Hi Chris. I'm not able to test import of this on my F5, due to text format I suppose...
Assuming SAML begins from: "IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
I can see 3 certificates, where 2 self-signed ones referring to CN=accounts.accesscontrol.windows.net are almost equal in parameters (with 2 weeks of difference in issuing date, same key length,...)
So I think it is impossible to say which one is right unless you ask the metadata issuer (Mr. MSft), or unless IdP Automation (no experience with this) chooses the right one for you
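
An added example, not part of the original post: one way to list only the certificates published under IDPSSODescriptor, with a SHA-256 fingerprint for each, so they can be compared against what the IdP administrator confirms. The metadata below is constructed, the certificate bodies are placeholder bytes rather than real X.509 data, and the helper names `key_descriptor` and `idp_certificates` are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def key_descriptor(raw, use="signing"):
    """Build a constructed KeyDescriptor; raw is placeholder bytes, not a real cert."""
    b64 = base64.b64encode(raw).decode()
    return (f'<KeyDescriptor use="{use}"><KeyInfo xmlns="{NS["ds"]}"><X509Data>'
            f'<X509Certificate>{b64}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>')

# Constructed sample: one non-SAML role (must be ignored) and an IDPSSODescriptor
# carrying three certificates, as in the metadata described in the post.
SAMPLE = (
    f'<EntityDescriptor xmlns="{NS["md"]}" entityID="https://idp.example/placeholder">'
    '<RoleDescriptor protocolSupportEnumeration="urn:example:other">'
    + key_descriptor(b"constructed-cert-D") + '</RoleDescriptor>'
    '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + key_descriptor(b"constructed-cert-A") + key_descriptor(b"constructed-cert-B")
    + key_descriptor(b"constructed-cert-C") + '</IDPSSODescriptor></EntityDescriptor>')

def idp_certificates(metadata_xml):
    """Return one record per distinct certificate under IDPSSODescriptor, in document order."""
    if "<!DOCTYPE" in metadata_xml:
        # SAML metadata has no reason to carry a DTD; refuse it before parsing.
        raise ValueError("DTD not expected in SAML metadata")
    root = ET.fromstring(metadata_xml)
    found = {}
    for idp in root.iter("{%s}IDPSSODescriptor" % NS["md"]):
        for kd in idp.findall("md:KeyDescriptor", NS):
            # A KeyDescriptor without "use" applies to both signing and encryption.
            use = kd.get("use", "signing+encryption")
            for cert in kd.iterfind(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join((cert.text or "").split()))
                fp = hashlib.sha256(der).hexdigest()
                rec = found.setdefault(fp, {"sha256": fp, "uses": [], "der_len": len(der)})
                if use not in rec["uses"]:
                    rec["uses"].append(use)
    return list(found.values())

if __name__ == "__main__":
    for rec in idp_certificates(SAMPLE):
        print(rec["sha256"], ",".join(rec["uses"]), rec["der_len"], "bytes")
```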