We have a Keycloak instance set up where we are connecting to Microsoft as an IdP and want a certain group of users to log in via that option instead of using the regular user/pass that Keycloak provides. If a user enters the information into Keycloak, we want it to deny the user access and point them to the Microsoft Identity Broker instead, or have it just redirect them to Microsoft to begin the login process. Can this be configured? Where, if possible, could I configure this in the admin console?
I believe you can play with the kc_idp_hint parameter that comes OOTB to redirect to an external IdP.
Alternatively, you can review this lovely SPI, which has some similar functionality: sventorben/keycloak-home-idp-discovery on GitHub (Keycloak: Home IdP Discovery - discover home identity provider or realm by email domain)
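An added example, not part of the original thread: how a client application could pick `kc_idp_hint` from the user's email domain when it builds the OIDC authorization request. The host names, realm, client ID, the IdP alias `microsoft` and the domain map are constructed placeholders, and the URL path assumes a Keycloak without the legacy `/auth` context path.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed sample values: replace with your own realm, client and IdP alias.
KEYCLOAK_BASE = "https://sso.example.com"
REALM = "demo"
CLIENT_ID = "demo-app"
REDIRECT_URI = "https://app.example.com/callback"
# Hypothetical map: email domain -> alias of the identity provider in the realm.
DOMAIN_TO_IDP = {"corp.example.com": "microsoft"}


def idp_alias_for(email):
    """Return the IdP alias for a federated domain, or None for local accounts."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address")
    return DOMAIN_TO_IDP.get(domain.lower())


def build_auth_request(email):
    """Build the authorization URL; returns (url, state, code_verifier)."""
    state = secrets.token_urlsafe(16)      # checked again on the callback
    verifier = secrets.token_urlsafe(48)   # 64 chars, within PKCE's 43-128 range
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "openid",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    alias = idp_alias_for(email)
    if alias is not None:
        # Asks Keycloak to redirect straight to this IdP instead of its form.
        params["kc_idp_hint"] = alias
    path = f"/realms/{REALM}/protocol/openid-connect/auth"
    return f"{KEYCLOAK_BASE}{path}?{urlencode(params)}", state, verifier


if __name__ == "__main__":
    print(build_auth_request("alice@corp.example.com")[0])
```

The hint is chosen by the client, so a request sent without it still reaches the Keycloak login form; denying password login for those users has to be enforced in the realm itself.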