Attempts to use Single Sign-On ("Sign in with Company Credentials") to access Citrix Files may fail when Microsoft Azure is used as the IdP (identity provider).
Upon closer inspection, you may find errors similar to the following:
This error can be seen even though the user is a member of the relevant Active Directory groups and is therefore entitled to the role assignment. The membership is visible in on-premises Active Directory, but you may not be able to identify the same group membership when inspecting the user via the Azure portal. The Azure portal may instead show an error stating 'Microsoft_AAD_IAM'.
Attempts to manually sign in (without using SSO) succeed.
This problem can be caused by exceeding the quota for syncing objects between on-premises Active Directory and cloud-based Azure AD.
If this quota is exceeded, no new Active Directory group changes made on-premises will sync to Azure AD.
This can result in the scenario described in this article until the quota in question is either reset or increased.