Getting error authenticating user using OpenID Connect SSO plugin

Hi Team,

We are trying to configure OOTB OpenID Connect user authentication using Azure Active Directory. The error trace and configuration details are shared below. Please help me understand how the user can authenticate successfully.

OpenID Connect SSO plugin Configuration Setting

After successful login using the AAD login window.

  • You cannot use Legacy Url options with Azure; that is for older Okta implementations. Also, do not add the openid and profile scopes as additional scopes; as the label said, these are already added by default. Then verify your authorization server, it looks off from Azure AD clients I have seen. Then verify your token contains a valid email address.

    Also note this only works with organization Azure AD.  If you are trying to do this with B2C or another AD extension it won't work.
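
An added example, not part of the reply above or of the plugin: a local decoder for the two things the reply says to verify, that the ID token carries a valid email address and that it comes from an organizational Azure AD tenant rather than B2C. It assumes the address is read from the `email` claim; the tenant ID and sample tokens are constructed placeholders.

```python
import base64
import json
import re

# Issuer hosts used by organizational Azure AD tenants (v2.0 and v1.0 endpoints).
ORG_ISSUER_HOSTS = ("login.microsoftonline.com", "sts.windows.net")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(id_token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (diagnostic only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def check_claims(claims: dict) -> list:
    """List the problems the reply above says to rule out."""
    problems = []
    email = claims.get("email")  # assumption: the plugin reads this claim
    if not email:
        problems.append("no email claim in token")
    elif not EMAIL_RE.match(email):
        problems.append("email claim is not a valid address: %r" % email)
    host = re.sub(r"^https://", "", claims.get("iss", "")).split("/")[0]
    if host not in ORG_ISSUER_HOSTS:
        problems.append("issuer %r is not an organizational Azure AD endpoint" % host)
    return problems


def make_token(claims: dict) -> str:
    """Build a constructed sample token with a dummy signature for the demo."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "sig"])


if __name__ == "__main__":
    tid = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID
    good = {"iss": "https://login.microsoftonline.com/%s/v2.0" % tid, "email": "user@example.com"}
    b2c = {"iss": "https://contoso.b2clogin.com/%s/v2.0/" % tid, "preferred_username": "user"}
    for sample in (good, b2c):  # constructed samples
        print(check_claims(decode_claims(make_token(sample))))
```

Decoding locally keeps a real ID token out of third-party decoder sites; the output is a troubleshooting aid only, since the signature is never checked.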

  • Thanks for the reply,

    We have updated the config as per your suggestion but are getting the same error. Let me explain the steps.

    1. I created an app registration on Azure Active Directory.

    2. Added the return URL.

    3. 

    4. I am using an AAD Microsoft user ID for login and I consent.

    5. After consent, I am redirected to the error page which I highlighted.

    How do you verify that "it looks off from Azure AD clients I have seen", and what is the meaning of this?
