I am trying to implement SSO with my office add-in. To do this, I am using the office IdentityAPI, which requires you to have an application ID URI, that has some restrictions (such as you owning the domain and it being verified). Using MS lingo, we own www.contoso.com and www.contoso.onmicrosoft.com, so I have set up the AppID URI to be www.contoso.com/{appId}, as is suggested in the documentation. However, my add-in is being hosted on Azure static storage, which has a domain www.contoso.z12.web.windows.net, which is different to the AppID URI. This means that I get the error in the question when trying to use this setup. Changing the AppID URI to the domain that the static website is on does not work. Does anyone have any suggestions?
You need to host the add-in on the custom domain with a valid certificate. Public Azure web sites are not accepted by the Azure AD services. This is a well-known restriction for using the SSO with Azure AD.
The error on the SSO configuration page should state that explicitly.
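A small pre-flight check for the mismatch discussed above, added here as an example (not code from the answer or from Microsoft): it compares the host in the add-in manifest's SourceLocation with the host in the Application ID URI and flags hosting on an Azure-provided domain. The manifest fragment, the suffix list and the placeholder app ID are constructed assumptions.

```javascript
// Constructed sample manifest fragment (not from a real add-in): the add-in is
// served from the Azure static-website host named in the question.
const SAMPLE_MANIFEST = `
<OfficeApp>
  <DefaultSettings>
    <SourceLocation DefaultValue="https://www.contoso.z12.web.windows.net/index.html"/>
  </DefaultSettings>
</OfficeApp>`;

// Azure-provided hostnames treated as "public Azure web sites" for this check
// (assumed list; extend it for your own environment).
const AZURE_PLATFORM_SUFFIXES = [".web.windows.net", ".web.core.windows.net", ".azurewebsites.net"];

// Host part of an App ID URI. Accepts "api://host/id", "https://host/id",
// or a bare "host/id" as written in the question.
function appIdUriHost(appIdUri) {
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(appIdUri);
  return new URL(hasScheme ? appIdUri : `https://${appIdUri}`).hostname.toLowerCase();
}

// The add-in's hosting URL from the manifest's SourceLocation DefaultValue.
function sourceLocationUrl(manifestXml) {
  const m = manifestXml.match(/<SourceLocation\s+DefaultValue="([^"]+)"/);
  if (!m) throw new Error("manifest has no SourceLocation DefaultValue");
  return new URL(m[1]);
}

// Returns a list of problems; an empty list means hosting and App ID URI agree.
function checkSsoHosting(manifestXml, appIdUri) {
  const src = sourceLocationUrl(manifestXml);
  const hostingHost = src.hostname.toLowerCase();
  const idHost = appIdUriHost(appIdUri);
  const problems = [];
  if (src.protocol !== "https:") problems.push("SourceLocation must use https");
  if (hostingHost !== idHost)
    problems.push(`hosting host ${hostingHost} does not match App ID URI host ${idHost}`);
  if (AZURE_PLATFORM_SUFFIXES.some((s) => hostingHost.endsWith(s)))
    problems.push(`hosting host ${hostingHost} is an Azure-provided domain; serve the add-in from a verified custom domain`);
  return problems;
}

// Placeholder app ID (all zeros), not a real application.
console.log(checkSsoHosting(SAMPLE_MANIFEST, "www.contoso.com/00000000-0000-0000-0000-000000000000"));
```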