The certificate you select in the auth profile identifies the local firewall to the IDP (Azure), so you need to select a certificate you have the private key for. If you look at your certs, you need one where you have the private key, and if you don't, generate a test cert. You should then be able to select that certificate to sign the request that the firewall sends to Azure. I can't remember if you need to also upload the public cert to Azure.