I had been having similar problems and went looking through Microsoft's documentation. I noticed that the recommended profile settings here - Use the Microsoft Enterprise SSO plug-in on iOS/iPadOS devices - had at one point been updated. When I built the profile for SSO it indicated using explicit bundle ID's but this doc indicates using partial strings, which seems to resolve as a wild card. Creating a clone SSO config profile and changing the contents of the plist to wild cards seem to have done the trick for me and SSO. Looking to do additional testing, but give it a try on your end.
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>AppPrefixAllowList</key>
<string>com.microsoft.,com.apple.,com.jamf.,com.jamfsoftware.</string>
<key>browser_sso_interaction_enabled</key>
<integer>1</integer>
<key>disable_explicit_app_prompt</key>
<integer>1</integer>
</dict>
</plist>
We're a Zscaler shop and SSO broke in Zscaler when Sonoma came out, but changing it to just com.zscaler. seems to have fixed that for me as well.
com.zscaler.
