There is a known issue when using the new features in 8.7.2 for AzureAD integration regarding Patch APIs in Workflow, and with accessing Patch Management areas of the console.

ITMS 8.7.2

Known issue

This issue has been fixed in ITMS 8.7.3

Workaround:

The work-around is to enable Windows Authentication to Enabled and Forms Authentication to Disabled for PatchManagmentCore in IIS. 

Open IIS Manager on the Notification Server (NS) and navigate to Default Web Site > Altiris > PatchManagmentCore.

Highlight PatchManagmentCore, and then in the right pane, double-click Authentication.

Right-click Windows Authentication and select Enabled

Right-click Forms Authentication and select Disabled

Note that the Workflow API will now function, but Console users will need to log into the console using Windows credentials to view Patch Management related pages.