DEVTEST IAM : SSO Azure AD identity Source fails with "error":"invalid_request","error_description":"AADSTS50146

Article ID: 408337


Products

Service Virtualization

Issue/Introduction

After configuring Azure AD (Entra) and attempting to log in, ACCESS DENIED is presented.

The IAM server log shows:

2025-08-25 10:46:17,238 DEBUG [org.apache.http.wire] (executor-thread-24) http-outgoing-0 << "{"error":"invalid_request","error_description":"AADSTS50146: This application is required to be configured with an application-specific signing key. It is either not configured with one, or the key has expired or is not yet valid. Trace ID: 7c0db24a-4073-4878-9f63-dfb491fe0f00 Correlation ID: 1d438dd9-639a-49cb-9d30-fe4008ceef22 Timestamp: 2025-08-25 14:46:17Z","error_codes":[50146],"timestamp":"2025-08-25 14:46:17Z","trace_id":"7c0db24a-4073-4878-9f63-dfb491fe0f00","correlation_id":"1d438dd9-639a-49cb-9d30-fe4008ceef22","error_uri":"https://login.microsoftonline.com/error?code=50146","claims":"{\"access_token\":{\"capolids\":{\"essential\":true,\"values\":[\"24c395ad-1770-4a31-88e2-33a06791a46f\"]}}}"}"

Environment

DEVTEST 10.8.0 or newer

Cause

When there are multiple mapped OIDC claims on Azure, this parameter needs to be set to true on the Azure side: "acceptMappedClaims: true".

In the customer's environment, the value was "acceptMappedClaims: null" at the time of the problem.

Resolution

In the customer's Azure portal, under MANIFEST for the DEVTEST APP in APP REGISTRATION, set: "acceptMappedClaims: true".
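
A triage sketch for this case, added here as an example and not part of the original article or of DevTest: it pulls the error body out of an IAM wire-log line like the one above and checks an exported app manifest for the flag. The function names, verdict strings and sample line are constructed; the lookup under "api" and the "signInAudience" check are assumptions based on the Microsoft Graph manifest layout and Microsoft's claims-mapping guidance.

```python
import json
import re

# Constructed sample: shortened from the wire-log line above, placeholder correlation ID.
SAMPLE_LINE = (
    '2025-08-25 10:46:17,238 DEBUG [org.apache.http.wire] (executor-thread-24) '
    'http-outgoing-0 << "{"error":"invalid_request",'
    '"error_description":"AADSTS50146: This application is required to be configured '
    'with an application-specific signing key.","error_codes":[50146],'
    '"correlation_id":"00000000-0000-0000-0000-000000000000"}"'
)

def parse_wire_error(line):
    """Return the JSON error body of an inbound ('<<') wire-log line, or None."""
    m = re.search(r'<< "(\{.*\})"\s*$', line)
    if not m:
        return None
    try:
        body = json.loads(m.group(1))
    except json.JSONDecodeError:
        return None
    return body if isinstance(body, dict) and "error_codes" in body else None

def accept_mapped_claims(manifest):
    """Read the flag from either manifest layout (top-level or under 'api')."""
    if "acceptMappedClaims" in manifest:
        return manifest["acceptMappedClaims"]
    return (manifest.get("api") or {}).get("acceptMappedClaims")

def diagnose(line, manifest):
    """Return (verdict, correlation_id) for one log line and one exported manifest."""
    body = parse_wire_error(line)
    if body is None or 50146 not in body["error_codes"]:
        return ("not-aadsts50146", None)
    cid = body.get("correlation_id")
    if accept_mapped_claims(manifest) is True:
        return ("flag-already-true", cid)  # look at the app signing key instead
    # Assumption: Microsoft's claims-mapping docs advise against this flag on multi-tenant apps.
    if manifest.get("signInAudience") not in (None, "AzureADMyOrg"):
        return ("multi-tenant-review-first", cid)
    return ("set-acceptMappedClaims-true", cid)

if __name__ == "__main__":
    sample_manifest = {"signInAudience": "AzureADMyOrg", "acceptMappedClaims": None}
    print(diagnose(SAMPLE_LINE, sample_manifest))
```

The correlation ID returned with the verdict is the value to match against the Entra sign-in logs when confirming the fix.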