Using Vault as an OIDC provider with AzureAD to protect resources behind haproxy


I’m looking to secure services running inside a docker swarm cluster. Inside of the cluster I use HAproxy as a reverseproxy/load balancer and I would like to use haproxy for authorizing request to services running in the cluster.
Using a luascript, HAproxy is able to verify JWTtokens given that it has access to the public key with which the private key was used to sign the token with.
HaProxy should redirect unauthorized users to Vault for authentication and once the user has been authenticated it will be redirected back to the original URL but now with a signed JWTtoken as authentication.
The users I would like to authenticate are AzureAd users.
So Vault needs to be able to authenticate the user credentials with azure ad and then
return a vault token to the user which then will be able to access resources behind haproxy.

Do you have any idea of how to achieve this?