Configuring Azure as an SSO

Article ID: 426673

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

The CA PAM documentation describes how to use Azure as an IdP under several constraints:

  • Users are provisioned just in time (JIT)
  • PAM is configured either to manage devices (Web) or to manage devices and users (Public Client). This means a connection to Azure is required, and the application registered in Azure must have the permissions needed to manage them, so that the necessary connection can be established

The procedure also requires creating an application in Azure, providing the PAM Assertion Consumer Service (ACS) URL to Azure, importing the Azure metadata into PAM and obtaining a client secret to be used with the Azure registration.

However, there may be situations where JIT is not necessary and there is no need to manage devices or users in Azure from PAM. In that case no Azure client is really necessary, and no target application or target account for Azure needs to be defined in PAM.

In this case Azure is used purely for SSO: that is, the user must already be defined locally in PAM (imported, for instance, through LDAP) and must also exist in Azure. Azure's sole function is to authenticate the user and allow login to PAM.

This configuration is simpler than Azure as an IdP with PAM acting as a client. This article describes the steps that must be followed.

Resolution

To use Azure only as an SSO IdP, with no device or user management, you need to do the following:

  • Create a local group named AzureSAMLUsers in CA PAM and assign it the SAML authentication type. This group is needed because PAM will look for all Azure-authenticated users in this specific group. If the user trying to log in is not a member of it, authentication fails with an error indicating that the user cannot be mapped
  • Import into PAM all the users which will be authenticated via Azure, for instance by importing an AD group containing them, or by any other method. The user ID must match the one that exists in Azure (for instance, if Azure has [email protected], there must be a user [email protected] in PAM, and it must be a member of AzureSAMLUsers)
  • Follow the documentation for creating an application registration in Azure and for subsequently importing its metadata into CA PAM. Also assign users and roles to the application as you would in a regular Azure-as-IdP configuration
  • Configure the different CA PAM cluster servers for SSO as well. Remember that an IP address and a certificate (which may be the default one) are required for every node in the SAML configuration
  • Import the Azure metadata into PAM in the Configured Remote SAML IdP page under SAML. Then edit it and leave the JIT checkbox unchecked. Click Download Metadata so that XsuiteMetadataFor_<application_name>.xml is downloaded, and open it to retrieve the AssertionConsumerService (ACS) entries specified in it
  • The corresponding ACS URLs must be entered in Azure, in the application registration defined previously, under the Redirect URI configuration (either as Mobile and desktop applications or as Web)

With this, it should be possible to do SSO to PAM with any of the users in AzureSAMLUsers without needing an Azure management subscription. Note, however, that users and machines in Azure will not be discovered when this configuration is used: there is no JIT, and users need to be managed manually in PAM.
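The step of opening the downloaded metadata and copying the ACS entries into the Azure Redirect URI list is easy to get wrong on a cluster, where every node has its own ACS. As an added example (not part of the original article and not CA PAM's own tooling), the following Python script parses an SP metadata file of the kind PAM downloads, lists the ACS locations that have to be registered as Redirect URIs, flags locations Azure will reject (Azure requires https for redirect URIs) and reports any ACS that is missing from what was actually registered. The embedded metadata is a constructed sample in the shape of an SP metadata file; the pam-node1/pam-node2 hostnames and the /saml/acs paths are hypothetical, not PAM's real URLs.

```python
"""List the AssertionConsumerService (ACS) URLs of a SAML SP metadata file.

Added example, not CA PAM's own code. Run with the path to the downloaded
XsuiteMetadataFor_<application_name>.xml, or with no argument to use the
constructed sample below.
"""
import sys
import xml.etree.ElementTree as ET

# SAML 2.0 metadata namespace, used by every SP/IdP metadata document.
MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample SP metadata for a two-node cluster; hostnames are hypothetical.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://pam-node1.example.internal/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://pam-node1.example.internal/saml/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://pam-node2.example.internal/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_acs(metadata_xml):
    """Return the entityID and the ACS entries (sorted by index) of SP metadata."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", MD_NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor element: this is not SP metadata")
    entries = []
    for el in sp.findall("md:AssertionConsumerService", MD_NS):
        entries.append({
            "index": int(el.get("index", "0")),
            # Keep only the short binding name, e.g. HTTP-POST.
            "binding": el.get("Binding", "").rsplit(":", 1)[-1],
            "location": el.get("Location"),
            "default": el.get("isDefault", "false").lower() == "true",
        })
    entries.sort(key=lambda e: e["index"])
    return {"entity_id": root.get("entityID"), "acs": entries}


def redirect_uris(acs_entries):
    """Deduplicated list of URIs to enter in Azure's Redirect URI configuration."""
    return sorted({e["location"] for e in acs_entries if e["location"]})


def redirect_uri_problems(acs_entries):
    """Flag ACS locations that Azure will not accept as redirect URIs."""
    problems = []
    seen = set()
    for e in acs_entries:
        loc = e["location"]
        if not loc or not loc.startswith("https://"):
            problems.append(f"index {e['index']}: redirect URIs must use https, got {loc!r}")
        elif loc in seen:
            problems.append(f"index {e['index']}: duplicate location {loc}")
        seen.add(loc)
    return problems


def missing_in_azure(acs_entries, registered_uris):
    """ACS locations not present in the Azure registration: logins routed to
    those nodes would fail with a redirect URI mismatch."""
    registered = set(registered_uris)
    return [u for u in redirect_uris(acs_entries) if u not in registered]


if __name__ == "__main__":
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SP_METADATA
    info = extract_acs(xml_text)
    print("entityID:", info["entity_id"])
    for uri in redirect_uris(info["acs"]):
        print("Redirect URI:", uri)
    for problem in redirect_uri_problems(info["acs"]):
        print("WARNING:", problem)
```

Compare the printed list against the Redirect URIs shown in the Azure application registration; with `missing_in_azure` you can pass the registered list and get back exactly the cluster nodes that were forgotten.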