I don’t know how to begin this post. I thought about it for a very long time and still don’t know.
If you are planning to establish a connection from your on-premises SharePoint to MS Azure AD, please be aware of the following:
PARTS OF THE MICROSOFT ARTICLE ARE FALSE! BULLSHIT! NOT WORKING!
Sorry, but I must say it.
I was stuck for several hours on the issue with granting access to MS Azure groups, and nothing worked.
I repeated the Microsoft part several times and nothing helped. After a few hours I found a solution (not from Microsoft!).
It belongs to this MS part:
I don’t know why Microsoft has this “not working” path inside their guide.
I found the final solution here: https://sharepointwhoknew.wordpress.com/tag/sso/
The part which helps is this:
Resolution: How To Fix It Section
The resolution/workaround for this is to use the Email Address as the identifying Claim instead of the UPN
To accomplish this we’ll have to adjust both our AAD SSO App SAML claims to be like the following: (We will fix the AAD Security Groups here too like I promised)
To set up your Role Claims you have to edit the ‘Groups returned in claim:’ section as follows
So your complete AAD SSO App claim configuration should look like this:
This part helped me out of this nightmare!
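For the SharePoint side of the same fix, here is an added PowerShell example (not from this post or the linked blog) that registers the Azure AD trust with the email address as the identifier claim and a group claim for access grants. The realm, tenant id, certificate path and the group claim URI are assumptions and must match what your AAD enterprise app actually emits.

```powershell
# Added example, not from this post or the linked blog. Run in the SharePoint
# Management Shell on the on-premises farm. Assumed values are marked as such.

$realm    = "urn:sharepoint:onprem"   # assumption: must equal the Identifier (Entity ID) of the AAD app
$signIn   = "https://login.microsoftonline.com/<TENANT-ID>/wsfed"   # placeholder tenant id
$certPath = "C:\temp\AAD-SAML-Signing.cer"   # assumption: signing certificate downloaded from the AAD app

# Group claim URI as emitted by the 'Groups returned in claim' section of the AAD app.
# Assumption: the role claim type used in the Microsoft guide; change it if your app emits another name.
$groupClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
New-SPTrustedRootAuthority -Name "AzureAD" -Certificate $cert

# Identifying claim: email address instead of UPN, as the quoted resolution describes.
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "Email" -SameAsIncoming

# Group claim: lets AAD security groups be used when granting access in SharePoint.
$groupMap = New-SPClaimTypeMapping `
    -IncomingClaimType $groupClaimType `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

New-SPTrustedIdentityTokenIssuer -Name "AzureAD" -Description "Azure AD SAML trust" `
    -Realm $realm -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap,$groupMap `
    -SignInUrl $signIn -IdentifierClaim $emailMap.InputClaimType

# Check: the identifier claim on the trust must be the email claim, not the UPN claim.
(Get-SPTrustedIdentityTokenIssuer -Identity "AzureAD").IdentifierClaim
```

After the trust exists, the AAD app’s SAML claims must emit the same email and group claim types, or the SharePoint mappings will not match.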