Project: SAML for Atlassian Data Center
Issue: SAMLDC-92

MCAS integration - SAMLRequest parameter encoding question

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Low
    • Version: 4.1.5
    • Component: SSO

We are working with Microsoft to set up an MCAS proxy in front of our Data Center Atlassian tools. Microsoft said there is an issue with the SP (Atlassian SSO Data Center app) when crafting the SAMLRequest parameter. We are not so sure this is an issue on your side, but wanted to run it by you. This is Microsoft's explanation:

The Sign on URL itself is correct to have the "&", i.e. the SAML URL configured for the app should look like:

https://us.saml.cas.ms/saml/sso_login?orig_idp=https%3A%2F%2Fl...&mcastenant=xxxxx

This is where the syntax error is: the SP creates this "SAMLRequest" XML, then encodes it and sends it to the SAML Proxy URL via a POST request. However, the original XML crafted by the SP contains the unescaped "&" character, which must be encoded for the XML to be valid and for this parameter to be processed properly. So the correct XML (before encoding) for that "SAMLRequest" parameter should look like:

<samlp:AuthnRequest [...] Destination=[https://us.saml.cas.ms/saml/sso_login?orig_idp=https%3A%2F%2Flo...&mcastenant=xxxxx</samlp:AuthnRequest>

Again, we think it would be on the MCAS side, but wanted to get your thoughts.

Assignee: Unassigned
Reporter: Leann Adams
Affected customers: 0
Watchers: 2
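The point raised in the issue is that a "&" inside the Destination attribute of an AuthnRequest must be escaped as "&amp;" in the XML itself, independently of the Base64 (POST binding) or DEFLATE+Base64+URL encoding (Redirect binding) applied afterwards. The following is an added illustration, not code from the Atlassian app or from Microsoft: it builds the same request two ways, once by string concatenation without XML escaping and once with an XML serializer that escapes attribute values, and shows that only the escaped form parses and survives both binding encodings. The destination URL, issuer and request ID are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import quote, unquote

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: a proxy sign-on URL carrying two query parameters,
# so the raw URL contains a literal '&' (placeholder host and tenant).
DESTINATION = ("https://proxy.example.test/saml/sso_login"
               "?orig_idp=https%3A%2F%2Fidp.example.test&tenant=xxxxx")
ISSUER = "https://sp.example.test"          # placeholder SP entity ID
REQUEST_ID = "_id-0001"                       # placeholder request ID
ISSUE_INSTANT = "2024-01-01T00:00:00Z"        # placeholder timestamp


def build_authn_request_naive(destination, issuer, request_id, issue_instant):
    """String concatenation with no XML escaping: the '&' in the URL is
    emitted raw inside the Destination attribute, which is not well-formed."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{destination}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"</samlp:AuthnRequest>"
    )


def build_authn_request(destination, issuer, request_id, issue_instant):
    """Same request built with an XML serializer, which escapes '&' in
    attribute values as '&amp;' (and '<', '>' and '"' likewise)."""
    ET.register_namespace("samlp", SAMLP_NS)
    ET.register_namespace("saml", SAML_NS)
    root = ET.Element(f"{{{SAMLP_NS}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": destination,
    })
    ET.SubElement(root, f"{{{SAML_NS}}}Issuer").text = issuer
    return ET.tostring(root, encoding="unicode")


def is_well_formed(xml_text):
    """True if an XML parser accepts the document."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def destination_of(xml_text):
    """Destination attribute as the receiving party would see it after parsing:
    the '&amp;' is decoded back to '&', so the URL round-trips intact."""
    return ET.fromstring(xml_text).get("Destination")


def encode_post_binding(xml_text):
    """HTTP-POST binding: the XML is Base64-encoded into the SAMLRequest form field."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_post_binding(param):
    return base64.b64decode(param).decode("utf-8")


def encode_redirect_binding(xml_text):
    """HTTP-Redirect binding: raw DEFLATE, then Base64, then URL-encoding for the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 selects raw DEFLATE (no zlib header)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return quote(base64.b64encode(deflated).decode("ascii"), safe="")


def decode_redirect_binding(param):
    raw = base64.b64decode(unquote(param))
    return zlib.decompress(raw, -15).decode("utf-8")


if __name__ == "__main__":
    naive = build_authn_request_naive(DESTINATION, ISSUER, REQUEST_ID, ISSUE_INSTANT)
    good = build_authn_request(DESTINATION, ISSUER, REQUEST_ID, ISSUE_INSTANT)
    print("naive well-formed:", is_well_formed(naive))
    print("escaped well-formed:", is_well_formed(good))
    print(good)
```

Neither binding encoding repairs the XML: Base64 and DEFLATE are applied to the bytes as given, so a raw "&" in the attribute is still a raw "&" after the receiver decodes the parameter. The only fix is to escape at the XML layer, which any real XML serializer does; the failure mode appears when the request is assembled by string formatting.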