
Hi

After configuring OAuth and the claims issuer in Designer, I am unable to log in fully to Designer using my AAD account. It redirects fine to the Azure login, but after this I get the error:

 

WIF10201: No valid key mapping found for securityToken: 'System.IdentityModel.Tokens.X509SecurityToken' and issuer: 'https://sts.windows.net/xxxx-xxxx-xxxxx

 

I have checked the thumbprint against the accesscontrol.windows.net certificate and this seems fine. I believe this to be the current one, 92B88C3DD981BF1EBCB244FCFA63C007706C79E0; a couple of walkthroughs had used this one, 3464C5BDD2BE7F2B6112E2F08E9C0024E33D9FE, but I believe that to be expired now.

 

Has anyone else had a similar issue?

 

Thanks

 

Adam

 

 

Hi AdamBryant,

 

I haven't had specific experience with Azure AD, but this sounds just like a traditional claims config issue. Check the documentation here: http://help.k2.com/onlinehelp/k2blackpearl/icg/current/webframe.html#claims_oauth_configuration.html

That doc gives the location of the smartforms responsible for claims authentication.  From the message it seems that there is a mapping that is not there for the token issuer.

 

Make sure your issuer exists (https://sts.windows.net/xxxx-xxxx-xxxx); if not, add it using the Identity.AddIssuer form, and make sure a valid mapping exists for it in AddClaimType mapping.

 

If you want to post screenshots of the relevant forms and entries, I'll see if my non-Azure knowledge translates.

 

Regards,

 

Mike

 

PS.  Posting your actual thumbprint may not be a good idea.  Just make sure it matches.


Verify that you have a trailing slash in the Claims Issuers Issuer value, as shown in the picture below (i.e. it should have the slash shown in red on the screenshot at the very end of the issuer URL):


 


[Screenshot: Claims Issuers Issuer value with the trailing slash at the end of the URL shown in red]


 


I've seen this error exactly because of a missing slash in this place. Note my screenshot shows https://sts.windows.net for the initial part of the Issuer URL, but it is better to use https://login.microsoftonline.com instead (I believe MSFT replaces that sts.windows.net URL with https://login.microsoftonline.com and you should always use it).


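As an added example (not part of the posts above, and not K2 or Microsoft code), here is a small Python check for the two causes discussed in this thread: the issuer's trailing slash and the certificate thumbprint. It assumes the issuer registry compares both strings exactly; the function names, tenant GUID and thumbprints are constructed for illustration.

```python
import re
import unicodedata

# Constructed sample values: what the token carries at login time.
TOKEN_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
TOKEN_THUMBPRINT = "AB" * 20  # a SHA-1 thumbprint is 40 hex characters

# Constructed configuration row: no trailing slash on the issuer, and a
# thumbprint pasted with a hidden U+200E mark, spaces and lower case.
CONFIGURED = [
    ("https://sts.windows.net/00000000-0000-0000-0000-000000000000",
     "\u200e" + " ".join(["ab"] * 20)),
]

def normalize_thumbprint(raw):
    """Drop invisible characters, whitespace and separators, then upper-case."""
    skip = ("Cf", "Cc", "Zs")  # format, control and space characters
    kept = [c for c in raw
            if unicodedata.category(c) not in skip and c not in ":-"]
    return "".join(kept).upper()

def diagnose(configured, token_issuer, token_thumbprint):
    """Explain why no configured (issuer, thumbprint) row maps the token.

    Assumption: matching is an exact string comparison on both values, so a
    row that looks right on screen can still fail to map.
    """
    if (token_issuer, token_thumbprint) in configured:
        return []
    findings = []
    for issuer, thumb in configured:
        if (issuer != token_issuer
                and issuer.rstrip("/") == token_issuer.rstrip("/")):
            findings.append(f"issuer {issuer!r}: trailing slash differs")
        clean = normalize_thumbprint(thumb)
        if not re.fullmatch(r"[0-9A-F]{40}", clean):
            findings.append(f"thumbprint for {issuer!r}: not 40 hex "
                            f"characters after cleanup ({len(clean)})")
        elif (thumb != token_thumbprint
                and clean == normalize_thumbprint(token_thumbprint)):
            findings.append(f"thumbprint for {issuer!r}: equal only after "
                            "removing hidden characters, spaces or case")
    return findings or ["no configured row is close to the token's values"]

if __name__ == "__main__":
    for line in diagnose(CONFIGURED, TOKEN_ISSUER, TOKEN_THUMBPRINT):
        print(line)
```
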