When you say "If the user is signed into Canvas first", do you mean that the user logs in at /login/canvas?
If so, that flow won't work. That authenticates the user with the Canvas username/password, but Microsoft won't accept that authentication.
They would need to log in at /login/saml (or something similar to that, depending on your setup), which technically redirects the authentication request to Azure AD before granting access to Canvas. Once the user logs in at the SAML address, they are authenticated to Microsoft and should be able to navigate to Azure without issue.
To ensure that the user is authenticating to Azure AD when starting at Canvas, I think you need to make sure provider #1 is the SAML provider, with the Canvas login below it.
This discussion post is outdated and has been archived. Please use the Community question forums and official documentation for the most current and accurate information.