So you definitely do NOT want to add it to External Identities, that is what was breaking mine.
I used some of the info from here: Azure AD Connect: Use a SAML 2.0 Identity Provider for Single Sign On - Azure - Microsoft Entra | Microsoft Learn
Basically you open PowerShell and use: Connect-MsolService
Then set up the federation.
This is what mine looked like:
```powershell
# Values in [brackets] are placeholders; substitute your own.
$dom = "[DOMAINNAME]"              # custom domain being federated
$BrandName = "[BrandName]"         # display name for the federation
$LogOnUrl = "https://[KeycloakURL]/realms/[REALM]/protocol/saml"   # Keycloak realm SAML endpoint
$LogOffUrl = "https://[KeycloakURL]/realms/[REALM]/protocol/saml"
$ecpUrl = "https://[KeycloakURL]/realms/[REALM]/protocol/saml"
$MyURI = "urn:federation:MicrosoftOnline"
$MySigningCert = "[KeycloakSigningCert]"   # base64 of the realm's SAML signing certificate
$Protocol = "SAMLP"
Set-MsolDomainAuthentication `
    -DomainName $dom `
    -FederationBrandName $BrandName `
    -Authentication Federated `
    -PassiveLogOnUri $LogOnUrl `
    -ActiveLogOnUri $ecpUrl `
    -SigningCertificate $MySigningCert `
    -IssuerUri $MyURI `
    -LogOffUri $LogOffUrl `
    -PreferredAuthenticationProtocol $Protocol
```
I’m going to try to write up the whole process, but if this doesn’t get you working, let me know.
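An added check to run after the federation step above (example code, not from the original post): it reads the domain's federation settings back with Get-MsolDomainFederationSettings and compares them against the realm's published IdP metadata, so a stale or mistyped signing certificate is caught before users hit sign-in failures. It assumes Connect-MsolService has already been run and that the Keycloak realm serves its SAML metadata at the /protocol/saml/descriptor URL.

```powershell
# Added verification helper, not part of the original post. Assumes the MSOnline
# module is loaded, Connect-MsolService has been run, and the Keycloak realm
# publishes IdP metadata at .../realms/<realm>/protocol/saml/descriptor.
function Test-KeycloakFederationSettings {
    param(
        [Parameter(Mandatory)] [string] $DomainName,   # the $dom value above
        [Parameter(Mandatory)] [string] $KeycloakUrl,  # e.g. https://[KeycloakURL]
        [Parameter(Mandatory)] [string] $Realm         # e.g. [REALM]
    )

    $samlUrl = "$KeycloakUrl/realms/$Realm/protocol/saml"

    # Pull the realm's IdP metadata and collect every X509 cert it advertises.
    $content = (Invoke-WebRequest -Uri "$samlUrl/descriptor" -UseBasicParsing).Content
    [xml]$md = $content
    $dsNs = 'http://www.w3.org/2000/09/xmldsig#'
    $idpCerts = @($md.GetElementsByTagName('X509Certificate', $dsNs) |
        ForEach-Object { $_.InnerText -replace '\s', '' })

    # What Entra currently has stored for this federated domain.
    $fed = Get-MsolDomainFederationSettings -DomainName $DomainName
    $configuredCert = $fed.SigningCertificate -replace '\s', ''

    $results = [ordered]@{
        SigningCertMatchesIdP = ($idpCerts -contains $configuredCert)
        PassiveLogOnUriOk     = ($fed.PassiveLogOnUri -eq $samlUrl)
        ActiveLogOnUriOk      = ($fed.ActiveLogOnUri  -eq $samlUrl)
        LogOffUriOk           = ($fed.LogOffUri       -eq $samlUrl)
    }

    # A certificate that no longer matches the realm (e.g. after a Keycloak key
    # rotation) means every SAML response will fail signature validation.
    if (-not $results.SigningCertMatchesIdP) {
        Write-Warning ("Configured SigningCertificate is not among the {0} cert(s) Keycloak publishes; " +
                       "re-run Set-MsolDomainAuthentication with the current realm cert.") -f $idpCerts.Count
    }

    [pscustomobject]$results
}

# Usage, with the same placeholders as the post above:
# Test-KeycloakFederationSettings -DomainName "[DOMAINNAME]" -KeycloakUrl "https://[KeycloakURL]" -Realm "[REALM]"
```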