I know this thread is old - but we ran into the same issue... two tips that helped us:

1 - I loaded the ISE admin certs from all the nodes that would potentially become a PAN. In our case it was a public cert and root. It was no trouble adding multiples to the Azure manifest file.

2 - We had gotten stuck on the URL being graph.microsoft.net/<tenantID>. The correct one in 2019 is graph.windows.net/<tenantID>. The Microsoft support people had this wrong, but a TAC engineer suggested the change and it worked.