Explain Azure AD based authentication in Azure Monitor plugin

I am working on a custom datasource plugin that will require the queries to possess an authorization token from AAD for the database to approve the request.
Our custom datasource plugin needs AAD based authentication (we assume Azure Monitor does the same)
@daniellee - We observe Azure Monitor plugin takes client id, client secret and tenant id as input which are used in the routes:{} part of the plugin.json
We do not understand how above client id/secret are used to acquire tokens and pass queries using those tokens. @daniellee/others - Please explain the flow, it will help us to code our datasource plugin similarly

Hopefully this explains how it works: