When users from Azure domain are trying to access resources published via XenApp 7.9 on your premise, they receive this error: "Cannot complete your request".

On looking at the Storefront debug logs, you see that storefront does a Callback:
00001779             3:27:23 AM        [8248] [Authenticate] Perform callback

 And then you see below errors:
00001787             3:27:23 AM        [8248] CitrixAGBasic: The credential validation failure: username: FailedPasswordComplexity domain: test resulted in status: ​"your domain FQDN" 

00001795             3:27:23 AM        [7356] A CitrixAGBasic Login request has failed.\nCitrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException: Authenticate encountered an exception. ---> System.Net.WebException: The remote server returned an error: (403) Forbidden.           
 

If you have SAML as the primary authentication type, you need to disable authentication in the LDAP policy and configure it for only group extraction. Then, bind the LDAP policy as the secondary authentication type.

---

Problem Cause

SAML authentication does not use a password and only uses the user name. Also, SAML authentication only informs users when authentication succeeds. If SAML authentication fails, users are not notified. Since a failure response is not sent, SAML has to be either the last policy in the cascade or the only authentication policy.

There is an integration setup between your domain and another domain on Azure cloud service. Users from Azure domain try to access published resources from your on-premise domain and get error: "Cannot complete your request"