Setup user based connection/ destination between SCP Mobile Services and Azure

Hello,

we are currently facing some issues with the SAP Cloud Platform and the mobile services. We have the scenario that we want to access OData services located in the Microsoft Azure (Dynamics365) using the SCP Mobile Services and its corresponding SDK for iOS. We know that we could also connect and authenticate our iOS application directly against the Azure but we want to use SCP Mobile Services as the middleware for all our mobile applications, giving us the possibility to connect other backend systems to the application in the future.

The important point is that we need to authenticate our platform/ mobile destination, in this case the OData services from Dynamics365, with preserving the user session/user principal. We tried several approaches but had no success until now. Therefore I have four different questions:

1. Is there a SAP recommended way of accessing content via the SAP Cloud Platform Mobile Services and the iOS SDK on the Microsoft Azure Cloud using the IDP of the Azure tenant?
2. How can I authenticate a Cloud Platform Destination/Mobile Destination against the Azure with preserving the user session/user principal? OAuth2ClientCredentials is not available for Mobile Destinations, and the Azure does not support the OAuth2 SAML Bearer Assertion Flow.
3. Is there a way of dynamically utilizing Open Connectors while preserving the user principal accessing the Azure/Dynamics365? We could only achieve this by creating a new instance for each user.
4. Is there a way to use a custom OAuth Provider (e.g. Azure) on the SAP Cloud Platform?

It would it be great if someone of you who faced the same questions/ problems in the past could provide us some information or hints.

Thanks in advance

Stephan