I understand the problem. There are 2 almost identical objects in SmartConsole: "Microsoft Azure" - used for CloudGuard (aka vsec) and "AzureAD" for Identity Awareness, which was added in R81.
See that my headline is different:
So, there are 2 options using AzureAD:
1. Stay in R80.40, configure Identity Provider object for AzureAD and authenticate users with SAML in IDA captive portal. In Access Role, you will need to use Identity Tag.
2. Upgrade both SmartCenter and GW to R81 and, in addition to the Identity Provider object, configure an AzureAD object for Access Role usage.
Group manager, Identity Awareness R&D