Azure AD Authentication

I’m attempting to set up Orchestrator (v2019.10.14) for Azure AD authentication. I’ve registered Orchestrator in Azure AD, and set up the web.config file in the following way:

I set up a local user with my AD email as the UserName, and then try it out…

At first it looks like it’s going to work – I get the Azure icon on the login page, clicking it redirects me to my Microsoft login page, which all appears to work correctly (including sending me the Duo Push), but after approving the Push, I’m redirected back to this:

What have I done wrong?

Thanks for your help.