure SSO

What I am looking at?
=> I have a chatbot app where the user logs in via Teams (I don't have a separate UI for this chatbot to get the SSO login page)
=> Once they log in to Teams, I get their email ID and token etc., which is connected to Azure SSO directly.
=> I am using the KC as my centralized user authentication/authorization service. How do I validate this Azure SSO user via the KC API and have it also create that user automatically?

Can I use any token exchange here?

Yes, Token Exchange should be your friend here: Using token exchange - Keycloak

Thanks. But the documentation is not detailed. I followed the same thing, like:

My Target Client here is - admin-cli (which is configured to Azure IDP)
Source client - SecretClient (I manually created one with all the relevant scope)
Permissions & Policies are configured as stated.

I am getting errors like “client not allowed to exchange keycloak”

I am sure I am missing something but not sure what. Could you please help?

Regards
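
For reference, the shape of the external-to-internal token exchange request discussed in this thread, as an added example that is not part of any post and not Keycloak's own code. The base URL, realm name `myrealm`, IdP alias `azure` and the secret and token values are assumed placeholders; `SecretClient` is the client named above.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"


def build_exchange_request(base_url, realm, client_id, client_secret,
                           idp_alias, external_token, audience=None):
    """Return (url, form_bytes) for exchanging an external IdP token at Keycloak."""
    # Older Keycloak distributions serve under /auth; include it in base_url if so.
    url = "%s/realms/%s/protocol/openid-connect/token" % (
        base_url.rstrip("/"), urllib.parse.quote(realm, safe=""))
    form = {
        "grant_type": GRANT,
        "client_id": client_id,            # confidential client making the exchange
        "client_secret": client_secret,
        "subject_token": external_token,   # token issued by the external IdP
        "subject_issuer": idp_alias,       # alias of the IdP as configured in the realm
        "subject_token_type": ACCESS_TOKEN,
    }
    if audience:
        form["audience"] = audience        # optional: target client for the new token
    return url, urllib.parse.urlencode(form).encode("ascii")


def exchange(url, form_bytes, timeout=10):
    """POST the form; return parsed JSON, or raise with Keycloak's error body."""
    req = urllib.request.Request(url, data=form_bytes, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        detail = err.read().decode("utf-8", "replace")
        raise RuntimeError("token exchange failed (%s): %s" % (err.code, detail)) from None


if __name__ == "__main__":
    # Constructed placeholder values; nothing is sent unless exchange() is called.
    url, body = build_exchange_request(
        "https://keycloak.example.test", "myrealm", "SecretClient",
        "<client-secret>", "azure", "<teams-access-token>")
    print(url)
    print(body.decode())
```

The `error` and `error_description` fields in the body raised by `exchange()` are what to compare against the permissions configured for the requesting client.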