When logging in to ZTNA tenant using SAML authentication user sees 'Unauthorized operation' error. 'The operation you were trying to perform was blocked (HTTP status 401):

ZTNA tenant integrated with Azure IdP.

This error occurs when SAML response does not contain all required attributes.

Make sure that Azure IdP returns all required attributes. List of mandatory attributes can be found here

NOTE: Please make sure that user profile is populated with required information. For example, one of required attributes is email address. Azure returns this attribute only if email address is configured in user's profile.