The write-up is here:
Tutorial: Windows Azure AD integration with Salesforce
but I couldn't get it working.
Luckily, I have some SAML experience so figured out the problem.
I posted before about how important it is to get the NameID stuff right, and this was indeed the problem.
When you create the user in Salesforce, you have to make sure that the Salesforce username is exactly the same as the login name you use for your AAD tenant.
And you have to use a valid email address.
The email address and username do not have to match.
So assume I log into my AAD tenant as:
My email address is email@example.com.
So I create the Salesforce user with:
email = firstname.lastname@example.org
username = email@example.com
Check your email - you will get a "Change Password" email from Salesforce.
Change your password.
Log in to AAD - navigate to the Access Panel - click Salesforce.
What will happen is that AAD will take your logged-in name, put it in the SAML assertion as the NameID (the value Salesforce treats as the username) and pass it to Salesforce.
Salesforce will check that there is a registered user with that username.
There is, so A-OK - you are logged in.
I did not have to synchronise any accounts to achieve this.
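To make the NameID-versus-username check concrete, here is an added example (my own, not code from the tutorial or from Salesforce) that parses the Subject/NameID out of a constructed minimal SAML assertion and applies the rule described above: the login succeeds only when the NameID equals a registered username exactly, and a NameID that matches a user's email but not their username is reported as the mismatch that bit me. The user names, addresses and the "active" flag are made up for the example.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: only the Subject/NameID part of what the IdP (AAD) would send.
# The NameID carries the AAD login name (placeholder value, not a real tenant).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@contoso.example</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Constructed Salesforce-style user table: username and email deliberately differ,
# as in the post (the username is the AAD login name, the email is something else).
SALESFORCE_USERS = {
    "alice@contoso.example": {"email": "alice.personal@mail.example", "active": True},
}


def extract_name_id(assertion_xml: str) -> str:
    """Return the Subject/NameID text, or raise if the assertion has none."""
    root = ET.fromstring(assertion_xml)
    node = root.find("saml:Subject/saml:NameID", SAML_NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("assertion has no Subject/NameID")
    return node.text.strip()


def resolve_user(name_id: str, users: dict) -> str:
    """Mimic the service provider's check: NameID must equal a registered username."""
    if name_id in users and users[name_id]["active"]:
        return "ok"
    # Diagnostic for the classic mistake: the IdP sent the user's email address,
    # which matches the email on file but not the username the SP keys on.
    for username, rec in users.items():
        if rec["email"].lower() == name_id.lower():
            return f"mismatch: NameID equals the email of '{username}', not the username"
    return "unknown user"


def check_login(assertion_xml: str, users: dict) -> str:
    """End-to-end: parse the assertion, then apply the username rule."""
    try:
        name_id = extract_name_id(assertion_xml)
    except ValueError as exc:
        return f"rejected: {exc}"
    return resolve_user(name_id, users)
```

Running `check_login(SAMPLE_ASSERTION, SALESFORCE_USERS)` yields `"ok"`; swapping the NameID for the user's email address yields the mismatch diagnostic instead.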