After creating or enabling an Azure account, no errors are noted in the Active Roles Web Interface or in the Event Viewer logs, but the account is never created on the Azure side.
Verbose logging shows an exception similar to the following:
There are two known root causes:
Confirm the Azure Tenant Type in the Azure Portal.
Browse to Azure Active Directory | Custom Domain Names
There is a Federated column. If no domain is checked in that column, the Tenant is not Federated and should be integrated as a Synchronized Identity Tenant.
If one or more on-prem domain suffixes are not present in Azure, the Tenant also does not qualify as a Federated Domain and should be integrated as a Synchronized Identity Tenant. Even if the domain suffix is not used in the UPN of the Azure object and the on-prem domain suffix is a private domain such as domain.local, it must still be present in Azure for the Tenant to qualify as a Federated Domain Tenant Type.
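The two checks above (is any domain federated, and is every on-prem domain suffix registered in the tenant) can be run from a console instead of by eye. The following is an added example and not part of the original article or of Active Roles itself; it assumes the Microsoft Graph PowerShell SDK (Connect-MgGraph, Get-MgDomain) and the ActiveDirectory RSAT module (Get-ADForest) are installed on the machine, neither of which the article mentions.

```powershell
# Added example (not from the Active Roles article): compares the UPN suffixes in use
# on-prem with the domains registered in the Azure tenant and reports which Tenant Type
# the article's rules would assign.
# Assumptions: Microsoft Graph PowerShell SDK and the ActiveDirectory module are present;
# the account used has permission to read the tenant's domain list.

Connect-MgGraph -Scopes 'Domain.Read.All' | Out-Null

# Every domain registered in the tenant, with its authentication type (Managed or Federated).
# This is the same information as the Federated column under Custom Domain Names.
$azureDomains = Get-MgDomain | Select-Object Id, AuthenticationType, IsVerified

# All UPN suffixes in use on-prem: the DNS name of each domain in the forest plus any
# alternative UPN suffixes added to the forest.
$forest = Get-ADForest
$onPremSuffixes = @($forest.Domains) + @($forest.UPNSuffixes) | Sort-Object -Unique

$federated = @($azureDomains | Where-Object { $_.AuthenticationType -eq 'Federated' })
$missing   = @($onPremSuffixes | Where-Object { $_ -notin $azureDomains.Id })

"Domains registered in the tenant:"
$azureDomains | Format-Table -AutoSize

if ($federated.Count -eq 0) {
    "No federated domain in the tenant: integrate it as a Synchronized Identity Tenant."
}
elseif ($missing.Count -gt 0) {
    # A private suffix such as domain.local will show up here; the article still requires
    # it to be present in Azure before the Federated Tenant Type applies.
    "On-prem suffixes not registered in Azure (tenant does not qualify as Federated):"
    $missing
}
else {
    "All on-prem suffixes are registered and at least one is Federated: the Federated Tenant Type applies."
}
```

Run it once before integrating the tenant; the printed table is also handy to compare against the authentication type recorded for the tenant on the Active Roles side.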
In Active Roles Web Interface as an Active Roles Administrator:
If the Domain in the Azure Portal is Federated but Active Roles is still throwing this error, check the contents of the dbo.AzureDomains table in the SQL configuration database. The authentication type recorded there should match the one shown in the Azure Portal. If it does not, delete and re-integrate the Azure Tenant.