This article is very helpful, especially the part about modifying the metadata.
Is it possible to call a SAML 2.0 identity provider from a risk-based policy in Access Manager 4.5? If so, please provide details.
It would be helpful to include info about the certificate in the Azure metadata. You need to make sure to import it into Access Manager trusted roots if it is self-signed.