In a working CA PAM environment with SAML Authentication set to Azure as an IdP, existing users are able to log in just fine, but any new user trying to use the system is getting the following error:
PAM-CMN-0988: The validation of the SAML assertion of user identity <user> from remote IdP https://<Azure_app_id> succeeded but mapping the user to a SAML-enabled CA PAM account failed
Comparing the assertions generated in Azure for a working and a non-working user shows no difference: both are validated, and the attribute mapping is identical in both cases.
There are multiple possible causes for this. If all configuration is correct and consistent, the error may be caused by PAM not being able to provision a user from the information received from Azure when that user has not been provisioned earlier.
This is the purpose of checking the Allow Just In Time Provisioning (JIT) checkbox in the Remote IdP configuration, as explained on documentation page Azure AD as an Identity Provider (IdP).
If this option is not checked, PAM does not try to provision the user coming from Azure but only looks for an existing matching user, so this error is returned whenever the user has not yet been provisioned in PAM.
Make sure that the Allow Just in Time Provisioning option is checked in the Azure as an IdP configuration on PAM UI page Configuration > Security > SAML > SP Configuration > Configured Remote SAML IdP.
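The following script is an added triage example, not part of the original article or of CA PAM itself. It scans log lines for the PAM-CMN-0988 message text quoted above, extracts the user identity and remote IdP, and cross-checks each hit against a list of already-provisioned PAM users and the state of the JIT checkbox, so an operator can tell the "new user, JIT disabled" case apart from a mapping problem affecting a user who already exists. The log line prefix (timestamp, level), the user names and the IdP URL are all constructed placeholders; the real PAM log format may differ, which is why only the documented message text is matched.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Regex keyed on the message text documented for PAM-CMN-0988.
# The surrounding line format (timestamp, log level) is an assumption,
# so only the message body is matched and the rest of the line is ignored.
ERR_RE = re.compile(
    r"PAM-CMN-0988: The validation of the SAML assertion of user identity "
    r"(?P<user>\S+) from remote IdP (?P<idp>\S+) succeeded but mapping the user "
    r"to a SAML-enabled CA PAM account failed"
)

# Diagnosis strings returned for each occurrence.
DIAG_JIT = ("user not provisioned in PAM and JIT is disabled: enable "
            "'Allow Just In Time Provisioning' on the configured remote IdP")
DIAG_MAPPING = ("user already exists in PAM: JIT is not the cause, check the "
                "account's SAML enablement and attribute mapping")
DIAG_OTHER = ("user not provisioned although JIT is enabled: another cause, "
              "review the remote IdP configuration")


@dataclass
class Finding:
    user: str
    idp: str
    provisioned: bool
    diagnosis: str


def triage(log_lines: Iterable[str], provisioned_users: Set[str],
           jit_enabled: bool) -> List[Finding]:
    """Classify every PAM-CMN-0988 occurrence in log_lines.

    provisioned_users: PAM usernames that already exist (constructed input here).
    jit_enabled: whether 'Allow Just In Time Provisioning' is checked for the IdP.
    """
    findings = []
    for line in log_lines:
        m = ERR_RE.search(line)
        if not m:
            continue  # not the error we are triaging
        user, idp = m.group("user"), m.group("idp")
        known = user in provisioned_users
        if known:
            diagnosis = DIAG_MAPPING
        elif not jit_enabled:
            diagnosis = DIAG_JIT
        else:
            diagnosis = DIAG_OTHER
        findings.append(Finding(user, idp, known, diagnosis))
    return findings


# Constructed sample log lines; the IdP URL is a placeholder for the Azure app id.
IDP = "https://azure-app-id-placeholder"
SAMPLE_LOG = [
    "2024-01-01T09:00:01Z INFO  SAML login for alice@example.com succeeded",
    "2024-01-01T09:02:10Z ERROR PAM-CMN-0988: The validation of the SAML assertion "
    f"of user identity bob@example.com from remote IdP {IDP} succeeded but "
    "mapping the user to a SAML-enabled CA PAM account failed",
    "2024-01-01T09:05:44Z ERROR PAM-CMN-0988: The validation of the SAML assertion "
    f"of user identity alice@example.com from remote IdP {IDP} succeeded but "
    "mapping the user to a SAML-enabled CA PAM account failed",
]
SAMPLE_PROVISIONED = {"alice@example.com"}

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, SAMPLE_PROVISIONED, jit_enabled=False):
        print(f"{f.user} (idp={f.idp}, provisioned={f.provisioned}): {f.diagnosis}")
```

Run it against an export of the PAM log with the real set of provisioned users; a run where every hit comes back with the JIT diagnosis confirms that the checkbox above is the fix, while hits for users that already exist point at the account or mapping configuration instead.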