How to add just in time (JIT) Azure users to a PAM Group
Article ID: 280126


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

This article describes how to implement the Azure AD (Entra) SAML integration with PAM for JIT provisioning.

Environment

PAM 4.1.x

Cause

Guidance

Resolution

Detailed steps to add Azure JIT users to a PAM group:

Azure AD(ENTRA) SAML integration with PAM for JIT provisioning

Set PAM as the SP:

Log in to the Azure (Entra) admin console:

Create an Enterprise Application:

In our example we created a non-gallery application named Symantec PAM.

First, assign the users and groups that may access the application via Assign users and groups.

Click Add user/group.

In our scenario we add the PAM JIT group.

Only members of PAM JIT in Azure can then authenticate through this SAML IDP.

The next step is to configure SAML, so click Single sign-on.

Select SAML.

To configure SAML you need the SP metadata XML exported from PAM.


If you have it, click Upload metadata file to import the PAM URLs.

Once you import, or manually add, the basic SAML configuration, only the Identifier and the Reply URL are mandatory.

Identifier: the Entity ID set in the PAM SP.
Reply URL: "yourpam.domain.com//samlsp/module.php/saml/sp/saml2-acs.php/xsuite-default-sp"


The next step is Attributes & Claims:

First we change the claims to the attribute names expected by PAM.

Attributes expected: e-mail, firstName, lastName, userGroup.

We modify the attributes one by one. For Name ID we use sAMAccountName, so the mailnickname attribute fits the profile.

Next, modify all the other attributes, creating new ones if needed.


This is how it looks; we modify it to the following:


Continue with each of the other attributes until you have all the required ones.
Keep in mind that the userGroup attribute must contain the name of the local PAM group that is configured with SAML authentication.

Create that local group in PAM with Auth Type: SAML.

Once the group is created, you can assign it access policies or specific roles for your use case.

Now back to Azure.
We add one group claim that sends only the groups assigned to the PAM application as the membership.


Customize the claim as well.

The end result should be:

Now download the Azure IDP metadata to import into PAM.


Go to PAM and import the metadata.

Once uploaded, click Update and make sure JIT is selected.


Test the new IDP. Expected result:

Azure user:

Group membership:
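As an added illustration, not part of this article or of the PAM product, the following Python script parses a constructed, unsigned SAML assertion and checks its attribute statement the way the steps above require: the four attributes PAM expects (e-mail, firstName, lastName, userGroup) must be present and non-empty, a Name ID must be present, and the userGroup value must name a local PAM group that uses SAML authentication. The plain claim names, the NameID value and the PAM group list are assumptions for the example; signature and issuer validation are left to PAM.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names PAM expects after the Entra claims are renamed (from the article).
REQUIRED_ATTRS = ("e-mail", "firstName", "lastName", "userGroup")

# Local PAM groups configured with Auth Type SAML (constructed list for this example).
PAM_SAML_GROUPS = {"PAM JIT"}

# Constructed, unsigned assertion shaped like what the customized Entra claims would emit.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="e-mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="userGroup"><saml:AttributeValue>PAM JIT</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(assertion_xml):
    """Return (NameID, {attribute name: [values]}) from the assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return name_id, attrs


def check_jit_assertion(assertion_xml, pam_groups=PAM_SAML_GROUPS):
    """Return (ok, problems, matched_groups): does the assertion carry what JIT needs?"""
    name_id, attrs = parse_assertion(assertion_xml)
    problems = []
    if not (name_id or "").strip():
        problems.append("missing NameID (the mailnickname / sAMAccountName mapping)")
    for name in REQUIRED_ATTRS:
        if not any(v.strip() for v in attrs.get(name, [])):
            problems.append(f"missing or empty attribute: {name}")
    # The article requires userGroup to hold the name of a local PAM group
    # with SAML authentication; anything else cannot be mapped by JIT.
    matched = [g for g in attrs.get("userGroup", []) if g in pam_groups]
    if attrs.get("userGroup") and not matched:
        problems.append("userGroup does not match a PAM SAML group: " + ", ".join(attrs["userGroup"]))
    return not problems, problems, matched


if __name__ == "__main__":
    print(check_jit_assertion(SAMPLE_ASSERTION))  # (True, [], ['PAM JIT'])
```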